Zombie attacks can be stopped, but the way to do it is complicated

Shawn P. McCarthy

Distributed service-denial attacks are a high-profile threat to Internet security. They can be the most difficult threat to fend off because new tools make it easy to attack from several locations using service pirated from other people's servers.

A hacker merely sends a message to the software agent previously installed on an innocent server, without logging in or leaving tracks.

Packet deluge

A distributed attack has nothing to do with firewall security or lack thereof on the target site. It simply means that thousands of packets flood in from multiple points, overloading the target server until it cannot interact with legitimate traffic.

The most popular attack tools have cryptic names: Fapi, Shaft, Trank, Blitznet, Trinoo, Tribal Flood Network, TFN2K and Stacheldraht. Some people call them zombie agents and their activity a zombie attack. Older terms for the activity are smurfing, trinooing and fragging.

The huge attacks on major Web commerce sites in February could theoretically have been the work of just one person who set up software agents in several pirated locations, then sent a single command to all of them to start flooding particular addresses.

Service-denial tools send raw, single IP packets. They aren't connection-oriented, so it's easy to insert a false source address and make tracing very difficult.

Innocent carriers

Many of the owners of the pirated servers had no idea the zombie software was present. There will always be Web servers with sloppy security, but the government has a responsibility to prevent its hardware from being used in such attacks.

The U.S. Justice Department and the FBI recently told a Senate panel they need more money and new powers to fight Net crime. Read the details at

What can your network administrator do?

• Look for telltale signs of service-denial traffic on your network, such as oversized packets and highly specialized control packets that could be aimed at a hidden agent.

For guidelines to anomalous traffic, read the white paper at The anomaly list is at the end. Look in that file's parent directory for more analysis papers.

• If your Web site comes under attack, examine suspicious packets to see what sort of tool is used. For example, TFN2K sends a pattern of repeating A's.

• Download copies of the zombie tools themselves to see how they work. Find blitznet at technotronic/denial/blitznet.tgz. Find pointers to variations of Trank at Or download Stacheldraht from

• Check free screening software posted by the FBI at It looks for specific signatures within data traffic, like antivirus software on a PC.

• Visit and request a free zombie scan of your network. This site tracked down at least one of the computers used in a recent high-profile attack.

• Study the ways that packet traffic gets to your server. This helps in tracing the packets upstream. Internet providers can track some types of packets if they are notified during an attack.

You must know exactly what you are screening for and then find a way to follow it back up to the next hop on the Net, which is tough when your server is bogged down from the overload.

It's nearly impossible to prepare to screen out service-denial packets ahead of time because you don't know where they will come from.

• Download and install Project Zombie Zapper software for Microsoft Windows NT from You can see the day's most popular tools for combating service denial at
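The checklist above names four things an administrator can screen for: oversized packets, the TFN2K payload of repeating A's, a flood of single packets converging on one address from many points, and packets leaving your own network with a forged source address (the sign that one of your hosts is carrying a zombie agent). The following Python screen is an added example, not code from the article, the FBI tool or Zombie Zapper; the Packet record layout, the 192.0.2.0/24 "local" prefix, the sample traffic and every threshold (MTU, run length of A's, flood counts) are constructed assumptions for illustration.

```python
"""Screen packet records for the telltale signs the article lists:
oversized packets, TFN2K-style payloads of repeating 'A's, a flood of
packets converging on one destination from many sources, and outbound
packets whose source address is not ours (forged)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as dotted quad
    dst: str        # destination IP
    length: int     # total IP length in bytes
    payload: bytes  # application payload (may be empty)
    outbound: bool  # True if the packet is leaving our network


ETHERNET_MTU = 1500  # assumption: anything larger on the wire is worth a look
# assumption: our own address block (RFC 5737 documentation range)
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def is_oversized(pkt: Packet, mtu: int = ETHERNET_MTU) -> bool:
    """Oversized packets are one of the article's telltale signs."""
    return pkt.length > mtu


def has_repeated_a_payload(payload: bytes, min_run: int = 32) -> bool:
    """TFN2K padding shows up as a run of 0x41 ('A') bytes; require a minimum
    run (assumed threshold) so a short legitimate string of A's is not flagged."""
    if len(payload) < min_run:
        return False
    run = 0
    for b in payload:
        run = run + 1 if b == 0x41 else 0
        if run >= min_run:
            return True
    return False


def is_spoofed_outbound(pkt: Packet, local_net=LOCAL_NET) -> bool:
    """Egress check: a packet leaving our network must carry one of our own
    source addresses. Anything else is forged, which is what a zombie agent
    on a pirated host does to make tracing difficult."""
    return pkt.outbound and ipaddress.ip_address(pkt.src) not in local_net


def flood_targets(packets, min_packets: int = 8, min_sources: int = 4):
    """Destinations receiving at least min_packets inbound packets from at
    least min_sources distinct sources. Thresholds suit the toy sample; a
    real deployment counts per time window with numbers in the thousands."""
    per_dst = defaultdict(list)
    for p in packets:
        if not p.outbound:
            per_dst[p.dst].append(p.src)
    return sorted(
        dst for dst, srcs in per_dst.items()
        if len(srcs) >= min_packets and len(set(srcs)) >= min_sources
    )


def screen(packets):
    """Run every check; return packet indices (or targets) per finding."""
    findings = {"oversized": [], "tfn2k_pattern": [], "spoofed_outbound": []}
    for i, p in enumerate(packets):
        if is_oversized(p):
            findings["oversized"].append(i)
        if has_repeated_a_payload(p.payload):
            findings["tfn2k_pattern"].append(i)
        if is_spoofed_outbound(p):
            findings["spoofed_outbound"].append(i)
    findings["flood_targets"] = flood_targets(packets)
    return findings


def sample_packets():
    """Constructed traffic for the example, not a real capture."""
    pkts = [
        # ordinary web request and reply
        Packet("198.51.100.7", "192.0.2.10", 320, b"GET / HTTP/1.0\r\n\r\n", False),
        Packet("192.0.2.10", "198.51.100.7", 1400, b"HTTP/1.0 200 OK\r\n", True),
        # oversized packet
        Packet("203.0.113.9", "192.0.2.10", 4000, b"\x00" * 100, False),
        # TFN2K-style payload of repeating A's
        Packet("203.0.113.4", "192.0.2.10", 600, b"A" * 64, False),
        # one of our hosts emitting a packet with a forged source address
        Packet("10.99.99.99", "198.51.100.200", 60, b"", True),
    ]
    # ten single packets aimed at one victim from ten different sources
    for k in range(10):
        pkts.append(Packet(f"203.0.113.{100 + k}", "192.0.2.20", 40, b"", False))
    return pkts


if __name__ == "__main__":
    for name, hits in screen(sample_packets()).items():
        print(f"{name}: {hits}")
```

Each check is deliberately independent so that an operator under load can run only the one that matters (the egress check on outbound traffic costs one prefix lookup per packet). The flood check looks at destination and distinct-source counts rather than any payload, which is what remains visible when the source addresses are forged.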

Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at [email protected].
