Scared of "Zombies"? You Should Be

Hacker-launched denial-of-service attacks using hijacked computers are becoming increasingly dangerous -- but they can be stopped

By Alex Salkever

It was akin to the fire station burning down. On May 21, Web surfers trying to access the site of the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University encountered an error message. The reason? CERT had been effectively wiped from the Internet by malicious hackers who barraged it with bogus queries for information, a technique known as a denial-of-service (DOS) attack.

Like callers trying to reach a popular radio-station request line and getting the busy signal instead, those who attempted to view CERT's Web site were rewarded with nothing but error messages. For two days, CERT's staff struggled to find the source of the attack and contain the problem.


The attack on CERT is far from an anomaly. The Defense Dept., the White House, Yahoo!, Microsoft, and other big-name entities have watched helplessly as their sites went down under DOS attacks. According to a study released last week by scientists at the University of California-San Diego's supercomputing facility, more than 4,000 DOS attacks happen each week. The most sophisticated and serious last for days as dozens, hundreds, even thousands, of hijacked "zombie" computers pour forth an unceasing barrage of Web-page requests, all unbeknownst to the machines' owners.

But the situation with CERT underscores how vulnerable to DOS attacks computer networks really are. The federally funded center is one of the key organizations sending out warnings to tech companies about computer-related security hazards. Each day, thousands of systems administrators check CERT's site to see what new security flaws have cropped up. And CERT staffers perform and coordinate analysis of a wide array of pending and public Internet system vulnerabilities.

What's more, CERT's staff comprises some of the most security-savvy people in the country. Yet they were virtually helpless in the face of an attack that could have been launched from virtually anywhere on the globe.

As more and more critical functions, from international phone traffic to early-warning systems, go onto the Internet or networked systems, the potential damage from a DOS attack rises -- from lost business at Yahoo! to communications blackouts between government entities, even between countries.

How could this happen? Although the attack on CERT keyed on the unique Internet address -- also called the Internet protocol address -- of that organization's Web server, all devices that are nodes on the Internet have such a number.


That means the backbone routers used to direct massive amounts of data traffic through phone companies and Internet service providers (ISPs) each have an individual IP address, which makes them potential casualties for DOS attacks. Something similar happened on May 24, when routers for the Weather Channel were hit with a DOS attack that slowed traffic and impeded access for almost eight hours. Those routers were hosted by Exodus Communications, one of the largest hosting companies in the business.

Microsoft, too, was hit by a router DOS attack earlier this year, an assault launched after hackers figured out the IP address of one of the main Microsoft routers and then bombed it with data packets. Because a number of Microsoft sites, including Hotmail and Expedia, relied on that router for access, the entire Microsoft Network of sites was affected for days.

These scenarios are relatively mild compared to what could happen if sophisticated hackers ever figure out the IP address of a backbone router for AT&T's transoceanic traffic. That would affect not only data but voice traffic as well. "A lot of people don't realize it, but they are routing a lot of their voice traffic over those lines," explains Ted Julian, the chief strategist for Arbor Networks, which makes equipment to fend off DOS attacks. According to Julian, special equipment and software can filter and foil most nuisance hacks.


For more sophisticated attacks -- the ones where hackers take control of larger clusters of machines and generate random IP addresses with no discernible pattern -- Arbor can only try to isolate which of the main Internet connection points feeding into a network is carrying most of the DOS traffic, then cut off the data. The downside? "We would end up screening out some legitimate traffic," admits Julian.

Over time, as systems such as Arbor's become more widely deployed, controlling DOS attacks should become easier. Ideally, the key operators of Internet infrastructure and the backbone data pipes will share information about what's happening on their networks through a woven mesh of DOS-prevention systems. That information could allow them to spot attacks more quickly.

Increased cooperation is far more promising than the current approach, where network engineers for a single company, or a host, pore over reams of logged events to determine how the DOS happened and where it originated. A widespread approach would also allow network operators to more easily spot the origin of big bursts of traffic that mark a DOS attack. This capability would help alleviate the problem of sophisticated hackers generating random IP addresses that elude filters.


Equally important is getting computer users -- especially those individuals and institutions with broadband connections -- to lock down their computers. Left insecure, the machines can be turned into zombies. "A large number of vulnerable systems can easily be marshaled by an attacker to create large networks. Anyone who owns a computer needs to understand that," stresses Dave Dittrich, a network engineer and security expert at the University of Washington who maintains a Web site on DOS techniques. For now, Dittrich warns companies to maintain redundant connection points and prepare their contingency plans. (He recommends the CERT Distributed Intruder Tools Workshop final report.)

The upshot of all this? Just as Visa is making it mandatory for any merchant processing credit cards online to encrypt their databases and use firewalls, ISPs and telcos should insist that those who buy data connectivity become part of the DOS detection-and-prevention network. This could create some thorny privacy issues: Any device watching packets of data traveling over a network comes perilously close to an electronic wiretap.

Considering that the Internet is rapidly becoming the most essential communications tool in the world, securing it against DOS attacks through cooperation will benefit anyone who's connected -- and quite possibly save billions of dollars in economic damages. It may even save lives one day.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht
