From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Mon, 26 Nov 2001 15:18:17 -0800 (PST)
Subject: [iwar] [fc:How.hack.attacks.are.getting.smarter--and.harder.to.stop]
Message-Id: <200111262318.fAQNIH506652@red.all.net>
Reply-To: iwar@yahoogroups.com
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com

How hack attacks are getting smarter--and harder to stop
By Robert Vamosi, AnchorDesk, 11/26/2001
http://dailynews.yahoo.com/h/zd/20011121/tc/how_hack_attacks_are_getting_smarter--and_harder_to_stop_1.html

Last month, without much fanfare, Carnegie Mellon University's CERT Coordination Center released a white paper on current trends in denial-of-service (DoS) attacks. While much of the report merely chronicles the alerts and warnings the organization has published over the last two years, a few pages toward the end, where the authors point out new tactics taken by malicious users, are downright troubling. For those of you who don't know, a DoS attack is an event that prevents users from accessing a Web site. It is often the result of hundreds of computers overwhelming that site with bogus traffic.

THE WHITE PAPER, written by CERT's Kevin J. Houle and George M. Weaver, as well as Neil Long and Rob Thomas, found that the means of enlisting computers (commonly known as "zombies") in this sort of attack has changed. Whereas the attack code used to be planted manually on each recruited computer, typically via a Trojan horse, recruitment is now done by self-propagating network worms. The authors distinguish three ways a worm delivers its payload. Central-source worms like Lion have each newly compromised computer fetch the hostile code over HTTP, FTP or RPC from a single central server; the authors found this model in decline. Two other models are on the rise: back-chaining worms like Ramen, in which the newly compromised computer retrieves the DoS tools from the very host that just attacked it, so the code is passed along a chain rather than from one server; and the more sinister autonomous worms like Code Red, which carry the attack code inside the exploit itself and pass it directly from victim to victim, allowing much faster infection and less opportunity for detection. The authors also noted that the zombies involved in recent attacks were less likely to be Unix or Linux machines.
Malicious users now favor Windows-based machines, which are co-opted either by blind targeting, in which the attacker indiscriminately probes every reachable system running an OS such as Windows, or by selective targeting, in which the attacker concentrates on a specific block of IP addresses.

MALICIOUS USERS ARE also starting to target network routers, the devices that transfer data between networks. Unlike personal computers and servers, routers are often outside the security policies, patching schedules and monitoring that cover end systems. Routers also do not care what data they handle, only where it is going. Because routers are the linchpins of larger networks, there is real concern that future, targeted DoS attacks on such routers could disrupt the Internet by isolating whole sections. The effect of shutting down a network router would be like closing a vital freeway between two large cities during rush hour.

I found the authors' "time-to-exploit is shrinking" argument compelling. Part of the argument is that intruder exploit tools, the software that helps malicious users take advantage of computer vulnerabilities, are no longer shared as openly on the Web as they once were. It used to be that you could find them on hacker sites without too much trouble. Less public sharing means vendors and incident response teams see fewer copies of the tools actually in use. The tools are also now equipped with anti-forensics features that make reverse engineering much harder. Together, this means it takes longer for a software vendor to understand a new attack and create a workaround or fix once a vulnerability is being exploited.

The authors also found that malicious users are now turning to Internet Relay Chat (IRC) to plan their DoS attacks and to control the networks of compromised machines that carry them out. Because so much legitimate traffic flows over IRC, the commands passing between malicious users and the machines they have infected blend in and go unnoticed. Better yet for the attacker, the IRC server itself keeps track of every client joined to the channel, so he no longer has to maintain his own list of the compromised machines in the DoS network he is building.
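The IRC observation above invites the obvious practitioner's check: the channel traffic may blend in, but a set of internal hosts all parked for hours on the same external IRC server does not look like human chat. The Python below is an added example, not code from the article or the CERT paper. It runs a simple herd-detection heuristic over constructed flow records; the flow format, the list of IRC ports, the internal address ranges and the thresholds are all assumptions chosen for the demonstration.

```python
"""Spot IRC-herded zombies in flow records (added example, constructed data).

The heuristic is an assumption of this example rather than anything in the
CERT paper: several distinct internal hosts each holding a long-lived
connection to the same external host on an IRC port is a bot-herding
signal, whatever the volume of other IRC chatter on the network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IRC_PORTS = {6667, 6668, 6669, 7000}          # assumed common IRC ports
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MIN_HOSTS = 3          # distinct internal clients before a destination is flagged
MIN_DURATION_S = 600   # bots idle in a channel for hours; short chats are ignored

# Constructed flow records: timestamp src dst dport duration_s bytes
SAMPLE_FLOWS = """\
2001-11-26T10:00:01 10.0.4.17 203.0.113.5 6667 7200 1840
2001-11-26T10:00:03 10.0.4.22 203.0.113.5 6667 7190 1760
2001-11-26T10:00:09 10.0.9.3 203.0.113.5 6667 7150 1900
2001-11-26T10:00:11 10.0.9.8 203.0.113.5 6667 7100 1820
2001-11-26T10:01:00 10.0.2.5 198.51.100.9 6667 45 3300
2001-11-26T10:02:00 10.0.2.5 198.51.100.9 80 2 12000
2001-11-26T10:03:00 10.0.7.1 192.0.2.44 7000 5400 400
"""


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, duration, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "duration": int(duration),
                      "bytes": int(nbytes)})
    return flows


def find_irc_herds(flows, min_hosts=MIN_HOSTS, min_duration=MIN_DURATION_S):
    """Group long-lived internal->external IRC flows by destination.

    Returns {(dst, dport): [internal clients]} for every destination that
    at least `min_hosts` distinct internal hosts stay connected to.
    """
    clients = defaultdict(set)
    for f in flows:
        if f["dport"] not in IRC_PORTS:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue               # only outbound connections to external servers
        if f["duration"] < min_duration:
            continue               # short sessions look like ordinary chat
        clients[(f["dst"], f["dport"])].add(f["src"])
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (dst, port), hosts in find_irc_herds(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible IRC herd at {dst}:{port}: {len(hosts)} clients {hosts}")
```

On the constructed data only 203.0.113.5:6667 is flagged: the 45-second session to 198.51.100.9 falls under the duration threshold, and 192.0.2.44 has a single long-lived client, so neither crosses the herd size. In practice the thresholds need tuning against the network's real IRC usage, and the check is worth running over destinations on non-standard ports too, since the attacker chooses the server.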
I FOUND ONE OBSERVATION missing from the report: that the original targets of the Code Red worm didn't always suffer an outage. Rather, it was the intense Web traffic produced by these worms that caused local DoS attacks on random sites. Given the success of this scattershot approach, I think in the future malicious users might settle for widespread local DoS attacks, as opposed to targeting high-profile sites such as www.whitehouse.gov.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST