This story was printed from ZDNet Australia.
DDoS Attacks: Will the saga continue?

By Dennis Fisher, eWEEK
January 22, 2001
URL: http://www.zdnet.com.au/news/security/soa/DDoS-Attacks-Will-the-saga-continue-/0,130061744,120150538,00.htm


While Mafiaboy's recent guilty plea has brought to a close one chapter in the DDoS saga of 2000, another more disturbing chapter remains open: the fact that many of the same sites are still virtually powerless to stop such attacks.

Mafiaboy, the Canadian teenager accused of launching a series of distributed denial of service attacks against a septet of the Internet's most popular sites last year, pleaded guilty last week to 56 of the 66 charges against him -- just before his trial was set to start in a Montreal court.

While the action brought to a close one chapter in the DDoS saga of 2000, a year in which seven leading sites were hacked, another more disturbing chapter remains open: the fact that many of the same sites are still virtually powerless to stop such attacks.

The early February 2000 strikes -- which hit Amazon.com, Buy.com, CNN.com, eBay.com, E-Trade.com, Yahoo.com and ZDNet -- employed an army of "zombie" computers across the Internet to flood the Web servers with thousands of simultaneous requests for service, forcing them to shut down for several hours.

Despite vendors' efforts in the wake of last year's incidents to prevent future attacks, security experts say there's still no solution available that can fully protect a site from DDoS, a fact not lost on the sites hit last year.

Weak link is human
"There's still a vulnerability to this on every site," said Alan Phillips, who was CIO of ZDNet at the time of last year's attack. "If someone is smart and dedicated, they can find a way in."

Web site administrators at the other attacked sites declined requests for interviews for this story. But experts point out that typically the weak link for sites is more human than technological.

While virtually all corporate networks employ some kind of firewall, few home users take such precautions, making them easy prey for hackers looking for machines from which to launch their attacks. At the other end of the line, experts say network administrators take too many chances and are inviting trouble by leaving open unnecessary ports on their networks, among other things.

"A powerful computer can send a lot of packets in a short amount of time and it becomes an arms race to counteract it," said Tom Noonan, CEO of Internet Security Systems. "It's careless not to protect your network from this stuff."

In fact, it would not take much work to repeat the damage of last year's attacks, said Bruce Schneier, CTO of Counterpane Internet Security. He said that the real problem is the number of hubristic administrators who rely on software and don't see the need for constant, proactive network monitoring.

"This is a problem, and it always will be," Schneier said. "These people have a false sense of security with all of this software they have, so they don't keep an eye on things the way they should. You get security through detection and response, not by building bigger and bigger walls."

Internal security comes first

In addition, many sites consider internal security to be a priority. "To be honest, we know we're vulnerable, but we worry more about people opening e-mail viruses and things like that than we do about DDoS attacks," said a network administrator at Viacom, who requested anonymity. "We don't get a lot of revenue from the Web sites, so it's more of a problem if our internal network is shut down."

Hackers count on that lack of vigilance by administrators, knowing their attack will be well under way before it's detected. And, as shown by the fact that last year's attacks took place over several days, they also know that administrators have no way to share information with one another in a crisis situation.

To help remedy that situation, the U.S. Department of Commerce and 19 high-tech companies this week established the Information Technology-Information Sharing and Analysis Centre. The centre is designed to enable industry leaders and the government to share resources and information before, during and after catastrophic hacks.

Can anything else be done? A Seattle startup has what it thinks is one answer. Asta Networks will unveil later this year new software that monitors a network, looking for specific traffic signatures that are indicative of a DDoS attack.

But even with this type of solution, the real backbone of any network security system should be constant monitoring, said Lance Hayden, manager of secure consulting services at Cisco Systems.

"Proactive vulnerability assessment is the key," Hayden said.
