FBI issues software to help detect Web attacks

The FBI may not have gotten its man yet, but it has the code to save your site.

The FBI's National Infrastructure Protection Center (NIPC) has issued an alert and software that can help systems administrators detect and repel the denial-of-service attacks that brought down seven Web sites last week. Both the NIPC and the Computer Emergency Response Team initially released versions of the alerts in December.

The FBI acknowledges that the software may not identify all the mutations of the attack that can change signatures. But security analysts say detecting attacks is an essential step in stopping the intrusions.

Greg Hawkins, CEO of Buy.com Inc. in Aliso Viejo, Calif., one of the sites invaded last week, said that once an attack was confirmed, its upstream service provider, Exodus Communications Inc. in Santa Clara, Calif., moved rapidly to shift traffic from overloaded border routers and restore service.

Distributed denial-of-service attacks use networks of master and slave machines created by attackers who insert malicious code into lightly defended computers. Crackers then use those machines to coordinate planned attacks, bombarding targets with large numbers of packets that block legitimate traffic.

According to David Remnitz, CEO of Ifsec LLC, a New York-based information security firm, the scripts provided by the FBI will also help systems managers determine whether their machines are being used as slaves to launch the attacks. "If you eliminate the slaves, the masters can't launch their code," explained Remnitz, who said slave machines feeding the attack have already been identified.

But tracing spoofed packets to attacking slave machines -- and perhaps the attacker -- will require tight coordination between government and private-sector systems managers, especially those at telecommunications companies and Internet service providers.

Remnitz said site managers need to monitor their bandwidth and the type of packets traversing their networks. That will help them determine whether they have detected the signature of a distributed denial-of-service attack or have computers that are unwittingly serving as slave machines. Attack signatures can be altered and packets spoofed.

Gary Grossman, director of security research and development at Exodus, said providers need to look at how they handle customer access in and out of their networks. "There are well-known principles of filtering traffic from source addresses that don't actually come from within the network, and it's the lack of that kind of filtering that permits this kind of source-address spoofing," said Grossman.
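As an added illustration of the filtering principle Grossman describes (example code written for this page, not Exodus's or the FBI's tooling): a border router's source-address check applied in both directions to constructed sample packets. The customer prefixes, addresses and packet tuples are assumed values.

```python
import ipaddress

# Constructed sample: the address blocks a provider has assigned to one customer network.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample packets as (source, destination, protocol) tuples.
OUTBOUND_PACKETS = [  # leaving the customer network toward the Internet
    ("192.0.2.17", "203.0.113.5", "TCP"),        # legitimate: source inside the network
    ("10.9.8.7", "203.0.113.5", "UDP"),          # spoofed: private address, not assigned here
    ("198.51.100.200", "203.0.113.5", "ICMP"),   # spoofed: just outside the assigned /25
    ("203.0.113.99", "203.0.113.5", "TCP"),      # spoofed: claims the victim's own netblock
    ("198.51.100.42", "203.0.113.5", "TCP"),     # legitimate
]
INBOUND_PACKETS = [   # arriving from the Internet toward the customer network
    ("203.0.113.5", "192.0.2.17", "TCP"),        # legitimate: external source
    ("192.0.2.250", "192.0.2.17", "UDP"),        # spoofed: claims an internal source from outside
]


def source_is_internal(src, prefixes):
    """True if src falls inside one of the prefixes this network legitimately originates."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes):
    """Outbound direction: forward only packets whose source really belongs to the
    network; everything else is spoofed and is dropped at the border."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_internal(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def filter_ingress(packets, prefixes):
    """Inbound direction: a packet from the Internet can never carry one of our own
    source addresses, so such packets are dropped as spoofed."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if source_is_internal(pkt[0], prefixes) else forwarded).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    _, spoofed_out = filter_egress(OUTBOUND_PACKETS, CUSTOMER_PREFIXES)
    _, spoofed_in = filter_ingress(INBOUND_PACKETS, CUSTOMER_PREFIXES)
    for pkt in spoofed_out + spoofed_in:
        print("DROP spoofed source:", pkt)
```

Without the egress rule, the three spoofed outbound packets would leave the provider carrying forged sources, which is exactly the traffic that makes tracing a flood back to its slave machines so hard.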

Remnitz noted that some intrusion-detection tools such as one from Network Flight Recorder Inc. in Woodbine, Md., can decode packets and signatures at high speeds as they attack a site. "But the vast majority of e-commerce companies don't have packages that can decode the signatures as fast as they flood the network," said Remnitz.

Jim Ransome, director of security architecture and operations at Pilot Network Services Inc. in Alameda, Calif., which provides secure hosting services for high-profile clients, including Peoplesoft Inc., CommerceOne Inc. and Newsweek, said Pilot halts nine or 10 denial-of-service attacks per week. "This is about business as usual," said Ransome.

Pilot uses a distributed security architecture and its Heuristic Defense Infrastructure to repel distributed denial-of-service attacks, which Ransome said often topple conventional firewalls. He suggested that companies defending against such attacks conduct code reviews of their extranet environments to detect weak links created by Common Gateway Interface code written in Perl, Visual Basic Script, Java or C scripts.

"We have to nip this in the bud. We need to find out where these slaves are installed, and it will take a real hands-on effort with systems administrators," said Remnitz.

Copyright © 2000 IDG Communications, Inc.
