09/20/2003 - 2:03 AM ET
Christopher Costigan, Sports911.com
If it's not one book it's another and Hollywood Sports out of San Pedro, Costa Rica appears to be the latest victim.
Denial of Service attacks can be costly to a business. They occur when computers from all over the world send traffic with spoofed IP numbers, obtained through unpatched (i.e. poorly secured) providers, many of which we learned are cable companies such as Comcast. These are also often referred to as SYN attacks.
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections--telnet, Web, email, etc.
The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between the client and the server. Here is a view of this message flow:
Client                    Server
------                    ------
SYN-------------------->
                      <--------------------SYN-ACK
ACK-------------------->

Client and server can now
send service-specific data
The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is what we mean by a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.
Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.
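The finite table of pending connections described above, as an added example that is not part of the original article: a toy listener with a fixed backlog, a constructed packet log in which one legitimate client completes the handshake while eight spoofed sources send SYN only, and a detector that flags sources which never send the closing ACK. The server address, the client addresses and the backlog size are constructed placeholders.

```python
from dataclasses import dataclass, field

SERVER = "203.0.113.10"  # placeholder address of the attacked server

# Constructed packet log as (src, dst, TCP flags): one legitimate client completes
# the handshake, eight spoofed sources send SYN only, then a second client tries.
PACKETS = [("198.51.100.7", SERVER, "SYN"), (SERVER, "198.51.100.7", "SYN-ACK"),
           ("198.51.100.7", SERVER, "ACK")]
PACKETS += [(f"192.0.2.{i}", SERVER, "SYN") for i in range(1, 9)]
PACKETS += [("198.51.100.8", SERVER, "SYN")]

@dataclass
class Listener:
    """Server listener whose table of pending (half-open) connections is finite."""
    backlog: int
    half_open: set = field(default_factory=set)
    established: int = 0
    refused: int = 0

    def on_packet(self, src, flags):
        if flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.refused += 1        # table full: even a legitimate SYN is dropped
                return "DROP"
            self.half_open.add(src)      # SYN-ACK goes out; entry waits for the ACK
            return "SYN-ACK"
        if flags == "ACK" and src in self.half_open:
            self.half_open.discard(src)  # handshake complete, entry released
            self.established += 1
            return "ESTABLISHED"
        return "IGNORED"

def replay(packets, backlog):
    """Feed every server-bound packet to a fresh listener; return its final state."""
    srv = Listener(backlog)
    for src, dst, flags in packets:
        if dst == SERVER:
            srv.on_packet(src, flags)
    return srv

def syn_only_sources(packets):
    """Sources that sent the server a SYN but never the ACK that completes it."""
    syn = {s for s, d, f in packets if d == SERVER and f == "SYN"}
    ack = {s for s, d, f in packets if d == SERVER and f == "ACK"}
    return syn - ack

def syn_flood_suspected(packets, max_pending):
    """Alert when dangling half-open sources exceed what the backlog can absorb."""
    return len(syn_only_sources(packets)) > max_pending
```

With a backlog of 5, the eight spoofed SYNs fill the table and the second legitimate client is refused along with three of the spoofed ones; with a large backlog nothing is refused but nine entries sit half-open.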
There is very little one can do to prevent such an attack other than trying to conceal a website's IP number, in addition to providing immediate redundancy.
Clients of the affected wagering operations should not fear their personal information such as credit card numbers being leaked to third party perpetrators as DoS attacks do not involve hacking of systems.
It is the business itself that suffers as a result of downtime, and few sportsbooks attacked thus far have escaped unscathed.
In recent weeks, World Wide Tele Sports, Pinnacle and BoDog were all hit, though the latter company was able to overcome the attack almost immediately.
In order to prevent future Denial of Service attacks from occurring, originating ISPs must apply a patch that prevents spoofing from taking place. Unprotected Internet Service Providers are also prone to hacking. Among those cited in attacks over the past few months were the RIPE Network out of Amsterdam, Comcast Cable out of Michigan, Connecticut and the D.C. area, and Asia Pacific.
But in reality, target sites must rely on other ISPs to take the appropriate protective measures, and this is not always an easy task.
While law enforcement agencies are willing to assist Internet Service Providers in gathering pertinent information related to the originating source, the World Wide Web remains a relatively lawless territory where pedophiles, terrorists and hackers tend to operate with little fear of apprehension.
There are products on the market to help mitigate DoS attacks.
RackSpace, a leading hosting service based out of San Antonio, Texas, recently entered into a deal with Riverhead Networks, a leading provider of distributed denial-of-service (DDoS) solutions that ensure business continuity for ISPs.
Hosting services like RackSpace often maintain several sites on one server and when DoS attacks occur, they can bring down an entire network. RackSpace witnessed a record number of such attacks back in June and it seems they now understand their vulnerability.
Other large well known hosting services such as Hostway, based out of Chicago, remain oblivious to such attacks and refuse to assist when they do occur.
Rackspace will deploy Riverhead Networks' vanguard product, the Riverhead Guard™, to perform per-flow analysis on suspected attack traffic to identify and block malicious packets.
When a DDoS attack is launched against a Rackspace customer, PrevenTier's monitoring systems will immediately recognize the threat and alert the Guard to begin mitigation services. All traffic destined for the targeted device will be diverted through the Guard for further per-flow analysis and scrubbing.
The Guard applies a series of patented anti-spoofing, anomaly detection and protocol analysis technologies based on Riverhead's Multi-Verification Process™ (MVP) architecture to identify and remove bad packets while allowing "good" packets to pass, ensuring business continuity. Working together in a single solution, these technologies detect and block today's most stealthy attacks to provide Rackspace customers with reliable, uninterrupted service.