About the distributed denial of service attacks

Recently several large US internet dot-coms allegedly fell victim to a distributed denial of service attack that blew each off the net for about three hours. Among the victims were Yahoo, ebay, amazon.com and a few others. No hacker or hacker group claimed the fame afterwards.

The press blew up the issue into a giant "who did it?" story. A well-known German hacker called Mixter had published a distributed denial of service tool many months ago to make the point that this kind of attack was not only possible but also feasible. Now the press all over the world is pointing fingers at him.

To me, the whole issue does not look kosher, for many reasons. First of all, the mere idea that Mixter could somehow have been involved in the attacks is ridiculous. There were similar tools before and after he wrote his, and from the attack pattern there is no way to tell which tool was used, so it is not even clear that the attacker(s) used his tool at all. Blaming Mixter is like shooting the messenger. In fact, had Mixter not published his tool, the attacked sites would not even know what hit them.

  1. As a typical consumer, when you can't reach Yahoo, you don't blame Yahoo. You don't even consider Yahoo as the culprit, because people are used to the situation that web sites are not reachable from time to time. Network outages and routing problems that cause whole countries to disappear from the Internet are a frequent sight on the net.
  2. When web sites get hacked, the hackers almost always leave an anonymous message claiming the "victory". In this case there was no message. Yet it was not one or two but six sites that were hacked. This rules out juvenile hackers, or "script kiddies", because those try to get fame with their hacks.
  3. A friend once angered someone on IRC (a worldwide chat network) and was subsequently hit by a flooding attack that lasted three days (not hours!). This is a typical duration for a flooding attack on the Internet. If someone really wanted to cause damage to Yahoo, he would not have stopped the attack after three hours. This rules out industrial sabotage.
  4. Who has a motive to shut down Yahoo, then? The competition? They would have no reason to stop after three hours. Actually, if you watch the press after the fact, you see that only one institution has had any advantage from the attacks: the FBI. The FBI budget is coincidentally being approved right now, and the FBI needs to give Congress reasons to grant them a big budget, so the best thing that could have happened to the FBI is exactly this kind of attack. Please note that the attacks only hit commercial sites and only inside the US. If the attacks were about vandalism, whitehouse.gov would have been a better target, or at least it would have been one of the targets. But right now the FBI is concerned about funds for securing e-commerce, not about securing government web sites; that is another department of the government.
  5. There was a rumour that the attacks were about "hacktivism", i.e. hackers would try to make a point against the increasing commercialization on the Internet. Why, then, haven't we seen any note to the press about this? If this was an attempt to make a point, a hacker attack would only be useful if there also was an anonymous press release of some kind so the public notices.
  6. In this case, there were six large multi-billion dollar companies that were not really hacked but just unreachable, and the problem went away after just three hours. It would have been easy to blame this on network equipment or anything else; a hacker attack would have been the least likely scapegoat because of the bad publicity associated with it.
  7. But let us step back a little. How do we even know that there were any attacks? Companies are normally very reluctant to acknowledge that their servers were broken into. That would be bad publicity. If anyone ever acknowledges that there was a problem, it is only because the situation has escalated until it can't be denied anymore (i.e. big data loss or several days of downtime). So, who brought up the idea that there was an attack? That person will probably know who really did it. Anyway, are we really sure that Yahoo was down? I didn't notice it. I didn't notice any downtime. And even if I had had problems connecting to Yahoo, an attack would have been the least probable explanation.

Conclusion: The whole story looks made up. And the only one that I can think of who has any reason to make a story like this up is the FBI.

Some technicalities

The Internet is based on cooperation. The TCP protocol that underlies all the major services (like email, FTP and the web) assumes cooperation from everyone: if the network appears to be congested, TCP transmits less data. A single non-cooperative party can make life miserable for everyone else, and not only by distributed flooding. This kind of network works well for research and friendly peers, but it may not be robust enough to build a business on. People should be aware that they are building their businesses on sand. There is no way to protect yourself against being flooded.

Distributed flooding works like this:

  1. A bad guy breaks into 1000 computers and installs a back door on each. This procedure has been automated.
  2. The back doors listen for special data packets that tell them whom to flood.
  3. As data packets travel through the Internet, routers look at the destination address, not the source address. So malicious programs can hide their identity by writing someone else's address into the source field of their packets. The back door programs of distributed flood tools write random data into the source field, and they ignore the source address of the control packets that tell them whom to flood.
  4. Anyone can send control packets to any back door program. So, the thousands of flood back door programs are now really part of the infrastructure of the Internet.

If you are being flooded by a distributed flood back door, you don't know which 1000 machines are flooding you because the source address in the packets is random.

If a back door at University XY is used to flood Yahoo, then not only will Yahoo be unreachable, but so will University XY. So, when University XY notices that their Internet connection is really slow, they will probably close the back doors. But at this point you still don't know who installed the back doors and who sent the control packets, and there really is no way to find out: attackers normally wipe their traces once they have successfully installed a back door, and the control packet, should you by coincidence have seen and saved it, can carry any random source address.

Conclusion: it is fundamentally impossible to find out who is flooding you by technical means. The attacker must have made some very stupid mistake or he must confess voluntarily. There is no way to protect yourself against being flooded, but you can (and should!) protect yourself against being used to flood others by making sure that your infrastructure is secure against hackers. The real problem is that Mom and Pop buy some shrink-wrapped Windows web server and go on the net.
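As an added example (not part of the original text), the following Python script shows the two defensive measures that follow from the description of distributed flooding above and from the advice to protect yourself against being used to flood others: a border filter that drops outbound packets whose source address is not one of your own (so a back door on your network cannot flood anyone with forged sources) and drops inbound packets that claim one of your own addresses, plus a flood indicator that counts distinct source addresses per destination in a short time window, since blocking individual sources is pointless when every packet carries a random one. The site prefix 203.0.113.0/24, the (timestamp, direction, source, destination) log format and all packet records are constructed assumptions.

```python
"""Border filtering and a flood indicator over a constructed packet log.

Assumptions (not from the original text): the site owns 203.0.113.0/24 (a
documentation prefix) and packets are observed at the site border as
(seconds, "in"/"out", source IP, destination IP) tuples. All records below
are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # assumed site allocation

# Constructed packet records: (seconds, direction, source IP, destination IP)
SAMPLE_PACKETS = [
    (0.00, "out", "203.0.113.10",  "198.51.100.5"),  # legitimate outbound request
    (0.01, "out", "203.0.113.11",  "198.51.100.7"),  # legitimate outbound request
    (0.02, "out", "192.0.2.44",    "198.51.100.5"),  # forged source: not our prefix
    (0.03, "out", "192.0.2.200",   "198.51.100.5"),  # forged source: not our prefix
    (0.04, "out", "192.0.2.9",     "198.51.100.5"),  # forged source: not our prefix
    (0.05, "in",  "198.51.100.5",  "203.0.113.10"),  # legitimate reply
    (0.06, "in",  "203.0.113.250", "203.0.113.20"),  # claims our address from outside
    (0.50, "in",  "192.0.2.1",     "203.0.113.80"),  # flood on our web server,
    (0.51, "in",  "192.0.2.2",     "203.0.113.80"),  # one random source per packet
    (0.52, "in",  "192.0.2.3",     "203.0.113.80"),
    (0.53, "in",  "192.0.2.4",     "203.0.113.80"),
    (1.70, "in",  "198.51.100.9",  "203.0.113.80"),  # next window, single source
]


def is_spoofed(direction, src, prefix=SITE_PREFIX):
    """Source-address plausibility check at the site border.

    Outbound packets must carry a source inside our prefix (egress filtering);
    inbound packets must NOT claim a source inside our prefix (ingress filtering).
    """
    inside = ipaddress.ip_address(src) in prefix
    if direction == "out":
        return not inside
    if direction == "in":
        return inside
    raise ValueError(f"unknown direction {direction!r}")


def apply_border_filter(packets, prefix=SITE_PREFIX):
    """Split packets into those the border router passes and those it drops."""
    passed, dropped = [], []
    for pkt in packets:
        _, direction, src, _ = pkt
        (dropped if is_spoofed(direction, src, prefix) else passed).append(pkt)
    return passed, dropped


def distinct_sources_per_window(packets, window=1.0):
    """Count distinct inbound source addresses per destination per time window.

    Per-source blocking cannot help against random forged sources, but the
    number of distinct sources hitting one destination inside a short window
    is a usable flood indicator. Returns {dst: max distinct sources seen in
    any single window}.
    """
    buckets = defaultdict(set)  # (dst, window index) -> set of sources
    for ts, direction, src, dst in packets:
        if direction != "in":
            continue
        buckets[(dst, int(ts // window))].add(src)
    worst = defaultdict(int)
    for (dst, _), sources in buckets.items():
        worst[dst] = max(worst[dst], len(sources))
    return dict(worst)


if __name__ == "__main__":
    passed, dropped = apply_border_filter(SAMPLE_PACKETS)
    print(f"passed {len(passed)} packets, dropped {len(dropped)} with implausible sources")
    for pkt in dropped:
        print("  dropped", pkt)
    for dst, n in distinct_sources_per_window(passed).items():
        print(f"{dst}: up to {n} distinct sources in one 1-second window")
```

The egress half of the filter is the part a site operator controls: it does nothing against being flooded, exactly as the text says, but it guarantees that a compromised machine on your network cannot hide behind random source addresses, which makes the whole distributed scheme much less attractive.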