Denial of service hackers take on new targets

February 9, 2000
Web posted at: 6:44 p.m. EST (2344 GMT)

In this story: RESOURCES RELATED STORIES, SITES

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- The denial of service (DoS) attacks Tuesday on major e-commerce Web sites and CNN Interactive represent a common type of cyber-attack, but one that is normally used against Internet service providers rather than retail or news organizations.

While it is a little more complicated than meets the eye, a DoS attack can be avoided.

A DoS attack is commonly referred to as a "hack" because it is a malicious offensive against another computer system; but unlike most other hacks, it does not involve the attacker gaining access or entry into the target server. Instead, a DoS is a massive stream of information sent to a target with the intention of flooding it until it crashes or can no longer take legitimate traffic.

The information is frequently in the form of "pings," which are small packets of data sent by one computer to another with the intention of checking to see if the other computer is accessible. The target computer responds to the pinger and the connection is made. But if the pinger gives a false address, the target computer can't return the ping to make the connection. In that case, the target waits and finally gives up. In great amounts, this can overwhelm a server.

Concerted effort

A distributed DoS attack is a concerted effort to take down a target. Instead of a one-to-one attack, many computers target a single one -- as would be necessary with a target as large as eBay or Amazon.

VIDEO Interview with CNN Technology Correspondent Ann Kellan about how the attacks hardly affect home computers. QuickTime Play Real 28K 80K Windows Media 28K 80K CNN's Catherine Callaway explains the Internet invasion. QuickTime Play Real 28K 80K Windows Media 28K 80K CNNfn correspondent Fred Katayama reports on the attacks on Yahoo! and Buy.com. QuickTime Play Real 28K 80K Windows Media 28K 80K     RESOURCES< /B> Check here to see how a denial of service attack works.     ALSO Government sees cyber-attacks as disruption of commerce TIME: Classic Hackers Decry Heavy-Handed Upstarts     MESSAGE BOARD Insurgency

Besides the obvious tactic of having many users simultaneously flood a target, certain publicly available programs can be used so that one user can perform a distributed DoS. The programs are placed on compromised systems -- computers that have been successfully entered by the attacker before. The attacker merely needs to run a "trigger" program that tells the planted programs to begin their assault on the target. That kind of attack is not only formidable, but very difficult to trace back to the original source.

The programs that execute distributed DoS attacks can be found on many hacker Web sites in the United States, Russia and several nations in between. Common in the community, these programs are easy enough that even an inexperienced tinkerer can use them.

Beyond the program, though, a hacker also needs to have a great number of compromised systems on which to place the satellite programs. According to Carnegie Mellon University's CERT coordination center, which monitors and advises system administrators on computer security, the systems used to execute DoS attacks "are often compromised via well-known vulnerabilities." The group urges administrators to update their systems with the latest patches and workarounds.

Also, many of these programs leave telltale signs that some say can be used to block the malicious traffic before it becomes a problem.

"These programs have known signatures and the servers should be able to filter out that traffic," according to Space Rogue, the editor of the Hacker News Network, a computer security site. "The servers could identify those IP addresses (of the systems making the attack), then put those filters in place. It should have been done before."

Law enforcement stresses community security

Ron Dick of the National Infrastructure Protection Center, at a news conference about the investigation of the attacks, confirmed the idea of many "zombie" computers being directed by a single hacker. He also mentioned two of the programs, "Tribal Flood Net" and "Trinoo," that are used in these large-scale DoS strikes.

Both programs, and many others, can be found on several Web sites and, according to Dick, aren't very difficult to use.

"A 15-year-old kid could launch these attacks. It doesn't take a great deal of sophistication to do," he said.

These programs were found on many machines over the new year while making Y2K fixes. The NIPC and CERT have taken action.

"We were able to develop tools to identify to see if those programs are residing on your system," Dick said. Those tools can be found on the NIPC and CERT Web sites.

While the victims can filter out the malicious data, Dick said the real problem is taking care of those hidden programs on the machines carrying out the attacks.

'Magnifying glass burning a bug'

Even filtering out the traffic can be futile if the attack is large enough, according to Paul Holbrook, director of Internet Technologies for CNN. CNN.com was targeted late Tuesday.

"In our case, what caused us trouble was not that we weren't filtering it out. We were filtering it, but the problem was that the routers were so busy filtering that that in itself compromised us. The routers still have to process each packet. The cure was putting the filter on a bigger router outside of our site," Holbrook said.

The distributed nature of the attack made it especially difficult to ward off the flood of data, Holbrook said, likening the mass assault to "a magnifying glass burning a bug on a hot summer day."

As to general Internet security, Holbrook echoes the sentiments of many network gurus charged with protecting such a huge and diverse target.

"The unfortunate truth is that it's an impossibility to ever completely close everything. There are so many systems on the Internet that it's just too hard to close them all."  

Avi Rubin, an Internet security expert with AT&T Labs and author of the "Web Security Source Book," has been preaching about this kind of threat for about eight years now.

Rubin explained how he installed Trinoo on two machines and used them to successfully assault a Solaris server in his office. He found the program in about 5 minutes, and he declares it "trivial" to accomplish.

"It's easy to install these things all over the place," he says. "All you really need is any site connected to the Internet that you've ever used in the past."

While more popular programs like TFN and Trinoo have signatures, another program encrypts traffic between the initiator and the hidden files that launch the attack. Worse yet, one would only have to get the source code to one of these and modify it slightly to change its signature and make it invisible to scanners.

Rubin expressed frustration in the "arms race" between attackers and computer security architects.

"If they create a mutating protocol, then we'll write a program that simulates that mutation," he says. "The problem is that the good guys always have to respond to what the bad guys do. They're always one step ahead of us."

Worst of all, despite CERT warnings, mailing list updates and entire conventions dedicated to network security, Rubin says network administrators kept putting off making the necessary fixes to prevent becoming either a target or an unwitting accomplice to a denial of service attack. Instead, they focused on protecting their site from full-scale intrusions or non-security matters. But after this streak of attacks, that's bound to change, Rubin hopes.

"Now they're going to pay attention," he says.

Cyber-attacks batter Web heavyweights
February 9, 2000
'Immense' network assault takes down Yahoo
February 8, 2000
Legendary computer hacker released from prison
January 21, 2000
Feds leave doors open for hackers
December 22, 1999
Hackers attack Senate Web site again
June 11, 1999
Feds warn hackers will be prosecuted; pro-Mitnick protest planned
June 2, 1999
Infamous computer hacker pleads guilty in deal with government
March 26, 1999
Legendary hacker signs plea bargain to win freedom in one year
March 18, 1999

HNN - H a c k e r N e w s N e t w o r k
CERT Coordination Center
Federal Bureau of Investigation
National Infrastructure Protection Center: CyberNotes

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.