::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
April/99 ::: The Discordant Opposition Journal ::: Issue 4 - File 7 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Distributed Attacks:
cronus

Many high profile targets are getting attention from hacking groups. In the past a hacker would be an individual who targeted a specific machine or network. Where hackers did work in groups, the partnership was more likely to involve swapping information and discussing different techniques. But modern day 'Tiger Team' style groups actually co-ordinate in probing a system and gather huge amounts of information about the system's integrity: dozens of hackers working together with a common goal, amassing huge amounts of data about the target system. Port scans, bandwidth usage and even whole network scans. All of the information can later be combined to give a more detailed account of the system. This is the definition of a distributed attack.

Using any basic form of encryption, the group can communicate and co-ordinate. No form of encryption is perfectly secure, but e-mails that are encrypted with PGP will sufficiently protect anyone's plans of network intrusion. These hacking groups can use any basic form of encryption or an alternative channel of communication to hide their intentions. And since the hackers aren't working to any time schedule, they can draw out the probing process and eradicate the fear of drawing attention to their work. The timing of any attack can be, and in the past has been, handled with military precision.

By co-ordinating with each other, the hackers can each probe with a single connection. When each hacker's results are combined, a more general view of the system starts to become clear. And as said before, the whole attack can be drawn out: the longer the probing of the server takes, the less likely the admin is to notice. Or the alternative approach could be taken.
The whole process could take place in a matter of hours and be over before anyone had a chance to notice. The more spread out the attackers, the more diverse the entries in the system logs. The main way a system administrator would know that their system was being probed is the system logs; the logging of connections and data transfers is done by default on most systems. If the probes come from multiple sources, the likelihood of detection is decreased. Because no one hacker is probing the system, the logs would reflect multiple connections without any single thread tying them together. Viewed source by source, the probes look like unrelated noise, and that lack of a visible pattern makes detection of the probe more difficult, even though the individuals involved in the attack are all working from the common goal. The range of tactics and ideas used to probe the weaknesses of the system improves the chances of finding a hole and also helps hide the attack.

Anyone with a server that's online, or a network of online machines, needs to be aware of the threat of distributed attacks. I have given a general outline of the distributed attack. Protecting against it is a matter of more directed attention to your system: a scan that has been split across many sources only shows up when the log entries are correlated by target and over a long enough window, not when you look for one busy source.

... intoxicated with the madness ...

cronus (at) iol (dot) ie
http://homepages.iol.ie/~cronus
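The log-correlation point above, as an added example that is not part of the original article or the author's work: a Python script that reads constructed syslog-style connection records and checks them two ways, per source (the usual port-scan check) and per target regardless of source. The log format, the addresses (taken from documentation ranges), the ports, the window and the thresholds are all assumptions made for illustration.

```python
# Added example (not from the original article): correlate connection-log
# entries by target as well as by source, so a scan spread across many hosts
# still shows up. Log format, addresses, ports and thresholds are assumptions.
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Probe = namedtuple("Probe", "ts src dst dport")

# Constructed sample log (hypothetical hosts from documentation address ranges).
# The 02:01-02:48 entries are one scan of 192.0.2.10 shared out between seven
# sources; the 03:10 burst is a single loud scanner hitting 192.0.2.20.
SAMPLE_LOG = """\
Apr 12 01:30:00 gw kernel: connect src=10.0.0.9 dst=192.0.2.20 dport=80
Apr 12 02:01:03 gw kernel: connect src=10.0.0.5 dst=192.0.2.10 dport=21
Apr 12 02:07:41 gw kernel: connect src=172.16.4.2 dst=192.0.2.10 dport=22
Apr 12 02:13:19 gw kernel: connect src=203.0.113.8 dst=192.0.2.10 dport=23
Apr 12 02:20:55 gw kernel: connect src=10.0.0.5 dst=192.0.2.10 dport=25
Apr 12 02:28:02 gw kernel: connect src=198.51.100.3 dst=192.0.2.10 dport=53
Apr 12 02:35:47 gw kernel: connect src=172.16.9.14 dst=192.0.2.10 dport=79
Apr 12 02:41:30 gw kernel: connect src=203.0.113.21 dst=192.0.2.10 dport=110
Apr 12 02:48:16 gw kernel: connect src=198.51.100.44 dst=192.0.2.10 dport=143
Apr 12 03:05:12 gw kernel: connect src=10.0.0.9 dst=192.0.2.20 dport=80
Apr 12 03:10:00 gw kernel: connect src=198.51.100.7 dst=192.0.2.20 dport=21
Apr 12 03:10:00 gw kernel: connect src=198.51.100.7 dst=192.0.2.20 dport=22
Apr 12 03:10:01 gw kernel: connect src=198.51.100.7 dst=192.0.2.20 dport=23
Apr 12 03:10:01 gw kernel: connect src=198.51.100.7 dst=192.0.2.20 dport=25
Apr 12 03:10:02 gw kernel: connect src=198.51.100.7 dst=192.0.2.20 dport=110
Apr 12 09:00:00 gw kernel: connect src=10.0.0.9 dst=192.0.2.20 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ connect "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn syslog-style lines into Probe records, oldest first; other lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        probes.append(Probe(ts, m.group("src"), m.group("dst"), int(m.group("dport"))))
    return sorted(probes, key=lambda p: p.ts)


def per_source_scans(probes, min_ports=5):
    """The usual check: any single source that touched >= min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for p in probes:
        ports_by_src[p.src].add(p.dport)
    return {src: ports for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def per_target_scans(probes, window=timedelta(hours=1), min_ports=5):
    """Any target that saw >= min_ports distinct ports within a sliding window,
    counted across all sources. Returns {dst: {ports, sources, first, last}}."""
    by_dst = defaultdict(list)
    for p in probes:                     # probes are time-ordered, so each list is too
        by_dst[p.dst].append(p)
    findings = {}
    for dst, events in by_dst.items():
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1               # slide the window forward
            win = events[start:end + 1]
            ports = {e.dport for e in win}
            if len(ports) < min_ports:
                continue
            f = findings.setdefault(dst, {"ports": set(), "sources": set(),
                                          "first": win[0].ts, "last": win[-1].ts})
            f["ports"] |= ports          # merge every qualifying window for this target
            f["sources"] |= {e.src for e in win}
            f["last"] = win[-1].ts
    for f in findings.values():
        f["ports"], f["sources"] = sorted(f["ports"]), sorted(f["sources"])
    return findings


if __name__ == "__main__":
    probes = parse_log(SAMPLE_LOG)
    print("per-source view:", per_source_scans(probes))
    for dst, f in per_target_scans(probes).items():
        print(f"{dst}: {len(f['ports'])} ports from {len(f['sources'])} sources "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Run it directly to print both views. The per-source check only reports the loud scanner, because no address in the slow scan touches more than two ports; the per-target check reports 192.0.2.10 with eight ports from seven sources. Shrinking the window to ten minutes loses that finding again, which is exactly the trade-off the 'draw it out' tactic above exploits: the window has to be as long as the attackers are patient.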