Index

18 U.S.C. §1030 (Computer Fraud and Abuse Act), 244-246

18 U.S.C. §2510 (Wiretap Statute), 244

18 U.S.C. §1030(a)(3) (Trespassing on Government Computers), 244

18 U.S.C. §1030(a)(6) (Trafficking in Passwords), 244

ACC (aggregate congestion control), 222-223

Access, legal definition, 266-267

ACM SIGCOMM, 283

ACM TISSEC (Transactions on Information and System Security), 284-285

Active Network Defense (AND). See Active Response Continuum.

Active Response Continuum, 263-265

“Active Response to Computer Intrusions,” 263

Active queue management, 39

Agents

See also armies, botnets, bots, handlers.

controlling

attack phase, 75-79

direct commands, 69-71

indirect commands, 71-73

malware updates, 73-74

unwitting agents, 74-75

definition, 289

discovery, tools for, 18

recruiting

backdoors, 66-67

bots, 62-66

finding vulnerable machines, 62-66

malware propagation, 67-68

propagation vectors, 66-67

scanning, 62-66

worms, 62-66

unwitting, 74-75

Aggregate congestion control (ACC), 222-223

Aggregating costs, 254-255

Aggregation point, 21

Agobot, 54, 89, 180

aguri, 206-207

AIDS analogy, 32

Algorithmic attacks, 274

All Party Internet Group (APIG), 267

Amplification, 20, 45, 289

Analyzing attacks. See malware, analysis.

AND (Active Network Defense). See Active Response Continuum.

Annual Computer Security Applications Conference, 283

Anomaly detection. See also misbehavior detection; signature detection.

definition, 289-290

description, 143-145

Anti-analysis, 190-191

Anti-forensics, 190-191

APIG (All Party Internet Group), 267

Application attacks, 84-85

Armies, 290. See also agents; botnets; bots; handlers; networks.

Articles. See publications.

Artifacts, 290. See also malware.

Asynchronous communication, 31

Attack detection. See also detection.

accuracy, 139-140

anomaly detection, 143-145

attack characteristics, 141

behavioral models, 144-145

core-based techniques, 140

false negatives, 139

false positives, 139

goals, 139

misbehavior modeling, 145-146

signature detection, 141-143

standard-based models, 145

timeliness, 139

victim-based techniques, 140-141

source-based techniques, 140-141

Attack phase, 75-79

Attack response

automated response, 170-173

collateral damage, 148

counterattacks, 263-265

filtering, 147-149

goals, 146-151

manual response, 170-173

rate limiting, 147-149

service differentiation, 147, 151

traceback, 146-147, 149-151

traffic policing, 146, 147-149

Attackers. See also hackers.

hackers, 14

motivation, 13-14, 29-32, 276-277

nation-state actors, 14-15

profile, 14-15

sophistication level, 14

Attacking machines. See also agents; handlers; stepping stones.

reflectors, 19-20

Attacks. See also DDoS; DoS.

algorithmic, 274

analyzing. See malware, analysis.

attack trends, 98-99

characteristics, 141

controlling agents

attack phase, 75-79

direct commands, 69-71

indirect commands, 71-73

unwitting agents, 74-75

criminal, prognosis, 276-277

degradation of service, 275-276

frequency, 5, 22-24

hiding source of, 18-19

history of. See Evolution of DoS attacks.

HIV/AIDS analogy, 32

infrastructure, 274-275

IP spoofing

benefits to attacker, 97

defenses, 96-97

description, 92

ingress/egress filtering, 94-96

levels of, 92-93

limitations of, 97-98

raw socket access, 92

spoofing fully random IP addresses, 92-93

spoofing victim addresses, 94-96

subnet spoofing, 93

recruiting agents. See agents, recruiting.

magnitude, 24-27, 273

motivations

against chat channels, 13

from competitors, 13-14

political, 276-277

extortion, 5, 53-54, 244

notable, 26-27, 44, 48-49, 50-58, 75

ongoing

backscatter traceback, 174

BGP-speaking routers, 175

black hole routes, 175

filtering, 173-174

hardcoded IP addresses, 174

liability issues, 178-181

sinkhole networks, 175-178

as a source, 178-181

as a target, 173-178

political, 276-277

prevention, 129

programs for. See malware.

semantic levels

algorithmic, 274

application attack, 84-85

attacking a protocol, 81-83

middleware attack, 83-84

Naptha attack, 83

pure flooding, 86

random port TCP SYN flooding, 82

resource attack, 85-86

SYN flood attacks, 81

vulnerability attacks, 79-81

sophistication, 273-274

traceback, 146-147, 149-151

trends, 98-99

types of. See also flooding attacks; vulnerability attacks.

combining, 46-47, 54

flooding, 15-17

IP spoofing, using, 18-19

lagging, 45

misusing legitimate services, 19-20

reflection, 19-20

Smurf attack, 45

Naptha attack, 83

Automated infection toolkits, 26

Automatic response, 170

Autonomous propagation, 68

Auto-rooters, 26, 55

Back-chaining propagation, 68

Backdoors, 66-67

Backscatter traceback, 174

“The Bad Boys of Cyberspace,” 30

Barlow, Jason, 58

Behavioral models, 144-145

Bellovin, Steve, 58

Best-effort service model, 36-39

BGP (Border Gateway Protocol), definition, 290

BGP-speaking routers, 175

Black Hat Briefings, 284

Black hole routes, 175

Blaster worm, 48

Blended threats. See also malware.

definition, 290

recruiting agents, 62-66

tools, 54, 89-91

Blocking traffic, 182

Bloom filters, 224-225

BNC (bounce), 290. See also stepping stones.

boink program, 44

bonk program, 44

Books. See publications.

Border Gateway Protocol (BGP), definition, 290

Botnets, 291

Bots. See also malware.

Agobot, 47, 54, 89, 180

definition, 291

GTbot, 90

kaiten/knight bot, 62, 72, 89-90, 180, 217

IRC bots, 62-63, 90, 200-201

Phatbot, 17, 26, 47, 54, 63, 69, 72, 74, 89, 91, 130, 155, 180, 290

recruiting agents, 62-66

Warez bots, 90

Bottlenecks, identifying, 168

Bounce (BNC), 89, 198, 200, 290. See also stepping stones.

Boyd Cycle. See OODA Loop.

Briefings, law enforcement, 57

Brumley, David, 185

Building secure systems, 110

CAIDA (Cooperative Association for Internet Data Analysis), 23-25, 236, 249, 280-281, 325-389

CanSecWest, 284

CERT/CC (CERT Coordination Center)

advisories

CA-1999-17 “Denial-of-service tools,” 57

CA-2000-01 “Denial-of-service developments,” 58

established, 42

first (DSIT) workshop, 49-50, 56, 57, 221, 222

incident notes

IN-99-04 “Attacks using various RPC services,” 59

reporting to, 252

Web site, 279-280

Chain of custody, 253

Challenges, 291. See also puzzles.

