October 15, 2004 -- (WEB HOST INDUSTRY REVIEW) -- When implementing perimeter security on a network, one of the first things a network administrator will do is configure firewalls and routers. Since the main purpose of the firewall is to protect the internal or trusted network from external Internet traffic, the firewall rule set traditionally focuses on ingress filtering, which inspects incoming data and blocks or denies any unwanted packets. What hosting providers often neglect to consider, however, is the filtering of unwanted outgoing network traffic, known as "egress filtering."
Due to the lack of egress controls, one hosting reseller of my acquaintance was subjected to server compromise this week. According to his upstream service provider, one of his leased dedicated servers was hijacked and used to initiate a denial of service attack. Because of this ongoing activity, his server was deactivated and law enforcement called in to investigate, causing him plenty of grief, mainly involving the migration of multiple customers to another server.
This situation could have been avoided if his upstream provider had taken steps to protect his server from attack and from launching attacks. Service providers can reduce the risk of denial of service attacks launched from their own networks if they introduce egress filtering.
Egress address filtering works by refusing to forward any directed broadcast packets. An egress filtering system also permits only IP addresses that the network administrator has assigned as trusted hosts to send broadcast packets outbound through the firewall. In other words, egress filtering prevents bad packets from escaping the network.
Egress port filtering works by denying all outbound traffic except traffic to a specific list of well-known ports that are permitted under the service provider's network policy.
For example, a provider may only permit use of HTTP, POP/SMTP and DNS ports for corporate end-users. If egress port filtering denies all other ports, then attempts by malicious code to communicate over any temporarily assigned or ephemeral port will be blocked. Reviewing the firewall logs for all denied egress port traffic will help a network administrator determine if an application is trying to send data outside the network.
This type of filtering is important since it prevents packets that contain invalid or incorrect addresses from leaving a server and prevents communication to unauthorized or questionable TCP and UDP ports from valid addresses.
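The address and port checks described above, modelled as an added example (not code from the article): a small policy evaluator that denies spoofed source addresses and directed broadcasts, allows only the HTTP, POP/SMTP and DNS ports, logs every denied outbound flow, and then reviews that log to flag hosts that keep trying to send data out. The address ranges, port list and sample flows are constructed for the example, not taken from the article.

```python
import ipaddress
from collections import Counter

# Constructed provider policy for this example (not values from the article):
TRUSTED_NET = ipaddress.ip_network("203.0.113.0/24")        # addresses the provider assigned
KNOWN_NETS = [ipaddress.ip_network("198.51.100.0/24")]     # subnets whose directed broadcast we know
DIRECTED_BROADCASTS = {n.broadcast_address for n in KNOWN_NETS}
ALLOWED_PORTS = {"tcp": {80, 110, 25, 53}, "udp": {53}}    # HTTP, POP3, SMTP, DNS only

def egress_decision(flow):
    """Apply address filtering first, then port filtering; return (action, reason)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    if src not in TRUSTED_NET:                 # source address not assigned to us: spoofed
        return "deny", "spoofed-source"
    if dst in DIRECTED_BROADCASTS:             # never forward directed broadcasts
        return "deny", "directed-broadcast"
    if flow["dport"] not in ALLOWED_PORTS.get(flow["proto"], set()):
        return "deny", "port-not-permitted"    # ephemeral or unlisted port: blocked
    return "permit", "policy"

def filter_flows(flows):
    """Return firewall log lines for every denied outbound flow."""
    log = []
    for f in flows:
        action, reason = egress_decision(f)
        if action == "deny":
            log.append(f"DENY proto={f['proto']} src={f['src']} sport={f['sport']} "
                       f"dst={f['dst']} dport={f['dport']} reason={reason}")
    return log

def suspicious_hosts(log, threshold=3):
    """Review denied-egress log lines; hosts at or above the threshold warrant a closer look."""
    hits = Counter(dict(kv.split("=", 1) for kv in line.split()[1:])["src"] for line in log)
    return sorted(h for h, n in hits.items() if n >= threshold)

# Constructed sample flows: one healthy host, one host repeatedly reaching for
# unlisted ports, one spoofed source address and one directed broadcast.
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "203.0.113.10", "sport": 50000, "dst": "198.51.100.7", "dport": 80},
    {"proto": "udp", "src": "203.0.113.10", "sport": 50001, "dst": "198.51.100.53", "dport": 53},
    {"proto": "tcp", "src": "203.0.113.20", "sport": 40001, "dst": "198.51.100.7", "dport": 6667},
    {"proto": "tcp", "src": "203.0.113.20", "sport": 40002, "dst": "198.51.100.7", "dport": 12345},
    {"proto": "udp", "src": "203.0.113.20", "sport": 40003, "dst": "198.51.100.7", "dport": 4444},
    {"proto": "tcp", "src": "192.0.2.99", "sport": 40004, "dst": "198.51.100.7", "dport": 80},
    {"proto": "udp", "src": "203.0.113.30", "sport": 40005, "dst": "198.51.100.255", "dport": 7},
]

if __name__ == "__main__":
    denied = filter_flows(SAMPLE_FLOWS)
    print("\n".join(denied))
    print("hosts to investigate:", suspicious_hosts(denied))
```

Running it prints five denied flows and lists 203.0.113.20 as the host whose repeated denials deserve investigation.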
While bad packets could originate from a poorly configured router, the most common reality is that they emanate from Trojan or backdoor programs on compromised systems. Compromised systems can also be made to initiate distributed denial of service attacks. This is problematic for Web host resellers, as they must implicitly trust that their leased servers, and the networks on which they operate, are both properly configured to withstand attacks and compromise.
The sad reality, as my acquaintance's story illustrates, is that many smaller upstream service providers who serve resellers lack the expertise, experience, knowledge, or financial resources to implement egress filtering on their systems, or, for that matter, to deploy safe versions of Web hosting automation software.
The consequence is considerable customer frustration and loss of revenue. Instead of implementing a proper security regime as an insurance policy against egress attacks, many service providers rely on their acceptable usage policies, which simply results in the termination of a legitimate reseller's user account. The effect of termination is that the reseller is effectively punished when a DDoS attack is launched from their server by a criminal third party.
This should not be the case. Since DDoS attacks are one of the most destructive of all classes of cyber-security threat, all service providers should take concrete action to combat them. According to the National Cyber Security Alliance, the odds of becoming a victim of a computer security breach are 7 in 10. The implementation of egress filtering could reduce this statistic.
To save headaches, resellers should only sign hosting contracts with providers who conduct egress filtering on their networks.