Denial-of-Service Attack Threats Still Loom

BALTIMORE, MARYLAND -- The types of massive distributed denial-of-service (DDOS) attacks that knocked several big e-commerce Web sites out of action earlier this year remain a viable threat that could grow even more sophisticated, according to experts at this week's government-sponsored National Information Systems Security Conference here.

DDOS attacks entered the public consciousness last February, when commercial sites belonging to EBay, Buy.com, and other companies were attacked with an overwhelming flood of network traffic. (See "FBI, Industry Scramble to Stop Hack Attacks.")

Speaking at this week's conference, Tom Longstaff, manager of research and development at Carnegie Mellon University's CERT Coordination Center security advisory service, says such attacks haven't disappeared, and he warns that their severity could increase.

In a DDOS attack, an intruder breaks into a system and turns it into a "zombie," then uses that machine to target Web servers run by other companies. There are now indications that worm programs are being used to automatically propagate large numbers of zombies, Longstaff warns. A DDOS attack utilizing a worm will spread "much more quickly, and it is much more difficult to trace back to the intruder," he says.

Longstaff and other experts at the conference--which was sponsored by the National Institute of Standards and Technology and the National Security Agency's National Computer Security Center--say there currently are no adequate mechanisms for stopping DDOS attacks.

Disgruntled Employees Are Threat

But the major concern among some attendees of the annual event remains not the criminal hacker from outside a company or government agency, but the "insider" threat from disgruntled employees. All the attention being given to external threats may be affecting the ability of some agencies to respond to ones from insiders, according to Lee Brandt, a network security officer at the Washington-based Federal Railroad Administration.

"The internal threat is still the big threat," Brandt says. But he adds that Congress "unfortunately is concentrating on the external threat." Brandt says he worries that funding to address internal security matters will be de-emphasized by policy makers as a result.

The biggest threats to corporate systems are from other countries, competitors, or insiders, says Jeff Moss, a security consultant and the founder and organizer of Def Con, the annual underground convention attended by hackers, security experts and law enforcement officials. (See "The Worst Web Threats.")

"You can't be a lone computer hacker and try to fence stolen information," Moss says. "Hackers are great at technology; they're not great at being criminals."

But information technology managers also share some of the blame for the risks their companies face, security experts say.

The number-one problem in security today is still [IT staffs] that do not keep their systems up to date," says Michel Kabay, a computer security expert at consulting firm Atomic Tangerine. "Most [security] exploits use known vulnerabilities, and most known vulnerabilities have known fixes, and they are free. The problem lies in organizations where security is not yet assigned a high priority."