Zombie attacks can be traced
- By Dan Verton
- Feb 17, 2000
The overwhelming amount of system logs that must be combed through to
locate the culprits in last week's denial of service attacks on the
Internet undoubtedly has slowed the FBI's investigation and created a
formidable obstacle to compiling forensic evidence.
But security experts say technologies are available that could have aided
the companies that found themselves the targets of such attacks, as well as
the FBI, which is now involved in a frantic search for the hackers.
Parag Pruthi, president and chief executive officer of Niksun Inc., said
his company offers a tool called Net Detector that could detect denial of
service attacks and compile a log of electronic footprints leading back to
the originator of the attack.
"It's a network security appliance that filters data in real time," Pruthi
said. "It's like a recorder.... So when something like this happens, it is
able to detect it and alert you right away, and it has all of the packets
recorded so that you can reconstruct where the hacker came from."
However, such tools have yet to be widely adopted by Internet companies.
Although the FBI has offered its own tool for companies to download, many
are skeptical of the FBI's motives because it has not released the code
behind the tool for inspection.
Paul Bresson, an FBI spokesman, said the FBI does not release the source
code so that the bureau can prevent hackers from seeing the electronic
signatures the agency looks for. "We don't want to provide a roadmap for
someone to basically penetrate any vulnerabilities that we might have," he
said.
Niksun recently installed Net Detector on a university network, similar to
the ones used as a launch pad in last week's denial of service attacks, and
tracked a hacker who compromised the university's server. "We were able to
go in and recreate where the hacker came from, how he picked the lock on
the secure server he compromised, what type of Trojan Horse he put in the
system and how he initiated a denial of service attack," Pruthi said.
More importantly, the product's recording and storage capabilities enable
companies to compile volumes of data that can later be used to make the
FBI's job of tracing the culprits more efficient, Pruthi said.
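The recorder Pruthi describes above, and the stored capture used later to trace the culprits, come down to two mechanisms: a bounded buffer that keeps every packet seen on the wire, and a rate check that raises an alert when a flood starts. The example below is an added illustration written for this page, not Niksun's Net Detector code or any FBI tool. It models a SYN flood against a single server: packets go into a ring buffer, a per-destination count of half-open SYNs over a trailing one-second window triggers the alert, and a trace function rebuilds, from the recorded packets alone, which source addresses sent the flood. The packet log is constructed inline (three ordinary clients, then five "zombie" hosts that never complete a handshake); the threshold, window and address values are assumptions chosen for the demonstration. One caveat a practitioner would want: the addresses the trace recovers are the ones on the wire. In a zombie attack those are the compromised launch-pad hosts, or addresses they spoofed, so getting from them to the originator still needs the logs kept on those intermediate networks.

```python
"""Packet recorder with SYN-flood detection and source reconstruction.

Added example for this article, not code from Niksun or the FBI. The capture
below is constructed; no real traffic is read.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str     # source address as seen on the wire (may be spoofed)
    dst: str
    dport: int
    flags: str   # TCP flags: "S" = bare SYN, "SA" = SYN-ACK, "A" = ACK


@dataclass(frozen=True)
class Alert:
    ts: float
    dst: str
    syns_in_window: int


class Recorder:
    """Keeps every packet in a bounded ring buffer and flags SYN floods."""

    def __init__(self, window_s=1.0, syn_threshold=100, capacity=1_000_000):
        self.window_s = window_s              # trailing window for the rate check
        self.syn_threshold = syn_threshold    # alert when more SYNs than this hit one dst
        self.ring = deque(maxlen=capacity)    # oldest packets are evicted when full
        self._syn_times = defaultdict(deque)  # dst -> timestamps of recent bare SYNs
        self._alerting = set()                # dsts currently above threshold
        self.alerts = []

    def record(self, pkt):
        """Store the packet; return an Alert the moment a dst crosses the threshold."""
        self.ring.append(pkt)
        if pkt.flags != "S":                  # only half-open SYNs count toward the flood
            return None
        q = self._syn_times[pkt.dst]
        q.append(pkt.ts)
        while q and q[0] < pkt.ts - self.window_s:   # drop SYNs older than the window
            q.popleft()
        if len(q) > self.syn_threshold:
            if pkt.dst not in self._alerting:        # alert once per flood, not per packet
                self._alerting.add(pkt.dst)
                alert = Alert(pkt.ts, pkt.dst, len(q))
                self.alerts.append(alert)
                return alert
        else:
            self._alerting.discard(pkt.dst)          # flood subsided; re-arm
        return None

    def trace(self, dst, start, end):
        """Rebuild from the recording which sources sent SYNs to dst in [start, end].

        Note: these are on-wire addresses. In a zombie attack they identify the
        launch-pad hosts (or spoofed addresses), not the person who directed them.
        """
        return Counter(p.src for p in self.ring
                       if p.dst == dst and p.flags == "S" and start <= p.ts <= end)


VICTIM = "192.0.2.10"                                   # assumed target address
ZOMBIES = [f"203.0.113.{n}" for n in range(1, 6)]       # assumed launch-pad hosts


def constructed_capture():
    """Constructed packet log: 3 s of normal handshakes, then a 2 s SYN flood."""
    pkts = []
    clients = ["198.51.100.5", "198.51.100.6", "198.51.100.7"]
    for i in range(30):                                 # ten full handshakes per second
        ts, c = i * 0.1, clients[i % 3]
        pkts.append(Packet(ts, c, VICTIM, 80, "S"))
        pkts.append(Packet(ts + 0.01, VICTIM, c, 80, "SA"))
        pkts.append(Packet(ts + 0.02, c, VICTIM, 80, "A"))
    for i in range(200):                                # 5 zombies x 100 SYN/s, never ACKed
        ts = 3.0 + i * 0.01
        for z in ZOMBIES:
            pkts.append(Packet(ts, z, VICTIM, 80, "S"))
    pkts.sort(key=lambda p: p.ts)
    return pkts


def run(pkts, **kw):
    """Feed a capture through a Recorder and return it for alert review and tracing."""
    rec = Recorder(**kw)
    for p in pkts:
        rec.record(p)
    return rec


if __name__ == "__main__":
    rec = run(constructed_capture())
    for a in rec.alerts:
        print(f"ALERT t={a.ts:.2f}s dst={a.dst} syns_in_window={a.syns_in_window}")
        print("sources in flood window:", rec.trace(a.dst, a.ts - 1.0, a.ts + 2.0).most_common())
```

The alert fires on the packet that pushes the one-second SYN count past the threshold, well inside the first quarter second of the flood, and `trace` then works purely from the ring buffer, which is the point of keeping full packets rather than summary counters: the evidence is there whether or not anyone was watching when the attack began.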
Other companies offer similar tools, but experts say that automating an
enterprise's intrusion detection and tracking mechanism is key to assisting
the law enforcement investigation during such incidents.
— L. Scott Tillett contributed to this story