New Windows tools fend off denial-of-service attacks
Last week saw the release of distributed denial-of-service (DDoS) attack agents for the Windows platform, agents that had previously been known to work only on Unix and Unix-like systems. These were first discovered at James Madison University, and the news has been widely reported. But security experts say the Windows port of the tools was not really surprising.
"Nobody [in the security community] was surprised that there was a Windows port," says Carole Fennelly, a partner in Wizard's Keys Corporation and a security columnist for SunWorld magazine. "What was surprising was that it surprised everyone else."
Trend Micro was the first to release updates to its virus detection software that would eradicate such Windows-based trinoo agents as troj_trinoo and wintrinoo; other antivirus companies quickly followed. The company has also published information on how to detect and remove the Windows-based DDoS tools manually.
BindView, a company that provides administrative and security tools, has released updates to its Zombie Zapper program, a tool that helps fend off denial-of-service attacks. The program works by duplicating the command a cracker would send to the attacking DDoS agents (called zombies) to stop the packet attack. In the downloadable configuration, Zombie Zapper sends the default message zombies expect to hear from their masters when told to cease an attack.
Although Zombie Zapper hasn't yet been tried out in the field, it has performed well in simulations, according to security analyst and BindView Razor team member Mark Loveless. Loveless is also known in security circles as Simple Nomad.
The tool has been released free and accompanied by source code so that security professionals can alter the stop-attack message in cases where a cracker has altered an attack tool's default settings. The stop-attack command can be salvaged from an attack program by using disassembly or other methods. As new agents and agent messages are discovered, they will be added back into the original Zombie Zapper source tree.
Currently, Zombie Zapper can send cease-and-desist orders both to Unix- and Windows-based zombies. The tool should be downloaded in advance of an attack.
When used in conjunction with new tools such as Zombie Zapper, a solid set of security practices can do the most to protect computers from becoming unwitting dupes in DoS attacks.
Loveless explains, "For the most part, most operating systems off the shelf are insecure. You do have to go in and tweak them up a little bit," no matter what you are running.
But while security is not necessarily an operating system-specific issue, there are important OS-dependent differences to keep in mind.
"It's a lot harder to secure NT than it is to secure Unix," according to Loveless, and he says that Windows 9x is even more difficult to secure. "The main thing that users of Windows 95 and 98 can do," says Loveless, is to "make sure they keep up with antivirus software. If they are in a corporate environment, they need to be behind a firewall
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
