December 20, 1999 1:30 PM PST
Computer security teams brace for attacks
Concern is mounting that the two malicious programs, called Tribe Flood Network and Trinoo, will show their colors in coming weeks. Experts fear that the holidays are a likely time, because computer administrators on vacation will be harder to locate and likely won't be paying as much attention to systems under their control.
In addition, some suggest attackers are likely to strike in the midst of confusion that people expect with the arrival of the Year 2000 computer problem.
Tribe and Trinoo also may be more powerful than previous programs of the same kind. The duo, which started appearing in recent months, "are a step above what has happened before," according to Dave Dittrich, a computer security technician at the University of Washington who wrote analyses of the programs.
When installed onto hundreds or thousands of computers, the programs simultaneously bombard a select point on the Internet. If the information from the attackers comes fast enough, the target computer freezes up.
Flooding attacks such as Tribe and Trinoo are examples of so-called denial-of-service attacks, a method that's been around as long as there have been networks to inundate. Launching attacks from several computers has been tried before, too, for example with the "Smurf" attacks of last year.
But Tribe and Trinoo give a new level of control to the attacker, and they are being improved, Dittrich said.
Moreover, because the origin of the program is obscured, it's hard to counteract, said Quinn Peyton of the Computer Emergency Response Team (CERT) at Carnegie Mellon University.
"There are machines now sitting there, prepared to attack somebody else," Peyton said. "Now one person can do a massive denial-of-service."
CERT warns that the Trinoo and Tribe attack tools "appear to be undergoing active development, testing and deployment on the Internet."
Tribe Flood Network and Trinoo launch their attacks from a host of innocent computers that already have been broken into. Then, on a signal from a master computer, the computers simultaneously bombard the victim machine with packets of information so fast that it becomes unresponsive. At that point, the target computer won't respond to commands and can't be taken off the network.
To monitor computer attacks and vulnerabilities, the FBI in 1998 set up an office called the National Infrastructure Protection Center (NIPC). Although FBI officials did not comment on the Tribe or Trinoo attacks, the FBI is holding a news conference tomorrow about Y2K issues, a spokesman said.
"There's a lot of paranoia for the Y2K stuff," said David Crawford of the Energy Department's Computer Incident Advisory Capability.
CIAC is working hard to prepare a description of how to identify Trinoo and Tribe in the next few days. "We're looking for a unique signature that will identify these types of attack," he said.
Dittrich might know. He had to respond when 27 computers at his university were among 227 that attacked the University of Minnesota during three days in August.
"I was having a hard time finding all the people and getting all the systems cleaned up," he said, and that was just for a small fraction of the systems involved.
"During that time, their network was pretty much unusable for 100,000 users," Dittrich said. "There isn't much of a defense against these denial-of-service attacks."
University of Washington computers also were used for attacks on computers in France, Norway and Australia, he said.
The attack software was installed primarily on computers using Sun Microsystems' Solaris and Linux--both variations of the Unix operating system. To break into those computers, the intruder took advantage of known vulnerabilities that allowed him or her to take almost complete control of a computer and then erase his or her tracks, Dittrich said.
"The core message is that people who have systems on the Internet need to know how to deal with them," Dittrich said. "You can't expect your computer to be running for years, like a microwave. It's more like a really expensive car, where you've got to be taking it in for maintenance all the time."
In the attack on the University of Minnesota, 114 of the 227 attacking systems were part of Internet 2, a higher-speed successor to the current Internet. Using Internet 2 was important, because its higher-speed network can deliver more volleys in the denial-of-service attack.
"Whoever has the bigger pipe wins," Dittrich said.