Zombie attacks can be stopped, but the way to do it is complicated
Shawn P. McCarthy
Distributed service-denial attacks are a high-profile threat to Internet security. They can be the most difficult threat to fend off because new tools make it easy to attack from several locations using service pirated from other people's servers.
A hacker merely sends a message to the software agent previously installed on an innocent server, without logging in or leaving tracks.
Packet deluge
A distributed attack has nothing to do with firewall security or lack thereof on the target site. It simply means that thousands of packets flood in from multiple points, overloading the target server until it cannot interact with legitimate traffic.
The most popular attack tools have cryptic names: Fapi, Shaft, Trank, Blitznet, Trinoo, Tribal Flood Network, TFN2K and Stacheldraht. Some people call them zombie agents and their activity a zombie attack. Older terms for the activity are smurfing, trinooing and fragging.
The huge attacks on major Web commerce sites in February could theoretically have been the work of just one person who set up software agents in several pirated locations, then sent a single command to all of them to start flooding particular addresses.
Service-denial tools send raw, single IP packets. They aren't connection-oriented, so it's easy to insert a false source address and make tracing very difficult.
Innocent carriers
Many of the owners of the pirated servers had no idea the zombie software was present. There will always be Web servers with sloppy security, but the government has a responsibility to prevent its hardware from being used in such attacks.
The U.S. Justice Department and the FBI recently told a Senate panel they need more money and new powers to fight Net crime. Read the details at www.senate.gov/~appropriations/commerce/hrgtest.htm
What can your network administrator do?
Look for telltale signs of service-denial traffic on your network, such as oversized packets and highly specialized control packets that could be aimed at a hidden agent.
For guidelines to anomalous traffic, read the white paper at packetstorm.securify.com/distributed/tfn3k.txt. The anomaly list is at the end. Look in that file's parent directory for more analysis papers.
If your Web site comes under attack, examine suspicious packets to see what sort of tool is used. For example, TFN2K sends a pattern of repeating A's.
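The two telltale signs mentioned above, oversized packets and a payload carrying a run of repeating A's, can be checked on raw IPv4 packets as in the following added Python example, which is not code from this article or from any tool it names. The thresholds, function names and sample packets are assumptions constructed for the illustration.

```python
import socket
import struct
from itertools import groupby

# Assumed thresholds, not taken from the article; tune them to your baseline.
MIN_A_RUN = 8            # consecutive 'A' (0x41) bytes needed to flag a payload
MAX_ICMP_PAYLOAD = 1024  # ICMP payloads larger than this count as oversized
L4_HEADER = {1: 8, 17: 8}  # fixed ICMP and UDP header sizes in bytes

def longest_run(data, value=0x41):
    """Return the length of the longest run of `value` in `data`."""
    return max((len(list(g)) for k, g in groupby(data) if k == value), default=0)

def inspect_ipv4(packet):
    """Parse one raw IPv4 packet; return its findings, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(packet):
        return None
    proto = packet[9]
    if proto == 6 and total >= ihl + 20:   # TCP: header size is in the data offset
        l4 = (packet[ihl + 12] >> 4) * 4
    else:
        l4 = L4_HEADER.get(proto, 0)
    payload = packet[ihl + l4:total]
    findings = []
    if longest_run(payload) >= MIN_A_RUN:
        findings.append("repeating-A")
    if proto == 1 and len(payload) > MAX_ICMP_PAYLOAD:
        findings.append("oversized-icmp")
    # The source address is reported as seen on the wire; it may be forged.
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "findings": findings}

def build_sample(proto, src, dst, payload):
    """Construct a test packet (checksums left at zero; they are not validated)."""
    body = bytes(L4_HEADER.get(proto, 0)) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + body

# Constructed samples using documentation address ranges, not captured traffic.
SAMPLES = [
    build_sample(17, "192.0.2.10", "198.51.100.5", b"hello world"),
    build_sample(17, "192.0.2.11", "198.51.100.5", b"c2lnbmFs" + b"A" * 16),
    build_sample(1, "192.0.2.12", "198.51.100.5", b"\x00" * 2000),
]
```

Calling inspect_ipv4 on each entry in SAMPLES returns a dictionary whose findings list is empty for the first packet and names the matched sign for the other two.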
Download copies of the zombie tools themselves to see how they work. Find blitznet at ftp://ntua.gr/pub/security/technotronic/denial/blitznet.tgz. Find pointers to variations of Trank at ftpsearch.lycos.com/cgi-bin/search?form=lycosnet&type=Case+insensitive+multiple+substrings+search&filetype=All+files&query=Trank&hits=10. Or download Stacheldraht from ftp://sunsite.cnlab-switch.ch/mirror/nessus/
Check free screening software posted by the FBI at www.fbi.gov/nipc/trinoo.htm. It looks for specific signatures within data traffic, like antivirus software on a PC.
and request a free zombie scan of your network. This site tracked down at least one of the computers used in a recent high-profile attack.
Study the ways that packet traffic gets to your server. This helps in tracing the packets upstream. Internet providers can track some types of packets if they are notified during an attack.
You must know exactly what you are screening for and then find a way to follow it back up to the next hop on the Net, which is tough when your server is bogged down from the overload.
It's nearly impossible to prepare to screen out service-denial packets ahead of time because you don't know where they will come from.
Download and install Project Zombie Zapper software for Microsoft Windows NT from packetstorm.securify.com/distributed/Project_ZombieZapper.zip. You can see the day's most popular tools for combating service denial at packetstorm.securify.com/today.shtml.
Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at smccart[email protected].