Smartening Up the Routers
A Way to Put Cybervandals Out of Business?
by David Nevin
In February, hackers took remote control of thousands
of computers scattered around the world. Using a technique known as
a Distributed Denial of Service attack (or DDoS), they effectively shut
down two major Internet services -- Yahoo! and eBay -- for several hours
and severely hampered another, CNN. Aside from the inconvenience to
users, it is estimated these attacks cost millions of dollars in lost
revenue for these e-businesses.
More recently, a computer virus known as ILOVEYOU caused
disorder around the world. The cost estimate of that damage is climbing
into the billions of dollars.
The Internet is vulnerable to such an attack because
of the way it works at the lowest levels. Fundamentally, the Internet
is a collection of simple computers known as routers connected by cables.
These routers are well-named: they route traffic along those cables.
That traffic is composed of small groupings of data
known as packets. Packets are composed of two parts, an addressing unit
and a data, or content, unit. A packet is sort of like a post card.
It typically takes several of them to constitute an entire e-mail message.
The easiest way to picture the movement of packets
from router to router is to recall the last trip you took to the drive-in
lane at your bank, especially the part where a vacuum tube scooted your
deposit right up to the teller.
Well, suppose that the Internet is a series of banks.
And instead of the Internet's being composed of routers connected by
cables, it's a series of tellers connected by vacuum tubes.
Next, imagine you're sitting in front of your computer
in Hutchinson, Kansas, and you send an e-mail requesting information
from a friend in Chicago.
The e-mail is sucked into a vacuum tube (the cable)
to a teller (the router). It arrives in a few chunks (the packets).
The teller is facing a group of vacuum tubes. The teller looks at the
address on the first chunk.
He then glances at a big chart that tells him which
tube goes towards Chicago. (He's very busy and not very bright, but
he does follow these directions well.) So one chunk gets routed to another
teller, who puts it in another tube. The process is repeated with the
other chunks. Finally, all the chunks reach the address on the card,
and the message can be delivered.
On the real Internet, this process is all invisible
to the computer user. A program on your computer is able to take those
chunks and reassemble them into the complete message you see on your
screen.
In a typical DDoS attack, a malicious hacker runs a
program that connects to several hundred or several thousand other computers.
Using those captured computers, the hacker sends thousands of packets
to one specific site as fast as all those computers can physically send
them. The targeted web site -- or the router at that web site -- becomes
overwhelmed and can no longer respond to normal requests for information.
Think of one of our poor tellers above being buried under a stack of
postcards. (See "Hack Attack: How It Happens.")
Gary Minden and Joe Evans, professors of electrical
engineering and computer science at the University of Kansas Information and
Telecommunication Technology Center, are working to solve such problems.
Their solution: raise the I.Q. of the tellers.
Smartening Up Routers
Their approach is to harness technological innovations
to create a system called active networking. Their project involves
KU and 30 other research facilities, including ones at MIT, Princeton
and the University of Arizona.
The concept of active networking was developed when
Minden was a program manager at the Defense Advanced Research Projects
Agency, or DARPA, in the mid-1990s. The concept was developed in response
to the rapid growth of the Internet and numerous new devices (personal
data assistants, mobile phones, pagers, etc.) that were starting to
connect to it. Minden said that security was a major issue as researchers
developed active networking.
"Even then we knew most of the attacks you're hearing
about these days," Minden said. "We knew of denial of service attacks.
We were aware of viruses. So security was very strongly emphasized from
the beginning."
So how does active networking work? It allows network
administrators to insert intelligence -- programs -- anywhere in the
network. In effect, they're able to train the routers (the tellers in
our example) to respond directly to attacks.
"Right now, the network is pretty dumb," Evans mused.
"It's designed to make decisions about sending traffic one way or another,
and that's it. Active networks allow you to have more dynamic responses
to these kinds of attacks."
Movable Firewalls
Currently, certain routers are designed to make decisions
about the packets. One such decision-making router is known as a firewall.
It allows only "approved" packets -- packets from certain addresses
-- to pass through to certain sections of the network. Businesses set
firewalls in place where their private networks connect to the Internet.
But firewalls are limited.
"The problem with these types of defenses is that the
rules they run under are pretty static," Evans said. "You dump the firewall
in place once and change it every three months or so. Things like these
DDoS attacks come along, and you're really kinda stuck because you had
the rules in there for last month's attack but not today's attack."
Active networking would allow these rules to change
quickly. In special situations, it would allow a network administrator
in a system under attack to send instructions to routers outside her
network -- in effect moving the corporate firewall back to the source
of attack. In the recent ILOVEYOU virus attack, active networking could
have easily halted the rapid spread of the virus.
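The two ideas in this article, routers forwarding chunks of a message by consulting a chart and a rule set that can be pushed into a running router, can be shown in a small simulation. The code below is an added example written for this page, not software from the KU active-networking project or any vendor. Everything in it is constructed: the three routers and their forwarding charts, the hosts in Hutchinson and Chicago, five "captured" machines flooding a shop site, and the rate-limit rule a network administrator pushes upstream. It shows a message being split into packets, routed teller to teller and reassembled, and then compares a static firewall at the victim's edge with the same rule installed at the source side of the network, which is the "movable firewall" idea.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # sending host
    dst: str      # destination host: the address side of the postcard
    seq: int      # which chunk of the message this is (0-based)
    total: int    # how many chunks make up the whole message
    payload: str  # the content side of the postcard


# A filtering rule inspects a packet at a router: True = forward, False = drop.
Rule = Callable[["Router", Packet], bool]


class Router:
    """The 'teller': checks its rules, then looks up which tube an address goes down."""

    def __init__(self, name: str, table: Dict[str, str]):
        self.name = name
        self.table = table                  # dst host -> next router name, or "deliver"
        self.rules: List[Rule] = []         # firewall rules; can be changed while running
        self.per_source = defaultdict(int)  # packets seen from each source host
        self.received = 0                   # how buried this teller is
        self.dropped = 0

    def install_rule(self, rule: Rule) -> None:
        """The active-networking step: push a new rule into a running router."""
        self.rules.append(rule)

    def forward(self, pkt: Packet) -> Optional[str]:
        self.received += 1
        self.per_source[pkt.src] += 1
        if not all(rule(self, pkt) for rule in self.rules):
            self.dropped += 1
            return None
        return self.table.get(pkt.dst)      # None if the chart has no entry


def rate_limit_per_source(max_packets: int) -> Rule:
    """Drop a source once it has pushed more than max_packets through this router."""
    return lambda router, pkt: router.per_source[pkt.src] <= max_packets


class Network:
    def __init__(self, routers: List[Router], attachments: Dict[str, str]):
        self.routers = {r.name: r for r in routers}
        self.attachments = attachments      # host -> the router it plugs into
        self.mailboxes: Dict[str, Dict[int, Packet]] = defaultdict(dict)

    def send(self, pkt: Packet) -> bool:
        """Walk the packet from router to router until it is delivered or dropped."""
        here: Optional[str] = self.attachments[pkt.src]
        while here is not None and here != "deliver":
            here = self.routers[here].forward(pkt)
        if here == "deliver":
            self.mailboxes[pkt.dst][pkt.seq] = pkt
            return True
        return False

    def reassemble(self, host: str) -> Optional[str]:
        """What the program on the receiving computer does: put the chunks back in order."""
        chunks = self.mailboxes.get(host, {})
        if not chunks:
            return None
        total = next(iter(chunks.values())).total
        if len(chunks) != total:
            return None                     # a chunk is still missing
        return "".join(chunks[i].payload for i in range(total))


def split_message(src: str, dst: str, text: str, chunk_size: int = 8) -> List[Packet]:
    """Cut one e-mail into postcard-sized packets."""
    pieces = [text[i:i + chunk_size] for i in range(0, len(text), chunk_size)] or [""]
    return [Packet(src, dst, i, len(pieces), p) for i, p in enumerate(pieces)]


def build_network() -> Network:
    # Constructed topology: Kansas edge -> middle -> Chicago edge.
    r_ks = Router("R_ks", {"chicago": "R_mid", "shop": "R_mid", "kansas": "deliver"})
    r_mid = Router("R_mid", {"chicago": "R_chi", "shop": "R_chi", "kansas": "R_ks"})
    r_chi = Router("R_chi", {"chicago": "deliver", "shop": "deliver", "kansas": "R_mid"})
    attachments = {"kansas": "R_ks", "chicago": "R_chi", "shop": "R_chi"}
    for b in range(5):
        attachments[f"bot{b}"] = "R_ks"     # captured machines sit far from the victim
    return Network([r_ks, r_mid, r_chi], attachments)


def run_scenario(active: bool) -> Dict[str, object]:
    """Static firewall at the victim's edge only, versus the same rule pushed upstream."""
    net = build_network()
    limit = rate_limit_per_source(20)       # constructed threshold, for illustration only
    net.routers["R_chi"].install_rule(limit)
    if active:
        net.routers["R_ks"].install_rule(limit)   # the firewall moved toward the source
    for b in range(5):                      # the flood: 5 bots x 100 packets at "shop"
        for i in range(100):
            net.send(Packet(f"bot{b}", "shop", i, 100, "junk"))
    for pkt in split_message("kansas", "chicago", "Please send the report"):
        net.send(pkt)                       # the legitimate e-mail, sent during the flood
    return {
        "message": net.reassemble("chicago"),
        "victim_edge_load": net.routers["R_chi"].received,
        "dropped_at_source": net.routers["R_ks"].dropped,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("active" if mode else "static", run_scenario(mode))
```

In the static case every one of the 500 flood packets crosses the whole network and lands on the Chicago edge router before the rule discards it; in the active case the Kansas edge router drops 400 of them and the victim's edge sees only 103 packets, while the three-chunk e-mail still arrives and reassembles in both runs. The threshold and topology are toy values; the point is where the rule sits, not the number.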
All this sounds great. But getting this put into effect
over the entire Internet would not be an easy task. Minden sees deployment
occurring in stages. Initially, he sees active networking being used
in network management, at a level below user connectivity. Then it will
spread out, becoming a series of new services offered by network companies.
Evans believes that initially there will be "islands"
of active networks connected by the traditional network. What will cause
the spread of active networking will be good old-fashioned marketing.
"If one networking service provider offers active networking
protection against things like DDoS attacks at the same price another
offers traditional, static networking, the customer is more likely to
be attracted to the active networking service provider," Evans said.
Piecing Together an Active Network
Currently, KU researchers are taking all the physical
components of an active network and assembling them into a prototype
system. That's not an easy task, Minden said:
"Fitting all these pieces together is very tedious.
We'll take a collection of circuit boards that half a dozen groups have
been working on for two to three years and pull them all together. You
know things are supposed to fit together, but the first time you try,
you find this hole's off a little bit, or this peg was supposed to bend
the other direction."
Building an active network is more than just piecing
together hardware components. To make active networking function, different
pieces of software need to work together. Plus, active networking needs
to be compatible with the rules, known as protocols, that existing networks
follow.
When these tasks are finished, the standard configuration
of an active networking router will be ready. The KU researchers' software
will be distributed to various test sites, along with instructions for
building the hardware to run it. And, of course, testing will follow.
It will still be several years before active networking reaches the
average user.
But the recent outbreak of attacks across the Internet
may be just the marketing strategy researchers need to get companies
to invest in the benefits offered by this new technology.
Nevin serves as chief information officer for the
KU Center for Research.