Home & Office

Author of Web attack tool speaks

'The Net is as susceptible to hack attacks as its weakest parts.' So says 'Mixter,' the hacker who created the tool possibly used in last week's spate of Web attacks
Written by Robert Lemos, Contributor

The Internet has its own sense of irony.

While chatting online with ZDNet about last week's spate of Web attacks, "Mixter" -- a self-proclaimed "white-hat hacker" who created the Tribal Flood Network denial-of-service tool some believe is responsible for several of those attacks -- was knocked offline by a flood of data similar to those very same attacks.

"It's quite easy," Mixter said of the data-flood technique used against Yahoo!, eBay, Buy.com, Amazon.com, CNN, E*Trade, MSN.com and ZDNet. And the tool allegedly created by the 20-year-old German-based hacker makes it even easier.

The Tribal Flood Network and its newest version, TFN2K, can implement a denial of service by flooding servers and routers with a bewildering variety of different data types.

In an exclusive chat interview with ZDNet, Mixter called Tribal Flood Network a teaching tool that points out the holes in the Web. Others consider it a danger.

ZDNet: How did you get into security?

Mixter: Well, I worked with computers for a long time. I started with my first computer when I was 6 years old, and I've been interested in the technical details of operating systems and networks since I was about 14 when I got my first PC with an Internet connection.

ZDNet: What computer did you start with?

Mixter: Commodore 64.

ZDNet: Do you consider what you do to be "hacking"?

Mixter: I think what I do is hacking in the "traditional" sense, but I'm afraid to use the term, since the meaning of "hacker" is changing to something negative. I had some conflicts with the law in the past, but I'm a white-hat now.

ZDNet: What sort of things happened in the past?

Mixter: Well, I started with it like many people on Efnet (a major IRC chat network) do, by learning how to take over and how to secure chat channels. Then I went over to programming and writing IRC robots. Unfortunately, I have also "actively" taught myself how to get into systems. I used some compromised systems for running and testing IRC bots, for which I've been raided and persecuted, but gladly I didn't commit real major damage with anything I did. I consider it as a mistake in my past, from which I've learned.

ZDNet: Why did you want to make a tool like TFN and make it public for all the script kiddies to use and abuse?

Mixter: I rewrote TFN after what I thought Trinoo (a tool that makes another DoS attack known as SMURFing easy) worked like because Trinoo was kept private. First, I called it the "teletubby flood network," but I thought the name was just too silly.

The problem (with today's infrastructure) is that a lot of weaknesses exist. For example, you can employ spoofing and distributed concepts, and it is hard to do something against it due to Internet protocol weaknesses. I decided to write TFN and post the source code publicly to security sites, so people could scrutinise the code, and possible upcoming attack methods, and come up with a patch. This is the security concept known as "full disclosure." The main idea is that security people find and post any weaknesses, including really dangerous ones, as soon as possible, so everyone has a chance of analysing them and thinking about countermeasures.

ZDNet: Yet, there seems to be no comprehensive solution to the problem. That is, if you want to let people access your site, you must to some degree be susceptible to a DDoS (distributed denial-of-service) attack.

Mixter: That's true, but the real problem is the lack of authentification in current protocols. Besides, you actually have to compromise a real lot of other hosts to be able to penetrate fast sites. ... That is the concept of DDoS. There are methods (to stop more advanced DoS attacks) including SYN interception and proxying at the routers. However, all these short time measures can only minimise the impact of the floods; they cannot fully prevent it. When a site is attacked really badly, they're probably still going to notice it somehow.

ZDNet: So, in your mind, what is the solution to this problem?

Mixter: Well, you can basically spoof the origin of any packet arbitrarily. And that has to be prevented in the long term by migrating to IPv6 (the next-generation Internet protocol), which provides necessary authentication facilities and a bunch of other security extensions.

ZDNet: What is the short-term solution?

Mixter: The solution for the hosts that are being compromised is simply to care about their security, by updating their software and configurations. It's that easy. The attacker *HAS* to gain access to his "slave" servers by exploiting existent security vulnerabilities. The Net is as susceptible to hack attacks as its weakest parts. Also, limit the amount of bandwidth that is being let through at the backbone provider. This is a concept that many people are implementing.

ZDNet: And when do you think IPv6 will actually make it into most of the infrastructure?

Mixter: IPv6 should get implemented as soon as possible, not only because of security aspects, but because the growth of the Internet will make it inevitably necessary by 2004, or sooner. The old IP protocol is a relic, comparable to the Y2K bug. It is soon going to cause problems if people don't care about it.

ZDNet: Do you think that the people who make these tools available (i.e., put power in the hands of people who don't use it responsibly) are responsible for the use of them? Yourself, for instance?

Mixter: No, that's generally not the case, and it is, in my opinion, irrational to say so. I also know the author of Trinoo, who hasn't directly been launching the attacks, but I think he is afraid and wants to stay anonymous.

ZDNet: Are you planning to make any other such tools?

Mixter: Currently not. I've released TFN2K, after the CERT advisory. The purpose of releasing another DDoS tool was to include all possible attacking, stealthing, etc., features in that tool that could be developed in the future I could think of.

We are currently seeing new derivatives of tools with small variations, but nothing that is really worse or more "powerful" in any way. ... My purpose of releasing TFN2K was showing all these risks in one rush, and as early as possible.

ZDNet: So, anything you want to say about the attacks that are currently occurring?

Mixter: Well, there has been rumour that they included in the packets some protest against e-commerce. I think they are mostly social motivated, and I don't condone any of such activity. Most of all because it doesn't require really great technical skill to install these tools and launch attacks, and it serves absolutely no constructive purpose.

What do you think? Tell the Mailroom. And read what others have said.

For full coverage see the Denial of Service Roundup.

Editorial standards