6.1 The Threat

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Table of Contents
Chapter 6.  Trojans and Worms


The following is a July 1999 email excerpt from a user who decided to monitor a hacker channel dedicated to Back Orifice activity.

I went into IRC one night last August and looked for people that were playing with Back Orifice. I found them. It was a carnival-like atmosphere. People were swapping compromised IP addresses, they were offering/asking for different kinds of information, such as porn, credit card numbers, shell accounts, dialup accounts, etc. I logged these channels for a few months. I saw hundreds, if not thousands, of machines popping into IRC to advertise their invasion. You would also see people that were building up private networks of compromised machines.

The writer, O'Neil Brooke, went on to warn people that their networks could be compromised and to watch out for professionally sponsored "info-wars" in which combatants use innocent machines and networks as launching points for further attacks.

In February 2000, that warning became a reality. Many large, popular web sites, including Amazon, Yahoo, E*TRADE, and the FBI, were significantly impaired by coordinated denial of service attacks launched from hundreds to thousands of compromised computers and routers. Each compromised machine contained a hacker program that waited for a predefined command and then began sending thousands of bogus network packets to overwhelm the target web sites. The web servers became so busy responding to bogus traffic that they could no longer service legitimate customers. The attacks were timed for the busiest hours of the day to do the most commercial damage possible. The coordinated attacks kept coming every day and night, against different sites, for two to three weeks. Fortunately, each attack lasted only a few hours at a time.

Most denial of service attacks are relatively easy to stop. Network administrators use their router logs to find out what IP address the attack is coming from, and then deny all traffic from that address. The hacker's ISP can be contacted and his account disabled. Unfortunately, in this case, the attacks were coming from hundreds of networks, from computers that had been compromised without their owners' knowledge. Putting in enough filters to stop the attack traffic would have interrupted too much legitimate business, and ISPs don't want to disable innocent users' accounts.

The attacks were being perpetrated by a hacker program called Trin00 Flood. The utility, available in Unix and Windows versions, is uploaded to a compromised machine. It contains dozens of predefined events that can be set off by a single command. The initiating hacker can sit back and send out one command that tells all the compromised machines to begin attacking a single target all at once. Compromised computers and routers were found everywhere. Under-utilized computers at universities were a popular host. Home computers with a high-speed connection to the Internet (i.e., cable modem or DSL) were also used. The Trin00 Flood attack program had been discovered and thoroughly documented almost a year before the attacks took place. Most of the nation's security organizations warned about the new type of attack months before it occurred. During the turn of the century, the NTBugTraq mailing list was more concerned about the distributed attack threat than about Y2K.
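The two preceding paragraphs contrast a flood that a router-log check can answer with a few deny rules against one spread over hundreds of compromised hosts, where per-address filtering would cut off legitimate users. The following added example (not code from the book) runs that triage over constructed log lines: it counts packets per source address and reports whether a handful of addresses carry the flood or whether the traffic is distributed. The log format, the sample addresses and the thresholds are all assumptions made for this illustration; adapt `parse_sources()` to the fields your own router or firewall actually exports.

```python
"""Added example, not from the book: triage of a constructed router log to
tell a single-source flood (answerable with a few deny rules) from a
distributed one (where per-address filtering would also cut off legitimate
users).  The log format is invented for this example; adapt parse_sources()
to the fields your router or firewall actually exports."""
from collections import Counter
import re

# Constructed samples: (source address, packets logged from it).
SINGLE_SOURCE_SAMPLE = [
    ("203.0.113.7", 500),    # one host hammering the web server
    ("192.0.2.44", 5),       # ordinary visitor
    ("198.51.100.99", 3),    # ordinary visitor
]
DISTRIBUTED_SAMPLE = (
    [(f"192.0.2.{i}", 4) for i in range(1, 101)]      # 100 compromised hosts
    + [(f"203.0.113.{i}", 4) for i in range(1, 101)]  # 100 more, elsewhere
)

# Matches the source field of the hypothetical log format used below.
LINE_RE = re.compile(r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def make_log(packet_sources):
    """Build constructed log text, one line per packet, in the hypothetical
    'timestamp src=... dst=... proto=... dport=...' format used here."""
    lines = []
    for src, n in packet_sources:
        for i in range(n):
            lines.append(f"2000-02-09T10:00:{i % 60:02d} src={src} "
                         f"dst=198.51.100.10 proto=TCP dport=80")
    return "\n".join(lines)


def parse_sources(log_text):
    """Count logged packets per source address, skipping unparseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def classify_flood(counts, top_n=3, share_threshold=0.8, min_share=0.05):
    """Decide whether per-address filtering is a workable response.

    If the busiest `top_n` addresses carry at least `share_threshold` of all
    packets, the flood is effectively single-source: return those addresses
    (each carrying at least `min_share` on its own) as filter candidates.
    Otherwise the traffic is spread too thinly to block by address.
    Returns (kind, addresses_to_filter)."""
    total = sum(counts.values())
    if total == 0:
        return ("none", [])
    top = counts.most_common(top_n)
    if sum(n for _, n in top) / total >= share_threshold:
        return ("single-source", [ip for ip, n in top if n / total >= min_share])
    return ("distributed", [])


if __name__ == "__main__":
    for label, sample in (("single", SINGLE_SOURCE_SAMPLE),
                          ("distributed", DISTRIBUTED_SAMPLE)):
        counts = parse_sources(make_log(sample))
        kind, to_filter = classify_flood(counts)
        print(f"{label}: {len(counts)} sources, {sum(counts.values())} packets "
              f"-> {kind}, filter {to_filter}")
```

On the single-source sample the top address carries almost every packet and is the only filter candidate; on the distributed sample the three busiest addresses together carry under two percent of the traffic, which is exactly why the administrators described above could not filter their way out of the problem. The thresholds are starting points, not tuned values; the useful output is the shape of the source distribution, not any particular number.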

The attacks shook the nation to its core. Attorney General Janet Reno went public and promised swift justice. President Clinton held a special meeting with many of the world's top security experts to find out what the nation could do to prevent these types of attacks. The FBI and all the major Internet security resources responded, but everyone, including Reno, publicly stated that the nature of these attacks would make it difficult to track down the original culprits. Indeed, many months later, one lone teenager was arrested and charged with several crimes. But everyone involved knows the sophisticated attacks could not have been perpetrated by just one person, much less a teenager. Or could they have been?

Since the teenager's arrest, the largest attacks have virtually ceased. It took someone very knowledgeable in Unix and networks to write the original Trin00 Flood program, but the tools needed to initiate an attack are easy enough for any hacker wannabe to use. Just download the appropriate program, attach it to a joke program, and send it around the Internet. Within days, you are guaranteed to break into hundreds of machines. Most of the largest successful attacks on global networks have been perpetrated by worms and Trojans.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176