Denial of Service

By: David K. Every
©Copyright 1999


Recently the media has made a big deal out of these new "denial of service" attacks on a few prime targets like AOL, Yahoo or eBay. To those services, I'm quite sure that these attacks are a big deal -- but I think someone needs to be the voice of sanity and explain what these attacks are, and how serious (or incidental) this issue is.

To give you perspective as to what is going on, let's assume that I am a young (often teenaged) hacker -- as I once was -- with an oversensitive sense of justice (and injustice). Then someone does something to wrong me (in my mind): perhaps they won't stop sending me harassing emails because they were offended by something I once said (a gift that I seem to have a knack for), or they just keep soliciting me with junk email. As a hacker, I would likely give them a warning or three -- first ask them to stop, then tell them to stop, and finally warn them to stop. But many people (or companies) just don't get the hint, and there is nothing anyone else can (or will) do about those attacks on me. So justice (in the minds of many hackers, and humans in general) is something that might be taken into their own hands. What would I (hypothetically) do? In the long distant past (I am no longer a teen) I might spoof their email address (as a return address) and subscribe to 100 different email lists, each generating hundreds of emails per day -- all set to the most verbose "modes" possible. The result would be that their email account would be flooded (and probably be permanently unusable) -- and in fact their ISP's email server might be so overloaded as to be rendered useless as well. At the least it would take the recipient a lot of work to unsubscribe from all those lists -- at most it would teach them (the hard way) that hitting me with lots of unsolicited mail might evoke the same response in kind (only magnified).

The mail list servers of course eventually catch on to being unwitting pawns (weapons) and take countermeasures to block the holes that allow this. The countermeasure for that attack is to require confirmation from the person asking to be subscribed to a list -- thus making it harder to spoof the return address. And of course there are counter-countermeasures, like spoofing the confirmation; or, since the verification is an email itself, you might set up two mail lists to keep asking each other to verify a subscription request and just CC (Courtesy Copy) the victim on all that noise (evoking the same flooding-by-proxy result). The mail-list servers figure out ways to block these new attacks, and the people intent on using the weapons at hand figure out ways around the new countermeasures. To the attackers it is a battle of wits and a game -- to the attackees it is not fun and games at all -- but either way things get worked out, the logic holes get plugged, things get more secure, and that kind of "attack" goes away.
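As an added illustration (not code from the original article or from any real list server), here is a sketch in Python of the server side of that confirmation step: the token is tied to one address and one list, mail generated by another list or robot is never answered, and a claimed address receives only a bounded number of confirmation mails. The names `ListServer`, `SECRET`, `TOKEN_TTL`, `MAX_CONFIRM_MAILS` and the two sample messages are assumptions constructed for this example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: per-server secret, never mailed out
TOKEN_TTL = 3 * 24 * 3600         # assumption: a confirmation expires after 3 days
MAX_CONFIRM_MAILS = 3             # assumption: cap on confirmation mails per address
# Constructed sample requests: a spoofed subscribe, and mail relayed by another list.
SPOOFED = "From: Victim <victim@example.org>\nSubject: subscribe\n\n"
LOOPED = "From: list-b@example.net\nAuto-Submitted: auto-generated\nSubject: confirm\n\n"

def make_token(list_name, address, issued_at):
    # Bind the token to one list and one address so it cannot be reused elsewhere.
    data = f"{list_name}|{address.lower()}|{issued_at}".encode()
    return f"{issued_at}." + hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def check_token(list_name, address, token, now):
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    expected = make_token(list_name, address, issued_at)
    fresh = 0 <= now - issued_at <= TOKEN_TTL
    return fresh and hmac.compare_digest(expected.encode(), token.encode())

def is_automated(msg):
    # Loop guard: never answer mail that another list or robot generated.
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    prec = (msg.get("Precedence") or "").strip().lower()
    return auto != "no" or prec in ("bulk", "list", "junk") or "List-Id" in msg

class ListServer:
    def __init__(self):
        self.members, self.mails_sent = set(), {}

    def request(self, list_name, raw, now):
        """Return the token to mail to the claimed sender, or None to stay silent."""
        msg = message_from_string(raw)
        address = parseaddr(msg.get("From", ""))[1].lower()
        sent = self.mails_sent.get(address, 0)
        if not address or is_automated(msg) or sent >= MAX_CONFIRM_MAILS:
            return None  # robot mail, or this address already got its quota
        self.mails_sent[address] = sent + 1
        return make_token(list_name, address, now)

    def confirm(self, list_name, address, token, now):
        if not check_token(list_name, address, token, now):
            return False
        self.members.add(address.lower())
        return True
```

A spoofed request therefore costs the claimed address a few short confirmation mails and nothing more; membership only begins when the token comes back.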

For the record, I only used examples that are unlikely to work as effectively any more -- but there are far simpler and easier attacks that still work to this day. And long, long ago I grew up, got over my anger and frustration, and I now let karma take its own course without my hand guiding it -- and recommend that others do the same.

The email attack I described is basically the exact same concept as a denial of service attack (or flood attack). Someone convinces other servers or services to start sending lots of data to one machine. That target machine is overloaded and basically can't get its real work done. It isn't done with email lists as much anymore, because experience has taught people how to plug the holes -- now it is more often done at a lower level using packetized network data. But the concepts are still the same -- set up a simple way to get lots of data sent at one target, usually by simply spoofing a return address, and let someone else do the dirty work. And usually it is in response to a perceived injustice (like unsolicited email, or some wrong the attacker feels has been done to them).

Some think of this as tit for tat -- they hit me with lots of useless spam, so I returned the favor. And all people have a desire to see justice -- just some are too enthusiastic about enforcing it (on their own), and are actually seeking vindictive revenge or malicious vandalism instead of justice. It isn't just the kids and the new-hacks -- though of course a few of the new hacks and many kids are the most likely to let the knowledge (and power) they have go to their heads -- but even the old timers on the net remember when things used to be self-policing (they would deal with people who didn't get netiquette on their own), and some forget how much the Internet has changed in 10 or 20 years. Our courts and our justice system have a lot less pleasant view of the situation.

I'm not justifying these attacks, and when you are attacking businesses and you prevent them from conducting their business (thus costing them millions of dollars) that is certainly a crime -- but I am trying to give people some perspective on this whole mess and where this comes from and what is actually going on. This stuff is incredibly easy to do, and has been since the Internet began -- it only takes a little common sense and a desire to do so. The fact that these attacks are so rare (even considering how easy they are) should reflect how many people do NOT have the will to attack, and how civil the Internet and even most "hackers" really are. There is basically a live and let live attitude on the Internet (by and large) -- with a little curiosity and malevolence mixed in. You have a lot more to fear in the real world than in the virtual one.

Conclusion

The thing that concerns me more than the attacks themselves is how we (as a society or individuals) will respond to them. Of course "the press" hypes the attacks because that is what the press does -- they sell papers by creating interest -- no surprises there. But people are scared -- and scared people do stupid things. The Govt. uses these attacks as an excuse to get more "involved" in the Internet and "help" things -- which really means to use any excuse to collect more power and to try to convince people to tolerate more information tapping or other infringements -- because that is what Governments do. Sadly, the people don't know any better when it comes to the Internet, and there are few sanity checks and lots of fear mongering going on -- this concerns me, and makes me think that the people will let governments do rash things. Legislators of course use the fear to make more laws (so they can pretend to do something constructive), because that is what legislators do -- they make laws to pretend to be helping society -- but making rash laws is almost always a bad thing, and the cure may be far worse than the disease. So while there are many valid concerns over how immature the Internet is (and the supporting technologies are), which is what is allowing these attacks to happen in the first place, I think the wrong solution is to overreact and do anything rash.

See these attacks for what they really are -- some teenager (or teenager at heart) can basically ask a bunch of computers to all talk to this other guy's computer and take it down (temporarily) and create a nuisance while things get fixed. They are just feeling their Wheaties, and letting anger get the better of them. For that minor fraud and vandalism, the legislators want to be able to throw these kids (no matter what their physical age) in jail for decades (or life)?!?! We need the sanity checks -- these activities are "bad things", and we should chase down those who do them and punish them, but we need to keep a little perspective in life and weigh the severity of the crime against the punishment or what we will allow to prevent it. The sane amongst us don't try to put an age restriction on buying eggs to prevent kids from throwing them -- though sadly there was legislation pushed through my state to try to cure this problem in just that manner, proving that sanity might not be the norm.

When telephones first came out (and for a while afterwards) they were connected through party lines -- a single phone line was shared amongst multiple homes (parties). For a while that allowed abuses, since one person could listen to others' conversations. The solution wasn't to make it a capital offense to eavesdrop, nor was the solution to allow government to monitor all calls in order to protect us. I don't think fear mongering and reporting every single time someone caught someone else eavesdropping as "the beginning of the end of the telephone" would have been constructive either. The real solution was to just let the technology mature, and make phone lines more private in order to fix the problem at the source. The same applies to the Internet -- have patience and the problems will be fixed. The symptom of the immaturity of the net is that these attacks are so easy to do; the cure is to keep fixing the problems, learn from the attacks, create better security, and let the net mature without wildly overreacting to the rare attacks or infrequent virtual break-ins. Let the IS/IT and network admin people do their jobs and keep plugging the holes, but to me this is all about as serious an issue as seeing toilet paper or eggs on someone's house.


Created: 02/13/00
Updated: 11/09/02
