The types of massive distributed denial-of-service (DDOS) attacks that knocked out several big e-commerce Web sites earlier this year remain a threat that could grow in sophistication, according to experts at the US government-sponsored National Information Systems Security Conference here this week.
DDOS attacks entered the public consciousness in February when commercial sites like those of eBay Inc. and Buy.com Inc. were brought down by an overwhelming flood of traffic.
Tom Longstaff, manager of research and development at Carnegie Mellon University's CERT Coordination Center in Pittsburgh, said DDOS attacks haven't disappeared and warned that the severity of attacks could increase.
In a DDOS attack, an intruder breaks into a system, turns it into a "zombie" and then uses that system in the attack. There are now indications that worms are being used to automatically propagate zombies, creating large numbers of attackers, Longstaff said.
A DDOS attack utilizing a worm will spread "much more quickly, and it is much more difficult to trace back to the intruder," he added.
According to experts at the conference, there are no adequate mechanisms for stopping DDOS attacks.
However, the major concern among attendees of the annual event remained insider threats from disgruntled employees.
The attention being given to external threats may be affecting the ability of government agencies to respond to insider threats, said Lee Brandt, a network security officer at the Federal Railroad Administration in Washington. "The internal threat is still the big threat, [but Congress] is concentrating on the external threat," he said.
The biggest threats to corporate systems are from foreign governments, competitors and insiders, said Jeff Moss, a security consultant and the founder and organizer of Def Con, the annual underground convention attended by hackers, security experts and law-enforcement officials.
Information technology managers also share some of the blame for the risks faced by companies, experts said.
"The No. 1 problem in security today is still staff that do not keep their systems up-to-date," said Michel Kabay, a computer security expert at AtomicTangerine Inc., a consulting firm in Menlo Park, Calif. "Most exploits use known vulnerabilities - and most known vulnerabilities have known fixes, and they are free. The problem lies in organizations where security is not yet assigned a high priority."