Characterization of attacks, 157-158

Charges for packet sending, 111

Chats. See IRC (Internet Relay Chat).

CIDR (classless internet domain routing), definition, 291

Circuit-switched networking, 33

Civil law, 242-244, 251-252. See also legal issues.

Class actions suits, 242-244. See also legal issues.

Classless internet domain routing (CIDR), definition, 291

Client legitimacy. See service differentiation.

Closed port backdoor, 203

Closing unneeded ports, 163

CMA (Computer Misuse Act) (United Kingdom), 267

CND-RA (Computer Network Defense-Response Actions). See Active Response Continuum.

Code Red worm, 27, 48, 66, 137, 188, 299, 305

Collateral damage

attack response, 148

definition, 291

filtering, 173

legitimate traffic, 115

Combining attacks, 46-47, 54

Combining exploits, 46-47, 54

Command and control flow, 216

Compartmentalizing your network, 168

Competitor attacks, 13-14

Completeness, defense strategy, 114

Computer Communication Review, 285

Computer Network Defense-Response Actions (CND-RA). See Active Response Continuum.

Computer data, as property, 260-263

Computer Fraud and Abuse Act (18 U.S.C. §1030), 244-246

Conferences and workshops. See also online resources; publications.

ACM SIGCOMM, 283

Annual Computer Security Applications Conference, 283

Black Hat Briefings, 284

CanSecWest, 284

ICNP (International Conferences on Network Protocols), 283

IEEE Information Assurance Workshop, 284

IEEE International Conferences on Network Protocols, 283

IEEE Symposium on Security and Privacy, 282

Infocom, 283

NDSS (Networks and Distributed Security Symposium), 283

NSPW (New Security Paradigms Workshop), 283

Usenix Security Symposium, 282-283

Usenix Technical Conference, 284

Congestion avoidance, 39

Congestion control mechanisms, 148

Congestion signatures, 222-223

Connection depletion attacks, defense approaches, 229-230

Controlling agents

attack phase, 75-79

direct commands, 69-71

indirect commands, 71-73

unwitting agents, 74-75

Convention on Cybercrime, 261

Cooperative Association for Internet Data Analysis (CAIDA), 23-25, 236, 249, 280-281, 325-389

COordinated Suppression of Simultaneous AttaCKs (COSSACK), 231-232

Coordinating defenses, 183

Core-based techniques, 140

The Coroner’s Toolkit, 193-194

COSSACK (COordinated Suppression of Simultaneous AttaCKs), 231-232

Cost of attacks. See also damages.

aggregating, 254-255

cost-estimation model, 255-257

defense, 116-117

“Developing an Effective Incident Cost Analysis Mechanism,” 256

estimating, 160, 253-257

examples, 12-13

FBI report (2004), 23

gambling business, 248-249

hidden costs, 249-250

ICAMP (Incident Cost Analysis and Modeling Project), 255-257

IRC (Internet Relay Chat), 249

loss, legal definition, 245, 254-255

overprovisioning, 166

trigger for federal statutes, 254

United States v. Middleton, 254

unused spare equipment, 172

Cost-estimation model, 255-257

Courts. See legal issues.

Covert channels, 203

Crackers. See attackers; hackers.

Criminal attacks, 276-277. See also legal issues.

Criminal culpability, 259. See also legal issues.

Criminal law, 242-244, 252. See also legal issues.

Critical versus non-critical services, 167

cron, 90

Cryptogram list, 281

Cryptogram newsletter, 281

CSI/FBI Computer Crime and Security Survey, 324-325

Custom attack tools, 190-191

Custom defense systems, 170-173

Cyber law. See legal issues.

Cybercrime, 7. See also legal issues.

Cyberwarfare, 7

Daemons. See agents; handlers; stepping stones.

Damages. See also cost of attacks.

aggregating, 254-255

cost-estimation model, 255-257

estimating, 253-257

hidden costs, 249-250

ICAMP (Incident Cost Analysis and Modeling Project), 255-257

IRC (Internet Relay Chat), 249

loss, definition, 245, 254-255

trigger for federal statutes, 254

United States v. Middleton, 254

Data, as property, 260-263

Datagrams. See packets.

DDoS (distributed denial of service). See also attacks; DoS.

benefits for the attacker, 20-22

definition, 3

extortion trend, 5

goals, 2-4

history of. See evolution of DoS attacks.

postal analogy, 4

prognosis, 273-278

DefCOM, 230-231

Defense approaches. See also tools.

attack detection. See attack detection.

attack response. See attack response.

