Thwarting the Zombies

Security experts and companies eye remedies for large networks of machines compromised by "bots."

Eighteen thousand computers tied together in less than 24 hours; a virtual army of machines, standing ready to do the will of their new master. Think of the possibilities that kind of processing power holds: cracking immense encryption keys or helping to sequence the human genome or even aiding the search for transmissions from extraterrestrials.

But the controller of these zombie machines has a different purpose in mind: a massive, DDoS (distributed-denial-of-service) attack or perhaps several smaller attacks launched against key peering points or backbone routers on the Internet. Downstream ISPs and their end users will be suddenly shut off as technicians and engineers struggle to filter the tidal wave of traffic choking the target machines.

Traffic in several segments of the global network will slow to a crawl as the malicious packets keep on coming. It will be several hours before normal service is restored and experts can go about the business of assessing the damage and trying to find out what happened.

What sounds like a doomsday scenario concocted by a marketing executive desperate for sales is, unfortunately, real life. And the harsh reality, experts say, is that it could be far worse than the situation described above.

Vendors are trying to do their part. Security companies such as Arbor Networks Inc. are rolling out applications with sophisticated defensive features designed to detect and throttle DDoS attacks at the service provider so that downstream networks and users never feel the attack's effects.

But even with these new defenses, some experts say it will take a sea change in the way end users and administrators think about security to truly solve the DDoS problem.

"There needs to be a fundamental change in the way we educate users on security and the way they use a PC," said George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College, in Hanover, N.H. "We're going to get spanked over and over again with this. Hopefully, it won't take too many more lessons, but I fear it will."

For several weeks now, experts at government agencies, private security companies and universities have been monitoring several very large networks of machines that have been compromised and loaded with "bots," which are tiny applications that allow remote attackers to control the machines via Internet Relay Chat. Hundreds or thousands of these machines can then be used in concert to launch DDoS attacks.
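The two symptoms described above, many compromised hosts flooding one target and each of those hosts keeping a session open to an IRC control server, show up as patterns in network flow records. The following Python is an added illustration written for this page, not code from the article or from any vendor mentioned in it; the flow-record format ("src dst dport packets"), the sample addresses, the thresholds and the use of port 6667 (IRC's default port) are assumptions.

```python
"""Toy flow-record analysis for the botnet symptoms the article describes:
a many-to-one flood (DDoS) and hosts checking in to an IRC control server.
Added illustration; the record format, thresholds and sample data are
assumptions, not anything taken from the article."""
from collections import defaultdict

# Constructed sample flows in an assumed "src dst dport packets" format.
# 10.0.0.5-10.0.0.9 flood one web server; two of them also hold IRC sessions.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 80 4000
10.0.0.6 203.0.113.10 80 3900
10.0.0.7 203.0.113.10 80 4100
10.0.0.8 203.0.113.10 80 4050
10.0.0.9 203.0.113.10 80 3980
10.0.0.5 198.51.100.7 6667 40
10.0.0.9 198.51.100.7 6667 38
10.0.0.20 192.0.2.33 443 120
10.0.0.21 192.0.2.33 443 95
"""

IRC_PORT = 6667  # default IRC port; the bots on the page are IRC-controlled


def parse_flows(text):
    """Turn the constructed text records into (src, dst, dport, packets) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, pkts = line.split()
        flows.append((src, dst, int(dport), int(pkts)))
    return flows


def flood_sources(flows, min_sources=5, min_packets=1000):
    """Map each destination hit by at least min_sources distinct sources,
    each sending at least min_packets, to that set of sources.  This is the
    many-to-one shape of a DDoS rather than a single noisy client."""
    sources = defaultdict(set)
    for src, dst, _, pkts in flows:
        if pkts >= min_packets:
            sources[dst].add(src)
    return {dst: s for dst, s in sources.items() if len(s) >= min_sources}


def find_flood_targets(flows, **kw):
    """Sorted list of destinations that look flooded."""
    return sorted(flood_sources(flows, **kw))


def find_irc_clients(flows, irc_port=IRC_PORT):
    """Hosts talking to an IRC port, grouped by the server they reach.
    Plain IRC use is legitimate, so this is a lead to correlate, not a verdict."""
    clients = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == irc_port:
            clients[dst].add(src)
    return {server: sorted(hosts) for server, hosts in clients.items()}


def correlate(flows):
    """Hosts that both take part in a flood and hold an IRC session: the
    combination that points at a bot rather than at ordinary traffic."""
    flooders = set()
    for srcs in flood_sources(flows).values():
        flooders |= srcs
    irc_hosts = {h for hosts in find_irc_clients(flows).values() for h in hosts}
    return sorted(flooders & irc_hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("flooded targets:", find_flood_targets(flows))
    print("IRC clients by server:", find_irc_clients(flows))
    print("likely bots:", correlate(flows))
```

On the constructed sample this reports 203.0.113.10 as the flooded target and 10.0.0.5 and 10.0.0.9 as the hosts that both flood it and talk to the IRC server, which is the correlation a provider or campus operator would hand to the owners of those machines. Real thresholds depend on the link's normal traffic, and a control channel on a non-default port would need a protocol match rather than a port number.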

Bill McCarty, an associate professor of Web and information technology at Azusa Pacific University, in Azusa, Calif., said a Windows 2000 "honey pot" machine that he runs has been added to several bot networks, or botnets, in recent weeks. (A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods.) One of these networks amassed more than 18,000 PCs in about 24 hours. Meanwhile, officials at the CERT Coordination Center, in Pittsburgh, said they are aware of several large botnets, one of which stood at more than 140,000 machines earlier this month.