Massive Denial-of-Service Attack Looming - CERT Report
Malicious hackers have hijacked hundreds of computer systems
that could be used to help wage large-scale attacks similar to those that
brought down Amazon.com, Yahoo and other high-profile Web sites
last February, according to an alert issued by the CERT Coordination
Center, a government-funded security project.
CERT warned that over the past two months it has received reports that
computer vandals are scouring the Internet for computers that have
known, widely exploited vulnerabilities, and are using those
vulnerabilities to install automated "toolkits" that let the intruder
control the affected computer and use it in an attack against another
computer or network.
Such attacks, known as distributed denial-of-service (DDoS) attacks, are
used to bring down a network by flooding it with a high volume of
traffic, and often involve hundreds of compromised computers - or
"zombies" - directed at a single network or computer simultaneously. In
the most recent incident, CERT officials recorded more than 560 hosts at
220 Internet sites around the world that unwittingly participated in a
single DDoS attack.
DDoS attacks are particularly difficult to defend against, and are often
nearly impossible to trace. The attacker(s) who launched the series of
DDoS attacks that crippled several big-name e-commerce sites in
February remain at large.
"The combination of widespread, automated exploitation of two
common vulnerabilities and an associated increase in distributed
denial of service tool installation poses a significant threat to
Internet sites and the Internet infrastructure," said CERT
Incident Response Team Leader Kevin Houle.
Houle said most of the affected hosts were running various versions
of Red Hat Linux, a distribution of the Unix-like operating system Linux.
Most of the compromised systems were running insecure default
configurations that had been enabled automatically when the systems were
installed or upgraded.
The CERT alert notes that intruders appear to be methodically searching
for vulnerable systems across large blocks of Internet address space.
CERT also said the intrusion methods in most instances were very similar,
indicating that the intruders were using downloadable "scripts" - or
short executable programs - and a set of programs called "toolkits" to
automate searches and attacks. Many of these scripts and toolkits appear
to be the same ones used in February's DDoS attacks, one CERT official
confirmed.
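The two patterns described above, a single source sweeping a block of addresses on one port and many distinct sources converging on one destination, both leave a distinctive footprint in ordinary packet-filter logs. The following Python script is an added example written for this page, not code from CERT or from the Newsbytes report: it runs two simple detectors over a constructed sample log. The log layout ("epoch source destination port"), the thresholds, and the addresses are assumptions chosen for illustration.

```python
"""Added example: flag address-block sweeps and distributed floods in a
constructed firewall-style log. Not from the CERT note or the article;
log layout, thresholds and addresses are assumed for illustration."""
from collections import defaultdict
from ipaddress import ip_address

SCAN_MIN_HOSTS = 6       # one source, this many distinct hosts on one port (assumed)
FLOOD_MIN_SOURCES = 10   # this many distinct sources on one host (assumed)
FLOOD_WINDOW = 5         # seconds over which flood sources are counted (assumed)


def parse_line(line):
    """Parse '<epoch> <src> <dst> <dport>' (assumed layout); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None


def detect_scans(events):
    """Sweep: one source touches many distinct destinations on the same port.
    Returns {(src, dport): sorted destination list} for each offender."""
    seen = defaultdict(set)
    for _ts, src, dst, dport in events:
        seen[(src, dport)].add(dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= SCAN_MIN_HOSTS}


def detect_floods(events):
    """Flood: many distinct sources hit one destination inside FLOOD_WINDOW.
    A sliding window over time-ordered hits keeps a per-source count so a
    source is only dropped once all of its hits have left the window.
    Returns {dst: peak distinct-source count} for each flooded destination."""
    by_dst = defaultdict(list)
    for ts, src, dst, _dport in events:
        by_dst[dst].append((ts, src))
    floods = {}
    for dst, hits in by_dst.items():
        hits.sort()
        start, best = 0, 0
        in_window = defaultdict(int)  # hits per source currently inside the window
        for ts, src in hits:
            in_window[src] += 1
            while ts - hits[start][0] > FLOOD_WINDOW:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= FLOOD_MIN_SOURCES:
            floods[dst] = best
    return floods


def build_sample_log():
    """Constructed sample, not a captured log: benign traffic, one sweep,
    one flood, and a malformed line that must be skipped."""
    lines = ["1000 192.0.2.10 198.51.100.50 80",
             "1003 192.0.2.11 198.51.100.50 80"]
    # one source walking 198.51.100.1-8 sequentially on a single port
    for i in range(1, 9):
        lines.append(f"{1100 + i} 203.0.113.7 198.51.100.{i} 111")
    # twelve distinct sources hitting one host within three seconds
    for i in range(12):
        lines.append(f"{2000 + i % 3} 192.0.2.{100 + i} 198.51.100.50 80")
    lines.append("garbage line")
    return "\n".join(lines)


def analyze(text):
    """Parse the log text and return (scans, floods)."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return detect_scans(events), detect_floods(events)


if __name__ == "__main__":
    scans, floods = analyze(build_sample_log())
    for (src, port), dsts in scans.items():
        print(f"sweep: {src} probed {len(dsts)} hosts on port {port}")
    for dst, n in floods.items():
        print(f"flood: {dst} hit by {n} distinct sources within {FLOOD_WINDOW}s")
```

On the sample, the sweep detector reports 203.0.113.7 probing eight hosts on port 111 and the flood detector reports 198.51.100.50 hit by twelve sources inside the window; the two benign earlier connections fall out of the window before the flood begins and do not inflate the count. In practice the thresholds need tuning to the site, and a sweep seen from your own address space is the more urgent signal, since it means one of your hosts has already been taken over.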
While the targets of such attacks can do little to defend themselves
once a flood is under way, beyond taking the targeted systems offline,
system administrators can apply the available patches and workarounds
to ensure their own systems are not being used as "zombie" attackers.
CERT is encouraging all Internet sites to check out the advisories at
http://www.cert.org/advisories/CA-2000-17.html, and
http://www.cert.org/advisories/CA-2000-13.html to ensure workarounds
or patches have been applied on potentially vulnerable hosts.
To see the CERT warning, check out
http://www.cert.org/incident_notes/IN-2000-10.html
Reported by Newsbytes, http://www.newsbytes.com
