From: InfoSec News (isn@C4I.ORG)
By Max Smetannikov, Inter@ctive Week
August 6, 2000 9:22 PM PT
Internet service providers and dot-coms hit by a storm of
denial-of-service attacks earlier this year should brace for another
onslaught, said knowledgeable security experts. Simple Nomad, aka Mark
Loveless, a senior security analyst at information management and
security company BindView, unveiled a new attack blueprint at Def Con,
the annual hacker convention. Held last week in Las Vegas, Def Con is
billed as the place where so-called white-hat and black-hat hackers
Simple Nomad, a white hat, is a leader in the field of hacker-attack
methodology research. His last presentation on distributed
denial-of-service (DDoS) attacks, delivered in October 1999, laid out a
roadmap that was followed almost exactly in February by those who
struck Amazon.com, Buy.com, CNN.com, eBay, E*Trade Group, The
Microsoft Network, Yahoo! and ZDNet within a 72-hour period.
"If I can imagine it, they certainly would," Simple Nomad said of the
new DoS scheme he laid out. The presentation serves to warn
nefarious-minded hackers that the security community is aware of their
latest exploits, he said, and to tip off service providers to the new
Security experts said it is hard to establish a direct link between
Simple Nomad's past presentation and the attacks that followed. But
his record of predicting significant advances in attack patterns,
they said, shows he knows the field.
"Maybe his particular talk did influence some people that heard it,
but I doubt that it influences everybody [participating in attacks],"
said Elias Levy, senior technical officer at consultancy
SecurityFocus.com. But the twisted beauty of a DoS assault is that a
single perpetrator can inflict widespread damage - and be almost
impossible to catch. Searching for the guilty parties in the February
attacks, authorities apprehended Mafiaboy, a Canadian youth who was
later written off as a copycat, and Coolio, a New Hampshire
17-year-old who happened to deface a Web page around the same time the
attacks occurred. The real masterminds of the attack are still
believed to be at large.

Computer snatchers invade
According to Simple Nomad, step one is to hack into a large Internet
service provider's (ISP's) system and set up a server that works as a
command center and a strategic listening point. That server is then
used to sniff the traffic going into and out of the network that has
been marked for destruction or invasion.
The goal is to find the Internet Protocol addresses of the ISP's
trusted partners so that those addresses can be forged as packet
sources, leaving a trail that makes the partners appear to be the
attackers.
"Since I am looking for an address to forge, I could go after their
biggest competitor, or some foreign country - I could be pretty evil
about this," said Simple Nomad.
Next, a separate computer on a different network is attacked and set
up as an attack manager. With some of the distributed attack tools
available, this process can be as easy as point-and-click. Once
online, the attack manager can start attacking other computers and
setting them up as assault nodes, or zombies, automatically.
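Editor's added example, not Simple Nomad's proof-of-concept tool or anything shown at Def Con: what the reconnaissance step above amounts to in code. The sniffer sitting inside the ISP only needs to notice which source addresses the target answers on services it otherwise refuses; a completed handshake is evidence that the source address passed an address-based check. The trace, the target address, the port list and the record layout are all constructed for the illustration.

```python
"""Mining a sniffed trace for addresses the target trusts.

Editor's example. The flow records, the target address, the record layout
(src, sport, dst, dport, tcp_flags) and the list of address-gated services are
constructed assumptions, not data from the article.
"""
from collections import defaultdict

TARGET = "192.0.2.10"                          # constructed: network marked for attack
RESTRICTED_PORTS = {22, 23, 513, 514, 2049}    # assumption: services gated by source address

# constructed sniffer output, one tuple per packet
TRACE = [
    ("198.51.100.7", 40001, "192.0.2.10", 22, "S"),
    ("192.0.2.10", 22, "198.51.100.7", 40001, "SA"),   # target answers: peer accepted
    ("198.51.100.7", 40001, "192.0.2.10", 22, "A"),
    ("203.0.113.99", 51000, "192.0.2.10", 22, "S"),
    ("192.0.2.10", 22, "203.0.113.99", 51000, "R"),     # target refuses: not trusted
    ("198.51.100.9", 1023, "192.0.2.10", 514, "S"),
    ("192.0.2.10", 514, "198.51.100.9", 1023, "SA"),
    ("192.0.2.10", 514, "198.51.100.9", 1023, "A"),
    ("203.0.113.5", 33000, "192.0.2.10", 80, "S"),      # public web service: proves nothing
    ("192.0.2.10", 80, "203.0.113.5", 33000, "SA"),
]


def trusted_peers(trace, target, restricted_ports):
    """Return {peer_ip: set(service_ports)} for peers whose SYNs to restricted
    ports on `target` were answered with SYN/ACK. Only a SYN/ACK that matches a
    previously seen SYN (same peer, same ephemeral port, same service) counts."""
    pending = set()                 # (peer, peer_port, service_port) awaiting an answer
    accepted = defaultdict(set)
    for src, sport, dst, dport, flags in trace:
        if dst == target and dport in restricted_ports and flags == "S":
            pending.add((src, sport, dport))
        elif src == target and sport in restricted_ports and flags == "SA":
            key = (dst, dport, sport)
            if key in pending:
                accepted[dst].add(sport)
                pending.discard(key)
    return dict(accepted)


def best_address_to_forge(trace, target, restricted_ports):
    """Rank candidate source addresses by how many restricted services trust them."""
    peers = trusted_peers(trace, target, restricted_ports)
    return sorted(peers, key=lambda ip: (-len(peers[ip]), ip))


if __name__ == "__main__":
    print(trusted_peers(TRACE, TARGET, RESTRICTED_PORTS))
    print(best_address_to_forge(TRACE, TARGET, RESTRICTED_PORTS))
```

The same logic, run by the ISP over its own traffic, tells a defender exactly which address-based trust relationships a sniffer on the link would expose, which is the inventory the rest of the article is about.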
What happens next is up to the hacker. If a distributed DoS attack is
the goal, this architecture could be used to collect data about the
target network with minimal risk of getting caught, said Simple Nomad.
The attack's data trail would revolve full-circle without the location
of the command center, and therefore the malicious hacker, ever being
identified. "This adds a level of complexity to the attack, and while
the technique has been known for a number of years, up to now it has
not been implemented on the actual tools used for a distributed
denial-of-service attack," said SecurityFocus' Levy.
The audience at Def Con listened to the new layout in dead silence.
Simple Nomad stressed he has not developed a tool that would automate
the process. But he did build a tool, as a proof of his concept, he
said, that does two-thirds of the job. He also said that after his
presentation at least three other hackers told him they have been
researching distributed attack architectures for port scanning. This
means, he said, that his new blueprint simply connected the dots for
the benefit of the commercial Internet community before hackers were
able to develop software.
Judging by the response of ISPs aware of Simple Nomad's new blueprint,
preventing assaults won't be easy.
The last wave of attacks prompted large backbones to try to catalog
all the addresses they use to communicate with partners and customers.
If they know all of the addresses that are trusted, the logic goes,
they can keep exchanging traffic with partners and drop everything
else. Filtering incoming packets by source address at the network edge
is called ingress filtering; in the form documented in RFC 2827 (BCP
38), a router drops any packet whose source address could not have
legitimately originated on the link it arrived over. A trust list
alone is weaker than that: it only helps while no forged packet
bearing a trusted address can reach the target. Never mind that Simple
Nomad's new blueprint compromises this initiative by enabling hackers
to tap into this stream of communication for
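Editor's added example, not from the article or from any of the ISPs it quotes: an RFC 2827 ingress check beside a plain address-based trust list, run over constructed packets. It shows the gap the blueprint exploits: the edge filter stops a forged partner address coming from a customer link whose prefixes the router knows, but the same forged packet arriving over an unfiltered transit link sails through the trust list. The interface names, prefixes and partner addresses are assumptions.

```python
"""Ingress filtering (RFC 2827 / BCP 38) versus an address-based trust list.

Editor's example. Interfaces, prefixes, partner list and packets are
constructed; no real ISP configuration is reproduced.
"""
import ipaddress

# assumption: what an edge router knows about the sources legitimately behind
# each interface. None means "no usable constraint" (a transit or peering link).
INTERFACE_PREFIXES = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/24"],
    "peer-x": None,
}

# constructed: the trusted-partner addresses a backbone catalogued
TRUSTED_PARTNERS = {"198.51.100.7", "198.51.100.9"}


def ingress_permits(iface, src):
    """RFC 2827 check: on an interface with a known set of source prefixes,
    drop anything whose source address lies outside that set."""
    prefixes = INTERFACE_PREFIXES[iface]
    if prefixes is None:
        return True                     # nothing to check against
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def target_accepts(src):
    """The target's trust check: source address on the list, nothing else."""
    return src in TRUSTED_PARTNERS


def deliver(iface, src):
    """Walk one packet through the edge filter and then the target's trust
    list. Returns (passed_ingress, accepted_by_target)."""
    if not ingress_permits(iface, src):
        return (False, False)
    return (True, target_accepts(src))


if __name__ == "__main__":
    forged = "198.51.100.7"             # partner address learned by sniffing
    print("forged partner via filtered customer link:", deliver("cust-a", forged))
    print("forged partner via unfiltered transit link:", deliver("peer-x", forged))
    print("real partner via its own link:", deliver("cust-b", forged))
    print("ordinary customer, not a partner:", deliver("cust-a", "203.0.113.5"))
```

The trust list is only as good as the ingress filtering on every path a forged packet could take, which is why the catalog effort the article describes does not by itself stop the scheme.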
Simple Nomad offered a new tool to combat such attacks, called
de-spoof. The tool would flag packets suspected of carrying forged
source addresses in such a circular attack scheme. Kelly Cooper,
Internet security officer for Genuity, indicated that de-spoof most
likely won't be of any use to Genuity, because it is designed for
protecting individual hosts, not large networks. Simple Nomad
concurred, indicating that research is under way to build a tool
suitable for large-scale
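Editor's added example of host-level spoof detection, not the de-spoof tool itself: the article does not say how de-spoof decides a packet is forged, so the method here, comparing the hop distance implied by a suspect packet's TTL with the distance to the real owner of that address measured by a fresh probe, is an assumption, chosen because it is a common approach and shows why such a check belongs on an individual host. The probe and the network distances are simulated, and the initial-TTL table and tolerance are assumptions.

```python
"""Per-host spoof detection by TTL distance.

Editor's example. The comparison method is an assumption, not a description
of Simple Nomad's de-spoof. Network replies are simulated by a constructed
table of real hop distances from the monitored host.
"""

INITIAL_TTLS = (32, 64, 128, 255)   # assumption: common operating-system defaults

# constructed: real hop distance from the monitored host to each address
REAL_HOPS = {"198.51.100.7": 12, "198.51.100.9": 12, "203.0.113.50": 4}


def hops_from_ttl(ttl):
    """Estimate hop count from an observed TTL, assuming the sender started
    from the smallest common initial TTL not below the observed value."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL above any known initial value")


def probe_ttl(addr, initial_ttl=64):
    """Stand-in for sending a probe to `addr` and reading the TTL of the reply.
    Assumption: the real host starts from initial_ttl; the reply crosses the
    same number of hops as the real host's own packets."""
    return initial_ttl - REAL_HOPS[addr]


def looks_spoofed(src, observed_ttl, tolerance=1):
    """True if the distance implied by the suspect packet disagrees, beyond
    `tolerance` hops, with the distance measured to the real holder of src."""
    claimed = hops_from_ttl(observed_ttl)
    actual = hops_from_ttl(probe_ttl(src))
    return abs(claimed - actual) > tolerance


if __name__ == "__main__":
    partner, attacker = "198.51.100.7", "203.0.113.50"
    print("real partner, TTL 52:", looks_spoofed(partner, 52))          # 12 hops both ways
    print("forged from 4 hops, TTL 124:", looks_spoofed(partner, 124))  # 4 hops vs 12
    print("forged, initial TTL tuned to 116:", looks_spoofed(partner, 116))
```

Two caveats follow directly from the code. Each suspect packet costs an active probe, so the check cannot run at backbone line rate, which is Cooper's objection. And an attacker who knows the real partner's distance can set the initial TTL so that the implied hop count matches (the third case above passes), so the result is a suspicion, not proof.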
ISN is hosted by SecurityFocus.com