For months now, government and private computer security groups have
warned of potential devastation from the new hacker tools that took
down some of the Internet's highest-profile Web sites this week.
In fact, in a November workshop at Pittsburgh's Carnegie Mellon
University, members of the Department of Defense-funded Computer Emergency
Response Team specifically explored the threat from "denial of service"
software under development worldwide.
"So far, we have seen only limited use of these new tools, but
we believe it won't be long before the tools will move from development
by sophisticated intruders into wide use by the large population of
less-sophisticated intruders," conference attendees wrote in their
final report. "When this happens, all of us will face new issues with
impact on security, incident response and future technology."
This week, the group's worst fears were apparently realized. Hundreds
- perhaps thousands - of unprotected computers scattered across the
Internet were used by malicious hackers to take down some of the most
prominent American business and news sites.
Experts have grown concerned over three programs in particular
- Trinoo, Tribal Flood Network and Stacheldraht (German for "barbed
wire") - all of which can now be easily found and downloaded from
hacker sites. No one knows whether they were the culprits in this
week's attacks.
Federal authorities and the response team had noted that a growing
number of broadband-connected Internet computers with lax security
measures had been compromised and prepared as launch points for assaults.
"Intruders are actively developing distributed tools to use the
many resources on the network; this has become easier because of the
large number of machines 'available for public use' - that is, vulnerable
to compromise," the team said in November. "As a result, even unsophisticated
intruders can use the available tools to identify and take advantage
of a large number of vulnerable machines."
In recent years, hackers have been using scanning programs to automatically
probe computers on fixed Internet addresses for known security holes. With
the list of vulnerable addresses returned by the scanner, a malicious
hacker can install the attack agent - the "slave" component of a program
like Trinoo - on each of them. The agents on the unwitting hosts can then
be directed, all at once, to flood a designated target Web server with
rapid-fire requests.
"If this is someone who has a large collection of sites waiting
to attack, they could literally fire off one attack after another,"
said Jim Magdych, director of security research for PGP Security,
a division of Network Associates.
Before the attacks, experts had urged commercial and private users
to scan their systems for evidence of infection. Programs for various
computer platforms have been available from the FBI (www.fbi.gov/nipc/trinoo.htm)
and FedCIRC (www.fedcirc.gov/tools/trinoo.html) Web sites.
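As an added illustration of what "scanning for evidence of infection" looks like on the network side (this is example code, not the FBI or FedCIRC tools and not code from the article), the script below reads firewall connection records and flags traffic on the three control channels Trinoo uses by default, as documented in Dave Dittrich's public October 1999 analysis of the tool: an attacker reaches the "master" on TCP port 27665, the master commands its "slave" daemons on UDP port 27444, and the daemons register with the master on UDP port 31335. The log line format and the sample lines are constructed for this example; intruders can rebuild the tools with other ports, so an empty result is not proof that a host is clean.

```python
"""Look for Trinoo control traffic in firewall connection logs.

Added example; not code from the article, the FBI or FedCIRC.  The port
numbers are the defaults from the public Trinoo analysis (Dittrich,
October 1999); the log format and the sample lines are constructed.
Intruders can rebuild the tools with other ports, so an empty result
is not proof that a host is clean.
"""
import re
from collections import defaultdict

# Default Trinoo channels and the role each one implies for the endpoints.
# (proto, dst_port) -> (description, role of source host, role of destination host)
TRINOO_SIGNATURES = {
    ("tcp", 27665): ("attacker -> master control shell", None, "master"),
    ("udp", 27444): ("master -> daemon command channel", "master", "daemon"),
    ("udp", 31335): ("daemon -> master registration", "daemon", "master"),
}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

# Constructed sample: one outside host talks to a master, the master
# commands two daemons, one daemon checks in, plus ordinary Web and DNS traffic.
SAMPLE_LOG = """\
2000-02-08T10:15:02 tcp 198.51.100.7:1521 -> 192.0.2.10:27665
2000-02-08T10:15:09 udp 192.0.2.10:1024 -> 192.0.2.21:27444
2000-02-08T10:15:09 udp 192.0.2.10:1024 -> 192.0.2.22:27444
2000-02-08T10:15:10 udp 192.0.2.21:1025 -> 192.0.2.10:31335
2000-02-08T10:15:11 tcp 192.0.2.5:3344 -> 203.0.113.80:80
2000-02-08T10:15:12 udp 192.0.2.5:1030 -> 203.0.113.53:53
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_trinoo_indicators(lines):
    """Return one finding per line whose protocol and destination port match a default channel."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sig = TRINOO_SIGNATURES.get((rec["proto"], rec["dport"]))
        if sig is None:
            continue
        description, src_role, dst_role = sig
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "description": description,
            "src_role": src_role, "dst_role": dst_role,
        })
    return findings


def classify_hosts(findings):
    """Map each implicated host to the sorted list of roles the traffic suggests."""
    roles = defaultdict(set)
    for f in findings:
        if f["src_role"]:
            roles[f["src"]].add(f["src_role"])
        if f["dst_role"]:
            roles[f["dst"]].add(f["dst_role"])
    return {host: sorted(r) for host, r in roles.items()}


if __name__ == "__main__":
    hits = find_trinoo_indicators(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']}  {h['description']}")
    for host, r in sorted(classify_hosts(hits).items()):
        print(f"{host}: possible {', '.join(r)}")
```

Run against the sample, the script flags four of the six lines and reports 192.0.2.10 as a probable master and 192.0.2.21 and 192.0.2.22 as probable daemons; the Web and DNS lines are ignored. A host-side check (the FBI and FedCIRC programs the article refers to) is still needed, since port matching only sees the control traffic that happens to cross the firewall.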
Home users with always-on connections and fixed Internet addresses
had been warned to employ commercial firewall software, such as Black
Ice, that can detect outside attempts to probe for openings and install
malicious "slave" programs.
In recent weeks, newsgroup discussions had also noted a sharp increase
in reports from firewall programs of scanning for open security holes.
On some residential high-speed ISDN lines, users noted they were being
probed by possibly malicious scanners up to twice every 10 minutes.
Most likely, experts say, this is the work of "script kiddies"
- unsophisticated computer users experimenting with the new-found,
easier hacker tools that so alarmed security experts.
One of the first sites to be hit by a coordinated attack was the
University of Minnesota, which was effectively shut down last August.
In that incident, 227 computers were used to inundate the school's
system.
Security experts say it appears that this week's events involve
something similar. And that means that the Web is likely to continue
to experience such attacks.
The response team had warned large commercial sites to take immediate
defensive measures, including examination and storage of all log files,
scanning of drives for signs of malicious scripting and securing
backup Internet access in the event of attack.
In fact, Yahoo - one of the sites hit this week - had implemented
"rate filters," which are intended to guard against attempted denial
of service attacks. However, the company said, this particular attack
was too large to ward off.
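Why a per-address rate filter of the kind Yahoo describes can stop one machine but not a network of "slave" hosts (the mechanism described earlier in this article) is easier to see with numbers. The following is an added example, not Yahoo's filter or any code from the article: it models a simple fixed-window limiter that allows at most 100 requests per source address per second in front of a server assumed to handle 1,000 requests per second. Both figures and all of the traffic are constructed for the example.

```python
"""Per-source rate filter versus a distributed flood.

Added example, not Yahoo's filter or code from the article.  It models a
fixed-window limiter (at most LIMIT_PER_SOURCE requests per address per
second) in front of a server assumed to absorb SERVER_CAPACITY requests
per second.  Both numbers and all traffic below are constructed.
"""
from collections import Counter

LIMIT_PER_SOURCE = 100   # assumed per-address ceiling, requests per second
SERVER_CAPACITY = 1000   # assumed requests per second the site can absorb


def simulate_traffic(n_sources, rate_per_source, seconds=3):
    """Constructed traffic: n_sources addresses each sending rate_per_source req/s."""
    requests = []
    for sec in range(seconds):
        for i in range(n_sources):
            src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            for k in range(rate_per_source):
                requests.append((sec + k / rate_per_source, src))
    return requests


def per_source_filter(requests, limit=LIMIT_PER_SOURCE):
    """Drop any request beyond `limit` from the same source within the same second."""
    counts = Counter()
    accepted, dropped = [], []
    for ts, src in requests:
        key = (int(ts), src)
        counts[key] += 1
        (accepted if counts[key] <= limit else dropped).append((ts, src))
    return accepted, dropped


def peak_rate(requests):
    """Highest number of requests seen in any one-second bucket."""
    buckets = Counter(int(ts) for ts, _ in requests)
    return max(buckets.values(), default=0)


def evaluate(requests, limit=LIMIT_PER_SOURCE, capacity=SERVER_CAPACITY):
    """Summarise what the filter achieves against a given traffic pattern."""
    accepted, dropped = per_source_filter(requests, limit)
    after = peak_rate(accepted)
    return {
        "sources": len({src for _, src in requests}),
        "peak_before": peak_rate(requests),
        "peak_after": after,
        "dropped": len(dropped),
        "overwhelmed": after > capacity,
    }


if __name__ == "__main__":
    cases = {
        "normal load": simulate_traffic(50, 2),
        "single-source flood": simulate_traffic(1, 500),
        "distributed flood": simulate_traffic(2000, 5),
    }
    for name, traffic in cases.items():
        print(f"{name}: {evaluate(traffic)}")
```

The single-source flood of 500 requests per second is cut to 100 by the filter and the server stays up. In the distributed case, 2,000 slave hosts sending only 5 requests per second each never trip the per-address ceiling, so nothing is dropped and the server still faces 10,000 requests per second, ten times its assumed capacity. That is the shape of the problem Yahoo describes: defending against it takes aggregate limits and filtering upstream of the site, not a per-address rule at the site itself.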
At the peak of the three-hour Yahoo outage, requests totaled roughly
1 gigabit per second, more information than some Web sites receive
in a year, Yahoo spokeswoman Diane Hunt said.
"This was a highly unusual event," Ms. Hunt said. "It happened very
quickly and with great intensity."
"The Internet is still in its infancy," Ms. Hunt said. "A lot of
the things that happen on the Web are new. This isn't the last time
this will happen on the Internet."
C-Net contributed to this report.
CHART(S): (DMN) Web Outages: The Consumer Impact
© 2000 The Dallas Morning News All Rights Reserved