This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Computer networks have come a long way since their inception. Organizations are hard pressed to keep up with new technology. The pressure also comes from protecting their network systems from cyber attacks. Attacks on computer networks have been increasing over the past few years. One of the most common attacks is the Denial of service (DoS) attack. According to Tech-FAQ (2009), this type of attack attempts to prevent the victim from being able to use all or part of their network connection. The recent DoS attacks on the U.S. has stirred up debate over creating new legislation to help protect against these and other attacks.
The Internet was originally designed for openness and scalability. The infrastructure is certainly working as envisioned by the yardstick. However the price of the success has been poor security. For example the Internet protocol (IP) was designed to support ease of attachment of hosts to networks, and provides little support for verifying the contents of IP packet header fields. This makes it possible to fake the source address packets, and hence difficult to identify the source of traffic. Moreover there is no inherent support in the IP layer to check whether a source is authorized to access a service. Packets are delivered to their destinations and the server at the destination must decide whether to accept and service these packets. While defenses such as firewalls can be added to protect servers, a key challenge for defense is how to discriminate legitimate request for service from malicious access attempts.
If it is easier for sources to generate service requests than it is for a server to check the validity of those requests, then it is difficult to protect the server from malicious requests that waste the resources of the server. This creates the opportunity for a class of attack known as denial of service attack. . (Peng, Leckie &Ramamohanrao, 2007.)
Denial of Service Attacks
A denial of service (DoS) attack aims to deny access by legitimate users to shared service of resources. This occurs in a wide variety of contexts from operating systems to network-based services. It can be launched in two forms. The first form aims to crash a system by sending one or more carefully crafted packets that exploit software vulnerability in the target system. For example the "ping-of-death" attack sends a large International Control Message Protocol (ICMP) ping packet that is fragmented into multiple data reboot due to buffer overflow. The second form is to use massive volumes of useless traffic to occupy all the resources that could service legitimate traffic. While it is possible to prevent the first form attack by patching known vulnerabilities, the second form of attack cannot be so easily prevented. The targets can be attacked simply because they are connected to the public Internet.
When the traffic of a DoS attack comes from multiple sources, it is called a distributed denial of service (DDoS) attack. By using multiple attack sources, the power of a DDos attack is amplified and the problem of defense is made more complicated. The impact of DDos attacks can vary from minor inconvenience to users of a website to serious financial losses for companies that rely on their online availability to do business. On February 9, 2000, Yahoo, eBay, Amazon.com, E*Trade, ZDnet, Buy.com, the FBI and several other websites fell victim to DDoS attacks resulting in substantial damage and inconvenience. From December 2005 to January 2006, 1,500 separate IP addresses were victims of DDoS attacks, with some attacks using traffic rates as high as 10Gb/s. (Peng, Leckie &Ramamohanrao, 2007.)
Some of the DDoS attacks on US organizations include Code Red Worms, Blaster Worm and most recently MyDoom Virus.
Code Red Worm
On July 19, 2001, a random seed variant of the Code Red Worm began to infect hosts running unpatched versions of Microsoft's IIS web server. The worm spreads by probing random IP addresses and infecting all hosts vulnerable to the IIS exploit. The primary observation to make about the Code-Red Worm is the speed at which malicious exploit of a ubiquitous software bug can incapacitate host machines. In particular physical and geographical boundaries are meaningless in the face of a virulent attack. In less than 14 hours, 359,104 hosts were compromised. The worm did no significant damage to the machines it infected. It had a preset cutoff time.
This spread by exploiting a vulnerability in the Remote Procedure Call (RPC) service which allowed malicious code to be executed in the remote host. According to CERT, the number of vulnerabilities reported in 2005 was 5,990, which is 35 times the number in 1995. (Peng, Leckie &Ramamohanrao, 2007.)
The MyDoom computer virus, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, has been affecting Microsoft Windows systems since January 2004. It quickly exceeded the damage caused by the previous Sobig worm and became the fastest spreading email worm ever. After only one month, an estimated one million computers around the world had become infected with the MyDoom virus (Wikipedia).