building secure systems, 110

characterization, 157-158

charges for packet sending, 111

collateral damage, 115

complete deployment, 107-108

completeness, 114

contiguous deployment, 107-108

costs, 116-117

deployment at specified points, 107-108

deployment patterns, 107-108

effectiveness, 113-114

false positives, 116

false negatives

firewalls, 27-28

goals, 113-117

general strategy, 156-158

hardening, 109-110

incident response life cycle, 157-158

large scale, widespread deployment, 107-108

modification of protocols, 107-108

NAT (Network Address Translation) box, 27-28

obstacles, 155-156

ongoing attacks

backscatter traceback, 174

BGP-speaking routers, 175

black hole routes, 175

filtering, 173-174

hardcoded IP addresses, 174

liability issues, 178-181

sinkhole networks, 175-178

as a source, 178-181

as a target, 173-178

overview, 128-129, 153-156

post-mortem analysis, 158

preparation

attack response, 170-173

automatic response, 170

closing unneeded ports, 163

compartmentalizing your network, 168

costs, 172

critical versus non-critical services, 167

custom defense systems, 170-173

disabling unneeded services, 163

discovering active services, 163

disk I/O performance, 164

end host vulnerability, 161-165

estimating damage costs, 160

fault-tolerance, 167-169

filtering incoming traffic, 163

hiding, 169

identifying bottlenecks, 168

incident response life cycle, 157

ingress/egress filtering, 163-164

insurance coverage, 172

ISP agreements, 172-173, 181-183

MAC (mandatory access control), 168

manual response, 170

memory utilization, 165

network I/O performance, 165

network risk assessment, 158-161

number of server processes, 165

overprovisioning, 28, 166-167

processor utilization, 164

risk assessment, 168

scalability, 167-169

securing end hosts, 161-165

segregated services, 167-168

swapping/paging activity, 165

system tuning, 164-165

protection

attack prevention, 129

endurance approach, 129-130

host vulnerabilities, 130

hygiene, 130-131

network organization, 130-131

packet filtering, 131

reaction, 112-113, 158

research

ACC (aggregate congestion control), 222-223

Bloom filters, 224-225

client legitimacy, 226-229

congestion signatures, 222-223

connection depletion attacks, 229-230

COSSACK (COordinated Suppression of Simultaneous AttaCKs), 231-232

DefCOM, 230-231

detection and control of attacks, 225-226

D-WARD, 225-226

entropy principle, 235-236

flash crowds, 222-223

flooding-style attacks, 222-223, 233-234

hash-based traceback, 224-225

HCF (Hop-Count Filtering), 234-235

locality principle, 235

NetBouncer, 226-228

Pi filtering, 232-233

PPM (probabilistic packet marking), 223-225

prognosis, 238-240

proof of work, 229-230

pushback, 222-223

rate limiting, 225-226, 230-231

SIFF, 233-234

SOS (Secure Overlay Services), 228-229

source-based defense, 231-232

SPIE (source path isolation engine), 224-225

SPIEDER, 224-225

target-based defense, 232-233

target-resident DoS filters, 236-237

traceback, 223-225

serving legitimate traffic, 114-115

social challenges, 107-108

source validation

hiding, 137-138

one-way functions, 133

proof of work, 132-135

resource allocation, 135-136

reverse Turing test, 131-132

TCP SYN cookie approach, 134-135

trapdoor functions, 133

technical challenges, 106-107

throttling packet flow, 111

wide deployment, requirements, 108

Defense locations

in the middle, 123-126

multiple locations, 126-128

near the attacker, 120-123

near the target, 117-120

tragedy of the commons, 122

Defense strategies. See defense approaches; prevention; detection; reaction.

Degradation of service, 275-276

Deloder worm, 48

DeMilitarized Zone (DMZ). See DMZ.

Denial of service (DoS). See DoS (denial of service).

“Denial-of-Service Developments,” (CA-2000-01), 58

“Denial-of-Service Tools,” (CA-1999-17), 57

Department of Justice Cybercrime Web site, 245-246

Deployment patterns, 107-108

Detection. See also attack detection.

anomalies

definition, 289-290

description, 143-145

of DoS tools, 185-186

general defense strategy, 157

misbehavior, 295

signatures, 297

“Developing an Effective Incident Cost Analysis Mechanism,” 256

Dietrich, Sven

DDoS analysis, 179

history of DoS, 31

Shaft analysis, 24, 49-50, 56, 61, 67, 69, 77, 78, 87-88, 101, 185, 216

Stacheldraht analysis, 48-50, 57-59, 69-70, 87, 89-90, 101, 185, 192, 198, 203, 216

tool analysis, 185

mstream analysis, 38, 69, 88, 121-122, 194, 208

Direct commands, 69-71

Disabling unneeded services, 163

Disclosure versus nondisclosure, 186-190

Discovering active services, 163

Disk I/O performance, 164

Distributed computing, evolution of, 48-50

Distributed denial of service (DDoS). See DDoS (distributed denial of service); DoS.

“Distributed Denial of Service Tools” (IN-99-04), 56

“Distributed Denial of Service Tools” (Sun Bulletin # 00193), 58

Distributed System Intruder Tools (DSIT) Workshop, 49-50, 56, 57, 221, 222

Dittrich, David

“Active Response to Computer Intrusions,” 263

“Basic Steps in Forensic Analysis of UNIX Systems,” 191

DDoS analysis, 179

DDoS Web page, 280

“Developing an Effective Incident Costs Analysis Mechanism,” 256

host-and-network-oriented scanners, 185

IDS signatures, 185

mstream analysis, 38, 69, 88, 121-122, 194, 208

“Power bot” analysis, 216

rootkit FAQ, 190-191

Shaft analysis, 24, 49-50, 56, 61, 67, 69, 77, 78, 87-88, 101, 185, 216

Stacheldraht analysis, 48-50, 57-59, 69-70, 87, 89-90, 101, 185, 192, 198, 203, 216

tcpdstat modifications, 205

tool analysis, 185, 215-216

TFN analysis, 57

trinoo analysis, 57

DMZ (DeMilitarized Zone)

description, 32

filtering, 131, 173

traffic capture, 182

DNS (Domain Name Service)

definition, 292

false requests, evolution of, 51-52

Don’t Panic, 286

DoS (denial of service). See also attacks.

definition, 2

goals, 2-4

history of. See Internet, evolution.

postal analogy, 4

DoS programs, 87-89

Dropping legitimate packets, 148

Dshield, 280

DSIT (Distributed System Intruder Tools) Workshop, 49-50, 56, 59, 221

Dual criminality, 262

D-WARD, 225-226

Effects of attacks. See cost of attacks; damages.

Egress filtering. See also ingress filtering; IP spoofing.

definition, 292

IP spoofing, 94-96, 163-164

18 U.S.C. §1030 (Computer Fraud and Abuse Act), 244-246

18 U.S.C. §1030(a)(3) (Trespassing on Government Computers), 244

18 U.S.C. §1030(a)(6) (Trafficking in Passwords), 244

18 U.S.C. §2510 (Wiretap Statute), 244

Electronic communication privacy, 211

E-mail cluster bombs, 277-278

Encryption, evolution of, 50

End host vulnerability, 161-165

End-to-end paradigm, 36-39

Endurance approach, 129-130

Entropy principle, 235-236

Estimating

attack magnitude, 24-27, 52

cost-estimation model, 255-257

costs and damages. See cost of attacks; damages.

risk. See risk assessment.

Ethical issues. See moral issues; social issues.

“Ethics of Tracking Hacker Attacks …,” 266

EURIM (European Information Society Group), 267-268

European Information Society Group (EURIM), 267-268

Evidence collection, 252-253

Evolution of DoS attacks

1980s (late), 42

1990s (early), 43-44

1996, 44

1997, 44-45

1998, 45-48

1999, 48-50

2000, 50-51

2001, 51-52

2002, 52-53

2003, 53-54

2004, 54

extortion, 53-54

financial crimes, 53-54

ICMP Echo Request packet attack, 50-51

reflection attack, 51-52

scripting attacks, 49

Smurf attacks, 45, 50-51

spambots, 53-54

SYN floods, 44

tool development, 45-50

tools and programs

Agobot, 54

boink program, 44

bonk program, 44

development timeline, 55-59

distributed scanners and sniffers, 49-50

DSIT (Distributed System Intruder Tools) Workshop, 49-50, 56, 57, 221, 222

encryption, 50

mstream, 38, 69, 88, 121-122, 194, 208

Phatbot, 54

Shaft, 48-50

sniffers, 43-44

Stacheldraht, 48-50

teardrop program, 44

TFN (Tribe Flood Network), 48-50, 56

TFN2K (Tribe Flood Network 2000), 49-50

trinoo, 48, 56, 57

vulnerability attacks, 46

worms, 42, 48-50

“The Experience of Bad Behavior …,” 30

Exploit programs, 90

Exploiting a vulnerability, 15-17

Exploits. See also malware.

combining, 46-47, 54

definition, 15-17, 292

vulnerability attacks, 79-81

External signature, 201-204

Extortion, 5, 53-54, 244

Extradition, 262

Fair scheduling algorithm, 39

False negatives, 139, 292. See also false positives.

