
Webscreen Technology

Introduction: Webscreen Technology

Webscreen Technology Ltd develops and sells specialist internet solutions for organisations who take their IT security seriously. Their products, the WS series, guard against Distributed Denial of Service (DDoS) attacks and are all based on what is called 'CHARM technology'.

CHARM technology uses their patented heuristic algorithms to produce a new class of intelligent protection. With one of these WS solutions you can sleep easily knowing that your visitors can access your web site, even when your web server is under attack.

Webscreen With CHARM Technology

The Webscreen WS100 is a black box solution working at a true 100Mbit/s to defend against Distributed Denial of Service attacks. Through its heuristic algorithms it analyses all traffic, stopping an attack while letting legitimate data through. All configuration and monitoring is accessible through a browser interface.

The Webscreen Range

                    WS100                               WS1000                              WS3000                              WS5000
Performance         100Mb/sec                           1Gb/sec                             2.5Gb/sec                           4Gb/sec
Environment         Corporate networks & data centres   Enterprise networks & data centres  Enterprise networks & ISP networks  ISP & Carrier networks
Monitoring          2m client IP addresses              4m client IP addresses              55m client IP addresses             88m client IP addresses
Internet Behaviour  512 IP addresses                    1000 IP addresses                   50,000 IP addresses                 67,000 IP addresses
ISP only            n/a                                 n/a                                 n/a                                 10Gb/s interface




THE DISTRIBUTED DENIAL OF SERVICE (DDOS) PROBLEM

YOUR WEB SERVER IS VULNERABLE

Distributed Denial of Service (DDoS) is a new breed of attack that could cripple your web server. It will cost you money and customers, and it will take crucial resources to fix. DDoS attacks are dangerous because:

  • DDoS attacks use the infrastructure of the internet to attack en masse
  • DDoS slaves or zombies can self-propagate and distribute themselves
  • DDoS attack tools can disguise themselves by spoofing their identity
  • DDoS tools can use any number of tactics to break through your firewalls
  • DDoS tools exploit the weaknesses in applications
  • DDoS attacks are constantly evolving

NOBODY IS SAFE

WHAT IS A DDOS ATTACK?

A DDoS attack is when many Internet-connected computers (ICCs) located anywhere in the world attack a web server using bogus data. The consequence is a dramatic slowing or failure of your web-connected business.

For an attack to happen, the malicious user needs to enslave as many ICCs as they can. A daemon is installed onto each ICC using various techniques. Once infected, these ICCs (often termed zombies or slaves) are used to launch attacks on an address chosen by the malicious user.

WHO CAN LAUNCH AN ATTACK?

You do not need technical skills to launch an attack. The DDoS attack tools are downloadable in 'kit' form off the Internet.

They even come with help screens, so all you need is the address of your unprotected victim. They are so simple to alter that, in one reported case on 4th May 2001, a 13-year-old attacked GRC.com because he had a grudge against an employee.

Using DDoS attacks, a Canadian boy of 16 brought down the web sites of Amazon.com, eBay, Yahoo, Charles Schwab, CNN and eTrade. This proves how devastating DDoS can be. How would your organisation be affected by the loss of your web site for three days?

WHO DO THEY ATTACK?

Anyone they want to. High profile targets have included Microsoft, Yahoo, the FBI, the White House, Network Associates, CNN, New York Times and eBay. The message here is that no one is safe.

A lot of companies will not want the world to know how vulnerable their networks and systems are. Unless you have dedicated protection and analysis against DDoS, it may seem just like poor service from your ISP.

Traditional methods do not protect against the problem of DDoS. WebScreen provides the solution.


THE DDOS PROBLEM: TYPES OF ATTACK

SYN Flood
When one computer system wants to establish a connection with another, a process called a three-way handshake is used.

The source sends a packet of data (a SYN) to the destination; the destination acknowledges and replies (a SYN-ACK) to the source and waits for the source address to send a final acknowledgement (an ACK).

Attackers have used this to send bogus SYN packets containing spoofed source IP addresses to targeted web servers. This means that the destination server waits for a response that is not going to happen.

When this is done multiple times from multiple sources it floods the destination server, which has a limit on the number of unacknowledged SYNs it can hold. This will ultimately bring down the server.
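The half-open backlog described above, as an added detection example in Python (not Webscreen's code and not the CHARM algorithm): it replays a constructed packet sample through a model of the server's half-open table and shows why a per-source SYN rate rule misses a spoofed flood while the aggregate backlog count does not. The backlog size, per-source limit and SYN timeout are assumed values.

```python
from collections import Counter

# Constructed sample of inbound packets seen in front of a web server (not a
# real capture). Record: (time_ms, src_ip, src_port, dst_ip, tcp_flag), where
# tcp_flag is "S" for a SYN or "A" for the client's final handshake ACK.
LEGIT = [
    (0, "198.51.100.7", 40001, "203.0.113.10", "S"),
    (100, "198.51.100.7", 40001, "203.0.113.10", "A"),  # handshake completed
]
# 400 SYNs spread over 250 spoofed addresses; no ACK ever follows any of them.
FLOOD = [(200 + 10 * i, f"192.0.2.{i % 250 + 1}", 1024 + i, "203.0.113.10", "S")
         for i in range(400)]
SAMPLE_PACKETS = LEGIT + FLOOD


def replay_half_open(packets, syn_timeout_ms=30_000):
    """Replay packets in time order, modelling the server's half-open table.

    A SYN opens an entry keyed by (src_ip, src_port, dst_ip); the client's ACK
    removes it. Entries older than syn_timeout_ms are dropped, as a server reaps
    SYN-RECV sockets whose SYN-ACK was never answered.
    Returns (peak_half_open, max_syns_from_one_source).
    """
    half_open = {}  # key -> time the SYN arrived
    syns_per_source = Counter()
    peak = 0
    for t, src, sport, dst, flag in sorted(packets):
        for key in [k for k, t0 in half_open.items() if t - t0 > syn_timeout_ms]:
            del half_open[key]
        key = (src, sport, dst)
        if flag == "S":
            half_open[key] = t
            syns_per_source[src] += 1
        elif flag == "A":
            half_open.pop(key, None)
        peak = max(peak, len(half_open))
    return peak, max(syns_per_source.values(), default=0)


def detect_syn_flood(packets, backlog_limit=256, per_source_limit=10,
                     syn_timeout_ms=30_000):
    """Apply two rules: a per-source SYN rate and the aggregate half-open backlog."""
    peak, max_per_source = replay_half_open(packets, syn_timeout_ms)
    return {
        "peak_half_open": peak,
        "max_syns_per_source": max_per_source,
        "per_source_alert": max_per_source > per_source_limit,  # blind to spoofing
        "backlog_alert": peak > backlog_limit,  # sees the SYN queue filling regardless
    }
```

Running `detect_syn_flood(SAMPLE_PACKETS)` reports a peak of 400 half-open entries with at most 2 SYNs from any one address, so only the backlog rule fires; rerunning with `syn_timeout_ms=1_000` shows that a short SYN-RECV timeout keeps the same flood within the assumed queue size.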

Page Flood
A page flood is when one or more web pages are requested enough times to exceed the server's capacity to serve the data.

Smurf Attack
A Smurf attack floods your router with Internet Control Message Protocol (ICMP) echo request packets (pings). The destination address of each packet is the broadcast address of your network, creating a large amount of ICMP echo request and response traffic. Some Smurf attacks spoof the source IP address, compounding the problem.

Fraggle Attack
A Fraggle attack uses UDP packets to unwittingly use ICMP echo requests in the same way as a Smurf attack.

UDP Attack
UDP floods happen when many packets of data are sent via UDP with a spoofed source address. This results in a backlog of UDP responses.

ICMP Flood Attack
A victim is sent a huge stream of ICMP packets. There are so many that the server cannot handle them, exhausting bandwidth and hanging the server.

Ping of Death
Certain systems will crash if they receive an ICMP packet that has been maliciously corrupted.

Teardrop
Many systems will crash when they receive IP packets that have been corrupted so that the data overlaps.

Land
Certain systems will exhaust their resources when they receive a packet with the same source and destination address.

Chargen
Certain systems will crash when they try to process a packet with the same source and destination address, similar to a Smurf attack.


THE DDOS PROBLEM: DDOS ATTACK TOOLS

These DDoS tools are freely available to download off the Internet. Documented cases show how often attacks have been traced to these DDoS tools. In fact they are being used NOW, perhaps against your web site.

Trinoo
Trinoo works by an attacker breaking into a system and installing scanning software. This finds vulnerable systems that have security holes in them and installs rootkits on them. These are then called Masters. The Master listens on its host's ports and installs daemons on various slaves or Zombies. This creates the Trinoo network. When an attack is instigated, the attacker communicates with the Master to send UDP floods to a victim's address.

Tribal Force Network (TFN) or TFN2K
Similar to Trinoo, TFN uses clients (Masters) and daemon hosts (zombies). However, TFN uses ICMP to communicate and can launch a number of attacks including ICMP flood, UDP flood, SYN flood, and Smurf attacks. More recent versions such as TFN2K include encryption, stealth attacks, denial-of-service attacks designed to crash the target host, and the ability to send shell commands to the daemons. TFN also has the capability to generate packets with spoofed source IP addresses.

Stacheldraht
This is also based on Trinoo. It incorporates the encryption features and can also automatically update the agents. Stacheldraht can launch UDP floods, SYN floods, ICMP floods and Smurf attacks.

Shaft
Shaft has a number of new features over its related families of Trinoo and TFN. It has the ability to switch handler servers and handler ports on the fly, thus making detection by intrusion detection tools difficult. Finally, Shaft has a particular interest in packet statistics. This means that an attacker can work out when they have enough agents to overwhelm a victim. Attacks consist of UDP floods, SYN floods, ICMP floods and Smurf attacks, or a combination of them.

Mstream
Mstream is a three-tiered DDoS attack tool, capable of flooding numerous target systems with high volumes of TCP packets.

Trinity
Although this launches attacks in a similar way to other DDOS tools, Trinity has one major advantage. It allows the hacker to control the zombies or agents through Internet Relay Chat (IRC) channels or America Online Inc.'s ICQ online chat service. This means that the master does not have to hold a list of agents as they all report back to a specified chat room. Trinity can launch all types of DDOS attack.


WS100 and CHARM Technology

The WS100 is the world's most advanced solution to defend against Distributed Denial of Service (DDoS) attacks. Using its patented CHARM technology, the WS100 will ensure that genuine users/customers of the website always have access while attack traffic is dropped.

ADAPTABLE
Unlike conventional anti-virus software, WS100 uses heuristic algorithms to detect DDoS attacks. WS100 looks at the nature of the access rather than its exact signature, so an update is not required every time a new DDoS attack tool is developed. You can rely on WS100 to keep protecting your website under any circumstances.

PROTECTING YOU ON THE EDGE OF YOUR NETWORK
WS100 sits beyond your firewall, which itself could be a target of a DDoS attack.

It is only at the last point before your connection to the internet that 'every' packet of data can be checked for a possible attack.

The WS100 uses CHARM technology. This uses patented heuristic algorithms to determine if the packet is an attack and then makes the decision to reject or accept the packet.

CHARM
CHARM is a measure of how much Webscreen trusts a packet. If a packet has a high CHARM, Webscreen is more likely to let it pass through.


Copyright © Computrad (Europe) Limited - All Rights Reserved
Saturday 5th Jul 2008