Denial-of-service attacks


http://www0.mercurycenter.com/svtech/news/top/docs/zombie012701.htm

Friday January 26, 10:25 pm Eastern Time

Web attacks show balance of power still favors crude hack

By Eric Lai

SAN FRANCISCO, Jan 26 (Reuters) - Despite a series of costly attacks that have shut down some of the Internet's best-known sites over the past year, experts say it is still easier to launch an assault like the one that stunned Microsoft this week than it is to prevent it.

In fact, the type of denial-of-service attack reported by Microsoft this week has become so routine that major sites are the regular targets of similar, more limited attacks, experts say.

``Each site that we monitor is attacked almost every single day,'' said Amit Yoran, chief executive of network security firm Riptech Inc. ``When I say the Internet is a hostile environment, it's a hostile environment.''

Denial-of-service attacks, in which a Web site is bombarded by a crippling burst of messages, are a blunt instrument in the hacker arsenal, but a proliferation of online tools has made it easier for a younger generation of hackers to use them to bring down major sites.

Meanwhile, commercial software that would intercept an attack before it could move past a crucial threshold -- providing a kind of defensive shield -- is still in development or has found a slow uptake on the Internet.

``If you're being attacked, there's not a whole lot you can do to stop it,'' said Mitch Hryckowian, head of network security for Interliant Inc., which hosts Web sites. And ``even where tools and patches are available, people aren't taking advantage of them.''

That slow response comes despite widespread industry hand-wringing following last February's crippling denial-of-service attacks on seven major Web sites, including Yahoo! Inc., eBay Inc., Amazon.com Inc., and Excite.

A Montreal 16-year-old operating under the nickname ``Mafiaboy'' last week pleaded guilty to 56 charges related to those attacks, which caused damages estimated as high as $1.7 billion in lost sales.

MICROSOFT A TARGET

Microsoft Corp. said that its Web sites were hit by denial-of-service attacks on Thursday and again on Friday morning.

In a statement, Microsoft's chief information officer said that while no customer data was compromised by the attacks, the company had not deployed ``sufficient self-defense techniques'' at what it described as the front-end of its networks.

Denial-of-service attacks have plagued the Internet since 1987, when a computer virus written by a Cornell University student crashed e-mail servers worldwide.

``This is not a new problem to the Internet. It's one of the old classics,'' said Yoran.

Distributed denial-of-service attacks, used by Mafiaboy last year, involve a hacker taking control of hundreds or thousands of ``zombie'' computers to launch an attack.

The basic technique remains the same: flood the target - either the computer hosting the Web site or a router which directs traffic - with millions of junk messages. The result: sites that slow to a crawl or refuse to download at all.

Blocking the offending traffic is no easy task. The packets are virtually indistinguishable from legitimate Internet data, and can originate from many sources. To the untrained eye, a denial-of-service attack simply looks like an increasing mob of visitors to the Web site - until it is too late.

The potential damage caused by a denial-of-service attack is increasingly disproportional to the effort involved to launch one, industry watchers said.

``It's really the most mundane'' sort of hack, said Yoran.

The proliferation of sophisticated hacker tools is now allowing ``script kiddies'' - hackers barely in their teens - to get in the game, Hryckowian said.

Universities, with their big Internet pipes and lax security policies, have been seen as favorite sources of zombie computers from which to launch attacks. But many home users - especially those with broadband connections like cable modem or digital subscriber line (DSL) - may also be unwitting accomplices.

BETTER TECHNOLOGY, STIFFER PENALTIES

Some emerging companies, like Seattle-based Asta Networks and Boston-based Mazu Networks, are bringing out products which promise better prevention of denial-of-service attacks.

Mazu, for instance, is developing hardware that builds statistical models of traffic so that when deviations occur, as in a denial-of-service attack, it can block the packets before they hit the Web servers, said Phil London, Mazu's chief executive. The hardware also keeps legitimate traffic moving through quickly - unlike many firewall-type solutions.

Others say the solution is to force the Internet service providers which unwittingly transmit the bad traffic to take some responsibility for shutting them down. But other experts doubt that ISPs have the ability to cooperate.

``ISPs are really like a highway system, they're not set up to do more than let traffic go through,'' said Yoran.

Which is why still others advocate the ultimate get-tough measure: making owners of computers repeatedly hijacked to launch denial-of-service attacks liable for damages.

``You see the government going after the perpetrator, but what about the bandwidth provider?'' London said. ``I think you'll see this tested in court this year.''

-- (news@of.note), January 29, 2001

