Computerworld

Zombies attack networks

Hackers may often be mistaken for voodoo priests, but don't tell that to the computer "zombies" they've commanded to do their network clog-up bidding.

A new form of denial-of-service (DoS) attack caused by the trin00 and Tribe Network Flood programs has been wreaking havoc on bandwidth on a larger scale than ever before, according to Chris Klaus, founder and chief technology officer of Atlanta-based Internet Security Systems (ISS).

This DoS attack employs a simple concept: bogus packets sent from remote locations converge on the victim's IP routers, where they pile up and eventually plug the pipe. What makes this version dangerous is that the hackers gain control of as many as thousands of vulnerable "zombie" computers to magnify the assault and direct it at a single victim from all directions.

"A PING flood against a single machine may be an annoyance against someone's network, but with a thousand zombie machines, it's a thousand times stronger," Klaus said. "You can't even communicate, because your routers and your connections are filled with trash. It is known to clog the biggest [pipe], like a T3 connection."

Klaus said ISS has seen this type of attack hit university, government, e-commerce, military, and financial networks. He said that these attacks are typically Unix- and Linux-based, but the DoS can affect any machine because the bandwidth, not the host, is being targeted.

"If you can't do business, especially at this time of year, that can become costly," Klaus said. "Too many companies are jumping onto the e-commerce bandwagon without putting any thought to security."

Matt Kovar, an analyst at the Yankee Group, in Boston, said this type of DoS attack is among the hardest to discover because the distributed, dynamic source of the onslaught is not repeated from the same IP address or origin point.

Kovar said the very fact that a machine can be taken command of and used for an ulterior purpose only opens the door to more dangerous forms of Trojan horse computer manipulation to come.

"Once you figure [out] how to gain access to a lot of things, it opens a bunch of other opportunities to go out into the world," Kovar said. "The reality of the situation is some of these attacks may happen all at once or over time. You can create attacks that will recur during significant times of the day."

Klaus said ISS has received reports that this type of DoS attack is affecting everyone, from small to large companies.

Elias Levy, chief technology officer at SecurityFocus.com and moderator of Bugtraq, a computer security mailing list, said it's difficult to repair the damage and to save the good packets that routers drop amid the DoS-induced network logjam.

"You have to figure [out] who's sending those packets to you, contact them one by one, and [contact] their systems," Levy said.

"It could be hundreds of machines on the Net that are just sitting there. People might not even know they're being affected," Levy said.

Fighting DoS attacks

Use the following to prevent and combat denial-of-service attacks. Search for large numbers of User Datagram Protocol (UDP) packets that share the same source port but are sent to many different destination ports. Identify Internet Control Message Protocol (ICMP) "port unreachable" messages repeated between the same source and destination IP addresses. Block backdoor network attacks. Use intrusion detection software.
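As an added example, not part of the Computerworld article, the two traffic searches above expressed as detection logic run over constructed packet-summary lines; the one-line log format, the addresses and the alert thresholds are assumptions made for illustration, not anything ISS or the quoted sources published.

```python
import re
from collections import defaultdict

# Assumed packet-summary format (constructed for this example):
#   "udp <src_ip>:<src_port> > <dst_ip>:<dst_port>"
#   "icmp <src_ip> > <dst_ip> port-unreachable"
UDP_RE = re.compile(r"^udp (\S+):(\d+) > (\S+):(\d+)$")
ICMP_RE = re.compile(r"^icmp (\S+) > (\S+) port-unreachable$")


def detect_udp_port_spray(lines, min_ports=8):
    """Flag UDP senders whose single source port hits many destination ports.
    Returns {(src_ip, src_port): distinct_dst_port_count} over the threshold."""
    ports = defaultdict(set)
    for line in lines:
        m = UDP_RE.match(line.strip())
        if m:
            src_ip, src_port, _dst_ip, dst_port = m.groups()
            ports[(src_ip, int(src_port))].add(int(dst_port))
    return {key: len(v) for key, v in ports.items() if len(v) >= min_ports}


def detect_icmp_unreachable_burst(lines, min_count=8):
    """Flag repeated ICMP port-unreachable messages between one src/dst pair.
    Returns {(src_ip, dst_ip): count} over the threshold."""
    counts = defaultdict(int)
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            counts[m.groups()] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


# Constructed sample: a zombie at 10.0.0.5 sprays UDP at many ports on the
# victim 192.0.2.10, which answers each with ICMP port unreachable; a few
# ordinary DNS packets (same destination port each time) stay below threshold.
SAMPLE_LOG = (
    [f"udp 10.0.0.5:1024 > 192.0.2.10:{p}" for p in range(30000, 30010)]
    + ["icmp 192.0.2.10 > 10.0.0.5 port-unreachable"] * 10
    + ["udp 10.0.0.7:5353 > 192.0.2.53:53"] * 3
)

if __name__ == "__main__":
    print("UDP port spray:", detect_udp_port_spray(SAMPLE_LOG))
    print("ICMP unreachable bursts:", detect_icmp_unreachable_burst(SAMPLE_LOG))
```

The thresholds are deliberately low for the small sample; on real traffic they would be tuned per network, and the same grouping can be fed from flow exports instead of text lines.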