Cyberattacks could have been mitigated

Agencies should improve relationships with service providers, experts urge

Agencies and their service providers need better coordination to quickly stop the type of cyberattacks that recently targeted government Web sites, security experts say.

How a distributed denial-of-service attack works

  1. An attacker hijacks other computers using a virus or other malicious software. The hijacked computers become bots, under the attacker's control.
  2. The attacker instructs the hijacked computers to repeatedly send data packets to the targeted organization's Web servers.
  3. As a flood of packets comes in from thousands of compromised computers, the target's servers become overwhelmed, essentially shutting down the Web site.

Source: SearchSecurity.com

The distributed denial-of-service (DDOS) attacks, which targeted a range of government and private-sector Web sites in the United States and South Korea, affected targets differently. Organizations that work closely with their service providers were able to sidestep the effects of the attacks more readily than those that didn't, analysts say.

“Large banks in the United States have great relationships with service providers, so why doesn’t the U.S. government have a good relationship with their service providers to ensure that they can quickly turn the spigot off?” asked John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent research institute.

In recent years, large-scale DDOS attacks also hit Web sites in the nations of Estonia and Georgia. Those attacks and the recent incidents that targeted U.S. sites used botnets, in which computers, hijacked and controlled remotely, were used to overload systems, experts say. DDOS attacks are fairly simple cyberattacks, relying on sheer numbers to shut down Web sites.

Bumgarner said the inability of some agencies to mitigate the recent attacks shows the U.S. government didn’t learn the lessons of the attacks on Estonia and Georgia. He said those nations didn’t have established relationships with their providers that they could quickly use to their advantage during a national crisis.

Tips for future attacks

Although it appears that recent distributed denial-of-service attacks targeting government agencies didn’t cause lasting damage, experts say agencies need to know better ways to detect and stop them. Alan Paller, director of research at the SANS Institute, and John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, offer these suggestions.

  • Monitor the traffic that’s coming in.
  • Have immediate and pre-positioned response strategies for working with Internet service providers to put filters in place.
  • Configure edge routers in ways that protect the networks.
  • Conduct performance tuning on all Web applications.
  • Stress-test all public-facing Web applications in a controlled lab environment.
  • Establish secure communication channels with ISPs and the U.S. Computer Emergency Readiness Team.
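The first two tips above, monitoring incoming traffic and having a filter request ready for the provider, can be illustrated with a small script. The following Python program is an added example, not code from the article or from the experts it quotes: it parses Web-server access-log lines in the common log format, counts requests per source address within a sliding time window, flags sources whose peak rate exceeds a threshold, and turns the result into the sorted source list an agency would hand to its ISP or put into an edge-router filter. The log lines, the addresses (taken from the reserved documentation ranges) and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format as written by Apache or nginx, e.g.
# 203.0.113.7 - - [07/Jul/2009:22:15:01 +0000] "GET / HTTP/1.1" 200 5120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def flag_sources(lines, window_seconds=10, max_requests=5):
    """Map each source IP to its peak request count inside any sliding window of
    window_seconds, keeping only sources whose peak exceeds max_requests.
    Unparseable lines are skipped rather than aborting the run."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        per_ip[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most window_seconds.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


def summary(lines):
    """(distinct sources, total parsed requests): the two numbers that show whether
    a traffic surge is many sources sending a little or a few sending a lot."""
    parsed = [p for p in (parse_line(l) for l in lines) if p is not None]
    return len({p[0] for p in parsed}), len(parsed)


def build_blocklist(flagged):
    """Sorted address list to hand to the ISP or load into an edge-router filter."""
    return sorted(flagged)


# Constructed sample log (not real traffic). Addresses are from RFC 5737 ranges.
def _line(ip, hhmmss, path="/"):
    return f'{ip} - - [07/Jul/2009:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 5120'


SAMPLE_LOG = (
    [_line("203.0.113.7", f"22:15:{s:02d}") for s in range(8)]          # 8 hits in 8 seconds
    + [_line("198.51.100.20", f"22:{15 + m:02d}:30") for m in range(8)]  # 8 hits over 7 minutes
    + [_line("192.0.2.5", "22:15:03"), _line("192.0.2.5", "22:16:40")]   # ordinary visitor
    + ["garbage line that does not parse"]                               # malformed entry
)

if __name__ == "__main__":
    sources, total = summary(SAMPLE_LOG)
    print(f"{total} requests from {sources} distinct sources")
    hot = flag_sources(SAMPLE_LOG)
    for ip, peak in hot.items():
        print(f"flag {ip}: peak {peak} requests inside a 10 s window")
    print("filter request for ISP:", build_blocklist(hot))
```

With the defaults only 203.0.113.7 is flagged; the source that sends the same eight requests spread over seven minutes stays below the per-window threshold, which is the distinction a rate-based monitor must make to avoid filtering legitimate visitors. The window and threshold are tunable, and the same counting can be run against router flow exports instead of Web-server logs.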

Some of the security people at government agencies didn’t even know who their Internet service providers are, said Alan Paller, director of research at the SANS Institute. "The most important lesson learned: too many federal agency security people did not know which network service provider (NSP) connected their web sites to the Internet so they could not get the NSP to filter traffic," Paller added.

U.S. government sites reported to have been among the targets of the attacks that hijacked tens of thousands of computers include: the White House; the State, Transportation, Defense, Treasury, and Homeland Security departments; the National Security Agency; the Secret Service; and the Federal Trade Commission.

Nick Shapiro, a White House spokesman, said that as of the night of July 7, all federal Web sites were back up and running and that the attacks “had absolutely no effect on the White House's day-to-day operations."

"The preventative measures in place to deal with frequent attempts to disrupt WhiteHouse.gov's service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected," he added.

However, the attack disrupted some other agency sites during the July 4 holiday weekend and into the early part of the work week, including the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department, according to published reports.

In a statement, DHS said its U.S. Computer Emergency Readiness Team had issued a notice to federal departments and agencies advising them of steps to take to help mitigate such attacks. The department also said that attacks on federal networks happen every day and that “measures in place have minimized the impact to federal Web sites.”

Paller said DHS "did a really good job of finding those network service providers that the agency didn’t know about because they have good connections with them.”

Patricia Titus, former chief information security officer at DHS’ Transportation Security Administration and currently chief information security officer at Unisys Federal Systems, said she believed determinations on how to handle remediation were made on a case-by-case basis by the agencies depending on the nature of the attack. Titus said the slower pace at which some sites came back online could be a result of agency officials being cautious in their forensic work.

It’s also possible, she said, that the complexity of the information technology architecture of some agencies makes it more difficult for them to be nimble and come back online quickly. Titus said these types of incidents often “give an opportunity to the security office and the CIO to ask for additional funding for capabilities that they may not have had.”

Bumgarner said that for years, the government’s cybersecurity posture has been primarily focused on reducing information theft, and although that’s important, it represents only a small piece of a larger security picture.

“The success of these recent DDOS attacks suggests that our government may be missing some important pieces needed to complete the overall security puzzle,” he said.

Reader comments

Thu, Jul 9, 2009 JaeKuk Lee Korea

Many South Korean government sites and e-commerce sites use IntruGuard equipment for DDoS mitigation. All these sites withstood the attacks easily. Specialized DDoS mitigation equipment is required for thwarting these attacks. Routers, application tuning, etc. as suggested by the author are not sufficient.