Smartening Up the Routers: A Way to Put Cybervandals Out of Business?
By David Nevin
In February, hackers took remote control of thousands of computers scattered around the world. Using a technique known as a Distributed Denial of Service attack (or DDoS), they effectively shut down two major Internet services -- Yahoo! and eBay -- for several hours and severely hampered another, CNN. Aside from the inconvenience to users, it is estimated these attacks cost millions of dollars in lost revenue for these e-businesses.
More recently, a computer virus known as ILOVEYOU caused disorder around the world. The cost estimate of that damage is climbing into the billions of dollars.
The Internet is vulnerable to such an attack because of the way it works at the lowest levels. Fundamentally, the Internet is a collection of simple computers known as routers connected by cables. These routers are well-named: they route traffic along those cables.
That traffic is composed of small groupings of data known as packets. Packets are composed of two parts, an addressing unit and a data, or content, unit. A packet is sort of like a post card. It typically takes several of them to constitute an entire e-mail message.
The easiest way to picture the movement of packets from router to router is to recall the last trip you took to the drive-in lane at your bank, especially the part where a vacuum tube scooted your deposit right up to the teller.
Well, suppose that the Internet is a series of banks. And instead of the Internet's being composed of routers connected by cables, it's a series of tellers connected by vacuum tubes.
Next, imagine you're sitting in front of your computer in Hutchinson, Kansas, and you send an e-mail requesting information from a friend in Chicago.
The e-mail is sucked into a vacuum tube (the cable) to a teller (the router). It arrives in a few chunks (the packets). The teller is facing a group of vacuum tubes. The teller looks at the address on the first chunk.
He then glances at a big chart that tells him which tube goes towards Chicago. (He's very busy and not very bright, but he does follow these directions well.) So one chunk gets routed to another teller, who puts it in another tube. The process is repeated with the other chunks. Finally, all the chunks reach the address on the card, and the message can be delivered.
On the real Internet, this process is all invisible to the computer user. A program on your computer is able to take those chunks and reassemble them into the complete message you see on your screen.
In a typical DDoS attack, a malicious hacker runs a program that connects to several hundred or several thousand other computers. Using those captured computers, the hacker sends thousands of packets to one specific site as fast as all those computers can physically send them. The targeted web site -- or the router at that website -- becomes overwhelmed and can no longer respond to normal requests for information. Think of one of our poor tellers above being buried under a stack of postcards.
Gary Minden and Joe Evans, researchers at the University of Kansas Information Telecommunications Technology Center, are working to solve such problems. Their solution: raise the I.Q. of the tellers.
Smartening Up Routers
Their approach is to harness technological innovations to create a system called active networking. Their project involves KU and 30 other research facilities, including ones at MIT, Princeton and the University of Arizona.
The concept of active networking was developed when Minden was a program manager at the Defense Advanced Research Projects Agency, or DARPA, in the mid-1990s. The concept was developed in response to the rapid growth of the Internet and numerous new devices (personal digital assistants, mobile phones, pagers, etc.) that were starting to connect to it. Minden said that security was a major issue as researchers developed active networking.
"Even then we knew most of the attacks you're hearing about these days," Minden said. "We knew of denial of service attacks. We were aware of viruses. So security was very strongly emphasized from the beginning."
So how does active networking work? It allows network administrators to insert intelligence -- programs -- anywhere in the network. In effect, they're able to train the routers (the tellers in our example) to respond directly to attacks.
"Right now, the network is pretty dumb," Evans mused. "It's designed to make decisions about sending traffic one way or another, and that's it. Active networks allow you to have more dynamic responses to these kinds of attacks."
Currently, certain routers are designed to make decisions about the packets. One such decision-making router is known as a firewall. It allows only "approved" packets -- packets from certain addresses -- to pass through to certain sections of the network. Businesses set firewalls in place where their private networks connect to the Internet. But firewalls are limited.
"The problem with these types of defenses is that the rules they run under are pretty static," Evans said. "You dump the firewall in place once and change it every three months or so. Things like these DDoS attacks come along, and you're really kinda stuck because you had the rules in there for last month's attack but not today's attack."
Active networking would allow these rules to change quickly. In special situations, it would allow a network administrator in a system under attack to send instructions to routers outside her network -- in effect moving the corporate firewall back to the source of attack. In the recent ILOVEYOU virus attack, active networking could have easily halted the rapid spread of the virus.
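As an added illustration (not code from the article or from the KU project) of the contrast drawn above between a static firewall and an active network, here is a toy Python model of the tellers: the kind of flood described earlier buries the edge router, while a per-source cap pushed to the upstream router lets the legitimate packets through. All addresses, thresholds and traffic are constructed for the demo.

```python
"""Toy tellers: an upstream router feeding an edge router whose static firewall
rule dates from last month's attack; the active mode pushes a rule upstream."""
import random
from collections import Counter, defaultdict

class Router:
    def __init__(self, capacity):
        self.capacity = capacity   # packets it can forward in one batch
        self.blocked = set()       # static firewall rule: sources to drop
        self.per_source_cap = {}   # active rule: destination -> cap per source
    def forward(self, packets):
        """Forward one batch; packets beyond capacity are dropped (tail drop)."""
        seen, out = Counter(), []
        for src, dst in packets:
            if src in self.blocked:
                continue
            cap = self.per_source_cap.get(dst)
            if cap is not None and seen[(src, dst)] >= cap:
                continue           # over the active rule's per-source cap
            seen[(src, dst)] += 1
            if len(out) < self.capacity:
                out.append((src, dst))
        return out

def detect_flood(packets, threshold):
    """Destination hearing from the most distinct sources, as (dst, n), if n > threshold."""
    sources = defaultdict(set)
    for src, dst in packets:
        sources[dst].add(src)
    dst, srcs = max(sources.items(), key=lambda kv: len(kv[1]))
    return (dst, len(srcs)) if len(srcs) > threshold else None

def make_traffic(seed=1):
    """Constructed batch: 10 users to 'victim' and 'news', 40 bots x 20 packets to 'victim'."""
    batch = [(f"user{i}", d) for i in range(10) for d in ("victim", "news")]
    batch += [(f"bot{i}", "victim") for i in range(40) for _ in range(20)]
    random.Random(seed).shuffle(batch)
    return batch

def run(active):
    """Return (legit delivered, legit sent, total delivered) for one batch."""
    upstream, edge = Router(10_000), Router(100)
    edge.blocked.add("bot0")       # rule written for last month's attacker
    batch = make_traffic()
    hit = detect_flood(batch, threshold=20) if active else None
    if hit:                        # edge router installs a rule on the upstream router
        upstream.per_source_cap[hit[0]] = 1
    delivered = edge.forward(upstream.forward(batch))
    legit = lambda pkts: sum(1 for s, _ in pkts if s.startswith("user"))
    return legit(delivered), legit(batch), len(delivered)
```

With the static rule only, the edge router forwards its first 100 packets and most of the 20 legitimate ones are lost; with the upstream cap installed, all 20 arrive.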
All this sounds great. But getting this put into effect over the entire Internet would not be an easy task. Minden sees deployment occurring in stages. Initially, he sees active networking being used in network management, at a level below user connectivity. Then it will spread out, becoming a series of new services offered by network companies.
Evans believes that initially there will be "islands" of active networks connected by the traditional network. What will cause the spread of active networking will be good old-fashioned marketing.
"If one networking service provider offers active networking protection against things like DDoS attacks at the same price another offers traditional, static networking, the customer is more likely to be attracted to the active networking service provider," Evans said.
Piecing Together an Active Network
Currently, KU researchers are taking all the physical components of an active network and assembling them into a prototype system. That's not an easy task, Minden said:
"Fitting all these pieces together is very tedious. We'll take a collection of circuit boards that half a dozen groups have been working on for two to three years and pull them all together. You know things are supposed to fit together, but the first time you try, you find this hole's off a little bit, or this peg was supposed to bend the other direction."
Building an active network is more than just piecing together hardware components. To make active networking function, different pieces of software need to work together. Plus, active networking needs to be compatible with the rules, known as protocols, that existing networks follow.
When these tasks are finished, the standard configuration of an active networking router will be ready. The KU researchers' software will be distributed to various test sites, along with instructions for building the hardware to run it. And, of course, testing will follow. It will still be several years before active networking reaches the average user.
But the recent outbreak of attacks across the Internet may be just the marketing strategy researchers need to get companies to invest in the benefits offered by this new technology.
For more information, contact ITTC.