While Thursday produced no confirmed instances of new denial of service
attacks on major Web sites, the FBI has
renewed its call for Web server
operators to tighten security.
According to Ron Dick, chief of the computer investigation and operations
section of the FBI’s National Infrastructure Protection Center, “The key to
this is prevention and implementing appropriate security measures, such that
you do not allow your system to be used in these attacks and to be a
contributing factor.”
The FBI believes that the recent bandwidth-consumption attacks on Yahoo! Inc. (YHOO)
,
eBay Inc. (EBAY)
, E*Trade (EGRP)
and other high-profile sites may have been staged from
unsuspecting third-party servers that had been previously compromised by the
attackers, who then installed one of the widely available distributed denial
of service (DDoS) tools.
Officials at the Computer Emergency Response
Team said the federally-funded
security information center normally receives three or four reports each day
of bandwidth-consumption attacks. CERT also said there
doesn’t appear to be one specific tool or method of attack common between
all the recent victims.
To detect and eradicate such DDoS remote-control utilities, last December
the NIPC released a software tool, find_ddosv31,
for system administrators that scans a Web server for signs of Trinoo,
Tribal Flood Network, Stacheldraht, and
other common DDoS programs.
Some site operators, however, have expressed reluctance to use the FBI’s
free scanning tool, because it has been provided only in binary executable
form, without source code.
“Would you install a program which says ‘The tool must be run as root’
without the source code on your machine if you were the least bit concerned
about the security of your machine?” wrote one contributor to INET-ACCESS, a
mailing list for Internet access providers. Others are suspicious of
FBI-developed software, noting that the FBI has recently pushed for laws
giving it “back doors” into various communications systems. (A DDoS scanner,
including C source code, authored by University of Washington software
engineer Dave Dittrich, is available here.)
While the FBI utility currently scans for 10 popular DDoS programs, that’s
only half the number currently in circulation, according to the author of
Tribal Flood Network, who goes by the hacker nickname Mixter. A 21-year-old
resident of Germany, Mixter said underground authors are rewriting existing
tools specifically to avoid detection by scanners such as the one from NPIC.
“That is why these tools can’t be easily tracked back and people shouldn’t
waste time worrying about this” and instead should focus their efforts on
closing well-known security holes that enable attackers to plant the DDoS
tools, said Mixter.
Mixter said he developed and publicly released the source code of TFN in 1998
after
attackers began to develop denial of service tools to force others off chat
servers. He claimed his intent was to bring the technology out into the
open, and that he isn’t responsible for the recent attacks.
“I do not condone in any way the use of these tools. I wrote them to show
people what could be done with them — that was the only purpose. It had to
get public and then organizations could talk to the administrators of these
weak servers and fix
them,” said Mixter, who took top honors in a recent contest for articles on
the best way to defend against distributed denial of service
attacks.