Are government servers responsible for DoS attacks?

The network security and consulting firm Network Associates Inc. is offering a free-of-charge solution for uncovering the source of this week's denial-of-service attacks. Some fear government systems may contain the attack code.

Network Associates Inc. Thursday released, free of charge, two updates to its information security products that will detect and remove the underlying vulnerability behind this week's cyberattacks on commercial Internet sites, a vulnerability that possibly turned federal agencies into launching points for the attacks.

A security gap in Solaris and Linux-based servers that allows hackers to place malicious code on a server without the administrator's knowledge is responsible for the series of denial-of-service attacks this week against the Yahoo, eBay, E*Trade and Buy.com World Wide Web sites. The attacking code, in the form of an agent, is placed on many machines, which then send multiple requests to the victim's server, essentially flooding the system and forcing administrators to shut it down.

While federal sites have not yet been attacked in such a manner, many officials are concerned that agency systems are unwittingly hosting these agents and are therefore participating in the attack. The FBI, Commerce Department and the Federal Computer Incident Response Capability are working with agencies to determine whether their systems are hosting the agents, and the FBI's National Infrastructure Protection Center has posted a tool that agencies can download and run on their systems to detect the code.

Following the first attacks earlier this week, Network Associates started working on updates to its VirusScan and CyberCop products and services, said Peter Watkins, president and chief executive officer of Network Associates. The company is now offering all of these updates, including a free one-time scan and report, for download through its Web site.

The CyberCop Zombie scan is an extension of Network Associates' new myCIO.com managed security services offerings. Although the scan is now part of the CyberCop ASaP vulnerability scanning service, users can perform a free, one-time CyberCop Zombie scan that will check a system for the agent and the vulnerability. If anything is found, it will be reported back to the system administrator via e-mail, along with the method to remove the agent and the patch to fix the vulnerability, said Zach Nelson, CEO of myCIO.com.

Network Associates has also added the scan for this vulnerability to its VirusScan product, which can be downloaded as an update and will run along with the rest of the checks whenever a scan is scheduled.

MORE INFO

Denial-of-service attacks are when a system is rendered unusable for legitimate users because a resource is "hogged," damaged or destroyed. Denial-of-service attacks may be caused deliberately or accidentally.

Three common forms of network denial-of-service attacks are service overloading, message flooding and signal grounding. Although they are difficult to prevent, many denial-of-service attacks can be hindered by restricting access to critical accounts, resources and files.

(From the National Institute of Standards and Technology's Computer Security Resource Clearinghouse)