False positives. See also false negatives.

defense goal, 116

definition, 139, 292

fapi, 45

Fault-tolerance, 167-169

FBI

CSI/FBI Computer Crime and Security Survey (2004), 324-325

jurisdictional issues, 257-258

report on cost of attacks, 23

trigger point for involvement, 248

find_ddos (NIPC scanning tool), 56, 59

File system signature, 191-196

Filtering. See also egress filtering; ingress filtering; rate limiting.

attack response, 147-149

definition, 292-293

incoming traffic. See ingress filtering.

ongoing attacks, 173-174

outgoing traffic. See egress filtering.

packets, 131

research on

Bloom filters, 224-225

HCF (Hop-Count Filtering), 234-235

Pi filtering, 232-233

target-resident DoS filters, 236-237

Financial crimes, evolution of, 53-54

Firedaemon, 89

Firewalls, 27-28, 313-315

Flash crowds, 138, 222-223

Flooding, definition, 293

Flooding attacks. See also attacks, types of; vulnerability attacks.

characteristics of, 103-105

defense approaches, 222-223, 233-234

definition, 15-17

ICMP flood, 89

pure flooding, 86

random port TCP SYN flooding, 82

SYN flood attacks, 44, 81

Targa flood, 89

UDP flood, 89

wonk flood, 89

Flow logging, 182

Fortifying a network. See overprovisioning.

FPort, 192-193

“A Framework for Classifying Denial of Service Attacks,” 329-331

Frequency of attacks, 5, 22-24

FTP servers, 90

Fully random IP addresses, spoofing, 92-93

Goals of attacks, 2-4

Good traffic, identifying. See service differentiation (legitimacy).

Graham-Leach-Bliley Act, 260

GTbot, 90

Hackers, 14. See also attackers.

Half-open connections, 81

Half-open scans, 202

“Handbook on Information Security,” 263

Handlers, 18, 293. See also agents; malware.

Hardcoded IP addresses, 174

Hardening networks, 109-110. See also defense; overprovisioning.

Hash-based traceback, 224-225

HCF (Hop-Count Filtering), 234-235

hdparm, 164

Health Insurance Portability and Accountability Act (HIPAA), 260

Hidden costs of attacks, 249-250

Hiding. See also defense.

attack sources, 18-19

from attacks, 137-138, 169

Himma, Kenneth, 263

HIPAA (Health Insurance Portability and Accountability Act), 260

HIV/AIDS analogy, 32

Honeynet Project

Forensic Challenge, 191, 194

Honeywalls, 211

Hop-Count Filtering (HCF), 234-235

Hygiene, 130-131

“I Love You” virus, 54, 262

ICAMP (Incident Cost Analysis and Modeling Project), 255-257

ICMP Echo Reply packet attacks, 56

ICMP Echo Request packet attack, 50-51, 75

ICNP (International Conferences on Network Protocols), 283

Identifying legitimate traffic. See service differentiation.

Identity, online, 30

IDS (intrusion detection systems), 21-22, 143, 157. See also defense.

IEEE Cipher list, 282

IEEE Cipher newsletter, 282

IEEE Information Assurance Workshop, 284

IEEE International Conferences on Network Protocols, 283

IEEE Security and Privacy, 285

IEEE Symposium on Security and Privacy, 282

IEEE Transactions on Dependable and Secure Computing, 285

IEEE/ACM Transactions on Networking, 285

ifconfig, 199-200

Impairing access to data, 267

Incident Cost Analysis and Modeling Project (ICAMP), 255-257

Incident response life cycle, 157-158

Incident response procedures, 252-253

Indirect commands, 71-73

inetd, 90

“Inferring Internet Denial-of-Service Activity,” 52, 325-329

Infocom, 283

Infrastructure attacks, 274-275

Ingress filtering. See also egress filtering; IP headers; IP spoofing.

definition, 293

IP spoofing, 94-96, 163-164

Initial sequence number (ISN), 81

Insurance coverage, 172

Internal signatures, 191-201

International Conferences on Network Protocols (ICNP), 283

Internet

design principles

active queue management, 39

best-effort service model, 36-39

circuit-switched networking, 33

congestion avoidance, 39

end-to-end paradigm, 36-39

fair scheduling algorithm, 39

packet-switched networking, 33-36

store-and-forward switching, 34

management, 40-41

popularity, 40

scale, 39

security issues, 39-40

user profiles, 40

Internet, evolution

CERT/CC established, 42

CERT/CC workshop, 49

distributed computing, 48-50

false DNS requests, 51-52

government, role of, 59

Morris worm, 42

security issues, 39-40

spam, 53-54

Y2K failures, 50

Internet DNS root server attack, 52-53, 332-333

Internet Relay Chat (IRC)

costs of damage, 249

definition, 294-295

Internet Service Providers (ISPs). See ISPs (Internet Service Providers).

Internet worms. See worms.

Intrusion detection systems (IDS), 21-22, 143, 157. See also defense.

Involving law enforcement, 218-219

iostat, 164-165

IP addresses, hardcoded, 174

IP headers, 18-19. See also ingress/egress filtering; IP spoofing.

definition, 293-294

header fields, 18-19

IP spoofing. See also amplification; IP headers.

benefits to attacker, 97

defenses, 96-97

definition, 18-19, 294

description, 92

spoofing fully random IP addresses, 92-93

ingress/egress filtering, 94-96, 163-164

levels of, 92-93

limitations of, 97-98

raw socket access, 92

subnet spoofing, 93

traffic analysis, 236-237

spoofing victim addresses, 94-96

IRC (Internet Relay Chat)

attacks

motives for, 13

bots, 90

costs of damage, 249

definition, 294-295

ISN (Initial Sequence Number). See Initial Sequence Number.

ISPs (Internet Service Providers). See also NSPs.

contacts, 172-173

coordinating defenses, 183

definition, 295

flow logging, 182

network address agility, 181

null routing, 182

out-of-band management network, 182

topological changes, 181

traffic blocking, 182

traffic capture/analysis, 181-182

Jahanian, Farnam, 23

Journal of Computer Security, 285

Jurisdictional issues, 257-258

kaiten/knight bot

detection using antivirus, 180

portability, 62, 72, 217

relation to blended threats, 89-90

Lagging attacks, 45

Law enforcement. See legal issues.

Laws. See legal issues.

Legal attache (LEGAT), 262

Legal issues. See also moral issues; social issues.

