latest pawns of malicious intruders intent on launching denial of service
attacks online, an expert from Carnegie Mellon's CERT Coordination Center
warned network operators here Monday.
Attackers have begun favoring particular chunks of Internet address space
that are more likely to contain Windows machines than others, said Kevin
Houle, a researcher with the government-funded center, speaking to
approximately 600 engineers and network administrators at a meeting of the
North American Network Operators' Group (NANOG). "If I'm an intruder and
I want to install my tools on Windows machines, it's very easy to find
subsections of the network to search," said Houle.
So-called distributed denial of service (DDoS) attacks rely on an
attacker's ability to install malicious agents on a large number of
computers, and use them to simultaneously flood a victim with overwhelming
traffic. The shift from Unix machines to Windows computers began in late
2000, said Houle, and has grown noticeably in recent months.
The mechanisms for controlling large numbers of compromised boxes have
also changed, said Houle, becoming vastly more sophisticated since DDoS
attacks began in 1999. Attackers increasingly use IRC -- the Internet's
chat room systems -- to direct attacks, sometimes using domain name
records as a kind of dead drop for directing their agents to a particular
More disturbing to network operators, attackers have taken over the
machines that route and direct the flow of Internet traffic, to use them
as weapons, Houle said.
"What we see are routers with default and weak passwords being targeted,"
Houle said. After cracking a router, attackers can use it to launch
straightforward denial of service attacks against an Internet site.
Because routers can generate enough traffic to impede an end host, while
standing up well to a similar counterattack, they have become a valued platform
for cyber vandals engaged in online skirmishes in the mostly-juvenile
"If I'm an intruder and I want to be well protected against people DoSing
me, a router is somewhat better than an end host," said Houle.
The development is foreboding, Houle said, because of the possibility that
attackers could begin targeting the protocols that link routers to one
another, potentially leading to disruptions in the Internet's fundamental
infrastructure. "This is stuff that's being talked about, not just within
the security community, but also the intruder community," said Houle.
Generally, speakers at NANOG agreed that conditions haven't improved much
since February 2000, when a fifteen-year-old Canadian boy used distributed
denial of service tools to flood sites like eBay, CNN.com and Yahoo! with
traffic, knocking them offline.
In fact, attackers are now able to marshal so many machines in a DDoS
attack, that they seldom bother to tamper with the packets to disguise
their source. "If you have 200 compromised machines, it doesn't matter if
the source addresses are spoofed or not," said Jason Slagle, network
administrator at Toledo Internet Access, an Ohio ISP.

By Kevin Poulsen