Networks hit by co-ordinated attack

New denial of service attack involves simultaneous strikes from large number of remote machines

Further evidence of a new type denial of service (DoS) attacks with unparalleled potential for causing havoc has been uncovered by Internet Security Systems (ISS).

The attack involves co-ordinating a simultaneous DoS strike from an unusually large number of compromised and remotely controlled machines. ISS has issued an alert warning that a number of high capacity networks have already been subjected to this radical new type of onslaught.

This new approach to attacking a network was uncovered at the National Information Systems Security Conference in the US. Now, however, there is more evidence of how significant the approach is becoming.

The ISS alert describes the attack in uncompromising terms, calling it "more powerful than any previous DoS attack observed on the Internet," and adding that "ISS considers this attack as a high risk since it can potentially impact a wide number of organisations. It has proven to be successful and is difficult to defend against."

According to ISS, two exploit applications are being used particularly to formulate this sort of attack: trin00 and Tribe Flood Network (TFN).

John Hayday, director of knowledge services at ISS's X-Force research labs outlines the significance of this emerging trend in computer attack saying: "These tools are designed to take attacks a stage further. They allow someone to stand back from the machined. It is automating the process that much more."

Hayday also says that there are two ways of countering this particular style of assault. First of all it is possible to have a piece of software that will analyse traffic and recognise that you are being targeted in a co-ordinated DoS attack. Secondly, you run something on your host that will make sure you don't have broadcast agents on it. ISS is currently working on such counter-measures and estimates that an update to its Internet Scanner application will enable it to scan for such behaviour as well as TFN and trin00 will be available from 30 December.

One professional security consultant, Ian Johnston-Bryden of Oceanus security says that although this isn't a ground-breaking discovery, it does illustrate an important direction because it makes it far more difficult trace an attack efficiently. "It's certainly quite easy to put this sort of thing together," he says. "But it is very difficult to be completely sure that it is actually a denial of service attack. I'm fairly sure it's going to be used much more for political attacks on Web sites. In HM government this is something that they are becoming increasingly concerned about."

Take me to the Hackers news special