Although the actual author of the worm is unknown, there are a few different beliefs about its origination and purpose. Some security researchers initially believed that it originated from a professional underground programmer in Russia, created to perpetrate a distributed denial-of-service attack against SCO Group, while others believe it originated from organized online crime gangs.
Believed to be a variant of the Mimail viruses that have also traveled the Internet, MyDoom is a mass mailing worm that spreads through email and even peer-to-peer networks. Acting as a backdoor Trojan, it is sent as an attachment to what appears to be a transmission error message. When executed, "this trojan component opens TCP ports 3127 thru 3198 to allow remote users to access and manipulate infected systems. The backdoor routine has the ability to download and execute arbitrary files" (What is the MyDoom Worm, pchell.com).
Symptoms of MyDoom Infection
According to Microsoft, if your computer is infected by MyDoom, you may notice one or more of the following symptoms:
Some variants create a text file containing random data that looks similar to the following screenshot:
Some variants overwrite the hosts file, which may block access to some Microsoft and antivirus vendor Web sites. The overwritten hosts file may look similar to the following screenshot:
The 2004 MyDoom worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP. As indicated on McAfee.com website, once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. This is done by opening a TCP Port on the victim's machine using the SERVICES.EXE process and listens for incoming connections. This process also sends TCP network traffic from a highport of the infected machine,Â toÂ randomly generatedÂ IP addresses on destination Port.Â When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.
McAfee.com states that, upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
It also drops the file SERVICES.EXE into this directory:
The following Registry keys are added to hook system startup:
\Run "JavaVM" = %WinDir%\JAVA.EXE
\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keysÂ are also added:
According to CIO.com news, an updated version of the MyDoom virus is responsible for a large DDOS (distributed denial of service) attack that took down major U.S.A and South Korean Web sites recently. The attack works by infecting a large number of computers with malware, building up what's commonly called a "botnet." Those machines are then used to send tremendous amounts of data to a site's servers, overwhelming it with more information than it could possibly handle.
In comparison, the original version, 2004 MyDoom, carried two payloads, a backdoor to allow remote control of the subverted PC, and a denial of service attack. It was the fastest-spreading e-mail worm in Internet history. Once a PC was infected with MyDoom, it would harvest e-mail addresses and e-mail itself out repeatedly. Whereas the upgraded MyDoom variants, in addition to carrying the original payloads, include a downloader that can bring other malicious code into the compromised PC, a feature also present in earlier versions of the malware. The upgraded MyDoom blocks virus removal tools or updates to antivirus software by blocking access to the sites. An additional file contains details of Web site to be attacked.
Cyber Attack Prevention Recommendations
Most of the prevention mechanisms in practical use focus on access and flow control on a computer and network system. Every network should have some basic cyber attack prevention methods such as firewalls and control of user's access and rights.
A firewall is usually installed on a router or an application gateway that controls incoming and outgoing traffic of a protected computer and network system. A firewall on a router (screening router) filters traffic data between a protected system and its outside world by defining rules which are applicable to mostly header fields of data packets at the TCP and IP layers of the TCP/IP protocol. The data portion of a network packet may not be readable due to the encrypted application data, and therefore is not usually used to define filtering rules in the firewall. A list of typical TCP/IP header fields is as follows:
Source IP address
Destination IP address
Flags, a combination of TCP control bits: S (SYN), F (FIN), P(PUSH) and
R(RST), or a single '.' for no flags
Length of data payload
Window size, indicating the buffer space available to receive data to help
the ï¬‚ow control between two host computers
Urgent, indicating that there is 'urgent' data
Options, indicating TCP options if there are any.
A filtering rule can look for specific types of values in one or more header fields, and allow or deny data packets based on these values. TCP/IP headers have information on the source IP address and port, the destination IP address and port, etc. Using the header information, a screening router can deny data packets from a specific source IP address, block data packets targeting specific network ports running vulnerable network services, prevent certain types of data packets such as those containing ICMP Echo Reply messages from going out, and so on.
