New Denial-of-Service Tool Uncovered

A powerful new distributed denial-of-service (DDoS) tool has surfaced in as many as 400 hosts, creating a new threat of crippling cyber assaults, electronic security management firm Internet Security Systems (ISS) said Tuesday.

DDoS attacks can bring down a network by overwhelming target machines with large amounts of traffic. In February, several of the Internet’s largest and most heavily trafficked sites, including Yahoo!, Amazon.com, eBay and Buy.com, were taken down for extended periods of time by tools that, according to ISS, are similar to Trinity.

The recently discovered tool, dubbed Trinity v3 by its author, is controlled by Internet Rely Chat (IRC). In the version examined by ISS research team X-Force, Trinity was installed in a Linux system, but any system on which the Trinity agent turns up may be completely compromised, X-Force found.

It is not known how many different versions of Trinity are in existence, but according to ISS, new hosts with the agent are cropping up daily.

DDoS Tools Cause Havoc

With the potential to wreak system-wide havoc on almost any Web site, DDoS tools have generated a significant amount of concern.

The readily available tools allow hackers to invade networks and place malicious code on those systems, turning those systems into agents (also known as “zombies”). Network operators typically are unaware that these tools have been placed on their systems and unwittingly become involved in the intended crime.

“Without appropriate intrusion-detection tools in place, over 400 systems infected with zombie agents could potentially shut down any e-commerce site for an arbitrary amount of time,” X-Force director Chris Rouland told the E-Commerce Times.

Notably, according to Rouland, it is speculated that only around 100 hosts were responsible for the February shut down.

Servers are Trigger Unhappy

To activate their DDoS ability, the hacker uses either remote or internally programmed triggers, such as a command to begin an attack at a preset time, to send a disabling onslaught of data to the targeted site. The agents then act in unison to generate a high volume of traffic from several sources.

The Web server on the receiving end is duped into responding to all of the incoming traffic, believing it to be normal. However, the sheer volume of the many requests is enough to overload even the most powerful servers, thereby diminishing or denying their ability to complete service with legitimate users.

Throughout the attack, the hacker program falsifies the origin of its malicious data sources by using fictitious or spoofed Internet Protocol addresses. This process not only makes it difficult to track down the hacker’s identity, but also limits the ability of the sophisticated network security software to thwart such acts of cyber sabotage.

E-Commerce Sites Vulnerable

While such an attack could be harmful to all sites, the impact on Internet marketers might prove to be financially disastrous since unimpeded service is critical to their ability to conduct business.

The potential impact of the tools, if deployed, could be most acutely felt during the upcoming holiday season, said Rouland. A large e-tailer that is knocked out of commission for a day during that period could lose tens of millions of dollars in revenue.

“It seems like IRC operators are taking an initiative and contacting sites that are infected with Trinity,” Rouland added.

Precautions Only Go So Far

According to Carnegie Mellon University’s Computer Emergency Response Team, denial-of-service attacks can generally be handled by actively maintaining system security, implementing up-to-date patches for known vulnerabilities and preparing for extended network or system outages.

However, even these precautions might not be enough to prevent the attacks, according to Michael A. Vatis, director of the FBI’s National Infrastructure Protection Center.

“In the cyber equivalent of an arms race, exploits evolve as hackers design variations to evade or overcome detection software and filters,” Vatis explained to a U.S. Senate judiciary committee earlier this year. “Even security-conscious companies that put in place all available security measures therefore are not invulnerable.”