Experts warn of new-style cyber attack

Over the past six weeks, network servers have come under assault by a fundamentally new style of computer attack, said experts at the National Information Systems Security Conference in the US.

Known as "distributed co-ordinated attacks," this new style is particularly good at defeating present-day defenses against those intent on stopping Internet traffic to a particular company or Internet service -- a result known as denial of service.

"It's possible to detect the attack, but it is very hard to block it using current software," said Thomas Longstaff, senior technical researcher for Software Engineering Institute at Carnegie Mellon University, during a panel presentation Tuesday.

A garden-variety denial-of-service attack uses a single server to attempt to tie up a network's connection, denying its users access to or from the Internet. Distributed coordinated attacks, however, use hundreds or thousands of servers co-opted by a malicious programmer to tag-team a single server. Because so many servers are used, each attack can be camouflaged as a legitimate connection attempt, making it difficult for the victim's intrusion software to identify that it is under attack and impossible to identify just who is attacking.

"Typically, you block the single network address that is attacking you," said Longstaff, whose group works with the Computer Emergency Response Team Coordination Center at Carnegie Mellon. CERT/CC tracks and responds to network attacks. "By spreading out the attack over a large number of addresses, it becomes much harder to deal with."

Longstaff and others have already locked horns with intruders using the distributed coordinated method of attack. In the past six weeks, a "handful of sites" have been attacked, taking them off the Internet for an unspecified amount of time, he said. He would not give any more details. Getting the access necessary to compromise hundreds of servers is not as difficult as it sounds, said Barbara Fraser, consulting engineer to the CTO at Cisco Systems Inc. With "always on" connections to the home becoming more and more common, the number of insecure computers connected to the Internet full-time is increasing. "With the average home user knowing very little about security, this problem is going to get worse," she stressed.

In addition, hackers are more frequently automating the software used to gain access to systems through known exploits. A whole host of programs exist to scan networks connected to the Internet for previously discovered security holes that system administrators have not patched. "This method attacks the lowest common denominator in security," said CERT's Longstaff. "It will never be hard to find a thousand servers that don't have the most up-to-date patches." In fact, prevention may rely more on protecting computers from being used by malicious programmers, rather than protecting the target, he said.

Stephen Cobb, vice president of research and education for InfoSec Labs, stressed that network attackers, be they hackers or criminals bent on espionage or terrorism, have only temporarily thwarted the security software. "The security arena is a steady progression of more sophisticated attacks followed by better defenses," he said. "There is an evolution at work here."

The conference, put on by the National Institute of Standards and Technology, collects the United States' foremost professionals in network security. A glance through the attendee list shows that more than one attendee out of every 10 is an analyst for the computer-focused National Security Agency.

Take me to the Hackers news special