A University of Massachusetts Amherst researcher claims to have developed a new approach to tracing denial-of-service (DoS) attacks, tracking the source of such onslaughts using just a single bit of information added to each Internet message.
UMass associate professor Micah Adler told NewsFactor that while there is really no way to stop a DoS attack, the new packet-encoding technique identifies the source of Internet traffic more accurately and can help halt a denial of service while it is in progress.
Adler said that packets of information sent as part of a DoS attack will always be able
to masquerade as legitimate traffic. Enforcing accountability and employing automated
techniques to quickly stop an attack in progress are "the best we can hope for," he said.
Advanced Threat Is Norm
SecurityFocus incident analyst Ryan Russell told NewsFactor that while previous packet-marking techniques have been attempted, the difficulty is doing something in time to stop a DoS attack.
"If someone has built up a relatively large attack network with 1,000 machines, you're
going to want to find out what's attacking," Russell said. "However, how long is it
going to take you to clean up 1,000 boxes?"
Russell also said the more sophisticated, multisource attack is becoming the norm in
denial-of-service attempts. "That has kind of become the standard threat to a
large degree."
Automated Tracing
The new tracking system, which builds on an approach known as "probabilistic packet
marking" (PPM), requires significantly fewer bits in Internet message headers to tell
DoS victims the source of attack.
Adler said the technique is a novel way of encoding a description of the attack path in a single bit of each packet's header. Routers along the path run a protocol on each packet to determine that bit's value. If a large number of packets come from the same source, as in a DoS attack, the identity of the routers along the path and the original source can be determined, he explained.
"It is surprising that you can get away with only a single bit in the header, and still
transmit the entire description of the path to the victim," Adler said. "What is perhaps
even more surprising is that there is a fairly simple technique that allows you to do
so."
Router Requirements
The technique is somewhat limited, however, with the biggest technological obstacle
being deployment on the vast number of routers that support the Internet.
"In order for this technique to be effective, a large number of routers in the Internet
must be running this protocol," Adler said.
He added that because of the way packets of data are forwarded on the Internet, intermediate routers cannot store information about past traffic, nor keep track of which bits of path information have already been sent.
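A toy simulation of the single-bit marking idea described in the "Automated Tracing" section and of the stateless router constraint just mentioned, added here as an illustration; it is not Adler's published scheme and not code from the article. Each router is assumed to contribute one identity bit by overwriting the mark with probability 1/2, so the fraction of marked packets the victim receives is the path written as a binary fraction; the path length, identity bits, overwrite probability and packet count are all constructed for the demonstration.

```python
import random


def router_mark(in_bit, identity_bit, rng, p=0.5):
    """Stateless per-packet rule run by every router: with probability p overwrite
    the single mark bit with this router's identity bit, otherwise forward the
    incoming mark unchanged. No per-flow state and no knowledge of what earlier
    routers did is needed (assumed model, not the paper's exact protocol)."""
    return identity_bit if rng.random() < p else in_bit


def send_flood(path_bits, n_packets, rng):
    """Push n_packets from one source through the routers listed in path_bits
    (path_bits[0] is adjacent to the attacker, path_bits[-1] adjacent to the
    victim). The attacker controls the initial mark; here it is a coin flip."""
    marks = []
    for _ in range(n_packets):
        b = rng.randrange(2)          # attacker-chosen initial mark
        for ident in path_bits:
            b = router_mark(b, ident, rng)
        marks.append(b)
    return marks


def expected_fraction(path_bits):
    """With p = 1/2, Pr[mark = 1] = 0.x_n x_(n-1) ... x_1 in binary, x_n being the
    router nearest the victim. The attacker's initial mark shifts this by at most
    2^-n (exactly 2^-(n+1) for a coin flip), so a single source can move the code
    by at most one unit of its last digit and cannot forge the higher ones."""
    return sum(x / 2 ** (k + 1) for k, x in enumerate(reversed(path_bits)))


def decode_path(marks, path_len):
    """Victim side: estimate Pr[mark = 1] from the received marks and read off its
    first path_len binary digits, one router identity bit each. The estimate must
    be accurate to within 2^-path_len, which takes on the order of 2^(2*path_len)
    packets: the exponential price of a one-bit header field."""
    q = sum(marks) / len(marks)
    code = int(q * 2 ** path_len)     # binary digits are x_n ... x_1
    nearest_first = [(code >> (path_len - 1 - i)) & 1 for i in range(path_len)]
    return list(reversed(nearest_first))   # attacker-side first, like path_bits


def demo(seed=1, path_bits=(1, 0, 1, 1, 0), n_packets=100_000):
    """Constructed sample: a 5-hop path and a 100k-packet single-source flood;
    returns the decoded path, which should equal path_bits."""
    rng = random.Random(seed)
    marks = send_flood(list(path_bits), n_packets, rng)
    return decode_path(marks, len(path_bits))
```

Two sources on different paths would mix their fractions into one estimate, which is the multi-source limitation Adler describes below.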
Hurdles Ahead
Among the challenges to making the technique more effective is extending it beyond single-source attacks.
"While the current technique deals quite well with the case where the DoS attack occurs
from a single source, many times DoS attacks are coordinated to occur simultaneously
from multiple sources," Adler told NewsFactor. "While I do have some techniques that
deal with this case, a full understanding of this is still an active area of research."
CERT, a computer security group at Carnegie Mellon University, reported late last year that DoS attacks were becoming easier to launch and harder to fight, due to automated tools and new methods. The group said single-source attacks were continuing, but more damaging multiple-source attacks were on the rise.