18 U.S.C. §1030 (Computer Fraud and Abuse Act), 244-246

18 U.S.C. §2510 (Wiretap Statute), 244

18 U.S.C. §1030(a)(3) (Trespassing on Government Computers), 244

18 U.S.C. §1030(a)(6) (Trafficking in Passwords), 244

access, legal definition, 266-267

Active Network Defense. See Active Network Defense (AND).

APIG (All Party Internet Group), 267

applicable laws, 244-246

CERT/CC, reporting to, 252

chain of custody, 253

civil law, 242-244, 251-252

class action suits, 242-244

computer data, as property, 260-263

criminal culpability, 259

criminal law, 242-244, 252

damages

aggregating, 254-255

cost-estimation model, 255-257

estimating, 253-257

hidden costs, 249-250

ICAMP (Incident Cost Analysis and Modeling Project), 255-257

IRC (Internet Relay Chat), 249

loss, definition, 245, 254-255

trigger for federal statutes, 254

United States v. Middleton, 254

Department of Justice Cybercrime Web site, 245-246

domestic, 258-260

dual criminality, 262

electronic communication privacy, 211

EURIM (European Information Society Group), 267-268

evidence collection, 252-253

extortion, 244

extradition, 262

frequency of legal involvement, 248-251

health care, 260

identifying perpetrators, 243

impairing access to data, 267

incident response procedures, 252-253

initiating legal proceedings, 251-252

international, current, 260-263

international, trends, 266-268

involving legal authorities, 243

jurisdictional issues, 257-258

LEGAT (legal attache), 262

letters rogatory, 262

liability, 259

military responses, 263

MLATs (mutual legal assistance treaties), 262

national defense, 263

NIPC (National Infrastructure Protection Center), reporting to, 252

PCCIP (President’s Commission on Critical Infrastructure Protection), 268

phone contacts, 252

prognosis, 278-279

record keeping, 253

reporting requirements, 252

reporting suspected crimes, 243, 250-251

self-help options, 263-265

Tortious Interference with Business Relationship or Expectancy, 245

Trafficking in Passwords (18 U.S.C. §1030(a)(6)), 244

trespassing on government computers, 244

unauthorized, legal definition, 266-267

U.S. legal system, 241-244

U.S. Secret Service, Electronic Crimes Branch, reporting to, 252

viability of prosecution, 248-249

victim negligence, 258-259

victim profile, 246-247

wiretaps, 211

LEGAT (legal attache), 262

Legislation

CMA (Computer Misuse Act) (United Kingdom), 267

Computer Fraud and Abuse Act (18 U.S.C. §1030), 244-246

Graham-Leach-Bliley Act, 260

HIPAA (Health Insurance Portability and Accountability Act), 260

“Privacy Law” (Italy), 266

United States v. Dennis, 244, 266-267

USA PATRIOT Act of 2001, 254-255

Wiretap Statute (18 U.S.C. §2510), 244

Legitimate traffic. See service differentiation.

Letters rogatory, 262

Liability issues, 178-181, 259. See also legal issues.

libcap format, 207

Lion (1i0n) worm, 48

Litigation. See legal issues.

Locality principle, 235

Loki, 87

Loss, legal definition, 254-255

Loss estimates. See cost of attacks; damages.

Loveless, Mark (Simple Nomad), 83, 186

lsof, 192

MAC (mandatory access control), 168

Machiavelli, on problem recognition and control, 32

Magnitude of attacks, 24-27, 273

Mailing lists, 281-282

Malicious software. See malware.

Malware. See also agents; bots; handlers.

analysis. See also tools.

aguri, 206-207

anti-analysis, 190-191

anti-forensics, 190-191

classification, 191

closed port backdoor, 203

command and control flow, 216

The Coroner’s Toolkit, 193-194

covert channels, 203

custom attack tools, 190-191

electronic communication privacy, 211

external signature, 201-204

file system signature, 191-196

FPort, 192-193

half-open scans, 202

identifying the user, 217-218

ifconfig, 199-200

internal signatures, 191-201

involving law enforcement, 218-219

legal issues, 211

libcap format, 207

lsof, 192

malware artifacts, 190

Nessus, 202

network state signature, 198-199

network taps, 204

network traffic signature, 204-216

nmap, 202

nondisclosure, 219-220

port scanners, 202

process state signature, 199-200

ps, 200

Sleuthkit, 193-194

sniffers, 204

source code lineage, 216-217

surface analysis, 197-198

system log signature, 200-201

tcpdstat, 205

top, 200

wiretap issues, 211

artifacts, 190

definition, 295

propagation, 67-68

updates, 73-74

Mandatory access control (MAC), 168

Manual response, 170

Masters. See handlers.

Measuring. See estimating; malware, analysis.

Memory utilization, 165

Metcalf, Robert, 42

Methodologies. See defense approaches; defense strategies.

Microsoft Security Readiness Kit, 213

Microsoft TCP/IP stack bug, 44

Middleton, United States versus. See United States versus Middleton.

Middleware attack, 83-84

Military responses, 263

Misbehavior detection, 295. See also anomaly detection; attack detection; detection; signature detection.

Misbehavior modeling, 145-146

Misusing legitimate services, 19-20

MLATs (mutual legal assistance treaties), 262

Moderators (of IRC channels), 13

Modification of protocols strategy, 107-108

Monitoring traffic, commercial tools, 311-312, 316-317

Moore, David, 52, 325

Moral issues, 265-266, 278-279. See also legal issues; social issues.

Morris worm, 42

Motivation of attackers, 13-14, 29-32, 276-277

MSBlast. See W32/Blaster.

Mscan, 89

mstream

analysis, 88

direct commands, 69

effects, 208

in forensic analysis, 194

features and use, 38, 121-122

Mutual legal assistance treaties (MLATs), 262

Naptha attack, 83

NAT (Network Address Translation) box, 27-28

National defense, 263

National Infrastructure Protection Center (NIPC), 252

Nation-state actors, 14-15

NDSS (Networks and Distributed Security Symposium), 283

Nessus, 202

Netblocks. See CIDR (classless internet domain routing).

NetBouncer, 226-228

netstat, 165

Network address agility, 181

Network Address Translation (NAT) box, 27-28

Network Service Providers (NSPs), 295. See also ISPs.

Networks. See also agents; armies; botnets; bots; handlers.

address agility, 181

circuit-switched networking, 33

compartmentalizing, 168

control issues, 214

definition, 295

fortifying. See hardening; overprovisioning.

hardening, 109-110. See also overprovisioning.

I/O performance, 165

organization, 130-131

out-of-band management network, 182

packet-switched networking, 33-36

risk assessment, 158-161

sinkholes, 175-178

state signatures, 198-199

taps, 204

traffic signatures, 204-216

Networks and Distributed Security Symposium (NDSS), 283

New Security Paradigms Workshop (NSPW), 283

nfsstat, 164

Nimda worm, 48

NIPC (National Infrastructure Protection Center), 252

NIPC scanning tool, 56, 59

nmap, 89, 163, 202

Nondisclosure, 219-220

Normal traffic. See service differentiation.

