A May 5, 2001 advisory from NIPC (National Infrastructure Protection Center) reported an increase in “distributed denial of service” (DDOS) attacks around the country. In fact, even whitehouse.gov was laid low by such an attack on Friday, May 4. (For more information, please see http://www.cnn.com/2001/TECH/internet/05/08/dos.warning.idg/index.html)
Ordinary DOS attacks involve keeping a computer or network device so busy handling spurious requests that the device becomes unable to manage the business for which it is intended. Sometimes these attacks are launched from a computer directly under the control of an attacker. Other times the attack is indirect, where a hacker takes control of a remote computer and uses it to launch an attack. (This intermediate computer is called a Zombie). Distributed DOS goes one step further by using a fleet of Zombies to launch coordinated streams, or to send many small bursts so that no one Zombie is easily noticed. (More can be found at http://www.staff.washington.edu/dittrich/misc/ddos/elias.txt)
NACS is undertaking a project to upgrade the campus border router, which will provide better management of incoming network traffic. This project includes an intrusion detection system and a firewall to help detect such traffic flows. Additionally, UCI’s border router has already been configured to limit certain types of network traffic, which reduces the threat of DOS attacks.
But firewalls and intrusion detection are only part of the picture. The best defense against having a computer broken into and turned into a Zombie is to keep its system software up-to-date (“patched”), to turn off all unused network services (“ports”), and to log activity on the system and scan the logs regularly.
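As an added illustration of the log scanning recommended above, and of the difference between an ordinary DOS and the distributed form described earlier, the following example (not part of the original notice) scans constructed connection-log lines for both attack shapes. The log format, the threshold values and the sample addresses are assumptions made for the example.

```python
# Added example (not from the original notice): scan constructed
# connection-log lines for the two attack shapes described above.
# A per-source threshold catches an ordinary DOS from one machine, but a
# fleet of Zombies sending small bursts stays under it, so the scan also
# counts the aggregate per target. Log format and thresholds are assumed.
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed sample: '<epoch seconds> <source ip> <target ip>' per line."""
    lines = ["1000 10.9.9.9 192.0.2.20"] * 8          # one source, 8 hits
    for i in range(20):                                 # 20 Zombies, 2 hits each
        lines += [f"100{i % 10} 10.1.1.{i} 192.0.2.10"] * 2
    lines += ["1001 10.2.2.2 192.0.2.30", "1005 10.2.2.3 192.0.2.30"]  # noise
    return "\n".join(lines)

def parse_log(text):
    """Return (timestamp, src, dst) tuples, skipping malformed or blank lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((int(parts[0]), parts[1], parts[2]))
    return events

def detect(events, window=10, per_source_limit=5, per_target_limit=30):
    """Group hits into fixed time windows per target and apply both thresholds.

    Returns (single_source, distributed): sources that alone exceed
    per_source_limit, and targets whose total exceeds per_target_limit
    although no single source stood out (the distributed case).
    """
    hits = defaultdict(list)  # (dst, window index) -> list of sources seen
    for ts, src, dst in events:
        hits[(dst, ts // window)].append(src)
    single_source, distributed = set(), set()
    for (dst, _), srcs in hits.items():
        loud = {s for s, n in Counter(srcs).items() if n > per_source_limit}
        single_source |= loud
        if not loud and len(srcs) > per_target_limit:
            distributed.add(dst)
    return single_source, distributed

if __name__ == "__main__":
    loud, flooded = detect(parse_log(build_sample_log()))
    print("single-source offenders:", sorted(loud))
    print("distributed floods against:", sorted(flooded))
```

Run against the constructed sample, the per-source rule flags only 10.9.9.9, while the per-target rule is what exposes the 20 Zombies hitting 192.0.2.10.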
Recently, NACS ran a scan on campus subnets looking for Windows 2000 machines running Microsoft IIS 5.0, which has a well-publicized vulnerability on port 80 that allows remote hackers to establish telnet sessions with the system. Over 100 potentially vulnerable machines were found on campus, and this information was made available to departmental Computing Support Coordinators. NACS also regularly updates all DCS-supported machines to protect them against known kinds of attacks, and monitors the logs of these machines looking for suspicious connections from the Internet. NACS offers security updates to key support personnel around campus as well. If you do your own support and do detect DDOS activity of the type described by NIPC, please contact nacs@uci.edu. NACS is responsible for evaluating attacks and reporting to the FBI when warranted.