About the distributed denial of service attacks
Recently several large US internet dot-coms allegedly fell victim to a
distributed denial of service attack that blew each off the net for
about three hours. Among the victims were Yahoo, ebay, amazon.com and a
few others. No hacker or hacker group claimed the fame afterwards.
The press blew up the issue into a giant "who did it?" story. A
well-known German hacker called Mixter had published a distributed
denial of service tool many months ago to make the point that this kind
of attack was not only possible but also feasible. Now the press all
over the world is pointing fingers at him.
To me, the whole issue does not look kosher. There are many reasons.
First of all, the mere idea that Mixter could somehow have been involved
in the attacks is ridiculous. There have been similar tools before and
after he wrote his, and from the attack pattern there is no way to even
know which tool was used, so it is not even clear that the attacker(s)
used his tool. Blaming Mixter is like shooting the messenger. In fact,
had Mixter not published his tool, the attacked sites wouldn't even know
what hit them.
- As a typical consumer, when you can't reach Yahoo, you don't blame
Yahoo. You don't even consider Yahoo as the culprit, because people are
used to the situation that web sites are not reachable from time to
time. Network outages and routing problems that cause whole countries
to disappear from the Internet are a frequent sight on the net.
- When web sites get hacked, the hackers almost always leave an
anonymous message claiming the "victory". In this case there was no
message. Yet it was not one or two but six sites that were hacked.
This rules out juvenile hackers, or "script kiddies", because those
try to get fame with their hacks.
- A friend once angered someone on IRC (a worldwide chat network) and
was subsequently hit by a flooding attack that lasted three days (not
hours!). This is a typical duration for a flooding attack on the
Internet. If someone really wanted to cause damage to Yahoo, he
would not have stopped the attack after three hours. This rules out
industrial sabotage.
- Who has a motive to shut down Yahoo, then? The competition? They
would have no reason to stop after three hours. Actually, if you watch
the press after the fact, you see that only one institution has had any
advantage from the attacks: the FBI. The FBI budget is
coincidentally being approved right now, and the FBI needs to give
Congress reasons to grant them a big budget, so the best thing that could
have happened to the FBI is these kinds of attacks. Please note that
the attacks only hit commercial sites and only inside the US. If the
attacks were about vandalism, whitehouse.gov would have been a better
target, or at least it would have been one of the targets. But right now
the FBI is concerned about funds for securing e-commerce, not about
securing government web sites; that is another department of the
government.
- There was a rumour that the attacks were about "hacktivism",
i.e. hackers would try to make a point against the increasing
commercialization on the Internet. Why, then, haven't we seen any note
to the press about this? If this was an attempt to make a point, a
hacker attack would only be useful if there also was an anonymous press
release of some kind so the public notices.
- In this case, there were six large multi-billion dollar companies
that were not really hacked but just not reachable, and the problem went
away after just three hours. It would have been no problem to blame
this on network equipment or anything else, but a hacker attack would
have been the least likely scapegoat because of the bad publicity that
is associated with it.
- But let us step back a little. How do we even know that
there were any attacks? Companies are normally very reluctant to
acknowledge that their servers were broken into. That would be bad
publicity. If anyone ever acknowledges that there was a problem, it is
only because the situation has escalated until one can't deny it anymore
(i.e. big data loss or several days of downtime). So, who brought up
the idea that there was an attack? That person will probably know who
really did it. Anyway, are we really sure that Yahoo was down? I didn't
notice it. I didn't notice any downtime. And even if I had had
problems connecting to Yahoo, an attack would have been the least
probable explanation.
Conclusion: The whole story looks made up. And the only one that I can
think of who has any reason to make a story like this up is the FBI.
Some technicalities
The Internet is based on cooperation. The TCP protocol that underlies
all the major services (like email, FTP and the web) assumes cooperation
from everyone. If the network appears to be full, TCP will transmit
less data. A single non-cooperative person can make life miserable for
everyone else, not only by distributed flooding. This kind of network
works well for research and friendly peers, but it may not be robust
enough to build a business on. People should be aware that they are
building their businesses on sand. There is no way to protect yourself
against being flooded.
Distributed flooding works like this:
- A bad guy breaks into 1000 computers and installs a back door on
each. This procedure has been automated.
- The back doors listen for special data packets that tell them whom
to flood.
- As data packets travel through the Internet, routers look at the
destination address, not the source address. So, malicious programs can
hide their identity by writing the address of someone else in their
packets. The back door programs of distributed flood tools write random
data in the source field and ignore the source address of the control
packets that tell them whom to flood.
- Anyone can send control packets to any back door program. So, the
thousands of flood back door programs are now really part of the
infrastructure of the Internet.
If you are being flooded by a distributed flood back door, you don't
know which 1000 machines are flooding you because the source address in
the packets is random.
If a back door at University XY is used to flood Yahoo, then not only
will Yahoo be unreachable, but also University XY. So, when University
XY notices that their Internet is really slow, they will probably close
the back doors, but at this point you still don't know who installed the
back doors and who sent the control packets, and there really is no way
to find out, because attackers normally wipe their traces when they
successfully install a back door and the control packet, should you by
coincidence have seen and saved it, can carry any random source
address.
Conclusion: it is fundamentally impossible to find out who is flooding
you by technical means. The attacker must have made some very stupid
mistake or he must confess voluntarily. There is no way to protect
yourself against being flooded, but you can (and should!) protect
yourself against being used to flood others by making sure that your
infrastructure is secure against hackers. The real problem is that Mom
and Pop buy some shrink-wrapped Windows web server and go on the net.
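Two defender-side checks for the scenario described above, as an added example that is not part of the original text: the border filter University XY could run so that a compromised campus host cannot emit packets with a forged source address (a mitigation the text implies but does not spell out), and the victim-side count that shows why the randomised source addresses identify nobody. The campus prefix, the flood target and all packet records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a campus network (RFC 5737 documentation prefix) with
# one compromised host emitting a flood whose source field is filled with
# made-up addresses, mixed with ordinary traffic from two real campus hosts.
CAMPUS_PREFIX = "192.0.2.0/24"
FLOOD_TARGET = "198.51.100.10"

def constructed_traffic():
    """Return (source, destination) pairs: 4 legitimate, 40 spoofed."""
    legit = [("192.0.2.15", FLOOD_TARGET)] * 3 + [("192.0.2.20", "198.51.100.80")]
    # Deterministic stand-in for "random data in the source field".
    spoofed = [(f"{1 + i}.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 53) % 256}",
                FLOOD_TARGET) for i in range(40)]
    return legit + spoofed

def egress_filter(packets, local_prefix):
    """Border-router rule for University XY: a packet leaving the campus
    must carry a campus source address. Returns (passed, dropped)."""
    net = ipaddress.ip_network(local_prefix)
    passed, dropped = [], []
    for src, dst in packets:
        bucket = passed if ipaddress.ip_address(src) in net else dropped
        bucket.append((src, dst))
    return passed, dropped

def flood_suspects(packets, min_sources):
    """Victim-side view: destinations contacted by at least `min_sources`
    distinct source addresses. A flood with randomised sources shows up
    as a destination with an implausible number of distinct senders; the
    addresses themselves point at nobody, which is the text's point."""
    sources = defaultdict(set)
    for src, dst in packets:
        sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("victim sees:", flood_suspects(traffic, 20))
    passed, dropped = egress_filter(traffic, CAMPUS_PREFIX)
    print(f"egress filter dropped {len(dropped)} spoofed packets")
    print("victim sees after filtering:", flood_suspects(passed, 20))
```

The victim's count only reveals that a flood is happening, not where it comes from; only the filter at the compromised network's border removes the forged packets.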