Zombie attacks can be traced

The overwhelming amount of system logs that must be combed through to locate the culprits in last week's denial of service attacks on the Internet undoubtedly has slowed the FBI's investigation and created a formidable obstacle to compiling forensic evidence.

But security experts say technologies are available that could have aided the companies that found themselves the targets of such attacks, as well as the FBI, which is now involved in a frantic search for the hackers.

Parhe Pruthi, president and chief executive officer of Niksun Inc., said his company offers a tool called Net Detector that could detect denial of service attacks and compile a log of electronic footprints leading back to the originator of the attack.

"It's a network security appliance that filters data in real time," Pruthi said. "It's like a recorder.... So when something like this happens, it is able to detect it and alert you right away, and it has all of the packets recorded so that you can reconstruct where the hacker came from."

However, such tools have yet to be widely adopted by Internet companies. Although the FBI has offered its own tool for companies to download, many are skeptical of the FBI's motives because it has not released the code behind the tool for inspection.

Paul Bresson, an FBI spokesman, said the FBI does not release the source code so that the bureau can prevent hackers from seeing the electronic signatures the agency looks for. "We don't want to provide a roadmap for someone to basically penetrate any vulnerabilities that we might have," he said.

Niksun recently installed Net Detector on a university network, similar to the ones used as a launch pad in last week's denial of service attacks, and tracked a hacker who compromised the university's server. "We were able to go in and recreate where the hacker came from, how he picked the lock on the secure server he compromised, what type of Trojan Horse he put in the system and how he initiated a denial of service attack," Pruthi said.

More importantly, the product's recording and storage capabilities enable companies to compile volumes of data that can later be used to make the FBI's job of tracing the culprits more efficient, Pruthi said.

Other companies offer similar tools, but experts say that automating an enterprise's intrusion detection and tracking mechanism is key to assisting the law enforcement investigation during such incidents.

— L. Scott Tillett contributed to this story