Real DoS Hack Victims Weren't Web Sites

BOSTON (02/11/2000) - Here's a sobering thought to end this week of hacking attacks: while attention has focused on the top-name e-commerce sites that were stunned by the denial of service (DoS) attacks, thousands of computers with constant Internet access were compromised to carry out the cyber crimes. Those computers are most likely in corporate offices, small businesses, universities and, perhaps, homes with high-speed Internet access.

"I can say with absolute confidence that the vast majority of those corporations do not know that they have been breached," said Simon Perry, director of security at Computer Associates International Inc. (CA).

In other words, many, if not most, of the computers that were actually hacked remain compromised. It is worth bearing in mind, Perry noted, that computers at Yahoo Inc., Amazon.com Inc., eBay Inc., CNN and other e-commerce and popular Internet news sites attacked this week were not the machines that were actually hacked into. Instead, hackers got into computers elsewhere and placed Trojans or zombie software in them, which were used to launch the attacks from those machines -- and whose users are probably unwittingly going about their business.

DoS attacks do not involve stealing data or compromising personal information.

Instead, hackers overload Internet sites with so much traffic that the sites cannot function and bona fide users cannot gain access. Security experts and security tools vendors have been warning that DoS attacks are likely to be on the upswing.

Computers most vulnerable to be used in DoS attacks have three characteristics, Perry said. They are turned on all of the time and connected to the Internet; they have high bandwidth access; and they are located at places like universities, small businesses, corporations and, increasingly, in homes with DSL (digital subscriber line) or cable-modem service.

Hackers scan the Internet looking for computers that are always on and then select those from which to launch attacks. The hackers don't know, and don't care, where the computers are located. All they can see is that the machines are connected all the time and have high bandwidth, Perry said.

"They exploited well-known weaknesses," Perry said of the unknown hackers. "Who knows what else they did while they were there?"

The U.S. Federal Bureau of Investigation (FBI) undoubtedly would love to answer that question. The FBI has launched an investigation into the hack attacks, and U.S. President Bill Clinton, who has made protecting the national electronic infrastructure a priority, has called for a White House summit next week to explore the issue with government and Internet officials.

In the meantime, vigilant use of antivirus software, attack detection software and the like is the only way to begin guarding against such intrusions, according to vendors and security experts, who advise users to run antivirus and intrusion detection software daily. CA and other vendors offer such tools and software, capable of checking systems for Trojans, viruses and other malicious code, and which also can tell when a computer has been attacked or when an attempted attack has been made. Such tools typically will alert system administrators that a problem has been found, and also can help to reconfigure or reroute traffic to keep a system up and running.

"These organizations that have been attacked this week have suffered revenue loss," Perry said, but perhaps worse is that "their own customers' confidence in them has been shaken. It will have a ripple effect in the whole industry as far as confidence in e-commerce and e-commerce viability."

RSA Security Inc. has been working on countermeasures for DoS attacks for two years now. The approach there holds that detection software and tools might not be enough in this age of increasingly sophisticated and large attacks.

Mathematicians and cryptographers at RSA's labs have been working on something called a "client puzzle protocol." When an attack is mounted or when network resources are being taxed to such a degree that it appears an attack is being attempted, cryptographic puzzles will be sent back to each computer requesting entry to a server. One puzzle would be sent per request, in effect, turning the flood of malicious traffic back on the computers sending it, while computers of legitimate users will be able to solve the puzzles quickly and gain access without much of a lag in connecting with the desired Internet site, explained Joe Uniejewski, RSA senior vice president of engineering.

The client puzzle approach would also mean that massive volumes of traffic sent back to unwitting computer owners would result in an increase in CPU utilization in their machines that could then alert them that they are part of a broader DoS scheme.

The client-puzzle method is expected to be built into future RSA products, and the company said today that it will offer additional details in coming months.

More information on client puzzles and cryptographic theory is available at http://www.rsasecurity.com/rsalabs/staff/ajuels/papers/clientpuzzles.pdf/.

Although tracking the cyber criminals seems a daunting task, Bill McQuaide, vice president of product marketing at RSA, said that miscreants always leave tracks.

"Eventually, you can uncover those footprints," he said.

CA, in Islandia, New York, can be reached at +1-516-342-5224 or http://www.ca.com/. RSA, in Bedford, Massachusetts, can be reached at +1-781-301-5000 or http://www.rsa.com/.

SIDEBAR

U.S. Offers Free Help Against Hackers

The U.S. National Infrastructure Protection Center (NIPC) is asking all computer network owners and organizations to "rapidly" check systems for evidence of denial of service (DoS) tools, including known vulnerabilities, TRINOO and Tribe Flood Network, or TFN and tfn2k that might have been placed on machines by hackers.

The NIPC Web site and the sites of the System Administration, Networking and Security (SANS) Institute and the Carnegie Mellon Computer Emergency Response Team Coordination Center (CERT/CC) are providing technical and other information to help network owners and administrators determine if their systems have been used in the DoS attacks. NIPC is further offering a software application at its Web site that can be used to detect known vulnerabilities.

NIPC is asking that intrusion detection be done to identify computers that have been hacked, but also to assist the U.S. Federal Bureau of Investigation (FBI) and other law enforcement agencies in their probes of the DoS attacks.

The NIPC Web site is at http://www.fbi.gov/nipc/welcome.htm/, where information about the recent DoS attacks and other threats and vulnerabilities can be found. The CERT Web site is at http://www.cert.org/. SANS is at http://www.sans.org/.

NIPC, which is part of the FBI, is asking that suspected computer criminal activity be reported to local FBI offices or to the NIPC Watch/Warning Unit, which can be reached at +1-202-323-3204, 3205 or 3206 or via e-mail at nipc.watch@fbi.gov/.

Join the newsletter!

Error: Please check your email address.

More about Amazon.comCA TechnologiesCERT AustraliaCNNComputer Emergency Response TeameBayFBIFederal Bureau of InvestigationMellonNIPCRSA, The Security Division of EMCTribeYahoo

Show Comments
[]