Last week saw the release of distributed denial-of-service (DDoS) attack agents for the Windows platform, agents that had previously been known to work only on Unix and Unix-like systems. These were first discovered at James Madison University, and the news has been widely reported. But security experts say the Windows port of the tools was not really surprising.
"Nobody [in the security community] was surprised that there was a Windows port," says Carole Fennelly, a partner in Wizard's Keys Corporation and a security columnist for SunWorld magazine. "What was surprising was that it surprised everyone else."
Trend Micro was the first to release updates to its virus detection software that would eradicate such Windows-based trinoo agents as wintrinoo; other antivirus companies quickly followed. The company has also published information on how to detect and remove the Windows-based DDoS tools manually.
BindView, a company that provides administrative and security tools, has released updates to its Zombie Zapper program, a tool that helps fend off denial-of-service attacks. The program works by duplicating the command a cracker would send to the attacking DDoS agents (called zombies) to stop the packet attack. In the downloadable configuration, Zombie Zapper sends the default message zombies expect to hear from their masters when told to cease an attack.
Although Zombie Zapper hasn't yet been tried out in the field, it has performed well in simulations, according to security analyst and BindView Razor team member Mark Loveless. Loveless is also known in security circles as Simple Nomad.
The tool has been released free and accompanied by source code so that security professionals can alter the stop-attack message in cases where a cracker has altered an attack tool's default settings. The stop-attack command can be recovered from an attack program by using disassembly or other methods. As new agents and agent messages are discovered, they will be added back into the original Zombie Zapper source tree.
Currently, Zombie Zapper can send cease-and-desist orders both to Unix- and Windows-based zombies. The tool should be downloaded in advance of an attack.
When used in conjunction with new tools such as Zombie Zapper, a solid set of security practices can do the most to protect computers from becoming unwitting dupes in DoS attacks.
Loveless explains, "For the most part, most operating systems off the shelf are insecure. You do have to go in and tweak them up a little bit," no matter what you are running.
But while security is not necessarily an operating system-specific issue, there are important OS-dependent differences to keep in mind.
"It's a lot harder to secure NT than it is to secure Unix," according to Loveless, and he says that Windows 9x is even more difficult to secure. "The main thing that users of Windows 95 and 98 can do," says Loveless, is to "make sure they keep up with antivirus software. If they are in a corporate environment, they need to be behind a firewall ... and there are even firewall products available for home use."
Fennelly agrees that personal firewalls are probably the best protection Windows users can employ. She adds that Tripwire, a sort of computer-intruder burglar alarm that has long been available for Unix and Linux, is now available for Windows NT.
"There are a lot of different things, [such as] routing and firewall rules, that are not necessarily specific to Unix," Loveless says. "These will certainly help in the NT world, and the Windows world in general."
Windows users should also follow the advice commonly given to Unix and Linux users: they should turn off unneeded services, close ports, and take other precautions to secure their computers from intrusion and misuse.
"I would advise anyone who's in a corporate environment to at least have a scanner," says Loveless. "A security scanner will scan your systems and tell you where you've got holes and flaws, and where you need to be fixing stuff. And it will do it remotely -- you can set it up and scan all your corporate systems. [BindView's] Hacker Shield isn't the only one; there are a number of others."
According to YTCracker, believed responsible for having altered several federal government Websites late last year with a message calling for better security on the part of administrators, "Users with dial-up modems aren't at risk" in the way media reports would suggest. Rather, the DDoS attack tools are more of a threat to someone, whether business or home user, who has a full-time connection to the Internet.
YTCracker has since donned a white hat and now works as a security consultant. "People -- even the casual user -- should think again about what information they put online, or in their computers, more carefully than they do now," YTCracker says.
"Users also need to be in contact with [their ISP] and make sure that their ISP is taking some kind of precautions," says Loveless. "There are things like filtering techniques that ISPs can do to help prevent a lot of this type of denial of service traffic. If the ISPs [and corporate sites] prevented outbound forged packets, [which can allow a malicious user to falsify his or her machine's IP address to avoid detection], that would kill three-fourths of this problem."
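The filtering Loveless describes is the source-address (anti-spoofing) check of RFC 2267: an edge router drops any packet whose source address is not one of the prefixes legitimately behind the interface it arrived on. The Python below is an added illustration of that check, not code from BindView or any ISP; the interfaces, prefixes and packet records are constructed (documentation address ranges).

```python
"""Source-address filtering in the style of RFC 2267 (added example).

A site or ISP edge device knows which source prefixes legitimately originate
behind each interface. A packet whose source lies outside those prefixes is a
candidate forged packet and is dropped and logged; unknown interfaces fail closed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed topology: prefixes legitimately sourced behind each interface.
ALLOWED_SOURCES: Dict[str, List[str]] = {
    "eth1": ["192.0.2.0/24"],        # customer A (documentation range)
    "eth2": ["198.51.100.0/24"],     # customer B (documentation range)
}

# Constructed packet records: (ingress interface, source IP, destination IP).
PACKETS: List[Tuple[str, str, str]] = [
    ("eth1", "192.0.2.10", "203.0.113.5"),    # legitimate
    ("eth1", "203.0.113.99", "203.0.113.5"),  # forged: source not behind eth1
    ("eth2", "198.51.100.7", "203.0.113.5"),  # legitimate
    ("eth2", "192.0.2.10", "203.0.113.5"),    # forged: customer A's address via eth2
]


def verdict(iface: str, src: str) -> str:
    """Return 'ACCEPT' if src belongs to a prefix expected on iface, else 'DROP'."""
    nets = [ip_network(p) for p in ALLOWED_SOURCES.get(iface, [])]
    addr = ip_address(src)
    return "ACCEPT" if any(addr in n for n in nets) else "DROP"


def filter_packets(packets):
    """Apply the filter; returns (accepted, dropped) lists for forwarding and alerting."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        bucket = accepted if verdict(iface, src) == "ACCEPT" else dropped
        bucket.append((iface, src, dst))
    return accepted, dropped


if __name__ == "__main__":
    _, bad = filter_packets(PACKETS)
    for pkt in bad:
        print("DROP forged-source packet:", pkt)
```

The same check, applied by a corporate site to its own outbound traffic, is the egress filtering that keeps compromised internal hosts from sending forged packets.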
But even once you are secure, your work is not done. "Keep an eye on advisories," YTCracker says. "Everyone should be up to date on security. Take care of your systems as you would your home. And separate the myths from the facts. Malicious hackers can't break in and take advantage of your systems unless you let them."
- Zombie Zapper download site, from BindView Development
- DDoS security alert, Trend Micro
- Summary information on troj_trinoo, from Trend Micro
- "Internet Connection Security for Windows Users," Steve Gibson, Gibson Research
- "Consensus Roadmap for Defeating Distributed Denial of Service Attacks," SANS Institute
- "Network Ingress Filtering: Defeating Denial of Service Attacks," RFC 2267, The Internet Society
- "TFN2K -- An Analysis," Jason Barlow and Woody Thrower, Axent Technologies
- Index of distributed attack tools, Packet Storm
- "Distributed Denial of Service Defense Tactics," BindView Razor Team, BindView Development
- "Packet Flooding Denial of Service Attacks," CERT Coordination Center
- "CERT Advisory CA-2000-01 Denial-of-Service Developments," CERT Coordination Center