New hack attack is greater threat than imagined
And it may be only a warm-up
It was news a month ago; days later it vanished. The mainstream press may have forgotten it, but security specialists gathered in California last week for the sixth RSA Conference to consider the growing trend in malicious computer assaults called distributed denial of service (DDoS) attacks. Using tools called trin00 and tribe flood network (TFN), intruders can commandeer hundreds, possibly thousands, of separate, unsuspecting clients to launch a flood which can bring a network down in a torrent of packets all appearing to come from different sources, making it impossible to identify the origin. Dealing with this sort of assault can be maddening for the primary victim. The clients from which the attack is launched are themselves intermediate victims who rarely know that their systems have been compromised. They are in diverse locations around the world, administered by people who speak different languages, making it nearly impossible for one victim to explain to another how to cope with the threat. Security experts are not optimistic. The tools do not require an intruder to gain root access to a system, but can be uploaded via a number of simpler exploits, many of which can be scripted to run automatically, and even multi-threaded to run very, very fast. Finding weak systems to use as clients for a distributed attack is neither difficult nor prohibitively time consuming. More ominously, DSL and cable modems, which remain connected around the clock, make it possible to launch attacks through the growing number of private Linux boxes now online. "We've already seen these attacks coming through Linux boxes," ISCA Director of Research Services David Kennedy told The Register. "And there's no reason why it can't be ported to the Win-32 [operating system]," he added. To further complicate matters, merely killing the process during a distributed flood attack is not adequate to end it. So long as the hundreds of clients remain infected, an attack can be resumed, Kennedy says. We note that communicating with the owners and administrators of hundreds of compromised clients, and gaining their cooperation, would be virtually impossible. The victim is, for all practical purposes, at the mercy of the attacker. The FBI's National Infrastructure Protection Center (NIPC) has developed an application to detect the malicious tools, though the first indication that they've been installed will usually be a phone call from a frantic sysadmin trying desperately to block the onslaught of packet traffic. We say 'phone call' because a distributed attack capitalises on so much bandwidth from so many sources that it literally overwhelms entire networks. Under those circumstances, e-mail is hardly going to work. An ISP can turn off the attack, provided its administrators are well enough acquainted with the problem; but there again, nothing can stop an attacker from firing up his hundreds of compromised clients hours or days later if he chooses. It gets worse; most of the more obvious defences are problematic. For example, a firewall configured to catch a distributed flood attack would also interrupt such utility functions as ping and traceroute, which are commonly used by administrators and power users, Kennedy noted. The tools are in constant development within the hacker underground; new and better versions are released regularly. Most worrying is a shift to scripted attacks which allow unsophisticated users, such as bored teenagers, half-assed hacker wannabes and clueless script kiddies to launch them. The tools are getting more powerful, slicker and easier to use. Defences are not. Defences require the infected clients, not the end victims, to take action. Human nature being what it is, we reckon the end victims are pretty well on their own. The NIPC offers an unsettling insight: "Possible motives for this malicious activity include....preparation for widespread denial of service attacks." We wonder what "widespread" means here. If one malicious hacker can exploit hundreds of clients worldwide and retain them for repeated abuse, what might a hundred accomplish? And what effect might that have? Could enough bandwidth be gobbled up to crash large portions of the Net? Could ISPs be overwhelmed for hours, even days? Could infrastructure be at risk? The NIPC refuses to say, but our imaginations are very much stimulated by the possibilities. And we reckon yours ought to be as well. ®
Sponsored: RAID: End of an era?