White Civil Rights : The Website for Europeans and Americans Wherever They May Live

November 26, 2006

FBI Investigates Cybercrime: Denial of Service

Posted at 9:59 pm

The following is a reprint of a government statement on cybercrime (including Denial of Service) and what steps are being taken to deal with it. The statement below dates back to February 29th, 2000. It is safe to assume that much more sophisticated means of detecting cybercrime have been put into effect and that catching and prosecuting hackers has been streamlined and is today a matter of routine federal business.

STATEMENT OF
MICHAEL A. VATIS,
DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER
FEDERAL BUREAU OF INVESTIGATION
ON
CYBERCRIME
BEFORE THE
SENATE JUDICIARY COMMITTEE, CRIMINAL JUSTICE OVERSIGHT SUBCOMMITTEE
AND HOUSE JUDICIARY COMMITTEE, CRIME SUBCOMMITTEE
WASHINGTON, D.C.

February 29, 2000

……

Distributed Denial of Service Attacks.

The recent distributed denial of service (DDOS) attacks have garnered a tremendous amount of interest in the public and in the Congress. Because we are actively investigating these attacks, I cannot provide a detailed briefing on the status of our efforts. However, I can provide an overview of our activities to deal with the DDOS threat beginning last year and of our investigative efforts over the last three weeks.

In the fall of last year, the NIPC began receiving reports about a new set of “exploits” or attack tools collectively called distributed denial of service (or DDOS) tools. DDOS variants include tools known as “Trinoo,” “Tribal Flood Net” (TFN), “TFN2K,” and “Stacheldraht” (German for “barbed wire”). These tools essentially work as follows: hackers gain unauthorized access to a computer system(s) and place software code on it that renders that system a “master” (or a “handler”). The hackers also intrude into other networks and place malicious code which makes those systems into agents (also known as “zombies” or “daemons” or “slaves”). Each Master is capable of controlling multiple agents. In both cases, the network owners normally are not aware that dangerous tools have been placed and reside on their systems, thus becoming third-party victims to the intended crime.

The “Masters” are activated either remotely or by internal programming (such as a command to begin an attack at a prescribed time) and are used to send information to the agents, activating their DDOS ability. The agents then generate numerous requests to connect with the attack’s ultimate target(s), typically using a fictitious or “spoofed” IP (Internet Protocol) address, thus providing a falsified identity as to the source of the request. The agents act in unison to generate a high volume of traffic from several sources. This type of attack is referred to as a SYN flood, as the SYN is the initial effort by the sending computer to make a connection with the destination computer. Due to the volume of SYN requests the destination computer becomes overwhelmed in its efforts to acknowledge and complete a transaction with the sending computers, degrading or denying its ability to complete service with legitimate customers - hence the term “Denial of Service”. These attacks are especially damaging when they are coordinated from multiple sites - hence the term Distributed Denial of Service.

An analogy would be if someone launched an automated program to have hundreds of phone calls placed to the Capitol switchboard at the same time. All of the good efforts of the staff would be overcome. Many callers would receive busy signals due to the high volume of telephone traffic.
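The half-open handshake pattern the statement describes (SYNs that are never completed, arriving from many spoofed sources) can be recognised from a connection log. The following is an added example, not code from the statement or from the NIPC detection tool; it assumes a constructed log format of one packet per line with S, SA and A handshake flags, and a hypothetical threshold of four unfinished handshakes per target.

```python
from collections import defaultdict

# Constructed sample of a TCP connection log (not a real capture); format:
# "<seconds> <src ip:port> > <dst ip:port> <flag>", S = client SYN,
# SA = server SYN-ACK, A = the client's final handshake ACK.
SAMPLE_LOG = """\
1.00 198.51.100.7:40001 > 192.0.2.10:80 S
1.01 192.0.2.10:80 > 198.51.100.7:40001 SA
1.02 198.51.100.7:40001 > 192.0.2.10:80 A
2.00 203.0.113.11:1025 > 192.0.2.10:80 S
2.00 203.0.113.12:1025 > 192.0.2.10:80 S
2.00 203.0.113.13:1025 > 192.0.2.10:80 S
2.00 203.0.113.14:1025 > 192.0.2.10:80 S
2.00 203.0.113.15:1025 > 192.0.2.10:80 S
2.01 192.0.2.10:80 > 203.0.113.11:1025 SA
2.01 192.0.2.10:80 > 203.0.113.12:1025 SA
"""

def parse_log(text):
    """Return (ts, src, dst, flag) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, _arrow, dst, flag = line.split()
            events.append((float(ts), src, dst, flag))
    return events

def half_open_per_target(events):
    """Replay the log; return {dst: (half_open, distinct_source_hosts)}.
    A spoofed source never receives the SYN-ACK, so its SYN never closes."""
    pending = {}
    for _ts, src, dst, flag in sorted(events):
        if flag == "S":
            pending[(src, dst)] = True      # handshake opened by the client
        elif flag == "A":
            pending.pop((src, dst), None)   # client's final ACK completes it
    summary = defaultdict(lambda: [0, set()])
    for src, dst in pending:
        summary[dst][0] += 1
        summary[dst][1].add(src.split(":")[0])
    return {dst: (n, len(hosts)) for dst, (n, hosts) in summary.items()}

def flag_syn_flood(events, max_half_open=4):
    """Targets whose unfinished handshakes exceed the threshold and arrive
    from more than one host: the 'several sources' pattern in the statement."""
    return sorted(dst for dst, (n, hosts) in half_open_per_target(events).items()
                  if n > max_half_open and hosts > 1)

if __name__ == "__main__":
    print(flag_syn_flood(parse_log(SAMPLE_LOG)))  # ['192.0.2.10:80']
```

On a real network the same replay would be run over a sliding time window, since legitimate clients on slow links also leave handshakes open for a short while.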

In November and December, the NIPC received reports that universities and others were detecting the presence of hundreds of agents on their networks. The number of agents detected clearly could have been only a small subset of the total number of agents actually deployed. In addition, we were concerned that some malicious actors might choose to launch a DDOS attack around New Year’s Eve in order to cause disruption and gain notoriety due to the great deal of attention that was being paid to the Y2K rollover. Accordingly, we decided to issue a series of alerts in December to government agencies, industry, and the public about the DDOS threat.

Moreover, in late December, we determined that a detection tool that we had developed for investigative purposes might also be used by network operators to detect the presence of DDOS agents or masters on their operating systems, and thus would enable them to remove an agent or master and prevent the network from being unwittingly utilized in a DDOS attack. Moreover, at that time there was, to our knowledge, no similar detection tool available commercially. We therefore decided to take the unusual step of releasing the tool to other agencies and to the public in an effort to reduce the level of the threat. We made the first variant of our software available on the NIPC website on December 30, 1999. To maximize the public awareness of this tool, we announced its availability in an FBI press release that same date. Since the first posting of the tool, we have posted three updated versions that have perfected the software and made it applicable to different operating systems.

The public has downloaded these tools tens of thousands of times from the web site, and has responded by reporting many installations of the DDOS software, thereby preventing their networks from being used in attacks and leading to the opening of criminal investigations both before and after the widely publicized attacks of the last few weeks. Our work with private companies has been so well received that the trade group SANS awarded their yearly Security Technology Leadership Award to members of the NIPC’s Special Technologies Applications Unit.

Recently, we received reports that a new variation of DDOS tools was being found on Windows operating systems. One victim entity provided us with the object code to the tool found on its network. On February 18 we made the binaries available to anti-virus companies (through an industry association) and the Computer Emergency Response Team (CERT) at Carnegie Mellon University for analysis and so that commercial vendors could create or adjust their products to detect the new DDOS variant. Given the attention that DDOS tools have received in recent weeks, there are now numerous detection and security products to address this threat, so we determined that we could be most helpful by giving them the necessary code rather than deploying a detection tool ourselves.

Unfortunately, the warnings that we and others in the security community had issued about DDOS tools last year, while alerting many potential victims and reducing the threat, did not eliminate the threat. Quite frequently, even when a threat is known and patches or detection tools are available, network operators either remain unaware of the problem or fail to take necessary protective steps. In addition, in the cyber equivalent of an arms race, exploits evolve as hackers design variations to evade or overcome detection software and filters. Even security-conscious companies that put in place all available security measures therefore are not invulnerable. And, particularly with DDOS tools, one organization might be the victim of a successful attack despite its best efforts, because another organization failed to take steps to keep itself from being made the unwitting participant in an attack.

On February 7, 2000, the NIPC received reports that Yahoo had experienced a denial of service attack. In a display of the close cooperative relationship that we have developed with the private sector, in the days that followed, several other companies (including Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also reported denial of service outages to the NIPC or FBI field offices. These companies cooperated with us by providing critical logs and other information. Still, the challenges to apprehending the suspects are substantial. In many cases, the attackers used “spoofed” IP addresses, meaning that the address that appeared on the target’s log was not the true address of the system that sent the messages. In addition, many victims do not keep complete network logs.

The resources required in an investigation of this type are substantial. Companies have been victimized or used as “hop sites” in numerous places across the country, meaning that we must deploy special agents nationwide to work leads. We currently have seven FBI field offices with cases opened and all the remaining offices are supporting the offices that have opened cases. Agents from these offices are following up literally hundreds of leads. The NIPC is coordinating the nationwide investigative effort, performing technical analysis of logs from victim sites and Internet Service Providers (ISPs), and providing all-source analytical assistance to field offices. Moreover, parts of the evidentiary trail have led overseas, requiring us to work with our foreign counterparts in several countries through our Legal Attaches (Legats) in U.S. embassies.

While the crime may be high tech, investigating it involves a substantial amount of traditional investigative work as well as highly technical work. Interviews of network operators and confidential sources can provide very useful information, which leads to still more interviews and leads to follow-up. And victim sites and ISPs provide an enormous amount of log information that needs to be processed and analyzed by human analysts.

Despite these challenges, I am optimistic that the hard work of our agents, analysts, and computer scientists; the excellent cooperation and collaboration we have with private industry and universities; and the teamwork we are engaged in with foreign partners will in the end prove successful.
