When computer hackers attacked Estonia earlier this year -- shutting down numerous Web sites connected to the country's electronic infrastructure, including government, commercial banks, media outlets and name servers -- the event was nothing new in the world of cyber-security.
Since the mid-1990s, denial-of-service (DoS) attacks -- generally an assault that floods a network or Web site with junk traffic, leaving it slow or completely unreachable -- have caused serious problems for the Internet. DoS attacks are often waged by "botnets," networks of computers that have been hijacked by viruses and take part in attacks without their owners' knowledge. Attackers often launch attacks from unallocated IP addresses so the assailants can't be traced.
The attack on Estonia has been called "cyber-warfare" and the first time botnets threatened the security of an entire nation. Over the years, similar attacks have closed some of the largest e-commerce companies, such as Amazon.com, eBay and Buy.com, as well as federal and state government Web sites.
With an estimated 2,000 to 3,000 DoS attacks daily worldwide, large corporations, small Web-based businesses and governments have been forced to take precautions to defend against DoS attacks or face costly shutdowns and/or the demands of "cyber-extortionists," a new breed of Internet criminal who demands payment in exchange for not launching a DoS attack.
Dark Address Space
In 2003, the federal government established the U.S. Computer Emergency Response Team (U.S.-CERT), an arm of the Department of Homeland Security that protects the nation's public and private Internet infrastructure, in response to DoS and other harmful cyber-attacks. To help prevent DoS attacks, or at least warn the private and public sectors of impending attacks, U.S.-CERT uses its Einstein program to monitor federal network "dark address space" on the Internet. Dark address space, sometimes referred to as "darknet," is the portion of the Internet's routable address space that is currently unused, with no active servers or services. On an organization's own network, the darknet is the set of addresses held in reserve for future network expansion.
Often when DoS and other cyber-attacks occur, blocks of Internet address space, including darknet space, briefly appear in global routing tables and are used to launch a cyber-attack, or send spam, before being withdrawn without a trace. By monitoring all traffic to and from dark space, U.S.-CERT and other cyber-security organizations gain insight into the latest techniques and attacks.
The U.S.-CERT's Einstein program provides information about darknet activity originating from state and local government systems, helping notify states of potential cyber-attacks and other malicious activities.
New York is in the process of implementing its own plan to combat cyber-attacks by collecting malicious cyber-attack information directed at the state's IT infrastructure, which can provide early warning intelligence about the nature and characteristics of the attacks.
New York state receives warnings of potentially malicious cyber-activity from U.S.-CERT on a daily basis, said William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination. His office is working with the University at Albany to create the Multi-State Information Sharing and Analysis Center (MS-ISAC) Darknet Sensor system, which will help New York and other states prevent cyber-attacks by monitoring dark space and other unallocated IP addresses. A darknet server will be configured to listen for all traffic directed at this unused address space and to record every packet that enters it, since no legitimate traffic has a reason to go there.
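The sensor described above, as an added illustration that is not the MS-ISAC system's own code: a small Python classifier that walks constructed flow records, keeps only packets addressed to reserved (dark) prefixes, and sorts them into probes versus "backscatter," the replies a DoS victim sends back when the attacker spoofed source addresses out of that unallocated space. The prefixes, flow records and category names are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed dark prefixes: RFC 5737 documentation ranges stand in for
# a state's reserved, unallocated address blocks.
DARK_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed flow records (src, dst, proto, dst_port, tcp_flags); not a real capture.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", "tcp", 445, "S"),       # scanner sweeping SMB
    ("203.0.113.7", "192.0.2.11", "tcp", 445, "S"),
    ("203.0.113.7", "192.0.2.12", "tcp", 445, "S"),
    ("203.0.113.9", "198.51.100.5", "tcp", 80, "SA"),     # victim answering spoofed SYNs
    ("203.0.113.9", "198.51.100.6", "tcp", 80, "SA"),
    ("203.0.113.44", "198.51.100.200", "udp", 1434, ""),  # UDP service probe
    ("203.0.113.44", "10.1.1.5", "tcp", 22, "S"),         # live space: not dark, ignored
    ("203.0.113.50", "192.0.2.77", "icmp", 0, ""),        # ping sweep
]

def is_dark(dst: str) -> bool:
    """True if the destination falls inside reserved (dark) address space."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_PREFIXES)

def classify(proto: str, flags: str) -> str:
    """Label what a packet landing in dark space most likely represents."""
    if proto == "tcp":
        if flags == "S":
            return "scan"          # unsolicited SYN: host discovery or service probe
        if flags in ("SA", "RA", "R"):
            return "backscatter"   # a victim replying to SYNs whose source was spoofed
        return "tcp-other"
    if proto == "udp":
        return "udp-probe"
    if proto == "icmp":
        return "icmp-probe"
    return "other"

def analyze(flows):
    """Summarize dark-space hits: category counts, busiest sources, touched ports."""
    categories, sources, ports = Counter(), Counter(), Counter()
    for src, dst, proto, port, flags in flows:
        if not is_dark(dst):
            continue                 # traffic to live hosts is out of scope for the sensor
        categories[classify(proto, flags)] += 1
        sources[src] += 1
        if proto in ("tcp", "udp"):
            ports[(proto, port)] += 1
    return {"hits": sum(categories.values()), "categories": dict(categories),
            "top_sources": sources.most_common(3), "ports": dict(ports)}
```

A real sensor would feed `analyze` from a capture on the routed-but-unused block rather than from `SAMPLE_FLOWS`; the same source addresses and port counts are what an early-warning feed would share with other states.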
"Just the fact that we are seeing state-targeted traffic in federal dark space is definitely worth the investment to deploy this program to monitor state dark space," said Pelgrin. "Our goal is not only to do this for New York state, but for all other states."