Can anyone tell how E-commerce sites get overwhelmed?

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Why can't they track this?

-- anyone (anyone know@ebay.com), February 10, 2000

Answers

As I understand it,

All hardware (i.e., servers, switches, hubs, routers) has finite limits.

When these limits are exceeded, the system malfunctions or shuts down.

This failure COULD be caused by:

1. Excess legitimate use

2. Packets received containing excessive errors, having the same effect as #1

3. Erroneous packets, and/or overload of the system by hackers

4. A combination of the above

Note that the sites have been hacked during working hours. Even though they are open 24/7, this would be the time of busiest usage, hence the time the systems are most vulnerable.

Re: Tracking. This is very difficult, since (if the problem is due to hackers) they could be ANYWHERE IN THE WORLD.

-- No Polly (nopolly@hotmail.com), February 10, 2000.


I am not so sure that the internet is the most busy during the day. I find that sites back up and are too busy during the evening, approx. 7-10 pm, not during the day when everyone is at work.

I wonder if all these problems aren't due to the same computer systems (Cisco?) used by the very large internet sites. I would think they would all use the same equipment. Note that they are all having the same problem, the same number of days from Jan. 1, 2000.

-- JT (JT@notsosure.com), February 10, 2000.


Why can't they be tracked?

Let's say that I am able to place a program called 'DirtyDeedDoer' on your computer without your knowledge. Let's also assume that your computer is constantly connected to the Internet - as many computers are today.

Let's next assume that this program is somewhat smart in that it is able to listen for and communicate with my 'EvilMaster' program which I have installed on a computer someplace else on the Internet. Further, assume that this communication is transparent to the user - i.e. it doesn't create a window on your monitor and doesn't otherwise announce its presence.

Finally, let's assume that I've been able to surreptitiously install the DirtyDeedDoer program on 200 different computers at various locations around the Internet.

Then, from my "EvilMaster" program I issue a command to all 200 DirtyDeedDoer programs around the Internet "At 23:00GMT on Feb 10, 2000 begin attacking the XYZ web site".

At the appointed time, all DirtyDeedDoers begin their assigned task and the result is a massive attack against a single site.

Now the victim examines his/her log files and sees that an attack is originating from not 1 or 2 but several hundred IP addresses simultaneously.

So he/she contacts the admin for the attacking machine (you) and says "quit it!" and you say "huh?". Without even being aware, you were attacking the remote machine. So then the question becomes "how did this malicious software come to be on your machine" and it turns out that you don't really have a clue.

This is what makes tracking down these types of 'surrogate' attacks more difficult than usual.

-- Arnie Rimmer (Arnie_RImmer@usa.net), February 10, 2000.
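An added example, not part of the original post: the victim-side log review described above, done by counting requests and distinct client addresses per minute in a web access log. The log lines are constructed (Common Log Format, documentation address ranges), and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: client address, identities, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def sample_log():
    """Constructed log: 10 minutes of light traffic from 5 clients, with 200
    extra clients joining during the minute that starts at 23:00:00 GMT."""
    lines = []
    base = datetime(2000, 2, 10, 22, 55, tzinfo=timezone.utc)
    for minute in range(10):
        t = base + timedelta(minutes=minute)
        clients = [f"192.0.2.{i}" for i in range(1, 6)] * 4
        if minute == 5:
            clients += [f"198.51.100.{i}" for i in range(1, 201)] * 3
        for n, ip in enumerate(clients):
            stamp = (t + timedelta(seconds=n % 60)).strftime("%d/%b/%Y:%H:%M:%S +0000")
            lines.append(f'{ip} - - [{stamp}] "GET / HTTP/1.0" 200 512')
    return lines

def find_floods(lines, window=60, factor=5, min_sources=50):
    """Flag windows with `factor` times the median request volume spread
    over at least `min_sources` distinct client addresses."""
    buckets = defaultdict(lambda: defaultdict(int))  # window start -> ip -> hits
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        buckets[int(when.timestamp()) // window * window][m.group(1)] += 1
    totals = {start: sum(hits.values()) for start, hits in buckets.items()}
    baseline = max(median(totals.values()), 1) if totals else 1
    alerts = []
    for start in sorted(buckets):
        hits = buckets[start]
        if totals[start] >= factor * baseline and len(hits) >= min_sources:
            alerts.append({
                "start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "requests": totals[start],
                "sources": len(hits),
                "max_per_source": max(hits.values()),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_floods(sample_log()):
        print(alert)
```

In the flagged window no single address sends more than 4 requests, which is why a per-address rate limit alone does not catch this pattern.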


Arnie,

Are you sure you didn't have a hand in these DOS attacks? (grin...)

Take a look at this article that I uncovered...

cgi.zdnet.com/slink?17640:2509272

-- (Sheeple@Greener.Pastures), February 10, 2000.


As I understand it, the idea is to swamp a web site with requests for information. This is done by unleashing a flood of packets on the internet all aimed at a specific site.

The first step is to locate and "take over" a good base of operations. This is a computer network in an organization that allows "a mass Ping". Ping is a common internet program that sends out a request for a reply. By timing how long it takes to get a reply (or noting if a reply never comes), a system can help measure the health of a network.

A mass Ping means that one computer sends out a request on a computer network for a reply from all the computers on the network. This can involve very heavy traffic, since it all happens at once. Usually, systems are set to turn "mass ping" off for the reason that it can flood a network.

So our hackers find the biggest organization they can find that has "mass ping" enabled. Then they force the system to send out a devious message that says "respond, but do it by sending a request packet to the target internet site". So now General Motors (or whatever) has each computer on the network ask Yahoo for some information. Do that enough and Yahoo is out of business.

Notice that the computer that is "hacked" is not the internet site that is targeted. The hacked network is forced to send a flood of requests to the targeted website.

Anyway, I have no idea how easy it is to find these characters.

But if they keep doing it, week after week, it has got to start affecting the Nasdaq.

-- David Holladay (davidh@brailleplanet.org), February 10, 2000.
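An added example, not part of the original post: assuming the "mass ping" above means a ping sent to a network's broadcast address, and that the network's routers use Cisco IOS-style configuration, this audit lists the interfaces that still forward directed broadcasts. The sample configuration, hostname and addresses are constructed; `default_enabled` is an assumed parameter for what the platform does when an interface stanza has no explicit setting.

```python
import re

# Constructed sample configuration in Cisco IOS style (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-example
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
!
"""

def directed_broadcast_interfaces(config_text, default_enabled=False):
    """Return the interfaces on which directed broadcast ends up enabled."""
    state = {}       # interface name -> True if directed broadcast is on
    current = None   # interface stanza currently being read
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            state[current] = default_enabled
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the interface stanza
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "no ip directed-broadcast":
            state[current] = False
        elif cmd.startswith("ip directed-broadcast"):
            state[current] = True  # may carry an access-list argument
    return sorted(name for name, enabled in state.items() if enabled)

if __name__ == "__main__":
    print("explicitly enabled:", directed_broadcast_interfaces(SAMPLE_CONFIG))
    print("if the platform default is on:",
          directed_broadcast_interfaces(SAMPLE_CONFIG, default_enabled=True))
```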



If I heard correctly, these attacks can also be planned way in advance. As much as a year, some expert said on one of those cable news shows.

-- Kyle (midtnbuddy@juno.com), February 10, 2000.
