The danger of a mass Web attack may have been underestimated, according to experts monitoring the spread of so-called denial of service (DoS) hacking tools.
There have been numerous reports and warnings in recent weeks concerning machines being taken over for launching distributed denial of service (DDoS) attacks, and experts say new evidence shows the danger is growing.
A distributed denial of service attack forces a Web server or similar computer system offline by overwhelming it with fake traffic from many remotely controlled, or "zombie", computers. The technique does not require great expertise, is hard to trace and is especially difficult to stop.
Phillippe Bourcier, who co-maintains Cyberabuse, a site dedicated to tracking computer hacking activity, says that there has been a steady rise in recent months in the number of computers that have been compromised and fitted with popular denial of service tools such as Trinity, Tribe Flood Network and Stacheldraht. "I would say that this summer it's the first time we've seen so many boxes hacked running DDoS tools," he says.
One system administrator who contacted the renowned security mailing list Bugtraq, after discovering and disabling hundreds of machines with DDoS tools installed on them, sees trouble ahead. "I believe it has gotten worse than CERT [Computer Emergency Response Team] expected it to be," he says. "Do I believe there's another DDoS brewing? I am positive there is. The people I chat with on IRC tell me many things and I do know there's going to be more havoc."
The next major distributed Web attack is likely to have many sides to it, according to Bourcier. He says that one largely overlooked feature of many new tools is the ability to attack many machines at once, in what is called a multithreaded attack.
Trinity v3, a new tool that has recently been reported targeting IRC (Internet Relay Chat) channels in particular, supports a multithreaded attack command.
"To tell the truth, a lot has been said about Trinity and its coder's skills, but the code is not so nice," says Bourcier. "One new thing never mentioned is that it's multithreaded. So it's no more DDoS, but DDoMS, Distributed Denial of Multiple Services." The process further multiplies and complicates the impact of an attack, and Bourcier says that Cyberabuse has witnessed one client computer carrying out an IRC attack on 16 separate machines simultaneously.
The head of services at Swedish-based computer security company Defcom agrees that this is a dangerous development. "This is definitely a worry," says Spencer Pratt. "The way that the tools are being developed makes it harder for them to be stopped."
CERT issued an alert in September to warn about the number of computers that had been hacked with the same techniques and fitted with the same DDoS applications. It suggested that the situation could pose a threat to both Web sites and critical Internet infrastructure.
Although another major DDoS attack has yet to materialise, there are many who believe that another attack is just around the corner. Bourcier believes that as script kiddies' DDoS activity increases, these crackers will grow in confidence, looking towards ever larger targets. He describes this as the "Superman Syndrome" because DDoS tools effectively give an average computer superpowers.