"Stopping denial-of-service attacks is hard, but there are certain basic steps that, if all the ISPs took them, would make it so much harder for the bad guys," said Jeff Schiller, a network manager for Massachusetts Institute of Technology who will present a tutorial on network security at N+I.
Schiller and others cited as one example the implementation of ingress and egress filtering, which ensures that packets entering and leaving a network do not carry the spoofed source (return) addresses that DDoS attackers typically use to cover their tracks.
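The ingress/egress check described above, as an added illustration that is not from the article or any product it mentions: a model of a border filter for a site that (by assumption) owns the documentation prefix 203.0.113.0/24, dropping outbound packets whose source is not the site's own and inbound packets that claim a site address or an obvious bogon source.

```python
import ipaddress
from typing import NamedTuple
# Assumed site prefix (RFC 5737 documentation range standing in for a real allocation).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that should never arrive from the Internet: a small explicit bogon list.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]
class Packet(NamedTuple):
    src: str
    dst: str
    direction: str  # "out": site -> Internet (egress); "in": Internet -> site (ingress)

def _in_any(addr, nets):
    return any(addr in n for n in nets)
def filter_decision(pkt: Packet) -> tuple:
    """Return ("forward", reason) or ("drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        # Egress filtering: only the site's own addresses may leave as a source.
        if not _in_any(src, SITE_PREFIXES):
            return ("drop", "egress: source is not a site address (spoofed)")
        return ("forward", "egress: source belongs to the site")
    if pkt.direction == "in":
        # Ingress filtering: an outside packet may not claim a site or bogon source.
        if _in_any(src, SITE_PREFIXES):
            return ("drop", "ingress: external packet claims a site source address")
        if _in_any(src, BOGON_SOURCES):
            return ("drop", "ingress: source is a bogon/private address")
        return ("forward", "ingress: plausible external source")
    raise ValueError(f"unknown direction {pkt.direction!r}")
# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "198.51.100.7", "out"),  # legitimate outbound
    Packet("192.0.2.99", "198.51.100.7", "out"),    # spoofed source leaving the site
    Packet("198.51.100.7", "203.0.113.10", "in"),   # legitimate inbound
    Packet("203.0.113.10", "203.0.113.20", "in"),   # outsider impersonating the site
    Packet("10.0.0.5", "203.0.113.10", "in"),       # private source from the Internet
]

def run_filter(packets=SAMPLE_PACKETS) -> dict:
    """Apply the filter to a packet list and return counts per verdict."""
    counts = {"forward": 0, "drop": 0}
    for pkt in packets:
        counts[filter_decision(pkt)[0]] += 1
    return counts
```

On the constructed sample, two packets are forwarded and three are dropped; the egress rule is the one that keeps a compromised host inside the site from emitting spoofed traffic in the first place.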
This kind of filtering is the subject of a Request for Comments (RFC) document at the Internet Engineering Task Force (IETF), an influential standards body. That document, written by Cisco, was posted in January 1998.
A related effort at the IETF is the iTrace working group, whose goal is to improve the tracing of Internet packets as they traverse the Internet.
Working-group members sought to downplay expectations in advance of the panel, noting the inherently intractable nature of DDoS attacks and the collective need of the group to keep its defense strategy under wraps.
"Right now, the problem is that we're powerless to stop DDoS attacks," said Robert Graham, chief technology officer of Network ICE, which sells network intrusion-detection systems. "There are ways you can attack machines that cannot be stopped."
The working group is concentrating on less-than-surefire solutions, such as improving methods of tracing the source of DDoS attacks.
Other panelists also sought to minimize expectations for today's event, noting that for strategic reasons the group would be keeping silent about its main findings, just as it has kept the group's very existence quiet for most of the past seven months.
"There is not going to be blockbuster information revealed at the panel," said eBay representative Kevin Purseglove. "For the most part, the working group will continue to maintain its confidentiality because there is some concern that we do not want to disclose anything that we have learned that would tip our hand to those individuals who would repeat the attacks against eBay and other sites."
The working group meets as one of its members, ISS, warns of new mutations of the original Trinity and Stacheldraht DDoS tools implicated in February's attacks. Two variants, Stacheldraht 1.666+antigl+yps and Stacheldraht 1.666+smurf+yps, along with a variant of Trinity dubbed entitee, have been observed in use on the Internet.
The new versions provide for new types of attacks and come with different encryption, according to ISS. That new encryption has bugs, however, which the company says will make its countermeasures easier.
In bad news for Web sites--but apparently good news for security firms such as ISS--new versions of DDoS attacks and tools show no signs of letting up.
"It's like computer viruses," said Chris Rouland, in charge of ISS' research and development team. "There are going to be new ones all the time."