Technology Stocks : VA Linux Systems Inc-(Nasdaq:LNUX)

To: BradleyMarshall who wrote (270) 6/5/2001 3:05:46 PM
From: Ron   of 282
 
Expert Says Windows XP Aids Vandals
By JOHN MARKOFF and JOHN SCHWARTZ
The New York Times
The Internet is sustaining a growing plague of attacks that overwhelm Web sites by
flooding them with data, and an Internet security expert is warning Microsoft that the
planned consumer rollout of its Windows XP operating system for personal computers could
make the global network even more vulnerable.

The software, which Microsoft plans to begin selling in the fall, adds some powerful
Internet-connection capabilities that the security expert has urged the company to remove
before putting the product on the market. The new features, he says, make server
computers more susceptible to a type of Web intrusion known as a distributed denial of
service attack, in which attackers remotely commandeer hundreds of personal computers
connected to the Internet and use them to release a disabling deluge of data against a specific
Web site.

Such attacks gained visibility last year when popular commercial Web sites like Amazon,
CNN, Yahoo and eBay were briefly knocked out of service by streams of hostile data. The
attacks have continued this year, with the victims including Microsoft's corporate Web site
and its MSN.com service.

And a recent study by the San Diego Supercomputer Center indicates that this method of
attack, whose blueprint is readily available in the computer underground, is alarmingly on the
rise.

The security expert, Steven Gibson, said he feared that widespread use of Windows XP in
its current form would create a powerful network communications standard that attackers
could widely exploit, particularly as more consumers use high-speed phone lines or cable
modems and keep their computers almost continuously connected to the Internet.

"Nothing more than the whim of a 13-year-old hacker is required to knock any user, site or
server right off of the Internet," said Mr. Gibson, who warned Microsoft after a denial-
of-service attack recently disabled his company's Web site for 17 hours.

He said the attacker in fact identified himself as a 13-year-old who had decided to cripple the
company's site after reading derisive comments about young hackers that he believed Mr.
Gibson had made.

Microsoft executives responded that they respected Mr. Gibson's opinions but that the
network security features of Windows XP were strong enough to deter widespread attacks of
the kind he feared.

Mr. Gibson, a longtime software designer, heads the Gibson Research Corporation in
Laguna Hills, Calif., a publisher of Internet security software. His Web site, grc.com,
provides a colorful account of the attack, which began on Friday evening, May 4 and
continued into the next day.

He said that he and his Internet service provider were finally able to stop the attack by
filtering out the malicious packets of data, which they determined were coming from various
unsecured Windows-based PC's on the Internet that the hacker had commandeered without
their owners' knowledge.

Newer versions of Windows, including Windows 2000, designed for office PC's, and
Windows XP have enhanced programming to link computers to the Internet. That software
can potentially give mischievous or malicious programmers greater flexibility to send out
torrents of fake data streams with false addresses. Mr. Gibson said the identifying
characteristics of the data that had enabled him to filter out the packets would be far more
difficult to detect in the newer versions of Microsoft's operating systems.

"When those insecure and maliciously potent Windows XP machines are mated to
high-bandwidth Internet connections," he wrote on his Web site, "we are going to experience
an escalation of Internet terrorism the likes of which has never been seen before."

Microsoft argues that Mr. Gibson is misplacing the blame.

"We had an exchange with him two or three weeks ago," said Steve Lipner, manager of
Microsoft's Security Response Center. "We feel he's focused on mechanism rather than
effect. The more fundamental issue is whether I can get hostile code running on your
machine. If I can't, then there isn't a problem." Mr. Lipner said the enhanced security
features also included in the new versions of Windows would make the machines more
difficult for attackers to remotely commandeer.

Some other security experts questioned whether the remedies Mr. Gibson is seeking from
Microsoft would solve the problems. Peter G. Neumann of SRI International, a research
firm in Silicon Valley, said that the network vulnerabilities go far deeper than the enhanced
communication features of Windows XP.

"This is just one more example of how flaky our computer-communication infrastructures
are," Mr. Neumann said. He asserted that more robust hardware and software must be
designed from the ground up with defense against denial of service and other attacks in mind,
instead of dealing with the issues as an afterthought.

Few would dispute, however, that there is a growing Internet security threat, particularly as
more users have high-speed network connections that encourage them to keep their
computers almost continuously online, whether they know it or not. In three weeks of
observation in February, researchers at the San Diego Supercomputer Center at the
University of California at San Diego, recorded nearly 13,000 attacks against 5,000 Web
sites. At any one time, there were some 40 attacks under way. The attacks tended to be
brief, with 90 percent lasting less than an hour.

But 2 percent of the attacks spanned a period of days, or even weeks, said the authors of the
report. And the researchers noted that they believed their methods probably missed many
variants of denial of service attacks, and so the estimates were conservative — perhaps only
half of the actual total.

"So-called denial of service attacks are a growing problem, and are particularly difficult to
fight," said Stefan R. Savage, an author of the report and professor of computer science at
the University of California at San Diego. "It undoubtedly has grown," he said. "Nobody had
heard of denial of service attacks three or four years ago."

A distributed denial of service attack involves a network intruder's breaking into a wide
number of machines connected to the Internet and then directing them to send streams of
data packets at a target computer. The owners of the hostage computers most likely will not
know that their machines are being subverted. Such an attack floods the target system with
millions or even billions of messages that tie up its resources, keeping legitimate users from
gaining access to the site.

Strategies for countering such attacks are limited, Mr. Savage said. He said he was skeptical
about the proposed Microsoft approach, which involves improving Internet security and its
many machines worldwide to prevent their being used as zombies.

"Ultimately, I'm pessimistic about that approach," he said. "There are hundreds of millions of
machines out there, and getting everyone to secure them is a hopeless task."

Another approach involves automating the steps that Mr. Gibson took during the May 4
attack: figuring out which incoming packets of data are linked to the attack and filtering them
out.

That approach is being tried by a company Mr. Savage co-founded, Asta Networks, and
also by companies like Mazu Networks in Cambridge, Mass. But those approaches succeed
or fail on the quality of the filter used to distinguish the digital babies from the bath water,
and Mr. Savage described it as a daunting task. "Unfortunately, there's nothing in these
packets that says, 'Hi, I'm a bad packet.'"