Coordinated Hacker Attacks: An Assault on Freedom
February 8th, 2000 - Chuck Flink
Yahoo was effectively taken off the air for several hours yesterday by a coordinated denial of service attack. Today, e-Bay is under attack as I write this. There are indications that Amazon and Buy.com are also under attack.
Apparently there is a new strain of virus that is effectively a time bomb directed at a remote target. Infect a few hundred computers (or many thousands?) with a computer virus designed to bang away at a target system, all timed to unleash their barrage over the same interval, and you can shut down just about anything that is open to the public. If the requests are apparently legitimate (e.g. search requests for random data found on the site) there is no easy way to filter valid customers from attacks aimed at saturating the service.
This should not be a surprise. We’ve seen stores closed down by riots in the past. Here, however, the instigators of the riot didn’t even need to mix with the crowd to have their pointless, puerile and Pyrrhic victory. This “crowd” apparently is made up of mindless robots, triggered by remote command, or more likely, by time and date.
When the “D-day” is reached, wave upon wave of infected systems around the world could conceivably take their turn at saturating the target site.
This crude act falls in the lowest category of “hacker tricks.” And let me assure you, it was a crime. It was an attack on my freedom, your freedom, and the fundamental freedoms of the Internet.
First crime: many computers were infected with a virus (or other form of Trojan Horse) armed to do harm. This infection took place without the permission or authority of the owners of the computers involved. This is a criminal act even without the intent to do harm; the intent present here only multiplies the criminality.
Second crime: the theft, during the attack, of the processing power of these computers and the service of the many network components to which they were connected.
Third crime: the denial of a useful resource to millions of users around the world.
I could go on, but the worst crime will never land the perpetrators in jail: the self-defeating stupidity of it all!
Some may feel there are justifiable moral reasons for the actions of those who attempt to hack security systems. They see it as justifiable to debunk the claims of a dishonest vendor. It is not justifiable, however, to do harm to that vendor’s customers in the process. I’ll give you an example:
A dishonest screen door vendor sells your aged grandmother a screen door, claiming that it cannot be broken into. To prove the vendor wrong, do you go out and hire a mob of thugs to break in and beat up the old lady? I hate to have to put it in such stark, childish terms, but apparently this is the way you have to reason with imbeciles of this sort.
In the Yahoo incident, not only were the injured parties innocent, there was no dishonest vendor and there was no screen door! No vendor had made unsupportable claims and no attempt had been made to even “latch the door.” Attacking Yahoo with this riot was like storming a public library!
A technical defense against denial of service attacks is important in military security and consists of ensuring the ability to efficiently discard attacking traffic with minimal expenditure of processing power or bandwidth. This is most easily done by requiring all correspondents to authenticate themselves. Examples would be VPN access to a corporate site or the fielding of trustworthy IP addresses as in IPsec. But imposing this form of authenticated access turns what was a public resource into a private one.
This is clearly the e-World equivalent of the medieval architectural style in which a high wall surrounded every home and streets were effectively tunnels. It severely limits the extent of the public world and locks each individual into narrowly defined and closely watched families, cliques or organizations. This would not be the open and free Internet that has made so much progress possible over the last decade. I’d hate to see this; I don’t want to live in this type of brutal world.
Maybe the attackers in question were not out to prove the vulnerability of trusting people on the Internet (as if we need to be reminded of this!). Maybe they were extortionists, pure and simple. This is the most likely scenario in my mind. If not directly extorting or intending to extort money from threatened Internet merchants, these extortionists may be attempting to:
a) Manipulate short-term stock prices for personal gain. (Missed the recent surge in Internet stock prices? Want a second chance?)
b) Promote the sale of advanced security technology. (IPsec anyone?)
c) Induce a political overreaction leading to a less open and more regulated Internet. (Angry about all the potential of criminal activity? Want more Internet cops on the beat? Want every Internet citizen to carry an ID or other “papers”?)
d) Simply intent on extorting an unjustified respect for a sick mind. (Think you’re ‘big’ because you can throw stones at the library window and run away?)
e) Terrorize the e-World. (Do you seriously think your cause, whatever it is, will benefit by making the citizens of the world angry to even think about you?)
What do we do? We track them down and jail them as we’ve done to the enemies of civilization for thousands of years. It will take a community effort, but we can, and now apparently must, ensure such deeds do not go unpunished.
Here’s what I’d recommend:
1) Before locking up the public places, let’s try enforcing the protection of private places.
Specifically, this attack would not have been possible if it were not for the ease with which the attackers could enlist an army of zombies by infecting hundreds or thousands of computers with their robot virus. If the users of these systems had acted responsibly concerning what they downloaded from the Internet, they would not have been unwitting accomplices to this crime. Download only from trusted sites and download only digitally signed object modules. I’ve talked about this in earlier articles. One minor good that could come from this would be the serious adoption of safer downloading practices.
2) Besides protecting private places, we should protect private addresses.
At least some of the reports indicate the faked requests also include faked return addresses. This is an old denial of service strategy, since an invalid return address assures that the server wastes an inordinate amount of time waiting for an acknowledgement of any response sent back, and even retrying the response multiple times. Every ISP should include packet filters where packets enter their service to ensure that the “from” address is reasonable. Many ISPs already provide this level of filtering. For example, if the ISP provides you with a single IP address, all packets from your site should have only that address. Any virus on your site attempting to send spoofed packets would be killed at the ISP’s router, preferably setting off alarms.
This suggestion is distinct from VPNs and IPsec, in which we can formally assure the association of IP address with an authenticated user. If we simply kill illegal addresses, we accomplish 90% of the protection without forcing the users to “carry identity papers” with them. The ISP would still issue dynamic IP addresses to users who dial in, and the association of assigned IP address to user will remain protected as per the implied contract between the user and the ISP, subject to court-ordered discovery by legal authorities. In IPsec, each packet is digitally signed, and hence traceable by anyone, with significant privacy implications. In VPNs, to enter a space the user must identify himself or herself and be issued an address unique in the virtual network space. The authority managing that space then ‘knows who you are’. You’ve identified yourself at the door and are no longer a freely roaming shopper, but now a registered member of the ‘club’.
If this proposed 90% solution, protecting private addresses by blocking obvious spoofs, were adopted, then ‘from’ addresses could be used by web sites to throttle bandwidth, greatly reducing the impact of ‘robot’ attacks. How many valid searches on Yahoo can YOU issue per second? A robot can issue 10 to 100 times more per second than any human at a keyboard could handle. Throttle to 1 request per unique ‘from’ address per second, and you’ve forced the attacker to need 10 to 100 times more zombies before doing you harm.
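The two address-based defences proposed above, ISP ingress filtering of spoofed ‘from’ addresses and per-source request throttling at the web site, as an added illustration that is not part of the original article. The addresses and the traffic are constructed for the example; the assigned customer address is a hypothetical single-address assignment.

```python
"""Added example: ISP ingress spoof filter plus per-'from'-address throttle."""
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed value: the ISP assigned this dial-up customer a single address.
ASSIGNED = ipaddress.ip_network("203.0.113.7/32")


def ingress_filter(packets, assigned=ASSIGNED):
    """packets: iterable of (src, dst) strings arriving on the customer port.
    A packet whose 'from' address lies outside the assigned block is an
    obvious spoof: it is dropped and counted so the ISP can raise an alarm.
    Returns (forwarded_packets, spoof_count)."""
    forwarded, spoofed = [], 0
    for src, dst in packets:
        if ipaddress.ip_address(src) in assigned:
            forwarded.append((src, dst))
        else:
            spoofed += 1
    return forwarded, spoofed


def throttle(requests, per_second=1):
    """requests: iterable of (timestamp_seconds, src). Admits at most
    `per_second` requests per source within each one-second window, which
    is only meaningful once ingress filtering makes 'from' addresses honest.
    Returns {src: admitted_count}."""
    window_counts = Counter()            # (src, whole second) -> admitted
    admitted = defaultdict(int)
    for ts, src in sorted(requests):
        key = (src, math.floor(ts))
        if window_counts[key] < per_second:
            window_counts[key] += 1
            admitted[src] += 1
    return dict(admitted)


if __name__ == "__main__":
    # Constructed traffic: one honest packet and two with forged sources.
    fwd, spoofed = ingress_filter([
        ("203.0.113.7", "198.51.100.10"),
        ("192.0.2.44", "198.51.100.10"),   # spoofed 'from'
        ("10.1.2.3", "198.51.100.10"),     # spoofed 'from'
    ])
    print(len(fwd), "forwarded,", spoofed, "dropped as spoofs")
    # A human searching every two seconds versus a robot issuing 50 per second.
    human = [(2.0 * i, "198.51.100.200") for i in range(5)]
    robot = [(0.02 * i, "203.0.113.7") for i in range(100)]
    print(throttle(human + robot))
```

With honest source addresses the robot's 100 requests collapse to two admitted, one per second, while the human's five all get through; without the ingress filter the robot could simply forge a fresh ‘from’ address per request and the throttle would see 100 distinct sources.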
3) Laws must extend to the e-World the rules of public behavior common in the physical world.
In the physical world we have extensive laws that govern what is acceptable behavior in the public, private and ‘open to the public’ private spaces. Actions you take in public must meet the norms of public behavior or you will be arrested to prevent harm to the children, minorities, weak, retarded, easily frightened, etc. who have to be protected by society as a whole. Actions taken in private must be treated as a matter between you and your Maker; privacy must be respected. Actions taken in private spaces ‘open to the public’ (i.e. commercial sites, stores, private libraries, etc.) have specific laws against shoplifting, disruption of commerce, loitering, etc. We need to clarify to the citizens of the e-World what is and is NOT acceptable behavior in these virtual spaces.
Regardless of the outcome, this certainly has been a learning experience for all involved. Hopefully we will react with reason and a balanced respect for the rights of e-Citizens on all sides. I’d hate to see the absurd, destructive, disruptive behavior of a minority destroy the freedoms of the vast majority of honest members of the Internet community.
Copyright © 2000 Information Security Analysis LLC. All Rights Reserved. http://www.infosecana.com