Return-Path: <sentto-279987-2497-1001718591-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Fri, 28 Sep 2001 16:11:07 -0700 (PDT) Received: (qmail 16816 invoked by uid 510); 28 Sep 2001 23:10:05 -0000 Received: from n26.groups.yahoo.com (216.115.96.76) by 204.181.12.215 with SMTP; 28 Sep 2001 23:10:05 -0000 X-eGroups-Return: sentto-279987-2497-1001718591-fc=all.net@returns.onelist.com Received: from [10.1.4.53] by fg.egroups.com with NNFMP; 28 Sep 2001 23:09:51 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_4_1); 28 Sep 2001 23:09:51 -0000 Received: (qmail 55978 invoked from network); 28 Sep 2001 23:09:50 -0000 Received: from unknown (10.1.10.27) by l7.egroups.com with QMQP; 28 Sep 2001 23:09:50 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta2 with SMTP; 28 Sep 2001 23:09:50 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id QAA17373 for iwar@onelist.com; Fri, 28 Sep 2001 16:09:50 -0700 Message-Id: <200109282309.QAA17373@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Fri, 28 Sep 2001 16:09:50 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:Beware.the.Pulsing.Zombies] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Beware the Pulsing Zombies By John Leyden, The Register, 9/28/2001 <a href="http://www.theregister.co.uk/content/55/21930.html">http://www.theregister.co.uk/content/55/21930.html> Distributed denial of service attacks, one of the most difficult security risks to guard against, could become even harder to detect with the development of tools that turn agents on and off during an attack. So called 'pulsing zombies' (which sounds like something from the Night of the Living Dead) will be difficult to detect as they will not be always active, making the isolation and removal of malware from infected machines even harder. Als, users may not even notice they are subject to such an attack, because it would result in service degradation, not outright failure. Pulsing Zombies Alexander Czarnowski, chief executive of Polish security firm Avnet, told the Virus Bulletin Conference in Prague today that viruses that drop pulsing zombies on vulnerable boxes can be expected as DDoS tools evolve. He singled out Doser, a Windows virus, that carries a ping flood as its payload, and the Sadmind worm, which affects Unix boxes, as examples of the direction that virus writers are taking. Email-borne worms could become used in DDoS attacks too. Intrusion detection systems (IDS), and egress filtering (to drop outgoing packets with a false IP address) at the router level can help, but are not a complete solution to the problem. For one thing IDS tools can themselves become subject to DDoS attacks via tools such as Stick. Czarnowski's presentation re-emphasised the importance of detecting DDoS components on hosts because just a few compromised boxes, carrying agents that bounce attacks off reflector servers to disguise their origin, can have a disproportionately large effect. The possible emergence of 'pulsing zombies' make disinfection more important than ever, especially since there's little sign (or hope) of a complete solution to DDoS attacks. ® ------------------------ Yahoo! Groups Sponsor ---------------------~--> Pinpoint the right security solution for your company- Learn how to add 128- bit encryption and to authenticate your web site with VeriSign's FREE guide! http://us.click.yahoo.com/yQix2C/33_CAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT