[ISN] Expert warns of powerful new hacker tool

From: William Knowles (wkC4I.ORG)
Date: Mon May 01 2000 - 23:06:18 CDT


http://news.cnet.com/news/0-1003-200-1798064.html?tag=st.ne.1002.tgif.1003-200-1798064?st.ne.fd.gif.e

By Stephen Shankland
Staff Writer, CNET News.com
May 1, 2000, 5:30 p.m. PT

A potent new software tool has emerged for launching attacks similar
to, but more lethal than, the ones that took down Yahoo and other
major Web sites in February.

The new tool, called "Mstream," joins Trinoo, TFN2K, Stacheldraht,
Shaft and other programs made to launch "distributed denial of
service" (DDoS) attacks.

In a DDoS attack, a programmer secretly embeds software into hundreds
or thousands of computers. At a designated command or time, infected
host computers send messages to a target computer. The volume of
messages arriving over the Internet effectively knocks out the target
server, making the Web site inaccessible to other Net surfers.

Although Mstream apparently is still in the early stages of
development, the core attack engine is more powerful than the existing
attack software tools, said Dave Dittrich, a University of Washington
computer administrator who helped in an analysis of Mstream.

One side effect of the new program is that it potentially can complete
a successful attack using fewer computers than did earlier tools. The
software "will be disruptive to the victim...even with an attack
network consisting of only a handful of agents," Dittrich said.

The new software is the latest episode in an ongoing battle between
the programmers who continually create more powerful versions of
attack tools and the companies and law enforcement officials trying to
stay a step ahead.

DDoS attacks have waned since a series of high-profile assaults in
February, but they have not ceased. AboveNet was attacked last week,
for example.

A Canadian teenager has been arrested in connection with an attack on
CNN's Web site, but it's not clear whether he was involved in the
similar attacks that brought down the FBI's Web site, Yahoo,
Amazon.com, eBay, Buy.com, E*Trade and Datek Online.

Often, the person launching an attack and the programmer who invented
the software are not associated. Instead, programmers often develop
these tools and then post them on the Web.

Mstream can hurt not only the target computer but also the network of
attacking host computers. At root is a protective technique called
"egress filtering," in which the computers try to discard the packets
sent in the attack. But egress filtering itself can burden the network
equipment of the attacking computer's Internet site.

"The lesson here is that there is no 'quick fix' to DDoS in the form
of simple technical filtering solutions," Dittrich said.

Dittrich based his analysis on a copy of Mstream found running on a
Linux computer at a major university in late April, Dittrich said. The
computer was attacking more than 12 Web sites at the time, he said.

Mstream is "in early development stages, with numerous bugs and an
incomplete feature set compared with any of the other listed tools,"
Dittrich said.

Dittrich, the victim of a 1999 DDoS attack, said he discovered Mstream
two weeks ago. He was prompted to post his analysis earlier than
planned because an anonymous person posted the 987-line program to the
Bugtraq computer security mailing list Saturday.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".