Denial-of-service attacks employ "zombie" PCs

Hackers may never be confused with voodoo priests, but try telling that to the legions of computer 'zombies' they have commanded to do their network clog-up bidding.


A new form of Denial of Service (DoS) attack caused by the trin00 and Tribe Network Flood programs has been wreaking havoc on bandwidth on a larger scale than ever before, according to Chris Klous, founder and chief technology officer of Internet Security Systems Inc. (ISS).

This DoS attack employs a simple concept: sending bogus packets from a remote location to IP (Internet Protocol) routers, where they collect and eventually plug up a pipe. The danger is manifested in this version because the hackers are gaining control of as many as thousands of vulnerable zombie computers in order to magnify and direct their full-scale assault against a single victim from all directions.

"A ping flood against a single machine may be an annoyance against someone's network, but with a thousand zombie machines, it's a thousand times stronger," said Klous. "You can't even communicate because your routers and your connections are filled with trash. This thing is known to clog the biggest [pipe], like a T3 connection."

Klous said his company has seen such an attack hit hardest in sectors including universities (because of lack of proper firewalls and often unattended systems), government, e-commerce, military, and financial networks. He said that typically these attacks, from a zombie perspective, are Unix- and Linux-based, but the denial of service can penetrate any machine because the bandwidth, not the host, is being targeted at that point.

"If you can't do business, especially at this time of year, that can become costly," he added, of the many different systems that could be shut down for days if left defenseless against such an armada of unrelenting bogus data bits. "Too many companies are jumping onto the e-commerce bandwagon, without putting any thought to security."

Matt Kovar, an analyst with Yankee Group Inc. in Boston, said that this type of DoS attack is among the hardest for a company to discover and coordinate a response to, because the distributed, dynamic source of the onslaught does not repeat from the same IP address or origin point. He said the very fact that a machine can be taken command of, and used for an ulterior purpose, only opens the door for more dangerous forms of "Trojan Horse" computer manipulations to come.

"Once you figure (out) how to gain access to a lot of things, it opens (up) a bunch of other opportunities to go out into the world," said Kovar. "The reality of the situation is (that) some of these attacks may happen all at once, or over time. You can create attacks that will recur during significant times of the day."

According to ISS, the trin00 distributed DoS program consists of three parts: the client, the master, and the broadcast. The DoS attack that the trin00 broadcasts carry out is a User Datagram Protocol (UDP) flood. Trin00 sends a large number of UDP packets from one source port to random destination ports on the target host. The target host returns Internet Control Message Protocol (ICMP) Port Unreachable messages. The target host then slows down because it is too busy processing UDP packets, and at this point there is little, if any, bandwidth left to operate in.

Klous said ISS has received reports that this type of DoS attack is affecting everyone, from small to large companies.

Elias Levy, chief technology officer of Inc. and moderator of Bugtraq, a computer security mailing list, said it's difficult to fix the damage and try to save the good packets being dropped by routers amid the DoS-induced network logjam.

"You have to figure who's sending those packets to you, contact them one by one, and (contact) their systems. It could be hundreds of machines on the Net that are just sitting there. People might not even know they're being affected," said Levy.

One way to detect the attack is to look for a number of UDP packets with the same source port and different destination ports. Another method is to keep an eye out for a number of ICMP Port Unreachable messages with the same source and destination IP.
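The two detection heuristics above (a UDP source port sweeping many destination ports, and a burst of ICMP Port Unreachable replies between one source/destination pair, the trin00 traffic pattern described earlier) as an added example, not code from the article or from ISS. The flow records, their column layout and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic). Columns:
#   proto src_ip src_port dst_ip dst_port
# For icmp rows the two numeric columns carry ICMP type and code instead of
# ports; type 3 / code 3 is Destination Unreachable: Port Unreachable.
SAMPLE_RECORDS = """
udp  192.0.2.10   31337 203.0.113.5 4021
udp  192.0.2.10   31337 203.0.113.5 9911
udp  192.0.2.10   31337 203.0.113.5 27015
udp  192.0.2.10   31337 203.0.113.5 60123
icmp 203.0.113.5  3     192.0.2.10  3
icmp 203.0.113.5  3     192.0.2.10  3
icmp 203.0.113.5  3     192.0.2.10  3
icmp 203.0.113.5  3     192.0.2.10  3
udp  198.51.100.7 40022 203.0.113.5 53
tcp  198.51.100.7 40023 203.0.113.5 443
"""

def parse_records(text):
    """Turn the whitespace-separated records into (proto, src, a, dst, b) tuples."""
    rows = []
    for line in text.strip().splitlines():
        proto, src, a, dst, b = line.split()
        rows.append((proto, src, int(a), dst, int(b)))
    return rows

def find_udp_port_sweeps(rows, min_dst_ports=4):
    """Signature 1: one (src_ip, src_port) hitting many distinct UDP dst ports on a host."""
    ports = defaultdict(set)
    for proto, src, sport, dst, dport in rows:
        if proto == "udp":
            ports[(src, sport, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_dst_ports}

def find_port_unreachable_bursts(rows, min_count=4):
    """Signature 2: repeated ICMP Port Unreachable (type 3, code 3) for one src/dst pair."""
    counts = defaultdict(int)
    for proto, src, itype, dst, icode in rows:
        if proto == "icmp" and (itype, icode) == (3, 3):
            counts[(src, dst)] += 1
    return {k: v for k, v in counts.items() if v >= min_count}

if __name__ == "__main__":
    rows = parse_records(SAMPLE_RECORDS)
    for (src, sport, dst), n in find_udp_port_sweeps(rows).items():
        print(f"UDP sweep: {src}:{sport} -> {dst} hit {n} distinct ports")
    for (src, dst), n in find_port_unreachable_bursts(rows).items():
        print(f"ICMP port-unreachable burst: {src} -> {dst} x{n}")
```

The ordinary DNS and HTTPS rows do not trigger either rule; in practice the thresholds would be tuned to the link's normal traffic and the records would come from a flow collector or packet capture.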

Klous recommended that the best way to prevent such an attack is to conduct a security-risk assessment on a network to find out if it is vulnerable to DoS or other "back door" attacks. He said that installing an intrusion-detection "burglar-alarm" system that could detect where the cloaked master controller directing the zombie brigade is located is also a good idea.

"Hackers are always going to be in this constant spy vs. spy battlefield, and right now, companies aren't even coming close to putting a lock on their door. It's a pretty dangerous situation where critical assets of companies are being put at serious risk."

International Security Systems, in Atlanta, is in the Internet at

(Brian Fonseca is an InfoWorld reporter.)