NSPs (Network Service Providers), 295. See also ISPs.

NSPW (New Security Paradigms Workshop), 283

Null routing, 182

“Observations and Experiences Tracking Denial-of-Service …,” 331-332

Observe, Orient, Decide, Act (OODA). See OODA loop.

One-way functions, 133

Ongoing attacks. See attacks, ongoing.

Online identity, 30

Online resources. See also conferences and workshops; publications.

“Basic Steps in Forensic Analysis of UNIX Systems,” 191

CAIDA (Cooperative Association for Internet Data Analysis), 280-281

CERT/CC, 279-280

The Coroner’s Toolkit, 193-194

cost of attacks, 23

Cryptogram list, 281

Department of Justice Cybercrime Web site, 245-246

“Developing an Effective Incident Cost Analysis Mechanism,” 256

“Denial-of-Service Tools” (CA-1999-17), 57

“Denial-of-Service Developments” (CA-2000-01), 58

“Distributed Denial of Service Tools” (IN-99-04), 56

“Distributed Denial of Service Tools” (Sun Bulletin #00193), 58

Dittrich, David, DDoS Web page, 280

Dittrich on the Active Response Continuum, 263

Dittrich rootkit FAQ, 190-191

Dshield, 280

Honeynet Project, 191, 194, 211

IEEE Cipher list, 282

Jahanian report, 23

legal issues, 245-246

mailing lists, 281-282

Microsoft Security Readiness Kit, 213

mstream analysis, 88

network taps, 204

nmap, 89

Packetstorm Security, 185

Phatbot analysis, 54, 74

Power bot analysis, 62, 238

Red Hat Linux (Patching), 161, 213

RID, 185

@Risk: The Consensus Security Vulnerability Alert, 281

RISKS Digest newsgroup, 282

SANS list, 281

SANS NewsBytes (reports of Solaris intrusions), 56

Sleuthkit, 193-194

sniffers, 43-44, 49, 91, 200, 204, 244, 254, 257

Stacheldraht analysis, 87

TFN analysis, 87

TFN2K analysis, 88

trinoo analysis, 70, 87

Windows updates, 161

OODA (Observe, Orient, Decide, Act) loop, 94

Operators, IRC, 13

Out-of-band management network, 182

Overprovisioning, 138-139, 166-167. See also defense; hardening networks.

Owners (of IRC channels), 13

Packet-marking techniques, 150

Packets. See also IP headers; protocols.

charges for sending, 111

definition, 296

filtering, 131

throttling, 111

Packetstorm Security, 185

Packet-switched networking, 33-36

Paging activity, 165

Papers. See publications.

Passwords

guessing, 17

trafficking in, 244

weak, 17

PCCIP (President’s Commission on Critical Infrastructure Protection), 268

Phatbot

analysis, 54, 74

blended threat, 290

features and use, 17, 26, 47, 54, 63, 72, 89, 91, 130, 155, 180

password guessing, 17

peer-to-peer networks, 74

portability, 54

size of networks, 69

spam delivery, 54

Phone numbers for reporting DDoS attacks, 252

Pi filtering, 232-233

Political attacks, 276-277

Port scanners, 202

Ports, 296. See also protocols; TCP/IP.

Postal analogy, 4

Post-mortem analysis, 158

Power bot

analysis, 62, 238

detection of command and control, 216

features and use, 62, 75, 90, 238

in forensic analysis, 192, 202

unwitting agent, 298

use of IRC, 62, 72

PPM (probabilistic packet marking), 223-225

Preparation. See also defense.

attack response, 170-173

automatic response, 170

closing unneeded ports, 163

compartmentalizing your network, 168

costs, 172

critical versus non-critical services, 167

custom defense systems, 170-173

disabling unneeded services, 163

discovering active services, 163

disk I/O performance, 164

end host vulnerability, 161-165

estimating damage costs, 160

fault-tolerance, 167-169

filtering incoming traffic, 163

hiding, 169

identifying bottlenecks, 168

incident response life cycle, 157

ingress/egress filtering, 163-164

insurance coverage, 172

ISP agreements, 172-173, 181-183

MAC (mandatory access control), 168

manual response, 170

memory utilization, 165

network I/O performance, 165

network risk assessment, 158-161

number of server processes, 165

overprovisioning, 166-167

processor utilization, 164

risk assessment, 168

scalability, 167-169

securing end hosts, 161-165

segregated services, 167-168

swapping/paging activity, 165

system tuning, 164-165

President’s Commission on Critical Infrastructure Protection (PCCIP), 268

Prevention, 109-112. See also defense.

“Privacy Law” (Italy), 266

“Private Intrusion Response,” 268

Probabilistic packet marking (PPM), 223-225

Process state signature, 199-200

Processor utilization, 164

Programs. See malware; tools.

Proof of work, 132-135, 229-230

Propagation vectors, 66-67

Prosecution. See legal issues.

Protection. See also defense; prevention.

attack prevention, 129

endurance approach, 129-130

host vulnerabilities, 130

hygiene, 130-131

network organization, 130-131

packet filtering, 131

Protocol attacks, 81-83

Protocols, 296-297. See also ports; TCP/IP.

Provisioning. See overprovisioning.

ps, 164-165, 200

Publications. See also conferences and workshops; online resources.

ACM TISSEC (Transactions on Information and System Security), 284-285

“Active Response to Computer Intrusions,” 263

“The Bad Boys of Cyberspace,” 30

Computer Communication Review, 285

“Convention on Cybercrime,” 261

cost estimation, 256

Cryptogram newsletter, 281

CSI/FBI Computer Crime and Security Survey (2004), 23, 324-325

“Denial-of-Service Developments” (CA-2000-01), 58

“Denial-of-Service Tools” (CA-1999-17), 57

“Developing an Effective Incident Cost Analysis Mechanism,” 256

“Distributed Denial of Service Tools” (IN-99-04), 56

“Distributed Denial of Service Tools” (Sun Bulletin #00193), 58

“Ethics of Tracking Hacker Attacks …,” 266

“The Experience of Bad Behavior …,” 30

“A Framework for Classifying Denial of Service Attacks,” 329-331

“Handbook on Information Security,” 263

ICAMP (Incident Cost Analysis and Modeling Project), 255-257

IEEE Cipher newsletter, 282

IEEE Security and Privacy, 285

IEEE Transactions on Dependable and Secure Computing, 285

IEEE/ACM Transactions on Networking, 285

“Inferring Internet Denial of Service Activity,” 52, 325-329

Journal of Computer Security, 285

NIPC scanning tool, 56, 59

“Observations and Experiences Tracking Denial-of-Service …,” 331-332

“Private Intrusion Response,” 268

“Report on the DDoS Attack on the DNS Root Servers,” 332-333

Shaft analysis, 24, 49-50, 56, 61, 67, 69, 77, 78, 87-88, 101, 185, 216

Stacheldraht analysis, 48-50, 57-59, 69-70, 87, 89-90, 101, 185, 192, 198, 203, 216

“Targeting the Innocent …,” 266

TFN analysis, 56, 57

TFN2K analysis, 58

tools development timeline, 45-50, 55-59

trinoo analysis, 56, 57

USENIX ;login:, 285

Pure flooding, 86

Pushback, 222-223

Puzzles, 297. See also challenges.

