dcsimg
RealTime IT News

Is Scanning the Answer to Web Attacks?

While Thursday produced no confirmed instances of new denial of service attacks on major Web sites, the FBI has renewed its call for Web server operators to tighten security.

According to Ron Dick, chief of the computer investigation and operations section of the FBI's National Infrastructure Protection Center, "The key to this is prevention and implementing appropriate security measures, such that you do not allow your system to be used in these attacks and to be a contributing factor."

The FBI believes that the recent bandwidth-consumption attacks on Yahoo! Inc. (YHOO) , eBay Inc. (EBAY) , E*Trade (EGRP) and other high-profile sites may have been staged from unsuspecting third-party servers that had been previously compromised by the attackers, who then installed one of the widely available distributed denial of service (DDoS) tools.

Officials at the Computer Emergency Response Team said the federally-funded security information center normally receives three or four reports each day of bandwidth-consumption attacks. CERT also said there doesn't appear to be one specific tool or method of attack common between all the recent victims.

To detect and eradicate such DDoS remote-control utilities, last December the NIPC released a software tool, find_ddosv31, for system administrators that scans a Web server for signs of Trinoo, Tribal Flood Network, Stacheldraht, and other common DDoS programs.

Some site operators, however, have expressed reluctance to use the FBI's free scanning tool, because it has been provided only in binary executable form, without source code.

"Would you install a program which says 'The tool must be run as root' without the source code on your machine if you were the least bit concerned about the security of your machine?" wrote one contributor to INET-ACCESS, a mailing list for Internet access providers. Others are suspicious of FBI-developed software, noting that the FBI has recently pushed for laws giving it "back doors" into various communications systems. (A DDoS scanner, including C source code, authored by University of Washington software engineer Dave Dittrich, is available here.)

While the FBI utility currently scans for 10 popular DDoS programs, that's only half the number currently in circulation, according to the author of Tribal Flood Network, who goes by the hacker nickname Mixter. A 21-year-old resident of Germany, Mixter said underground authors are rewriting existing tools specifically to avoid detection by scanners such as the one from NPIC.

"That is why these tools can't be easily tracked back and people shouldn't waste time worrying about this" and instead should focus their efforts on closing well-known security holes that enable attackers to plant the DDoS tools, said Mixter.

Mixter said he developed and publicly released the source code of TFN in 1998 after attackers began to develop denial of service tools to force others off chat servers. He claimed his intent was to bring the technology out into the open, and that he isn't responsible for the recent attacks.

"I do not condone in any way the use of these tools. I wrote them to show people what could be done with them -- that was the only purpose. It had to get public and then organizations could talk to the administrators of these weak servers and fix