Researchers infiltrate denial of service networks

By Patrick Gray
09 April 2003 11:20 AM
Security researchers have been infiltrating denial of service 'botnets' in order to study a remarkably effective Distributed Denial of Service (DDoS) technique.

As part of his work for the Honeynet Research Alliance, Bill McCarty, an associate professor of Web and information technology at Azusa Pacific University in Southern California, deployed a series of vulnerable Windows-based systems on the Internet. These "honeypots" were compromised by Internet worms and malicious hackers over and over, and led McCarty on a whirlwind tour through a series of sophisticated DDoS networks, one after the other.

"You put up a honeypot and it gets knocked over... again and again and again," he told ZDNet Australia.

Once his honeypot had been compromised, it joined what's called a botnet, or bot network. These networks are used by malicious hackers to conduct denial of service attacks by issuing single commands to huge numbers of systems through Internet Relay Chat (IRC) commands.

A program "dropped" on to the infected host connects to a chat server as any normal chat program would. Once it is connected it joins a pre-defined chat channel and listens for instructions. It is not unheard of to see channels with up to 100,000 slave computers in them.

The commands can be as simple as telling all of the drones to attack a specific target. The technique is remarkably effective even when relatively small networks are used, according to McCarty.

"One was 8,000... [another] one was around 2,000. Either way they're big enough. Even on dial-up that can put out around 300mbps," McCarty said.

That means that 8,000 infected computers connected to the Internet through dial-up connections can pump out enough data to knock over a Web site such as that of Arab news network Al-Jazeera. Al-Jazeera staff claimed malicious traffic levels of 300mbps were sufficient in volume to knock their systems offline for days. If the infected hosts are cable or DSL connections, the bot network's output multiplies.

While he was in the botnets, McCarty saw them attack several targets, and found the people controlling the networks were more often interested in fighting with each other than trying to knock out commercial or government interests.

"I saw them hitting Microsoft, and several obscure sites... most likely these people are motivated by their own petty rivalries," he said.

But McCarty says the threat is somewhat overstated. Whilst these networks could theoretically "DoS anything you wanted to DoS", that isn't necessarily something that we should be overly worried about. Even if an attacker can knock out some ATMs for a few hours, Internet infrastructure is resilient enough to ensure that such an attack will only ever amount to an inconvenience, and not a catastrophe.

"You could inconvenience and upset people by attacking a series of rolling targets," he said. "[But] it's less serious than it sounds".

Most honeynet research has typically focused on Linux- and Unix-based systems, but McCarty says that deploying Windows-based machines has been a real eye-opener.

"It's a bigger pond where the fish are eating one another - it's insane," he told ZDNet Australia.