Ramen worm, 89

Random port TCP SYN flooding, 82

Ranum, Marcus, 185

rape program, 46-47

Rate limiting. See also filtering.

definition, 297

research, 225-226, 230-231

traffic policing, 147-149

Raw socket access, 92

Reaction, 112-113, 158. See also defense.

Real world attacks, 277-278

Record keeping, 253

Recruiting agents

automated infection toolkits, 26-27

auto-rooters, 26-27

backdoors, 66-67

blended threats, 62-66

bots, 62-66

common methods, 26-27

description, 17-18

finding vulnerable machines, 62-66

malware propagation, 67-68

propagation vectors, 66-67

scanning, 62-66

worms, 62-66

Red Hat Linux (patches), 161, 213

Reflection attacks

definition, 19-20

examples, 51-52

Smurf attacks, 45

Reflectors, 19-20, 297. See also IP spoofing.

“Report on the DDoS Attack on the DNS Root Servers,” 332-333

Reporting incidents, 243, 250-251, 252

Reports. See publications.

Research. See defense approaches, research; malware, analysis.

Resources (equipment), 85-86, 135-136

Resources (information). See online resources; publications.

Responding to attacks. See defense; preparation; prevention.

Reverse Turing test, 131-132

RID, 185

@Risk: The Consensus Security Vulnerability Alert, 281

Risk assessment. See also vulnerability.

identifying bottlenecks, 168

networks, 158-161

vulnerability analysis, 27-28

RISKS Digest newsgroup, 282

Rootkits, 190-191, 297. See also malware.

SANS list, 281

SANS NewsBytes (reports of Solaris intrusions), 56

Sasser, 26, 27

Savage, Stefan, 52, 224, 325

Scalability, 167-169

Scanners

blended threat toolkits, 89

distributed, 49-50

host and network oriented, 185-186

Scanning, recruiting agents, 62-66

Scripting attacks, 49

Secure Overlay Services (SOS), 228-229

Securing end hosts, 161-165

Security issues. See also legal issues.

disclosure versus nondisclosure, 186-190

electronic communication privacy, 211

liability, 178-181

network control, 214

wiretap, 211

Segregated services, 167-168

Self-help options, 263-265

Semantic attacks, 274

Semantic levels. See attacks, semantic levels.

Sensitivity, attack detection, 140

Service differentiation (legitimacy). See also source validation.

attack response, 147, 151

identifying, 114-115

research, 226-229

Serv-U FTP, 90

Shaft

analysis, 24, 87-88

detection of command and control, 216

direct commands, 69

features and use, 24, 49, 78, 87-88

in history, 49-50

predictions about development trends, 101

recruitment of agents, 61, 67

scanning for, 185

size of networks, 24, 69

statistics capabilities, 24, 77

SIFF, 233-234

Signature detection, 141-143, 297. See also anomaly detection; attack detection; detection; misbehavior detection.

Signatures

external, 201-204

file system, 191-196

internal, 191-201

network state, 198-199

network traffic, 204-216

process state, 199-200

system log, 200-201

Simple Nomad. See Loveless.

Single-threaded DoS, 90

Sinkhole networks, 175-178

Slammer worm

effects, 38, 208

recruitment of agents, 61

relation to unwitting agents, 298

size of networks, 188

Slapper worm, 74

Slaves. See agents; handlers; stepping stones.

Sleuthkit, 193-194

Slowing down networks. See lagging attacks.

Smurf attacks, 45, 50-51

Sniffers

description, 91

distributed, evolution of, 49-50

evolution of, 43-44

Web site, 204

Social challenges, 107-108

Social issues, 278-279

Software for attacks. See malware.

Solaris intrusions, 55-56

Sophistication level of attacks, 14, 273-274

SOS (Secure Overlay Services), 228-229

Source address forgery. See IP spoofing.

Source code lineage, 216-217

Source address. See IP headers, header fields.

Source path isolation engine (SPIE), 224-225

Source validation. See also service differentiation.

attack response, 151

hiding, 137-138

one-way functions, 133

overprovisioning, 138-139

proof of work, 132-135

resource allocation, 135-136

reverse Turing test, 131-132

TCP SYN cookie approach, 134-135

trapdoor functions, 133

Spam, evolution of, 53-54

Spambots, 53-54

SPIE (source path isolation engine), 224-225

SPIEDER, 224-225

Spoofing. See IP spoofing.

Stacheldraht

analysis, 87

blended threat, 89

detection of command and control, 203, 216

direct commands, 69

features and use, 49

in forensic analysis, 192, 198

in history, 48, 57-58

motivation to create, 49

predictions about development trends, 101

relation to blended threats, 90

relation to t0rnkit and Ramen worm, 89, 198

scanning for, 185

use of covert channel, 203

Standard-based detection models, 145

Stepping stones, definition, 18, 298

Store-and-forward switching, 34

Strategies. See defense approaches; defense strategies.

Subnet spoofing, 93

Surface analysis, 197-198

Swapping activity, 165

SYN flood attacks, 81

SYN floods, evolution of, 44

Synchronous communication, 31

synk4 program, 90

synscan program, 89

System log cleaners, 91

System log signature, 200-201

System tuning, 164-165

targa.c program, 47

Target-based defense, 232-233

“Targeting the Innocent …,” 266

TCP banner grabbers, 89

TCP SYN cookie approach, 134-135

Tcpdstat program, 205

TCP/IP. See also IP headers; packets; ports; protocols.

definition, 298

stack bug, 44

teardrop program, 44

Technical challenges, defense, 106-107

TFN (Tribe Flood Network)

analysis, 87

detection of command and control, 185, 216

direct commands, 69

features and use, 49, 87, 89

in history, 48-49, 56-59

motivation to create, 49

predictions about development trends, 101

relation to blended threats, 90

scanning for, 70, 185

size of networks, 69

TFN2K (Tribe Flood Network 2000)

analysis, 88

detection of command and control, 142, 185, 216

features and use, 49, 88, 89

in history, 49, 57-59

portability, 89

relation to blended threats, 90

relation to 1i0n worm, 89

Third-party tools. See tools, commercial.

