Information Security News mailing list archives
Specter Of Network Attacks Looms Anew
From: InfoSec News <isn () C4I ORG>
Date: Mon, 7 Aug 2000 14:53:01 -0500
http://www.zdnet.com/intweek/stories/news/0,4164,2612050,00.html

By Max Smetannikov, Inter@ctive Week
August 6, 2000 9:22 PM PT

Internet service providers and dot-coms hit by a storm of denial-of-service attacks earlier this year should brace for another onslaught, said knowledgeable security experts.

Simple Nomad, aka Mark Loveless, a senior security analyst at information management and security company BindView, unveiled a new attack blueprint at Def Con, the annual hacker convention. Held last week in Las Vegas, Def Con is billed as the place where so-called white-hat and black-hat hackers meet.

Simple Nomad, a white hat, is a leader in the field of hacker-attack methodology research. His last presentation on distributed denial-of-service (DOS) attacks, delivered in October 1999, laid out a roadmap that was followed almost exactly in February by those who struck Amazon.com, Buy.com, CNN.com, eBay, E*Trade Group, The Microsoft Network, Yahoo! and ZDNet within a 72 hour period.

"If I can imagine it, they certainly would," Simple Nomad said of the new DOS scheme he laid out. The presentation serves to warn nefarious-minded hackers that the security community is aware of their latest exploits, he said, and to tip off service providers to the new threat.

Security experts said it is hard to establish a direct link between Simple Nomad's past presentation and the attacks that followed. He seems to be knowledgeable, they said, judging by his ability to predict significant advances in hacker attack patterns.

"Maybe his particular talk did influence some people that heard it, but I doubt that it influences everybody [participating in attacks]," said Elias Levy, senior technical officer at consultancy SecurityFocus.com.

But the twisted beauty of a DOS assault is that a single perpetrator can inflict widespread damage - and be almost impossible to catch.

Searching for the guilty parties in the February attacks, authorities apprehended Mafiaboy, a Canadian youth who was later written off as a copycat, and Coolio, a New Hampshire 17-year-old who happened to deface a Web page around the same time the attacks occurred. The real masterminds of the attack are still believed to be at large.

Computer snatchers invade

According to Simple Nomad, step one is to hack into a large Internet service provider's (ISP's) system and set up a server that works as a command center and a strategic listening point. That server is then used to sniff the traffic going into and out of the network that has been marked for destruction or invasion. The goal is to find the Internet Protocol addresses of the ISP's trusted partners in order to create a packet trail that makes the partners appear to be the attackers.

"Since I am looking for an address to forge, I could go after their biggest competitor, or some foreign country - I could be pretty evil about this," said Simple Nomad.

Next, a separate computer on a different network is attacked and set up as an attack manager. With some of the distributed attack tools available, this process can be as easy as point and click. Once online, the attack manager can start attacking other computers and setting them up as assault nodes, or zombies, automatically.

What happens next is up to the hacker. If a distributed DOS attack is the goal, this architecture could be used to collect data about the target network with minimal risk of getting caught, said Simple Nomad. The attack's data trail would revolve full-circle without the location of the command center, and therefore the malicious hacker, ever being identified.

"This adds a level of complexity to the attack, and while the technique has been known for a number of years, up to now it has not been implemented on the actual tools used for a distributed denial-of-service attack," said SecurityFocus' Levy.

The audience at Def Con listened to the new layout in dead silence.

Simple Nomad stressed he has not developed a tool that would automate the process. But he did build a tool, as a proof of his concept, he said, that does two-thirds of the job. He also said that after his presentation at least three other hackers told him they have been researching distributed attack architectures for port scanning. This means, he said, that his new blueprint simply connected the dots for the benefit of the commercial Internet community before hackers were able to develop software.

Judging by the response of ISPs aware of Simple Nomad's new blueprint, preventing assaults won't be easy.

The last wave of attacks prompted large backbones to try to catalog all the addresses they use to communicate with partners and customers. If they know all of the addresses that are trusted, the logic goes, they will still be able to exchange traffic with partners and steer clear of the attacks. The process is called ingress filtering. Never mind that Simple Nomad's new blueprint compromises this initiative by enabling hackers to tap into this stream of communication for information.

Simple Nomad offered a new tool to combat such attacks, called de-spoof. The tool would detect packets suspected of being used in a circular network-attack scheme.

Kelly Cooper, Internet security officer for Genuity, indicated that de-spoofer most likely won't be of any use to Genuity, because it is designed for protecting individual hosts, not large networks. Simple Nomad concurred, indicating that research is under way to build a tool suitable for large-scale operations.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".