published: October 13th, 2009

Overhauled Homeland Security Funding Alarms Areas At Risk

Since 2003, the U.S. Department of Homeland Security (DHS) has provided funding for states and urban areas across the country, under its Homeland Security Grant Program, in an effort to improve emergency preparedness, at the local level, in the event of a terrorist attack. Such funding has been available through two types of programs known as the State Homeland Security Grant Program (SHSGP) and the Urban Area Security Initiative (UASI). Both types of funds have consisted of myriad formulas and application requirements which have caused disputes between members of the United States Congress as well as between state governors regarding the amount of allocations doled out, both in the past and presently.

In 2006, when it was thought that the program could not get any more confusing and unfair to certain states and urban areas, the DHS has topped itself yet again. Many lawmakers have been left dumbfounded, since they have so little information and criteria available in the decisions that the DHS has made for Fiscal Year 2006, which began October 1, 2005. In addition, the decisions for FY 2006 will have a direct impact on any forthcoming funding beyond FY 2007, for those urban areas which have been deleted from the eligible list for 2006.

If the aforementioned has left you confused, you are not alone. It is important to note that the two distinctly separate funding programs, although both Homeland Security Grant Programs, are now more apt to become supplements to each other, as the amount of funding has been cut for not only 2006 distributions but is projected to be further reduced in 2007 as well. The UASI grants for 2006 allot $765 million to 35 urban or metropolitan areas, comprised of various counties, cities and towns in their immediate vicinities. In 2005 the list included 50 urban areas, hence the initial outcries this year.

The 2006 eligible urban areas list has left off some major urban regions which were included in 2005 and since the program’s inception in 2003, leaving lawmakers and law enforcement with lots of questions. Among the big question marks are San Diego, CA, Las Vegas, NV and Phoenix, AZ, prompting federal, state and local officials to demand answers from the DHS.

The Homeland Security Appropriations Act, originated in 2002, established the SHSGP, which in the past allocated one-half of its funds to be equally divided between all 50 U.S. states including U.S. territories and possessions, with the remaining funds distributed to states based upon population. The system in place in 2006, however, guarantees a minimum amount to each state, but requires each to apply and qualify the need for additional risk-driven funding. Thus, it is incumbent upon each state to essentially prove its case to the DHS for additional allocations. For FY 2006, each state is guaranteed a baseline minimum distribution of $7.13 million in the SHSGP, reserved to concentrate on law enforcement training and preparedness. And since UASI grants are now pared down from 50 to 35, state grants loom even more important, as each year since 2004 the amount of funding for both programs has de-escalated.

In its effort to temper the criticism of pork-barrel rewards for certain states and urban areas least expected to be hit by a terrorist attack, the DHS has reframed its criteria in order for states and urban areas to either qualify for additional funding or, in the case of the UASI, for any funding at all. With respect to San Diego, for example, which was eliminated from eligibility for 2006 UASI grants, when questions were asked by state and local lawmakers and officials, it became clear that the formula will not be disclosed because it is classified information, according to the Secretary of Homeland Security, Michael Chertoff. In its zeal to assure everyone that it is not being unfair in its analysis and that politics has not played a part in its decisions, the DHS states that the formula used for risk assessment was derived scientifically by computer calibrations and algorithms, yet is so confusing that the DHS cannot even begin to explain them.

It is primarily the confusing new rules, which remain unexplained by the DHS, which has upset officials from both federal and state levels of government all over the country, with quite vocal protests coming from California and Nevada. Governor Arnold Schwarzenegger, and Senator Diane Feinstein of California along with Governor Kenny Guinn and Senator Harry Reid of Nevada have all been outspoken on the issue and have demanded more answers.

San Diego’s federal contingent of representatives, which includes Congressman Duncan Hunter, Congressman Darrell Issa, Congresswoman Susan Davis and Congressman Bob Filner, met in February with Homeland Security officials. But frustration was clearly expressed by Representative Filner. Most objectionable was the perceived disregard by the DHS of the fact that the county of 3 million residents sits on an international border, is an international port, houses the largest marine base in the U.S. and is also a major naval base. Along with being a choice tourist destination, it would seem that these factors would be qualifiers for UASI funding for San Diego.

Filner recalls, “San Diego’s military bases and ships could be sitting ducks for a terrorist and aren’t factored into Chertoff’s “disciplined” analysis. I asked whether anyone has the [same] concentration of nuclear things that are a perfect target for terrorists,” he said. “Does any other city have three nuclear carriers in their harbor, a dozen or more nuclear submarines and a nuclear power plant? They said, “We don’t have those figures, but all of those military assets are “invisible to us,” in the DHS’ risk calculations,” according to Filner.

Rep. Susan Davis’ account was similar to Filner’s. “The DHS have certain principles they use when evaluating communities, such as transportation systems and populations, but that they haven’t really figured in [defense] facilities. What was so darned frustrating was that we expected them to come in with a rationale, but they basically said the [defense] facilities don’t quite factor into their assessment. It did seem very strange to us,” Davis said.

California Governor Arnold Schwarzenegger believes that military installations are not necessarily immune from terrorist attack. And the Mayor of San Diego, Jerry Sanders, points out the vulnerability of the U.S.-Mexican border, especially with the recent discovery of sophisticated underground tunnels, through which drugs, contraband and potential terrorists can be funneled into the U.S.

Nevada officials were allowed access to a classified meeting with Secretary Chertoff on March 9, 2006, including Congressman Jim Gibbons, Congressman Jon Porter, along with two top police administrators one of whom was the Las Vegas Metro Police Homeland Security Deputy Chief, Mike McClary. “When their calculations were done, there were areas where there was no data available,” according to McClary. “It’s a mystery how 10’s of millions of hotel guests were left out of the equation,” he said. According to Frank Siracusa, Nevada Emergency Management Director, “Different officials at Homeland Security often give contradictory recommendations or simply refuse to answer the questions.”

On any given weekend throughout the year, there are upwards of 300,000 hotel occupants on the Las Vegas Strip, many of whom are part of the more than 44 million tourists that arrived at Las Vegas McCarran International Airport in 2005, and growing each year. Why such data was not part of the equation in the assessment for Las Vegas could not be explained by the DHS, but it did offer to provide Las Vegas with another review. Whether or not the security of Hoover Dam was also overlooked in the DHS analysis remains a mystery as well. Las Vegas officials were not given a time frame in which they would get any future official communication from the DHS.

The UASI program is now focused primarily on enhancing the capabilities of local government to prevent, protect against, respond to and recover from any number of catastrophic events. But planning for law enforcement training programs and equipment purchases for localities such as San Diego and Las Vegas will now have to rely solely on “Sustainment” risk funds or “Tier 2” eligible funding, versus “High risk” or “Tier 1” funding.

This means that localities may receive the balance of funding only for those projects which remain incomplete from 2005. Should the DHS find that its oversight of not including tourists in its eligibility analysis of Las Vegas was not an error, thus finding it only eligible for Tier 2 funding in 2006, Las Vegas will have to reapply from scratch in 2007. And if any urban area has two consecutive years of either denied funding or Tier 2 funding, it then remains permanently ineligible for any future UASI funding. Meanwhile, urban areas newly added to the eligible list for UASI funding in 2006 include Orlando and Ft. Lauderdale, FL and Columbus, OH.

And finally, given all of its formulas and 37 capabilities requirements of “investment justification” in order for states and urban areas to be considered for funding from the DHS, it has yet to come up with a comparable measure of accountability, once funding has been dispersed, in order to gauge the effectiveness of its funding. For without follow-up analysis, the DHS, the Congress, and state and local governments and law enforcement will have no clear indicators as to whether their law enforcement programs and preparedness purchases have been money well spent through the funding programs.

And without transparency between the federal and state levels of government, requiring necessary input from local government, the DHS will remain hamstrung in its own red tape, thus weakening the original intent of its grant programs. In order to expedite emergency response preparedness to those areas most likely at risk in the event of catastrophe, without such commitment to accountability the DHS spending programs will serve to create a false sense of security, and ultimately put the U.S. at far greater risk.

Diane M. Grassi is a freelance columnist, reporting and writing commentary on current events of the day providing honest and often politically incorrect assessments. From U.S. public policy to Major League Baseball, she is an eclectic thinker, and demanding of her readers to reflect on their own thinking patterns from an alternative perspective. Whether you agree with her or not, Diane M. Grassi will have you coming back to note her opinions, and if at best she wakes you up, then her goal will have been accomplished.

Ms. Grassi is featured with the online publications: New Media Journal.us; American Chronicle; Mich News.com; the Federal Observer; Opinions Editorials; the Conservative Voice; the Las Vegas Penny Press; the Sierra Times as well as many others. She also writes regular columns on Major League Baseball where she is a featured online columnist with The Diamond Angle Baseball Ezine and Sports-Central.org. Ms. Grassi may be contacted at: dgrassi@cox.net

published: December 2nd, 2008

DOS Attacks Instigation and Mitigation

During the release of a new software product specialized to track spam, ACME Software
Inc noticed that there was not as much traffic as they hoped to receive. During further
investigation, they found that they could not view their own website. At that moment, the
VP of sales received a call from the company’s broker stating that ACME Software Inc
stock fell 4 points due to lack of confidence. Several states away, spammers didn’t like the
idea of lower profit margins due to an easy-to-install spam blocking software, so they
thought they would fight back. Earlier that day, they took control of hundreds of
compromised computers and used them as DoS zombies to attack ACME Software Inc’s
Internet servers in a vicious act of cyber assault. During an emergency press conference
the next morning, ACME Software Inc’s CIO announced his resignation as a result of a
several million dollar corporate loss.

Scenarios like the one above happen more often than people think and are more costly
than most will admit. Denial of Service (DoS) attacks are designed to deplete the
resources of a target computer system in an attempt to take a node offline by crashing or
overloading it. A Distributed Denial of Service (DDoS) attack is a DoS attack launched from
many different locations at once. The most common DDoS attacks are instigated through viruses
or zombie machines. There are many reasons that DoS attacks are executed, and most of
them are out of malicious intent. DoS attacks are almost impossible to prevent if you are
singled out as a target, because it is difficult to distinguish a legitimate
packet from one used for a DoS attack.

The purpose of this article is to give the reader with basic network knowledge a
better understanding of the challenges presented by Denial of Service attacks, how they
work, and ways to protect systems and networks from them.

Instigation:

Spoofing – Falsifying an Internet address (known as spoofing) is the method an attacker
uses to fake an IP address. This is used to reroute traffic to a target network node or
to deceive a server into identifying the attacker as a legitimate node. When most of us
think of this approach to hacking, we think of someone in another city essentially
becoming you. The way TCP/IP is designed, the only way a criminal hacker or cracker
can take over your Internet identity in this fashion is to blind spoof. This means that the
impostor knows exactly what responses to send to a port, but will not see the
corresponding replies, since that traffic is routed to the original system. If the spoofing is
designed around a DoS attack, the spoofed address becomes the victim. Spoofing is used
in most of the well-known DoS attacks. Many attackers will start a DoS attack to drop a
node from the network so they can take over the IP address of that device. IP hijacking is
the main method used when attacking a secured network or attempting other attacks like
the Man in the Middle attack.

SYN Flood – Attackers send a series of SYN requests to a target (victim). The target
sends a SYN ACK in response and waits for an ACK to come back to complete the
session set up. Instead of responding with an ACK, the attacker responds with another
SYN to open up a new connection. This causes the connection queues and memory buffer
to fill up, thereby denying service to legitimate TCP users. At this time, the attacker can
hijack the system’s IP address if that is the end goal. Spoofing the “source” IP address
when sending a SYN flood will not only cover the offender’s tracks, but is also a method
of attack in itself. SYN Floods are the most commonly used DoS in viruses and are easy
to write. See http://www.infosecprofessionals.com/code/synflood.c.txt

Smurf Attack – Smurf and Fraggle attacks are the easiest to prevent. A perpetrator sends a
large volume of ICMP echo (ping) traffic to IP broadcast addresses, using a fake source
address. The “source” or spoofed address will be flooded with simultaneous replies (see
CERT Advisory CA-1998-01). This can be prevented by simply blocking broadcast
traffic from remote network sources using access control lists.

Fraggle Attack – This type of attack is the same as a Smurf attack except that it uses UDP
instead of TCP. By sending UDP echo (ping) traffic to IP broadcast addresses, the
systems on the network will all respond to the spoofed address and affect the target
system. This is a simple rewrite of the Smurf code. It can be prevented by simply
blocking broadcast traffic from remote IP addresses.
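As an added example (not code from the article), the following Python script shows how a defender would spot the two attack signatures described above in a packet summary log: half-open TCP handshakes piling up on one destination (SYN flood, typically from many spoofed sources) and echo traffic aimed at a directed-broadcast address (Smurf for ICMP, Fraggle for UDP echo on port 7). The one-line-per-packet log format, the local subnets and every address are constructed for the demonstration; the TCP “detail” field is assumed to carry the flag the client sent, so a SYN with no later ACK from the same client is counted as half-open.

```python
"""Flag SYN-flood and Smurf/Fraggle traffic in a packet summary log.

Added example; the log format, subnets and addresses are constructed
(RFC 5737 documentation ranges), not taken from the article.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the subnets behind the perimeter router.  Echo traffic sent
# to one of their broadcast addresses is the Smurf/Fraggle signature.
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed one-line-per-packet summary:  proto src[:port] dst[:port] detail
# For TCP, detail is the flag the client sent ("S" = SYN, "A" = handshake ACK).
SAMPLE_LOG = """\
tcp 203.0.113.7:40001 192.0.2.10:80 S
tcp 203.0.113.7:40001 192.0.2.10:80 A
tcp 203.0.113.8:40002 192.0.2.20:443 S
tcp 10.1.1.1:1025 192.0.2.10:80 S
tcp 10.1.1.2:1026 192.0.2.10:80 S
tcp 10.1.1.3:1027 192.0.2.10:80 S
tcp 10.1.1.4:1028 192.0.2.10:80 S
tcp 10.1.1.5:1029 192.0.2.10:80 S
tcp 10.1.1.6:1030 192.0.2.10:80 S
icmp 203.0.113.50 192.0.2.255 echo-request
udp 203.0.113.50:53 198.51.100.255:7 -
"""


def _endpoint(token):
    """Split 'ip:port' into (ip, port); ICMP endpoints carry no port."""
    if ":" in token:
        ip, port = token.rsplit(":", 1)
        return ip, int(port)
    return token, None


def parse_log(text):
    """Turn the summary log into a list of packet dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, detail = line.split()
        sip, sport = _endpoint(src)
        dip, dport = _endpoint(dst)
        records.append({"proto": proto, "src": sip, "sport": sport,
                        "dst": dip, "dport": dport, "detail": detail})
    return records


def detect_syn_floods(records, threshold=5):
    """Return destinations with at least `threshold` half-open handshakes.

    A SYN opens a pending entry and the client's ACK closes it.  Many pending
    entries from many distinct sources is the classic (often spoofed) flood.
    """
    pending = set()
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["detail"] == "S":
            pending.add(key)
        elif r["detail"] == "A":
            pending.discard(key)          # handshake completed
    per_dst = defaultdict(set)
    for src, sport, dst, _dport in pending:
        per_dst[dst].add((src, sport))
    return {dst: {"half_open": len(conns),
                  "distinct_sources": len({s for s, _ in conns})}
            for dst, conns in per_dst.items() if len(conns) >= threshold}


def detect_amplification(records, local_nets=LOCAL_NETS):
    """Flag echo requests aimed at a directed-broadcast address.

    Every host on that subnet answers the packet's source address, so the
    'source' is the real victim (Smurf for ICMP, Fraggle for UDP echo/7).
    """
    broadcasts = {net.broadcast_address for net in local_nets}
    hits = []
    for r in records:
        is_icmp_echo = r["proto"] == "icmp" and r["detail"] == "echo-request"
        is_udp_echo = r["proto"] == "udp" and r["dport"] == 7
        if (is_icmp_echo or is_udp_echo) and ip_address(r["dst"]) in broadcasts:
            hits.append({"kind": "smurf" if is_icmp_echo else "fraggle",
                         "victim": r["src"], "broadcast": r["dst"]})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SYN flood targets:", detect_syn_floods(recs))
    print("Amplification hits:", detect_amplification(recs))
```

On the constructed log the legitimate client to 192.0.2.10 completes its handshake and drops out, the single SYN to 192.0.2.20 stays below the threshold, and only 192.0.2.10 is reported, with six half-open connections from six different sources. The echo-request to 192.0.2.255 and the UDP/7 packet to 198.51.100.255 are both reported with 203.0.113.50 as the victim, which is exactly why the router should refuse to forward such packets onto the subnet.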

Ping of Death – An attacker sends illegitimate ICMP (ping) packets larger than 65,536
bytes to a system with the intention of crashing it. These attacks have been outdated since
the days of NT4 and Win95.

Teardrop – Otherwise known as an IP fragmentation attack, this DoS attack targets
systems that are running Windows NT 4.0, Win95, and Linux up to 2.0.32. Like the Ping of
Death, the Teardrop is no longer effective.

Application Attack – These are DoS attacks that involve exploiting an application
vulnerability, causing the target program to crash or restart the system.

Kazaa and Morpheus have a known flaw that will allow an attacker to consume all
available bandwidth without being logged.
See http://www.infosecprofessionals.com/code/kazaa.pl.txt

Microsoft’s IIS 5 SSL also has an easy way to exploit vulnerability. Most exploits like
these are easy to find on the Internet and can be copied and pasted as working code.
There are thousands of exploits that can be used to DoS a target system/application. See
http://www.infosecprofessionals.com/code/IIS5SSL.c.txt

Viruses, Worms, and Antivirus – Yes, antivirus. There are too many cases where the antivirus
configuration is wrong or the wrong edition is installed. This lack of foresight causes an
unintentional DDoS attack on the network by taking up valuable CPU resources and
bandwidth. Viruses and worms also cause DDoS attacks by the nature of how they
spread. Some purposefully attack an individual target after a system has been infected.
The Blaster worm, which exploits the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) over TCP port 135, is a great example of this. Blaster
targeted Microsoft’s Windows Update site by initiating a SYN flood. Because of this,
Microsoft decided to no longer resolve the DNS name ‘windowsupdate.com’.

DoS attacks are impossible to stop. However, there are things you can do to
mitigate potential damages they may cause to your environment. The main thing to
remember is that you always need to keep up-to-date on the newest threats.

Mitigation:

Antivirus software – Installing antivirus software with the latest virus definitions will
help prevent your system from becoming a DoS zombie. Now, more than ever, this is an
important feature that you must have. With lawsuits so prevalent, not having the proper
protection can leave you open to downstream liability.

Software updates – Keep your software up to date at all times. This includes antivirus,
email clients, and network servers. You also need to keep all network Operating Systems
installed with the latest security patches. Microsoft has done a great job with making
these patches available for their Windows distributions. Linux has been said to be more
secure, but the patches are far more scarce. RedHat is planning on incorporating the
NSA’s SE Linux kernel into future releases. This will give Mandatory Access Control
(MAC) capabilities to the Linux community.

Network protection – Using a combination of firewalls and Intrusion Detection Systems
(IDS) can cut down on suspicious traffic and can make the difference between logged
annoyance and your job. Firewalls should be set to deny all traffic that is not specifically
designed to pass through. Integrating an IDS will warn you when strange traffic is present
on your network. This will assist you in finding and stopping attacks.

Network device configuration – Perimeter devices like routers can be configured to detect
and in some cases prevent DoS attacks. Cisco routers can be configured to actively
prevent SYN attacks starting in Cisco IOS 11.3 and higher using the TCP intercept
command in global configuration mode:

access-list access-list-number {deny | permit} tcp any destination destination-wildcard
ip tcp intercept list access-list-number
ip tcp intercept ?   (will give you a good list of other options.)

Cisco routers can prevent Smurf and Fraggle attacks by blocking broadcast traffic. Since
Cisco IOS 12.0, this is the default configuration. ACLs or access control lists should also
be configured on all interfaces.

no ip directed-broadcast   (interface configuration mode)

The Cisco router can also be used to prevent IP spoofing. The access list is built in global
configuration mode and then applied inbound on the interface facing the untrusted network.
Note that an IOS access list ends with an implicit deny-all, so a permit entry for legitimate
traffic must follow these deny entries.
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any
interface outside-interface
 ip access-group number in
See Improving Security on Cisco Routers – www.cisco.com/warp/public/707/21.html
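To show what the anti-spoofing access list above actually decides, here is an added Python example (not Cisco’s code and not from the article) that converts the list’s address/wildcard pairs into CIDR networks and evaluates inbound packets in the same order as the ACL entries. It also adds one rule the article does not list, denying outside packets whose source claims to be inside your own prefix (BCP 38-style ingress filtering); the inside prefix and all sample packets are constructed from RFC 5737 documentation ranges.

```python
"""Audit inbound packets against the anti-spoofing access list.

Added example: translates the article's ACL entries into an equivalent
Python filter and extends it with a BCP 38-style rule.  The inside prefix
and the sample packets are constructed, not from the article.
"""
from ipaddress import ip_address, ip_network


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ip_network.

    A wildcard mask is the bitwise inverse of a subnet mask: 0 bits must
    match, 1 bits are 'don't care'.  0.255.255.255 -> /8, 31.255.255.255 -> /3.
    """
    dont_care = int(ip_address(wildcard))
    mask = ~dont_care & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if mask != contiguous:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR form")
    return ip_network(f"{addr}/{prefix}", strict=False)


# The article's deny entries, in order: (source address, wildcard).
BOGON_ENTRIES = [
    ("127.0.0.0", "0.255.255.255"),   # loopback
    ("224.0.0.0", "31.255.255.255"),  # multicast and reserved (224/3)
    ("0.0.0.0", "0.0.0.0"),           # 'host 0.0.0.0'
]
BOGON_NETS = [wildcard_to_network(a, w) for a, w in BOGON_ENTRIES]

# Constructed: the prefix behind the router.  A packet arriving from outside
# that claims one of these addresses as its source is spoofed (BCP 38).
# This rule is an addition beyond the article's list.
INSIDE_NETS = [ip_network("192.0.2.0/24")]

ICMP_REDIRECT = 5


def evaluate_ingress(src, dst, proto, icmp_type=None):
    """Return ('deny', reason) or ('permit', '') for a packet arriving on the
    outside interface, checking entries in the same order as the ACL."""
    source = ip_address(src)
    if proto == "icmp" and icmp_type == ICMP_REDIRECT:
        return ("deny", "icmp-redirect")
    for net in BOGON_NETS:
        if source in net:
            return ("deny", f"bogon-source {net}")
    for net in INSIDE_NETS:
        if source in net:
            return ("deny", f"spoofed-inside-source {net}")
    # Models the explicit 'permit ip any any' that must follow the deny
    # entries on the router, since an IOS list ends in an implicit deny.
    return ("permit", "")


# Constructed inbound packets: (src, dst, proto, icmp_type)
SAMPLE_PACKETS = [
    ("203.0.113.4", "192.0.2.10", "tcp", None),   # ordinary client
    ("127.0.0.1", "192.0.2.10", "tcp", None),     # loopback source
    ("224.0.0.1", "192.0.2.10", "udp", None),     # multicast source
    ("0.0.0.0", "192.0.2.10", "udp", None),       # unspecified source
    ("192.0.2.5", "192.0.2.10", "tcp", None),     # our own prefix, from outside
    ("203.0.113.4", "192.0.2.10", "icmp", 5),     # ICMP redirect
]


def audit(packets):
    """Count verdicts by reason so a log review shows what the ACL would drop."""
    summary = {}
    for src, dst, proto, icmp_type in packets:
        verdict, reason = evaluate_ingress(src, dst, proto, icmp_type)
        label = verdict if verdict == "permit" else f"deny:{reason}"
        summary[label] = summary.get(label, 0) + 1
    return summary


if __name__ == "__main__":
    for label, count in audit(SAMPLE_PACKETS).items():
        print(f"{count:3d}  {label}")
```

Running the audit over the six constructed packets permits only the ordinary client and reports a distinct deny reason for each of the others, which is a quick way to confirm that the wildcard masks in the ACL cover the ranges you intended before the list goes onto the router.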

Old Cisco IOS versions are vulnerable to several DoS attacks. The “Black Angels” wrote
a program called Cisco Global Exploiter. It is a useful tool when testing the
security of your own Cisco router version and configuration and can be found at
http://www.blackangels.it/Projects/cge.htm

Security is not as mystical as people believe. DoS attacks come in many different
types and can be devastating if you don’t take the proper precautions. Keep up to date and
take steps to secure network nodes. Keeping security in mind can minimize damages,
downtime, and save your career.

Security Resources:
Black Angels: http://www.blackangels.it/
Cisco: http://www.cisco.com
Microsoft: http://www.microsoft.com/technet/security/current.aspx
Forum of Incident Response and Security Teams: http://www.first.org/
SANS Institute: http://www.sans.org/resources/

Author: Jeremy Martin CISSP, ISSMP, ISSAP, CEI, CEH, CHS-III, CCNA, Network+, A+
http://www.infosecwriter.com

Member of:
BECCA – Business Espionage Controls & Countermeasures Association
ISACA