
Are you an unwitting accomplice to DoS attacks?

posted on July 13, 2001
by hitbsecnews

You can be a cracker - no experience needed, all tools
supplied. If you don't take security seriously malicious
outsiders could use your systems to launch an attack,
writes Mike Barwise

Business people sometimes worry about what they
would do if Internet crackers attacked them, but who is
ready to face law enforcement officers at the door
suggesting that the firm has participated in an attack on
another organisation? This scenario is becoming
increasingly likely...

Copyright 2001 Reed Business Information Ltd.

Computer Weekly

SECTION: MANAGEMENT; Pg. 28

LENGTH: 1055 words

HEADLINE: ARE YOU AN UNWITTING ACCOMPLICE?

BYLINE: Mike Barwise

BODY:

Over three weeks from 4 May this year a major US Internet security research organisation - Gibson Research Corporation - was subjected to a series of crippling denial of service attacks on its Internet connection. The technical details are recounted at http://grc.com/dos/grcdos.htm and are well worth reading.

For those less technically-minded (with thanks to GRC) here is an executive summary of events and their implications for business.

The attacks on GRC used a relatively simple approach to swamp the firm's Internet connection with so much dummy traffic that no one else could get in. By working with its Internet service provider, GRC eventually managed to filter out the dummy traffic, before exercising serious ingenuity to trace the attacks to source.

Before you decide not to worry about it, let's look at how it was done and the implications for the future.

The damage was caused by distributed denial of service (DDoS) attacks which aim to swamp the victim with so much meaningless traffic that no real messages can get through. What makes this so devastating is that critical word "distributed". Attackers had implanted garbage traffic generators called bots (known as zombies to the general media), on the computers of hundreds of unsuspecting ordinary users.

Bots announce themselves to a central point of control, then sit around doing nothing much, until they are woken, in this case by a 13-year-old from Wisconsin issuing a couple of commands from his PC. This simple act unleashed about a terabyte of malicious data per day on GRC's Internet connection - about 30 times its capacity - solely because the kid in question (wrongly) thought GRC's founder had called his friends "script kiddies" in a news group posting.

It soon emerged that the child, although smart, was no all-powerful master hacker, nor the author of the tools. He had "borrowed" them from a hidden library of hundreds of similar tools, probably one of many such. Lots of kids know about these repositories, and the tools themselves are getting easier to use all the time.

While writing bots requires expert knowledge, deploying them is fairly straightforward (persuading a naive end-user to open an attachment from a spoofed e-mail is enough) and triggering them is frighteningly simple.

Although bot-generated DDoS is not new, the use of vast numbers of computers with relatively low-speed Internet connections is. Previously, much smaller numbers of very high bandwidth connections were hijacked, mostly Unix machines. The spread of cable and DSL connections has contributed to a change of strategy.

The 470-odd PCs which unwittingly participated in the attack on GRC were all running the versions of Windows then current for home users. Unlike Unix, these do not give an ordinary application raw access to the network stack, so a bot running on them cannot forge the source address of the packets it sends. That rules out the worst and least stoppable attacks: IP spoofing, which hides the true source of the flood, and SYN floods, which tie up a server's pool of half-open connections so that genuine Web requests are refused.

The only types of malicious traffic this attacker could send carried their genuine source addresses, so they were relatively easy to filter out and to trace back to the machines that sent them. So whereas in the past small numbers of sources used very devastating attack types, now we have large numbers of sources using less dangerous attacks.

But newer versions of Windows are reported to have a modified networking system that allows IP spoofing and SYN flooding. Combining the attack capabilities of Unix with the scale of the Windows client pool is a frightening threat that could materialise by the third quarter of 2001. As soon as enough computers running these operating systems are connected to the Internet, attacks like these will become unstoppable.
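The point of the last three paragraphs is that a flood whose packets carry genuine source addresses can be cut off with an address list and traced, while a spoofed flood can be neither. The following is an added example, not code from the article or from GRC's write-up; all addresses come from the RFC 5737 documentation ranges and every packet count is constructed. It simulates both kinds of flood against one victim, identifies the heavy sources the way an ISP operator would when building a blocking list, scores what that list achieves, and finally shows the one filter that does work against spoofing: ingress (BCP 38) filtering at the bots' own ISP, which drops packets whose source address is not in the customer's prefix.

```python
"""Added example: why an unspoofed flood is filterable and a spoofed one is not.

Not part of the Computer Weekly article or GRC's account. Addresses are from the
RFC 5737 documentation blocks; packet counts and sizes are constructed.
"""
from collections import Counter, namedtuple
import ipaddress
import random

Packet = namedtuple("Packet", "src dst proto nbytes attack")  # attack = ground-truth label for scoring only

VICTIM = "192.0.2.10"                                    # the attacked server (constructed)
CLIENTS = [f"198.51.100.{i}" for i in range(1, 21)]      # 20 legitimate visitors (constructed)
BOTS = [f"203.0.113.{i}" for i in range(1, 6)]           # 5 compromised broadband PCs (constructed)
BOT_ISP_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # the bots' ISP customer block (constructed)


def legitimate_traffic():
    """Each visitor fetches a few pages: 10 packets of 800 bytes."""
    return [Packet(c, VICTIM, "TCP", 800, False) for c in CLIENTS for _ in range(10)]


def unspoofed_flood():
    """Bots without raw-socket access: every packet carries the bot's real address.
    1,000 UDP packets of 1,400 bytes from each of the five bots."""
    return legitimate_traffic() + [Packet(b, VICTIM, "UDP", 1400, True) for b in BOTS for _ in range(1000)]


def spoofed_flood(seed=7):
    """Bots with raw-socket access: 5,000 SYNs, each with a randomly forged source.
    The forged source is kept outside the bots' own prefix so the ingress-filter
    result below is deterministic; a real spoofer picks addresses at random."""
    rng = random.Random(seed)
    pkts = legitimate_traffic()
    while len(pkts) < len(legitimate_traffic()) + 5000:
        forged = ipaddress.IPv4Address(rng.getrandbits(32))
        if forged in BOT_ISP_PREFIX:
            continue
        pkts.append(Packet(str(forged), VICTIM, "TCP-SYN", 60, True))
    return pkts


def heavy_sources(pkts, share=0.05):
    """Sources that each send more than `share` of all bytes aimed at VICTIM.
    With genuine addresses this recovers the bot list; with spoofing, no single
    forged address carries enough traffic to stand out, so it returns []."""
    per_src = Counter()
    for p in pkts:
        if p.dst == VICTIM:
            per_src[p.src] += p.nbytes
    total = sum(per_src.values())
    return sorted(src for src, b in per_src.items() if b / total > share)


def block_sources(pkts, blocked):
    """Upstream ACL: drop everything from `blocked`. Returns the fraction of
    attack bytes removed and of legitimate bytes that still get through."""
    blocked = set(blocked)
    kept = [p for p in pkts if p.src not in blocked]
    attack_before = sum(p.nbytes for p in pkts if p.attack)
    attack_after = sum(p.nbytes for p in kept if p.attack)
    legit_before = sum(p.nbytes for p in pkts if not p.attack)
    legit_after = sum(p.nbytes for p in kept if not p.attack)
    return {"flood_removed": 1 - attack_after / attack_before,
            "legit_kept": legit_after / legit_before}


def ingress_filter(pkts, customer_prefix):
    """BCP 38 at the bots' ISP edge: a customer link may only emit packets whose
    source lies in the customer's own prefix. Returns the packets allowed out."""
    net = ipaddress.ip_network(customer_prefix)
    return [p for p in pkts if ipaddress.ip_address(p.src) in net]


if __name__ == "__main__":
    real = unspoofed_flood()
    bots_found = heavy_sources(real)
    print("unspoofed: heavy sources =", bots_found)              # the five bots, traceable via whois
    print("unspoofed: blocking them ->", block_sources(real, bots_found))

    forged = spoofed_flood()
    print("spoofed: heavy sources =", heavy_sources(forged))      # [] - nothing to block or trace
    print("spoofed: blocking nothing ->", block_sources(forged, heavy_sources(forged)))

    attack_only = [p for p in forged if p.attack]
    print("spoofed SYNs leaving the bots' ISP under BCP 38:", len(ingress_filter(attack_only, BOT_ISP_PREFIX)))
```

The 5% threshold is deliberate: in the unspoofed case each bot carries roughly a fifth of all bytes and each genuine visitor about a tenth of a percent, so the list is clean. In the spoofed case every forged address appears once, so the same aggregation finds nothing, and the victim's only remedy is that the bots' own ISP refuses to forward packets with foreign source addresses.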

The solution is to avoid contamination by the bots in the first place. The unwitting attackers, the "co-victims", must bear the responsibility if they maintain insecure systems that can be penetrated and used by crackers. Most of the vulnerabilities that let bots, Trojan horses and viruses in result from ignorance and a lack of determination to control the problem.

Certain kinds of Internet services vastly increase the risks, so ban their use and take steps to block them. The ordinary office worker does not need applications like FTP, which transfers files to and from remote servers, or instant messaging services and chatrooms. These should be blocked at the firewall.

Clueless people opening silly-looking e-mails are a serious threat. Train them not to, and make it stick with incentives. Some personal firewalls can stop a bot talking to its controller or sending traffic out, so ensure you deploy them. Up-to-date reports on most of these threats are available from reliable sources on the Net. Study them and follow their advice.

Tools exist that test for contamination and loopholes - use them and keep them up to date. Consider whether you need that corporate operating system or browser upgrade, or whether you've just fallen for the hype. Above all, get the board, management and technical staff talking to develop a corporate security strategy that adapts promptly to the changing pattern of threats.

The bottom line is that corporate information security is not a nuisance issue to be dumped on the IT manager's desk. It must become an enterprise-wide culture involved in all strategic planning and policy-making or the boys in blue may one day turn up at your front desk.
