Information Security News mailing list archives

Who Are These Jerks, Anyway?


From: William Knowles <wk () C4I ORG>
Date: Thu, 10 Feb 2000 19:29:48 -0600

http://upsidetoday.com/Opinion/38a211670.html

Who Are These Jerks, Anyway?
February 10, 2000
by Richard L. Brandt

The real question about the "denial of service" (DoS) attacks on major
Web sites this week is: Just who are these jerks, anyway?

It could be virtually anyone. Except for non-jerks. You have to be a
jerk to pull this kind of stunt. It seems to be nothing but a prank.
There is no political ideology, no monetary gain, no anger against the
sites being attacked. There is just the thrill of having done it and
knowing that all those important newscasters on television are talking
about something you did. Gee, aren't you special?

If it were political or a protest against particular sites or
e-commerce in general, there should be some sort of manifesto, someone
claiming credit. The point of a terrorist attack is to let people know
why you did it, in an attempt to change something you don't like. But
in this case, no one is claiming credit or telling us why it's
happening.

Further, although there are certainly unscrupulous people who would
attack a site in order to make money -- say, short a stock before the
attack -- usually such a person would be smart enough to keep a low
profile. When a lot of prominent sites are attacked at once, investors
realize this is an anomaly and not a problem unique to the company
being attacked. The stocks of these companies did not decline as much
as some observers thought they might.

That's why the main speculation seems to be that this is being done by
adolescents (in mind if not in body). "The people who have done this
in the last couple days are amateurs," says Alex Samonte, chief
engineer at SiteSmith, a company that helps build Web sites. "It
appears to be just for the fun of it."

Samonte has a lot of experience on this issue, as someone who has been
building Web sites for a long time. He did some of the work on the
original Yahoo site.

We should distinguish between these amateurs (or "jerks") and that
underground computer community that calls itself "hackers." The hacker
communities are really pissed off right now, because every television
news program in the universe is talking about the "hacker attacks."

Hackers like to figure out how systems work. They like to find obscure
weaknesses that can be exploited. The more difficult, the better.
There is status in being able to do something sophisticated. And many
of them try to demonstrate their power by showing it off in some
relatively harmless way, posting an obscene message, say, rather than
shutting down a site.

Most hackers do not consider DoS attacks to be true hacking. You can
do it automatically, using one of several rogue programs available on
the Internet. (One early program, still popular, is called Smurf,
although there are a lot more sophisticated programs these days.)
Using such a program makes this kind of attack a simple process that
we used to call "cookbooking" in chemistry lab. You don't have to know
how it works, just follow the directions and you get the reaction you
want. The problem in this case is that we don't know what reaction the
attackers want.

Hacker news sites are complaining. On 2600: The Hacker Quarterly, for
example, writers say they're insulted to be linked to these attacks by
implication. The site's editors do concede, however, that the
attackers have a reasonable knowledge of Internet topology.

(Suggestion to the hacker community: Find a new name for yourself. The
term "hacker" has been co-opted by the press to mean any computer
attacker, malicious or not. The public's definition of the word is
different than yours. You can't change that now.)

The reason these attacks are so disturbing is that it could be some
14-year-old jerk doing it. And some of the recent attacks could be
done by copycats, an even more despicable breed of jerk, because they
don't even show any originality.

And it's not that I agree with hackers who may be trying to prove a
point or make a statement, but the randomness of these attacks is
clearly worse. The world is moving toward e-commerce, and it can be
halted by some pimply-faced kid who doesn't have a life. Isn't that a
pleasant image of the information revolution?

When I was in college at a really geeky school called Harvey Mudd
College, there were lots of phone phreaks and geeks who liked to show
that they could make free calls off the college president's phone line
with their homemade blue boxes. I'd hang out with them sometimes and
get a giggle out of doing something naughty. But then I grew up.

The current attacks demonstrate the double-edged sword of any new
technology. The Web empowers the individual to do great things. It can
also amplify his or her tendency to be a jerk and hurt a lot of
people. With every new privilege comes a new responsibility, and these
folks are irresponsible. They don't deserve access to the Web, but we
don't know how to deny them service, unless they are caught.

Apparently, that will be difficult to do. It is not difficult to
disguise yourself, or make it appear that you are operating from a
different address. It's called spoofing. According to Samonte of
Sitesmith.com, in order to trace the attack back to the origin, you
have to do it while the attack is occurring, probably tracing back
through several different servers, ISPs and network providers -- with
their cooperation. But the people operating the target sites are too
busy putting out fires, trying to get their sites back up, to spend
time doing the tracing.

Here's another difficult problem: DoS attacks use innocent computers
to do the attacking. They do not exploit security problems in the
target sites, they attack security problems in other computers on the
Internet. They get other computers -- and it could be your home
computer with a DSL connection -- to send hundreds of messages to the
target site. Enlist enough of those computers and you can overwhelm a
site with too much traffic.

Therefore, companies that can best prevent such attacks are the
Network Service Providers or Internet Service Providers, not the
target Web sites themselves.

The ISPs know all the network addresses that should be routing signals
through their services. These spoofed messages would have strange IP
addresses on them. So theoretically, the ISPs could block any messages
with the wrong address.

But they may have thousands of legitimate addresses to keep track of,
and those change every day as new clients join up and old ones drop
off. It is not that trivial or cheap, and the ISPs themselves have
nothing to gain by it. They would only do it to prevent another
company from being attacked.

In other words, "What's my motivation?" To be nice? Government
subsidies might do the trick, but we know how bad government subsidies
are. Right?

Longer term, there are solutions. Major sites need to distribute their
servers and add as much redundancy as possible. That will make it
harder for the attackers to find and target all their servers,
increasing the odds that the site will keep running. But that's not an
overnight job.

But in the meantime, this is a perfect example of the difficulty of
putting a powerful tool in the hands of the people: Some people are
jerks.


---------------------------------------------------
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*=================================================*
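
The ISP-edge source-address check the column sketches (the provider knows which addresses should be originating traffic on each customer port and drops packets whose source does not match), as an added Python example that is not code from the column, from SiteSmith or from any ISP; the interface names, prefix table and packet records are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Hypothetical per-interface prefix table: the addresses each customer
# port is allowed to originate traffic from (constructed sample data).
INTERFACE_PREFIXES = {
    "cust-dsl-1": [ip_network("198.51.100.0/24")],
    "cust-biz-7": [ip_network("203.0.113.0/25"),
                   ip_network("203.0.113.128/26")],
}

# Constructed sample packets: (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    ("cust-dsl-1", "198.51.100.17", "192.0.2.10"),  # legitimate customer source
    ("cust-dsl-1", "10.0.0.1", "192.0.2.10"),       # spoofed: never assigned here
    ("cust-biz-7", "203.0.113.200", "192.0.2.10"),  # spoofed: outside both prefixes
    ("cust-biz-7", "203.0.113.130", "192.0.2.10"),  # legitimate (inside the /26)
    ("cust-dsl-1", "203.0.113.5", "192.0.2.10"),    # spoofed: another customer's prefix
]


def source_is_legitimate(interface, src, table=INTERFACE_PREFIXES):
    """True if src lies within a prefix assigned to the ingress interface.

    An unknown interface has no assigned prefixes, so nothing is accepted
    from it (the check fails closed).
    """
    addr = ip_address(src)
    return any(addr in prefix for prefix in table.get(interface, ()))


def apply_ingress_filter(packets, table=INTERFACE_PREFIXES):
    """Split packets into (forwarded, dropped).

    Dropped entries are (interface, src, dst, reason) so an operator can
    see which customer port is sourcing spoofed traffic.
    """
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        if source_is_legitimate(iface, src, table):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst,
                            "source %s not assigned to %s" % (src, iface)))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(SAMPLE_PACKETS)
    print("forwarded:", len(fwd), "dropped:", len(drop))
    for entry in drop:
        print("  drop", entry)
```

The per-interface table is the part the column says is costly to maintain; the check itself is a single prefix lookup per packet.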

ISN is sponsored by Security-Focus.COM
