DoS attacks: What really happened

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

DoS attacks: What really happened
System designed to defend Web sites used to topple them
By Bob Sullivan
MSNBC
April 19

More details are emerging about last February's massive denial of service attack, and they continue to paint a dramatic picture of how helpless the Net's biggest Web sites really were. A 15-year-old Canadian computer vandal was charged with toppling CNN.com this week, allowing security experts a bit more freedom to speak about the incident. At least in the case of CNN, and perhaps two of the other attacks, the very device that was in place to defend the site was actually used to cripple it.

THE INVESTIGATION into last February's denial of service attacks is continuing, but Canadian police and the FBI believe they have found the computer vandal responsible for shutting down CNN.com. The teen-ager, known by the online moniker "mafiaboy," was charged and released on bail earlier this week. The investigation into attacks on other popular Web sites, including Amazon.com, Yahoo, eBay and Excite, is continuing, according to the Royal Canadian Mounted Police.

Mafiaboy, who cannot be named under a Canadian law that withholds the identities of juveniles, was arrested on Saturday and was formally charged on Monday, RCMP Inspector Yves Roussel said at a news conference. Investigators searched his residence and seized computers and software at the time of the arrest, he said.

The teenager was charged with two counts of mischief to data, police said. Each count carries a maximum penalty for juveniles of up to two years in detention and a $1,000 Canadian (U.S. $675) fine. Authorities in the United States would not be able to press charges against Mafiaboy because Canadian law prohibits extradition of a juvenile. "But we're confident he'll face the appropriate punishment there," one U.S. official told NBC News.

HOW IT HAPPENED

From the start, authorities indicated sites like Yahoo, eBay, Amazon, E*Trade, and ZDNet were hit with a so-called distributed denial of service attack: armies of "zombie" computers concentrating their efforts at a Web site to force it offline, creating the Internet's equivalent of a busy signal. According to security expert Joel de la Garza, who has seen the software tool that toppled CNN, a different tool was used to shut down Yahoo.com, the first of the name-brand sites that fell in February. Authorities have not linked Mafiaboy to this second attack method.

At least one other suspect has been questioned in connection with the attacks: Dennis Moran, a 17-year-old New Hampshire resident who used the nickname "Coolio" while online. Moran has confessed to Web page defacements, but denied any connection with the denial of service attacks when questioned about them by authorities.

The attack on Yahoo was an ICMP flood, said de la Garza. ICMP traffic is the simplest kind of computer conversation; it's a "ping," or a single bit of data sent to see if another computer is responding. In an ICMP flood, an attacking ping is sent to a target computer with a faked return address, which sends the attacked computer on an endless quest for a place to return the ping. But the attack on CNN was a "syn-flood," which starts with a falsified synchronization packet, which is sent by a computer when it wants to actually connect with another computer. But this was a little more sophisticated than a regular syn flood, de la Garza said.

ROUTER TOPPLED

Traffic to a Web site is funneled through a router, an electronic air traffic controller for information requests. Generally, data streams simply pass through the router and it is not considered a choke point, like a canal between two lakes, where congestion is likely to occur.

But according to Joel de la Garza, security expert at Securify.com, CNN's router collapsed that February doing the very thing that was supposed to protect the site.

Routers often have Access Control Lists, a set of instructions about what kind of traffic to allow into a network and what kind of traffic to deny. For example, computers talk to each other by connecting to ports. All Web traffic occurs on port 80, and that's generally considered safe traffic, so the Access Control List would instruct the router to allow port 80 traffic through. Traffic headed for another port known to be used by computer criminals can be denied.

The custom distributed denial of service tool used to attack CNN, the one allegedly used by mafiaboy, exploited this protection. It sent so-called synchronization packets, or attempts to connect, to random ports, ranging from 2 to 400. That meant each packet had to be approved by the access control list; normally, synchronization packets are followed by legitimate traffic which simply flows through the router. Quickly, the router's memory was consumed and it stopped functioning.

"They just kept forcing the routers to reboot," de la Garza said, effectively crippling the site. Working through the Access Control List is a very labor-intensive process, said security expert Russ Cooper, and it's easy to imagine a router toppling over in such an attack. The hardware in most routers is archaic compared to that in the PCs sitting on people's desktops, Cooper said. The typical router might have four megabytes of memory, and a lot of that is occupied by the operating system. Only what's left is available for processing the rules.

Cooper and de la Garza disagree on the attackers intent, however. Cooper thinks the router was the intended target; de la Garza thinks toppling the router was an accident. Either way, the attack revealed another weakness in the systems used to protect major corporate Web sites.

"It's entirely feasible that the router choked before the bandwidth," said Mark Edwards, operator of NTsecurity.net. Industry estimates say that under ideal conditions, a router can only process 200,000 packets per second; fewer than 100 computers on corporate-style fast Internet connections aimed at a single router could easily surpass 200,000, he said.

But the problem could have been averted by more careful router maintenance, according to an industry professional speaking on condition of anonymity. He said sites like CNN could have prevented the attacks had their routers been configured properly; in fact, the source said, eBay Inc. was attacked twice, the second time after installing special filters on their routers. The second attack was ineffective.

Cisco Systems Inc., the company that made the routers that toppled in the attack, did not immediately return phone calls.

http://www.newsdirectory.com/go/?r=cur&u=www.nbcnews.com



-- Martin Thompson (mthom1927@aol.com), April 19, 2000
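Added illustration, not part of the reposted article and not code from any of the people or vendors it quotes: a small Python model of the point de la Garza and Cooper make above, that SYN packets aimed at random ports cost a first-match access control list far more rule comparisons than ordinary port-80 traffic, together with a simple per-source detector for the "many SYNs, many distinct ports" pattern that a site operator could run over its own packet logs. The ACL rule set, the addresses, the thresholds and the packet trace are all constructed assumptions chosen for the example.

```python
"""Toy model of ACL processing cost under a random-port SYN flood."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address (constructed sample values)
    dst_port: int   # destination TCP port
    syn: bool       # True for a bare SYN, i.e. a connection attempt


# Hypothetical first-match ACL in the style the article describes: permit the
# well-known service ports, deny everything else. A real router ACL also
# matches on protocol and addresses; only the destination port is modelled,
# because that is the field the attack varied.
ACL = [
    ("permit", 80),    # web
    ("permit", 443),   # web over TLS
    ("permit", 25),    # mail
    ("permit", 53),    # DNS
    ("deny", None),    # catch-all: matches any port
]


def evaluate(packet):
    """Walk ACL top-down; return (decision, number of rules examined)."""
    for examined, (action, port) in enumerate(ACL, start=1):
        if port is None or port == packet.dst_port:
            return action, examined
    return "deny", len(ACL)   # unreachable with a catch-all, kept for safety


def acl_work(packets):
    """Total rule comparisons the router performs for a trace of packets."""
    return sum(evaluate(p)[1] for p in packets)


def syn_flood_sources(packets, min_syns=50, min_ports=20):
    """Flag sources that send many SYNs spread across many distinct ports.

    Ordinary clients send a handful of SYNs to one or two service ports;
    the pattern described in the article is hundreds of SYNs to ports
    scattered over a wide range.
    """
    syns = defaultdict(int)
    ports = defaultdict(set)
    for p in packets:
        if p.syn:
            syns[p.src] += 1
            ports[p.src].add(p.dst_port)
    return {s for s in syns if syns[s] >= min_syns and len(ports[s]) >= min_ports}


def legit_packets():
    """Constructed trace of 40 ordinary visitors: SYN, then data, on port 80."""
    trace = []
    for i in range(200):
        src = f"192.0.2.{i % 40 + 1}"          # documentation-range addresses
        trace.append(Packet(src, 80, syn=True))
        trace.append(Packet(src, 80, syn=False))
    return trace


def attack_packets(seed=1):
    """Constructed trace of two hosts sending 300 SYNs each to ports 2..400."""
    rng = random.Random(seed)
    trace = []
    for bot in ("198.51.100.7", "198.51.100.8"):
        for _ in range(300):
            trace.append(Packet(bot, rng.randint(2, 400), syn=True))
    return trace


def make_trace(seed=1):
    """Legitimate and attack packets interleaved, as a router would see them."""
    trace = legit_packets() + attack_packets(seed)
    random.Random(seed).shuffle(trace)
    return trace


if __name__ == "__main__":
    legit, attack = legit_packets(), attack_packets()
    print("rules examined per legit packet :", acl_work(legit) / len(legit))
    print("rules examined per attack packet:", acl_work(attack) / len(attack))
    print("flagged sources:", sorted(syn_flood_sources(make_trace())))
```

Every legitimate packet matches the first rule, so it costs one comparison; almost every random-port SYN falls through to the catch-all and costs the whole list, which is the "labor-intensive" walk Cooper refers to, and the cost grows with the length of the list rather than with bandwidth. The detector is deliberately crude (per-source counting cannot see spoofed or truly distributed sources, and the thresholds are guesses), but it is the kind of check that the special filters mentioned for eBay would be built from.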

