DDOS: The WMD of the Net


Bombardier

DDoS - The Distributed Denial of Service attack. Quite the mouthful isn't it?

Some people just call it a "DoS" attack, as in "DoS"ing a site. As it's been shown over the last several years, it's been one of the most potent weapons used by cyber criminals on the internet. I stopped short of using the word 'hackers' because I feel that term gets misused in the media quite often.

Whenever a site gets attacked or software gets pirated, the news media always refers to the attack by "hackers". In reality, hackers have gotten a bad rap. A hacker, by definition, is someone who likes to tinker with computers and knows the ins and outs of computer systems. A 'cracker' or 'script kiddie', on the other hand, is the type of person who runs scripts to attack sites and break software. Just to make that distinction before I go on.

Back in 2000, Ebay, Yahoo, and E-Trade were among the sites completely knocked offline by DDoS attacks. I mean, those sites were inaccessible to everyone from the internet. It's a good thing the attacker bragged in chat rooms and was caught.

That is one rare instance of someone actually getting caught for doing a DDoS attack. These types of attacks cost companies millions of dollars to recover from.

From 2000 to 2004, there were numerous DDoS attacks on company and private web sites. Computer Security site GRC.com was blasted off the web on January 11th, 2002. Here is what Steve Gibson, the founder of GRC.com had to say about it:

At 2:00 AM, January 11th, 2002, the GRC.COM site was blasted off the Internet by a new (for us) distributed denial of service attack.

Perhaps the most startling aspect of this attack was that the apparent source was hundreds of the Internet's "core routers", web servers belonging to yahoo.com, and even a machine with an IP resolving to "gary7.nsa.gov". We appeared to be under attack by hundreds of very powerful and well-connected machines.

Once we determined how to block this attack and returned to the Internet, 1,072,519,399 blocked packets were counted before the attack ended.

From http://www.grc.com/dos/drdos.htm

Even last year Microsoft & their Windows Update were the targets of numerous DDoS attacks. The RIAA homepage has been hacked and DDoSed too many times to count. Even within the last few days, the Spybot Search & Destroy homepage has been being DDoSed.

After at least three days of standing up against the attacks that have already hit some other anti-spyware sites (including our support forum at Net-Integration), safer-networking.org was temporarily down last night as well, while our provider was tightening the systems to make them proof against any further attacks. We apologize for the outtime.

http://www.safer-networking.org/index.php

Cyber criminals use threats of DDoS attacks as a way to extort cash out of businesses through blackmail.

With new variants of old Microsoft Windows worms comes the possibility of new worms. Kazaa and eDonkey had better duck!

Kazaa, eDonkey brace for attack

File-sharing Web sites Kazaa and eDonkey are steeling themselves for a distributed denial-of-service attack expected Wednesday from a clutch of new variants of the NetSky worm.

NetSky.Q, which first appeared last week, is designed to attack various Web sites that distribute either file-sharing clients or hacking and cracking tools. Kazaa and eDonkey are its best-known targets, and the attack is scheduled to last for six days. However, they will get only a short break. NetSky.T, which was discovered Tuesday, is set to launch a new distributed denial-of-service (DDoS) attack on April 14. This attack is scheduled to last for 10 days.

Mikko Hypponen, director of antivirus research at F-Secure, said he expects the targets to fare badly, because they are relatively small companies that will not have the necessary infrastructure to survive a large DDoS attack. "NetSky is widespread, so I wouldn't be surprised if the sites collapse under the load," he said.

Because these versions of NetSky are engineered to attack only Kazaa and eDonkey's main Web sites, their actual file-sharing networks will not be affected. This means that people should be able to continue swapping files without disruption.

Marco Righetti, virus coordinator at Trend Labs, the research arm of antivirus firm Trend Micro, said the NetSky.Q variant may cause the targeted sites some problems but that the NetSky.T is not spreading very fast and does not look like a serious issue at the moment.

However, NetSky contains a "back door" that lets the worm be automatically transformed to a newer variant by the authors, so people who have not removed previous NetSky infections are likely to be "upgraded" to the latest version of NetSky so that their machines can join the attack.

Besides launching DDoS attacks, recent NetSky variants have also stopped trying to remove the Bagle worm from infected machines, which is a behavior exhibited by the previous 16 variants of the worm. This may indicate that a different group of programmers is writing the worm.

Messages hidden inside NetSky.Q claim that the authors do not have any "criminals inspirations," because they do not use the worm to relay spam. They also deny that they are "children" using virus toolkits and say they want to "prevent hacking, sharing of illegal stuff and similar illegal content."

But Trend Micro's Righetti dismissed this moral high ground, saying the NetSky authors are doing more damage than the sites they are attacking may be doing. "Kazaa spreads music, and the other sites spread passwords and key generators for cracking programs. The worm's authors are trying to do something they may think is morally right, but this is actually 10 times worse," he said.

Kevin Hogan, senior manager for Symantec's Security Response division, said the messages contained in NetSky should be ignored, because he suspects that the source code for NetSky is circulating within the hacker underground, such that anyone could be creating the new variants. "It's hard to tell if it is the same group of people that wrote the previous variants. The guys that are writing these worms could be pulling the wool over all our eyes," he said.

http://news.com.com/2100-7349_3-5185783.html?tag=cd.lede

Possible reasons for the rise in the amounts of DDoS attacks could be increased use of broadband internet services and increased numbers of Windows worms. One of the reasons there are so many attacks, so many worms, so many viruses, and so much spam is due to the fact that people do not secure their computers!

That's right, they run swiss-cheese unpatched Windows boxes with no firewall, no antivirus, and have broadband. It's a recipe for disaster!! A lot of them are probably not too computer savvy, so do not even know what firewalls and antivirus programs are.

According to eeye security,

EEYEB-20030910-A

Vendor: Microsoft

Severity: High

Date Reported: September 10, 2003

Estimated Number of Vulnerable Machines: 300 Million

http://www.eeye.com/html/Research/Upcoming/index.html

That's right, there are tons and tons of vulnerable Windows machines around the globe. You read that right, an estimated 300 million machines. All crackers have to do is scan ports, run their special software on the machine, and take it over. Boom! Instant spam relay, worm spreader, and zombie machine to help DDoS whoever they see fit.

It seems to me that the DDoS is the perfect crime. All the attacker has to do is avoid getting caught. If they can do that, then they get away scot-free like most of the DDoS attackers that have caused damage in the past several years. With raw-socket support enabled in Windows 2000 and XP, spoofing your IP address couldn't be easier, according to GRC.com.

The armies of zombie and vulnerable machines around the world must be stopped and locked down!! Take away the zombie and vulnerable machines, and most DDoS attacks and a lot of spam will cease to exist. Everyone who knows about network security should try to educate those who don't when practical.

It'll take a global effort to stop the cybercrime that exists on the internet today. If it is not stopped, it will only get worse.

:(
