By Laura B. Smith
Not everyone despaired over the Distributed Denial of Service (DDoS) attacks that hit some of the Web's biggest e-commerce sites in February. Security consultants and developers of security tools seized the opportunity to spotlight their solutions.
Simple DoS attacks are not new. During one, a hacker floods a system with packets of useless requests, making the system so busy it denies access to legitimate users. What's new are the hacker tools that enable DDoS attacks, in which a hacker uses dozens or hundreds of machines to worsen the attack. The hacker uses client software on one PC to install "zombie" or "back door" programs on other servers, which then flood a target system with useless packets. Zombie programs, including TFN (Tribal Flood Network), Trin00, TFN2K (Tribal Flood Network 2K) and Stacheldraht (Barbed Wire), arrived last fall destined for Solaris, Linux and Windows NT servers.
Until recently, most security packages designed to thwart such attacks were aimed at the Unix environment. Now, however, hundreds of programs are being designed for Windows NT, ranging from Internet Security Systems' (ISS) award-winning SAFEsuite software to BindView Corp.'s free and downloadable Zombie Zapper. Some programs scan the addresses of outgoing messages, intercepting wayward messages before they swamp a potential victim. Others allow administrators to block fake messages from entering a system, or stop the echo functions that help create the constant data flood in a DoS attack.
While the programs for NT are good news, the task of evaluating them can easily overwhelm an IS staff, according to Aberdeen Group, a consultancy in Boston. Adding pressure are unresolved issues of liability when one's computers have been compromised because of lax security. To organize efforts and provide a modicum of legal defense, leading security practitioners suggest these guidelines:
- Perform a security audit or risk assessment of critical systems using system- and network-based vulnerability tools.
- Identify and empower an Incident Response Team. Establish an Emergency Response and Escalation Plan.
- Install Intrusion Detection and Response systems.
- Examine legal liability exposure.
If systems are under attack:
- Alert your Incident Response Team.
- Contact your ISP; often, hosts can shut down your access line, stopping the attack.
- Notify CERT/CC.
- Notify law enforcement authorities at the FBI and the National Infrastructure Protection Center (NIPC).
- Monitor systems during the attack using network and host-based intrusion detection systems.
- Enable detailed firewall logging.
- Collect forensics to prosecute hackers later.
Laura B. Smith is a contributing editor based in Swampscott, Mass.
Related book Halting The Hacker, A Practical Guide To Computer Security
Author : Donald L. Pipkin
Publisher : Prentice Hall
ISBN/CODE : 013243718X
Cover Type : Soft Cover
Pages : 224
Published : Jan. 1997
When it comes to computer security, your livelihood and your company's future are on the line. It's not enough to simply follow a security "cookbook"; you need to get into the mind of your adversary, the hacker. In Halting the Hacker, a leading Fortune 500 security consultant shows you the approaches and techniques hackers use to gain access, privileges and control of your UNIX system. You'll learn to look at your system the way a hacker does, identifying potential vulnerabilities. You'll learn what specific countermeasures to take now. Even more important, you'll learn how to recognize and respond to future security concerns -- before they become catastrophes.