Scanning Systems for DDoS Attack Software Using a Zombie Zapper

Since late 1999, many sites have become the victims of devastating denial-of-service (DoS) attacks. A DoS attack is basically where an attacker finds a way to disable the services (in this case, the network's Web sites) so that they cannot be provided to anyone. In February 2000, a series of attacks against Web sites such as,, and caused these sites to be knocked off the Internet.

The specific type of attack waged against the preceding Web sites was unique, because it involved multiple attacking machines controlled by one attacker. Because of these attacks, a new security term, a distributed denial of service (DDoS) attack was born. In a DDoS attack, an attacker instructs several compromised systems to flood a target system with service requests.The resulting attack can bring down almost any Web site, or generate so much traffic that an entire network can no longer communicate with the rest of the Internet.

Attackers are able to wage these DoS attacks by first finding and hacking into insecure systems on the Internet. Then, they install programs such as Tribe Flood Network 2000 (Tfn2k), stacheldraht, and others.The compromised systems now have illicit programs, called zombies, installed on them.Traditionally, zombies have been Unix/Linux systems (because it is easy to program network services on these systems). Prime targets for zombies are computers used by colleges and universities. There are several reasons for this:

■ These systems typically have a large number of users—students. Consequently, it is easy to hide a rogue account/program.

■ These systems have user populations that change regularly. Again, this makes it easy to hide zombie programs. In addition, due to the turnover of students and courses, university networks often do not employ stringent security techniques.

■ Computers in academic environments typically have access to very highspeed Internet connections. This makes it possible for the zombie to blast the system under attack with an especially high volume of traffic.

For additional information about DDoS attacks, consult incident_notes/IN-99-07.html.

Was this article helpful?

0 0

Post a comment