Some thoughts on the solutions to Distributed Attack Technology --------------------------------------------------------------- Problem: Distribited ownership tools [DOT] exist that scan numerous hosts for vunerabilities that give system ownership. Such tools are programmed to build array of trojaned machines. DOT's are designed to communicate using strong crypto protocols, preventing the interception of communication betweek the owned machines. DOT's tools are designed to be flexable enough execute the owners choice of code. Thus the distributed array in question may be employed for a variety of tasks for which the denial of service attack is only one example. Other examples might include mass inteligence gathering and the potential for large scale number crunching. Such tools could be written to be polymorphic. This their signatures change to avoid detection by the virus detection products. This means that such weapons are by their very nature grow ina geometric manner and are difficult to detect. How to solve the problem. Identify the lowest common denominator. All these tools have some basic attributes in common. 1. They are designed to take advantage of exploits that achieve root permission of a host. 2. They approach their task in a geometric manner. By the use of owned hosts to find other owned hosts. Potential Solutions Shore up the networks 1. The current network based approach continues to prevail and the number of machines that are owner rises or remains the same. (It is most likely to rise). In this instance we find people weathering the packet storms and basically remaining disconnected from the internet for their duration. Denial of service continues. Fix the compromised machines 2. The number of owner machines is reduced as the result of better security practices. This is unlikely as many of the owned machines are not aware of the problem. The nature of the computer technology invloved means that new exploits will continus to be found. The polymorphic natuer of these tools makes them difficult to decect. Fix the internet technology 3. The internet it self is redisigned to remove it's basic anonimity. This would require massive changes to the infrastructure and a co-operation at an un precidented level between the standards bodys vendors and general public. This is itself a denial of service attack, though like all good wars would generate a vast amount of revenue for those providing the solutions. Legistate 4. An authority with the llegal power to inact such measures, decrees that only machines secured to a certain well designed and specified standard are allowed to be connected to the internet. The only organisations that realy have the ability to leverage such a situation are Insurance compaines that would have to be backed by llegal measures on an international basis. Vendor resistance could be large. Fight fire with fire. 5. As good internet citizens we help to protect those who cannot protect themselves and utilise the same technologies present in the DOT's. The highly flexable nature of the toolkits to manufacture middleware, capable of executing functions to fix vunerable machines. Ether by actually adjusting the configuration of the affected/potentialy affected boxes or by alearting the owner that the box is vunerable. IN SHORT WE AUTOMATICALLY OWN AND FIX AS MANY MACHINES AS POSSIBLE USING THE SAME TOOLKIT THAT PRODUCES THE PROBLEM. Fire with fire. As previously stated the best way to attack this problem is to utilize the geometric automated nature of these tools to fight the problem. By launching a series of counter-DDOS tools based upon the same DOT technology we can remediate the situatuion. Such counter offensive behaviour might consist of the the execution of the following simple command. (unix platform) mail: root@localhost cc: info@nsa.gov Subject: Your machine can be illigally owned, through a root exploit. Machine: "hostname" IP address: "10.192.172.1" has the following vunerablity that was exploited to gain root access necessary to execute this command. Exploit: rpc service XXX is running un controlled on port YYY Corrective action: Read the expoist page of a common hacking site and RTFSM (read the security pages). Of course the affore mentioned technique is not only the cheepest and most efficent method of dealing with the problem but by it's very nature totally ILLEGAL. Whether the authorities and security organisations would actually tollerate such a tools remains to be seen. But it rides a very thin lines between being a reason to 'lock you up' and hailing the originator as a saviour. In techincal terms this tools has to deal with two additional problems that do not effect the orginal DDOS arrays. 1. Due to the head start of the current suite of DDOS tools available there will be an owner ship gap. It is possible to changed the odds however by coding in a more efficent manner thus increasing the speed at which disownership can take place. Ownership of high bandwidth hosts on the internet would also help with the incresed execution speed of the tools. 2. The highly illegal (though morraly sound) nature of the tools would mean that the communication between the teirs of owned machines would have to be encrypted . The tools used would also benifit for m being polymorphic as they thems selves wuold have to evade detection by the host. Possible countermeasures. If such tools were to be coded then we have to expect countermeasures by the authors of the DDOS tools. Such a countermeasure's would be the interception of the disownment tools and removal of their benificial effect. Or more likely: The DDOS tools themselves would be modified to remove the vunerabliities from the hosts that they have owned. There maybe possible countereffects to this action, eg it invloved more modifications to the machine in question and therefore is by it's nature more likely to be detected. tmcb1971@yahoo.com