Three-way handshake, 81

Throttling

locality principle, 235

packet flow, 111

worms, 235

Thrower, Woody, 58

Timeline, tools and programs development, 45-50, 55-59

Timeliness, attack detection, 139

TISSEC (Transactions on Information and System Security), 284-285

Tools. See also malware, analysis.

for agent discovery, 18

Agobot/Phatbot. See Agobot and Phatbot.

automated attacks, 26

auto-rooters, 26, 55

blended threat, 54, 89-91

boink program, 44

bonk program, 44

combining exploits, 46-47, 54

command and control flow, 183-185

commercial products

active verification, 316-317

anomaly detection, 305-309, 312-317, 318

Arbor Networks, 305-309

Captus IPS, 311-312

Captus Networks Corporation, 311-312

Cisco Guard XT, 315-317

Cisco Traffic Anomaly Detector XT, 315-317

CS3, Inc., 312-315

data collection, 305-309

filtering, 316-317

firewalls, 313-315

flooding attacks, 312-315

Lancope, 318

MANAnet Firewall, 313-315

MANAnet FloodWatcher, 312-315

MANAnet Linux Router, 313-315

MANAnet Reverse Firewall, 313-315

MANAnet Shield, 312-315

Mazu Enforcer, 303-305

Mazu Networks, 303-305

overview, 301-303

Peakflow, 305-309

protocol analysis, 316-317

rate limiting, 316-317

setting triggers, 303-305

StealthWatch, 318

summary, 318-322

traffic monitoring, 311-312, 316-317

Web server protection, 309-311

Webscreen Technologies, 309-311

WS series of applications, 309-311

cron, 90

detecting, 185-186

disk I/O performance, 164

distributed scanners and sniffers, 49-50

DoS programs, 87-89

DSIT (Distributed System Intruder Tools) Workshop, 49-50, 56, 59, 221

encryption, 50

estimating attack magnitude, 24-27

evolution of

Agobot. See Agobot and Phatbot.

boink program, 44

bonk program, 44

distributed scanners and sniffers, 49-50

DSIT (Distributed System Intruder Tools), 49-50, 56, 59, 221

encryption, 50

Phatbot. See Agobot and Phatbot.

Shaft. See Shaft.

sniffers, 43-44

Stacheldraht. See Stacheldraht.

teardrop program, 44

TFN (Tribe Flood Network). See TFN.

TFN2K (Tribe Flood Network 2000). See TFN2K.

timeline, 45-50, 55-59

trinoo. See trinoo.

exploit programs, 90

fapi, 45

Firedaemon, 89

FTP servers, 90

GTbot. See GTbot.

hdparm, 164

historical analysis, 185-186

inetd, 90

iostat, 164-165

IRC bots, 90

kaiten/knight bot. See kaiten/knight bot.

mscan, 89

mstream. See mstream.

Nessus, 75

netstat, 165

nfsstat, 164

NIPC scanning tool (find_ddos), 56, 59

nmap, 89, 163

Phatbot. See Phatbot.

PING.EXE, 74-75

Power bot. See Power bot.

processor utilization, 164

ps, 164-165

rape, 46-47

RID, 185

scanners, 72, 89, 185-186

Serv-U FTP, 90

Shaft. See Shaft.

single-threaded DoS, 90

sniffers, 43-44, 91

Stacheldraht. See Stacheldraht.

synk4 program, 90

synscan program, 89

system log cleaners, 91

targa.c, 47

TCP banner grabbers, 89

teardrop program, 44

TFN (Tribe Flood Network). See TFN.

TFN2K (Tribe Flood Network 2000). See TFN2K.

top, 164-165

Trinity. See Trinity.

Trinoo. See trinoo.

Trojan Horse replacements, 91

uptime, 164

vmstat, 164-165

vulnerability scanner, 163

Warez bots, 90

Zombie Zapper, 185-186

top, 164-165, 200

Topological changes, 181

t0rnkit, 89

Tortious Interference with Business Relationship or Expectancy, 245

Traceback

defense approaches, 223-225

definition, 298

problems using, 225

research, 223-225

Traffic

blocking, 182

capture/analysis, 181-182

legitimacy. See service differentiation.

policing, 146, 147-149

volume, role in attacks, 16-17

Trafficking in Passwords (18 U.S.C. §1030(a)(6)), 244

Transactions on Information and System Security (ACM TISSEC), 284-285

Trapdoor functions, 133

Trespassing on Government Computers (18 U.S.C. §1030(a)(3)), 244

Tribe Flood Network (TFN). See TFN.

Tribe Flood Network 2000 (TFN2K). See TFN2K.

Trinity

analysis, 88

features and use, 72

use of IRC, 72, 88

trinoo

analysis, 70, 87

detection of command and control, 70, 208, 216

direct commands, 69-70

features and use, 49, 87

in forensic analysis, 208-211

in history, 48, 50, 56-59, 89

motivation to create, 49

portability, 89

predictions about development trends, 98, 101

recruitment of agents, 61, 67

scanning for, 185, 211

size of networks, 48-49, 69

Trojan Horse replacements, 91

Troll

definition, 298

Trolling, 29

Turing test, 131-132

Unauthorized access, legal definition, 11, 266-267

United States v. Dennis, 244, 266-267

United States v. Middleton, 254

University of Minnesota attack (1999), 48-49, 56

Unwitting agents, 74-75, 298-299

uptime, 164

U.S. legal system, 241-244

U.S. Secret Service, Electronic Crimes Branch, 252

USA PATRIOT Act of 2001, 254-255

USENIX ;login:, 285

USENIX Security Symposium, 282-283

USENIX Technical Conference, 284

Utilities. See tools.

Victim negligence, 258-259

Victim profile, 246-247

Victim-based defense techniques, 140-141

vmstat, 164-165

Voelker, Geoffrey, 52, 325

Vulnerability attacks. See also attacks, types of; flooding attacks.

analysis, 27-28

definition, 15-17

end host, 161-165

evolution of, 44, 46

exploits, 15-17, 79-81

protection, 130

semantic levels, 79-81

Vulnerability scanner, 163

W32/Blaster (MSBlast), 27, 48, 188, 213

W32/Leaves, 67

W32/SoBig, 27, 53, 67, 188

Warez bots, 90

Wide deployment, requirements, 108

Windows TCP/IP stack bug, 44

Windows updates, 161

Wiretap issues, 211

Wiretap statute (18 U.S.C. §2510), 244

Worms

Blaster, 48

Code Red, 48, 137

definition, 27

Deloder, 48

evolution of, 42, 48-50

“I Love You” virus, 54, 262

Lion (1i0n), 48

Morris, 42

Nimda, 48

recruiting agents, 62-66

Slapper, 74

Slammer, 31, 61, 188, 208

throttling, 235

Y2K failures, 50

Zalewski, Michal, 54

Zombie Zapper, 185-186

Zombies. See agents; handlers; stepping stones.