Deadly hacking tool discovered

Security experts have warned that hackers are developing a distributed denial of service (DDoS) tool that could be even more devastating than those used to paralyse eBay, Yahoo and other major internet sites in February.

The tool, called Mstream, joins Trinoo, TFN2K, Stacheldraht and other programs that can be used to launch DDoS attacks.

Using these programs, a hacker can make infected hosts send a series of messages to a target computer. The volume of messages arriving at the same time is enough to overwhelm that server, making a website inaccessible.

Although Mstream is believed to be in the early stages of development, the core engine is more powerful than existing DDoS attack tools, said Dave Dittrich, a University of Washington computer administrator who took part in an analysis of Mstream.

Despite numerous bugs and an incomplete feature set, the tool is still powerful enough to disable a website with only a handful of agents.

"An Mstream agent was discovered in late April 2000 on a compromised Linux system at a major university. This system was identified to be flooding packets using forged source addresses, targeted at over a dozen IP addresses," said Dittrich in a posting to online security website, Packetstorm.

Despite the use of filtering by the university, which meant only a very small number of packets were being launched, "the traffic caused the router [which served 18 subnets] to become non-responsive", Dittrich's posting noted.

"The lesson here is that there is no 'quick fix' to DDoS in the form of simple technical filtering solutions," he said.

Neil Barrett, technical director of security consultant Information Risk Management, said further development of DDoS tools made "a very good case for the introducing of intrusion detection systems with more sophisticated log files".

He said members of the internet community must ensure that their own websites are not compromised or vulnerable to attacks.

DDoS attacks have waned since a series of high-profile assaults in February, but they have not ceased. For example, internet hosting firm AboveNet was attacked last week.

A Canadian teenager, known as Mafiaboy, has been arrested in connection with an attack on CNN's website. However, it is not clear whether he was involved in the other attacks.