A firewall can also be installed on a computer running proxy network applications, called a proxy gateway or application gateway. A proxy gateway transforms network data packets into application data by performing pseudo-application operations. Using information available at the application layer, a proxy gateway can block access to specific services (e.g., certain FTP commands) of an application, and block certain kinds of data (e.g., a file attachment with a detected virus) to an application. For example, a proxy gateway running a pseudo-FTP application can screen FTP commands to allow only acceptable FTP commands. The proxy gateway, which is a host computer inside a protected computer and network system, performs the further data filtering based on information that is available at the Application layer. The firewalls control the entire network perimeter of the protected computer and network system so that all traffic between the system and its outside network must pass through the firewalls.
Authorization and Authentication
Authentication and authorization work together to control a user's access to computer and network assets. Through authentication, a user is verified to be truly what the user claims to be. Through authorization, a user is granted access rights to computer and network assets based on the user's authenticated identity.
A username and a password are commonly used for user authentication. In addition to information keys such as passwords, there are also physical keys such as magnetic cards and security calculators, and biometric keys such as voice print, fingerprint, and retinal print. A digital signature has become an increasingly popular method of authenticating the sender of a digital document. For example, using a public key cryptographic algorithm such as the Rivest-Shamir-Adelman (RSA) algorithm, the sender of a digital document has a pair of a private key and a public key which is known by others.
User authentication is a part of an authorization process which determines which access rights are granted to which computer and network assets for an authenticated user. Authorization controls a user's access to computer and network assets, and can also limit information flow between computer and network assets. Authentication/authorization aims at access and flow control by limiting each user to the user's own work space on a computer and network system.
Creation of New Laws
Along with prevention methods for cyber attacks, there needs to be legislation to help support and encourage different methods for prevention of these widespread attacks. The following are suggestions/recommendation for laws.
Make ISPs responsible for filtering scan and attack traffic across their networks:
Given the debilitating effects of cyber attacks on the nation's infrastructure and the high cost of bandwidth, Congress is supposed to enact legislation that will make it mandatory for all ISPs provide in place a network monitoring tool to scan all network traffic. The law basically would require ISPs to filter out clear attack traffic and cut potential botnets off of their network, this Act will proactively prevent systems from being compromised.
Make ISPs responsible for knocking customer PCs off their network if they become bots.
Secondly, congress should make legislation that will make ISPs responsible for shutting down subscriber's computer systems whenever there is cyber attack. The goal will be to prevent the threat or viruses from spreading across the entire network because it's easier to spot an attack from end user through the IP address or subnet, "it is easier to identify and stop offending traffic at the source than for a victim under attack to identify and contact the appropriate administrators to stop the attacks" (Winkler, R Computerworld).
Make end users liable if losses are incurred because of outdated security software.
Additionally, Congress should formulate legislation that will make it mandatory for end users to have the latest Antivirus software and security patches on their systems. The objective is to make end users more responsible and not allow their systems from being manipulated by remote users. All PCs connected to the Internet should have the latest patches installed, as well as updated firewall, antivirus and antispyware software, this will help decrease computer attacks. This measure is similar to purchasing a home or car insurance.
Legislation to foster global response against Cyber Attack.
Furthermore, this Legislation will ensure that the US governments collaborate with foreign government to foster a global response in case of a cyber attack. For example attacks against the US originate from foreign countries have become increasingly sophisticated the Department of defense has spent over $100 million in the first six months of 2009 to repair damage to network caused by cyber attacks (Gillibrand.senate.gov). However, because of these daily cyber attacks Senator Kirsten Gillibrand is introducing a new and innovative legislation known as "The Fostering a Global Response to Cyber Attacks Act". The primary objective of the legislation is to empower the State Department to work with foreign governments to: Encourage international cooperation in improving cyber security on a global basis; push for a set of international agreements and law enforcement cooperation to stop cyber attacks and cyber crime; and develop appropriate safeguards for the protection of privacy, freedom of speech, and commercial transactions to be included in any agreements or other activities designed to safeguard cyberspace.
Enact an efficient Hardware and security software Law.
Finally, congress should authorize legislation that will make it mandatory for software and hardware producers to manufacture high quality products. According to U S Senator Tom Caper ( D.Del) "We know that in most cases, cyber-criminals prey on insecure software and hardware, and my bill (Carper bill S.921) will provide incentives for the federal government to use its great purchasing power to demand private companies sell our agencies more secure products."(eweek)