February 10, 2000  NYT

  The Strength of the Internet  Proves to Be Its Weakness

       By JOHN MARKOFF

            SAN FRANCISCO, Feb. 9 -- The Internet's greatest
            strength has proved to be its most disturbing
        weakness.

        As attackers let loose a barrage of data that
        overwhelmed some major commercial Internet sites for
        a third day, the global network's administrators
        scrambled today to find a way to protect it and trace the
        culprits.

        But the network's designers acknowledged that the
        attacks exploited the same attributes of the Internet
        that have made it one of the world's most effective
        engines for commercial and technical innovation over
        the last five years.

How the Sites Were Besieged

The attacks that overwhelmed several big Internet sites in the last few days used a method called distributed denial of service.

THE ATTACKER
The attacker uses a computer to find other computers on the Internet that are not protected from attack.

THE NETWORK
The attacker gets access to those computers. They in turn are used to carry out the attack or to control a second group of computers that attack.

THE ASSAULT
A Web site can be brought to a standstill in two ways. The attacker may send data to the site and ask for confirmation. Because the attacker is using many computers, the requests can overload the system. Or, data may be sent that the site’s computers cannot understand, causing them to crash.

Source: Computer Emergency Response Team

        "This is a fundamental
        consequence of an
        open system," said
        Lawrence Lessig, a
        Harvard law
        professor who has
        written on the
        Internet's social and
        legal aspects.

        Unlike recent episodes in which Web sites were
        defaced or credit card records were taken from an
        online music retailer, this week's attacks have not
        involved stolen or altered data. But in a world of
        growing dependence on the Internet, even being denied
        access to an Internet web site like E*Trade can have an
        economic impact.

        Indeed, Internet veterans muse about potential technical
        disasters in an increasingly interconnected world. What
        has been seen so far is not the Internet's Armageddon,
        they say, but only an alert.

        "There are nightmare scenarios that are real, but that's
        not where we are," said David Clark, an M.I.T.
        professor who was one of the Internet's original
        designers.

        Even so, finding ways to contain anti-social acts in
        such a system -- one that by its very design permits
        anonymous behavior -- without compromising its
        openness is proving increasingly thorny for network
        designers, law enforcement officials and civil
        libertarians.

        "We have run into a situation where the attackers are
        coordinated and organized but the people who have to
        respond -- both companies, Internet service providers,
        and most particularly law enforcement agencies -- are
        fragmented," said Mark Rasch, a former United States
        federal prosecutor who is currently a vice president at
        Global Integrity, a computer security consulting firm
        based in Reston, Va.

        This week's attacks have exploited a set of software
        programs developed over the last year, computer
        security experts said today. Known variously as Tribe
        Flood Network, Trin00 and Stacheldraht (German for
        "barbed wire"), the programs first identify individual
        computers on the Internet with specific security flaws,
        then use those computers as launching pads for an
        orchestrated attack.

        Like the sorcerer's apprentice, the programs allow a
        small group or even an individual to spray a giant
        firehose of data at one or many targets, inundating a
        Web site's computers with data.

        Moreover, it is not easy to identify the person holding
        the hose. In some cases, the malicious programs
        systematically falsify the network addresses from
        which the data is sent.

        But while the
        consequences of these
        programs are harmful,
        it is just this kind of
        novel intervention that
        the Internet was
        designed to make
        possible.

        In the early 1980's,
        Mr. Clark and two
        other M.I.T. computer
        network researchers,
        Jerry Saltzer and
        David P. Reed, first
        described one of the
        Internet's most
        powerful aspects: that
        it was a simple
        network -- or even a
        "stupid" one, as it
        was later described
        by David Isenberg,
        then an A.T.&T. Bell
        Labs researcher -- in
        contrast to the more
        centralized, or
        "intelligent," and
        tightly controlled
        telephone network.

        The very simplicity of
        the Internet, they
        wrote, made it a platform for innovation in ways that a
        more centralized and tightly controlled network could
        never become.

        Over the last decade the Internet has served as a virtual
        petri dish for new ideas -- from low-cost
        communications systems that have redefined telephone,
        radio and television, to business methods that have
        remade industries like stock trading, auctions and
        bookselling.

        But that same power for innovation can be redirected
        upon the data network that is simultaneously
        remarkably resilient as well as extremely vulnerable.

        "If a network owner of a specific network wants to add
        some kind of cool feature it doesn't matter in an
        internetworked world," said Mr. Isenberg.

        Because there is no central point of control, as on other
        networks, "you have the control way out on the edges,
        and anyone can do anything," he added.

        Other Internet pioneers are concerned that incidents
        like this week's attacks may lead to increasing calls for
        government and law enforcement intervention into the
        structure of the Internet.

        Last July, for example, the Clinton administration began
        circulating a plan for an extensive software system
        monitoring government computers, and possibly those
        of private industry, to protect data networks from
        intruders.

        The network, known as the Federal Intrusion Detection
        Network, or Fidnet, alarmed civil libertarians who said
        it could potentially be used to curtail privacy in the
        Internet age.

        "The real danger of any terrorism is not so much in the
        act itself as the overreaction," said Robert Frankston, a
        computer researcher who is the co-inventor of the
        spreadsheet. "The Internet has enabled rapid economic
        growth because it has made it difficult to prevent
        disruptive innovation."

        And he suggested that the Internet becomes more secure
        as it experiences attacks and its administrators
        reconfigure it to repel invaders -- "just as our immune
        system is strengthened by exposure to disease."

        In any case, some veteran law enforcement officials
        said there was no simple centralized solution to these
        kinds of attack.

        "The problem is that if you're smart about this there is
        no trail for law enforcement to follow," said Scott
        Charney, who until recently was the Justice
        Department's top computer crime official and who is
        now a partner at Price Waterhouse. "There are obvious
        privacy implications. The real question is how strong a
        response do you want."

        The best response, several computer security experts
        said, will be to strengthen the security of individual
        computers on the Internet. That would make it more
        difficult for the automated programs that now take over
        many systems to find systems to exploit.

------------------
 
 

        By MICHAEL BRICK and KEVIN MAX
        NYTimes.com/TheStreet.com, 7:46 p.m.
 

        The ease, accessibility and convenience of the Internet
        have rapidly changed the way Americans read, shop and
        invest. But a series of attacks that disrupted several
        popular Web sites this week left even the businesses
        that provide Internet service confused and raised more
        questions than answers.

        As the FBI confronts a long, laborious investigation,
        several companies declined to discuss their security
        precautions in detail. Public relations officials at other
        companies simply handed the telephone over to their
        software engineers.

        While hacking is not a new phenomenon, the
        denial-of-service attacks, comparable to intentionally
        clogging a telephone line, drew more widespread
        attention to online vulnerability than ever before.

        Internet service providers began discussing ways to
        prevent the problems, but no definitive plans had been
        made, said Secret Fenton, a spokeswoman for Global
        Center, the Internet service provider that stores the data
        of Yahoo!, the first Web site to be attacked this week.

        The company has determined the cause of Monday's
        disruption of Yahoo!, but what it has learned shows that
        the FBI's job -- finding the culprit or culprits -- will be
        a daunting task. A Yahoo! spokeswoman confirmed
        Global Center's account.

        The attacker or attackers sent a flood of information
        requests known as pings to Yahoo!, according to
        Fenton. The requests essentially ask the computers
        storing Yahoo! data whether they are available to
        exchange information. The type of request falls under
        the category of Internet control message protocol, or
        ICMP, normally used to check status.

        The requests were sent to Yahoo! indirectly. The
        attacker or attackers actually sent a flood of requests
        through networks that fraudulently listed Yahoo! as a
        return address.

        While this cripples the server's ability to deliver Web
        pages, it doesn't violate the integrity of the system or
        allow access to data stored on the server. As such,
        these attacks don't threaten such sensitive data as
        credit card numbers and other personal information.

        The ICMP requests can be distinguished from
        legitimate attempts to log on to the company's Web site,
        Fenton said. In the case of Yahoo!, the requests were
        received at a rate of one gigabyte per second,
        representing more traffic than some of the top-50 Web
        sites receive in a year, according to Shannon Stubo, the
        Yahoo! spokeswoman.

        Fenton said the requests came from about half of the
        other service providers that carry data transmissions to
        Global Center.

        Stubo said about 50 service providers carried bogus
        requests to Yahoo!.

        That means it is possible that one person built software
        that commanded many different computers, using many
        different service providers in many different
        geographic areas. It is also theoretically possible that
        millions of people simultaneously sent the malignant
        information requests.

        "It was just coming from everywhere," Fenton said.
        "That's why it's so hard to trace. I don't think anybody
        knows."

        The FBI contacted Yahoo! on Tuesday and the company
        is cooperating with the investigation, Stubo said. The
        company has software that can separate the bogus
        requests from real requests to access the site, she said.

        Fenton said Internet service providers discussed using
        rate-limitation devices, the routers that accept
        electronic requests, to monitor the volume of requests
        and halt incoming requests when the volume becomes
        too great. Global Center has not experienced problems
        with other clients.

        While Global Center has installed rate-limitation
        devices since the Yahoo! shutdown, it is impossible to
        know whether they are helping prevent attacks, she
        said.
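
The rate limiting described above can be sketched as a token bucket that caps ICMP while letting ordinary Web requests through. This is an added example, not code from the article or from any company named in it; the packet records, the limit of 10 ICMP packets per second and the burst of 20 are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    ts_ms: int   # arrival time, milliseconds
    proto: str   # "icmp" or "tcp"

class IcmpTokenBucket:
    """Rate-limit ICMP only; every other protocol passes untouched."""

    def __init__(self, rate_per_sec: int, burst: int):
        # Integer "milli-tokens" avoid float rounding: one packet costs 1000,
        # and rate_per_sec tokens/second equals rate_per_sec milli-tokens/ms.
        self.rate = rate_per_sec
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = None

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "icmp":
            return True
        if self.last_ms is not None:
            refill = (pkt.ts_ms - self.last_ms) * self.rate
            self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = pkt.ts_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def constructed_trace():
    # Constructed sample: one second of traffic with 1,000 ICMP packets
    # (one per millisecond) mixed with 50 ordinary TCP Web requests.
    flood = [Packet(ms, "icmp") for ms in range(1000)]
    web = [Packet(i * 20, "tcp") for i in range(50)]
    return sorted(flood + web, key=lambda p: p.ts_ms)

def filter_trace(packets, rate_per_sec=10, burst=20):
    bucket = IcmpTokenBucket(rate_per_sec, burst)
    stats = {"icmp_passed": 0, "icmp_dropped": 0, "tcp_passed": 0}
    for pkt in packets:
        if bucket.allow(pkt):
            stats[f"{pkt.proto}_passed"] += 1
        else:
            stats[f"{pkt.proto}_dropped"] += 1
    return stats

if __name__ == "__main__":
    print(filter_trace(constructed_trace()))
```

The limiter protects the server behind it, but the dropped packets have already crossed the upstream link, so the link itself can still be saturated.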

        "The denial-of-service attacks happen quite
        frequently," Fenton said. "They just don't happen to this
        magnitude."

        Some security experts said Wednesday's attackers
        could be copycats, and opinion varied on how many
        people would be needed to carry out one attack.
        Software could be written to link computers together to
        simultaneously send requests, or hundreds of people
        could be sending multiple requests.

        "Yahoo! likely had a million legitimate hits," said
        Jeffrey Bedser, managing director of Internet Crimes
        Group Inc., a Princeton, N.J., Internet investigation
        firm. The information requests are "not that difficult to
        send through anonymous proxies."

        Each electronic request for data can be multiplied 225
        times, and the return address of the request can be made
        to appear as the victim's own address.

        "These hackers have the power to leverage almost
        unlimited bandwidth," said Chris Rouland, an executive
        at Internet Security Systems, which develops security
        software for Internet companies. "This is not a problem
        that you can solve by throwing money at it. It needs
        technology."

        Rouland added that so-called intrusion software to
        combat this problem just became available in
        November. The intrusion software detects the problem,
        allowing companies to race to reconfigure a service
        provider to circumvent the problem. Existing software
        can automatically reconfigure servers, but few
        companies actually use it, Rouland said.

        "Everybody is vulnerable," said Alan Alper, an analyst
        at Gomez Advisors.

        "People don't put procedures in place to prevent it
        because of the time and the money it takes," Alper said.
        "Solutions to the problem are only reactive and there's
        not much you can do to prevent it."