Main Page | Bracing for Cyberwar | Hacking Primer | Scenes from the 'Hacker Underground' | Hacking: Two Viewpoints | Timeline | Gallery | News Archive | Discussion | Related Sites

December 21, 1999 Web posted at: 11:33 a.m. EST (1633 GMT) by Ellen Messmer

From...

(IDG) -- Network-based attacks against eToys last week and the emergence of a particularly destructive method for launching such raids are fresh reminders of the need for e-commerce sites to keep their defenses sharp.

Online retailer eToys has taken legal steps to prevent a Swiss art group from using the domain name etoy.com. Last week, that move prompted an Internet activist group to launch what are known as denial-of-service attacks on the toy seller's Web site with the intent of bringing it down.

Denial-of-service attacks involve the flooding of a Web site with bogus requests that wind up blocking legitimate ones. Denial-of-service attacks can be launched using any of dozens of programs available in hacker chat forums and on the Web, including new tools that enable attackers to bombard Web sites with traffic generated by thousands of machines.

Bracing for Cyberwar Hacking Primer Hacking: Two Views Timeline Gallery Discussion TIME: Counterhacking 101 Related Sites

Activist group RTMark attempted to justify its attack on eToys' Web site by citing the eToys vs. etoy case as the victory of corporate greed over art and freedom of expression. Declaring a war of revenge against eToys, RTMark sought to rally the public to use a denial-of-service tool called FloodNet to saturate the eToys.com site with network ping floods.

RTMark also engaged the help of the Electronic Disturbance Theater - a hacker group claiming to attack sites only on behalf of social causes - to help cripple eToys or deface its Web pages.

"We're going to make an example of them," claimed Ray Thomas, a San Francisco-based accountant and RTMark's spokesman, describing how the group wants to "destroy" eToys. The group's Web site made available information, such as eToys' IP address, that would give attackers helpful ammunition to shoot eToys down.

Over at eToys, which has kept a great network-availability record during the holiday season, the e-commerce site showed only slight signs of problems. It slipped from 100% availability to 98% once the RTMark call for attack came, according to Internet online measurement service, Service Metrics.

Ken Ross, a spokesman for eToys, says the online toy store considers the technical defenses it is using against the protest group's sabotage to be "proprietary."

Security professionals have a number of recommendations for coping with such attacks, which are identified by strange names such as SYN Floods, LAND attack, Ping bomb, Ping O'Death, Fraggle, Smurf and WinNuke.

Security experts and e-commerce industry watchers believe denial-of-service attacks happen more often than they are reported. Most companies prefer not to acknowledge such attacks, often begging not to be identified in stories.

According to Paul Proctor, chief technology officer of CyberSafe's Centrax division, there are three categories of denial-of-service attacks.

One method involves flooding the line with ping traffic, or any "garbage to keep the router busy," Proctor says.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Domain name bullying

eToys vs. Toys R Us

The war for Drugs.com

IDG.net's network operating systems page

Reviews & in-depth info at IDG.net

E-BusinessWorld

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for network experts

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

Using another method, an attacker can send malformed packets that give routers, firewalls or switches a kind of network indigestion.

Attackers also can scare off Web visitors by making them think something is wrong or dangerous about the site.

The discovery earlier this month of a new, more dangerous kind of denial-of-service tool on the 'Net has security pros sounding the alarm.

The new type of tool, which includes variations called Tribal Flood Network and Trin00, enables attackers to invade Web sites with bogus messages sent from many machines simultaneously. Until now, denial-of-service tools have limited attackers to launching a single ping flood, which wasn't usually enough to fill up the T-1 or T-3 bandwidth typically available at an e-commerce site, says Chris Klaus, chief technology officer at Internet Security Systems.

But Unix-based Tribal Flood Network and Trin00 overcome that barrier by allowing a single user, by means of the appropriate client software, to launch a coordinated attack on a target from thousands of compromised machines in which the necessary server software has been installed.

"I call these compromised machines 'zombies' because of the intended use of them in denial-of-service attacks," Claus says. Attackers can remotely install Tribal Flood Network and Trin00 on unsuspecting hosts by exploiting buffer-overflow vulnerabilities or one of a handful of other vulnerabilities.

Claus says thousands of these ping-launching zombie machines have already been identified, many in university and government networks that are unprotected by firewalls.

This new type of ping flooding capability means that a single attacker at his desktop could masquerade as a huge group sending out disabling pings.

What if your site gets hit by a distributed denial-of-service attack? According to a recent CERT Coordination Center advisory, the target of an attack may not be able to rely on Internet connectivity for communications. CERT suggests that firms have alternatives to the Internet for data communications.

CERT also recommends that if you discover one of these distributed attack tools installed on your servers, realize that it might provide information useful in locating or disabling other parts of the distributed attack network. "We encourage you to identify and contact other sites involved," CERT says.