Experts identify new denial of service tool

May 2, 2000
Web posted at: 4:13 PM EDT (2013 GMT)

(CNN) -- Two groups of security experts have obtained and analyzed a new distributed denial of service (DDoS) tool that may be more effective in jamming Web sites than current programs.

The program, called mstream, was found "in the wild" on networks at the University of Washington, Penn State and Indiana University.

While similar to other readily available DDoS tools such as Trinoo and Tribal Flood Network, mstream is reportedly more efficient than its predecessors, even in its pre-release stages. It uses a relatively new type of DDoS assault, known as a "stream" attack. Until now, only one other program has attacked in this fashion, one called stream.c. It has been out for only approximately six months and is not widely used.

The mstream source code was posted to open, unmoderated mailing lists on Saturday. This prompted a University of Washington researcher to release an analysis of the tool on Monday, earlier than he planned. The X-Force team, as the research arm of Atlanta-based Internet Security Systems is known, got hold of part of the code last Thursday and immediately posted an antidote. They released their separate analysis on Tuesday.

David Dittrich of the University of Washington saw what he called a "primitive" version of the program, still fraught with bugs and missing features common to the genre. However, a check of the engine showed that mstream needs far fewer zombie computers in order to disrupt a target.

A DDoS attack works by first surreptitiously placing client programs on a multitude of computers connected to the Internet, turning them into zombies. This can happen days or months before the attack is to occur. Then the attacker remotely triggers the client programs, assigning them a target. Those programs force their host computers to flood the target computer with data. With so much bogus data coming in, the target cannot handle legitimate traffic. To a user, the target Web site seems to be inoperable.

This sort of attack happened to several popular Web sites in February, including Yahoo!, ZDNet, Buy.com, Amazon and CNN.com. A 15-year-old Canadian boy who goes by the handle "Mafiaboy" has been arrested and awaits trial in connection with the CNN.com attack.

In a "stream" attack, the clients assault both processing time on the target host and network bandwidth. This makes for a more potent attack, requiring far fewer clients. Most other DDoS tools need several hundred or even several thousand compromised zombie computers in order to take down a target.

"The effectiveness of (mstream) means that it will still be disruptive to the victim (and agent) networks even with an attack network consisting of only a handful of agents," Dittrich wrote in the report posted on his Web site.

The X-Force currently rates "mstream" as a level 3 risk on a scale of 1 to 5. The moderate rating was given partially because the group doesn't believe the tool is being "actively used."

Also, "mstream" can only launch one type of DDoS attack. Other tools have more than one in their arsenals. Further, Chris Rouland, director of the X-Force, says it's not hard to find.

"It should be much easier to detect, because they don't use encryption for their client-to-master communications," Rouland says. Both analyses published "signature" portions of the program to aid detection.

Like other DDoS tools, it's not difficult to use.

"Anybody with a cursory knowledge of Unix could install this," Rouland says. "There's no Windows version."

The author of the code is still unknown, as it was anonymously posted to the Bugtraq and VULN-DEV computer security mailing lists. But Rouland does have one small clue.

"I know they can't spell very well," he said. "There were some really bad spelling mistakes."


