Home & Office

DoS attacks: What really happened

In the CNN attack and perhaps others, the device that was in place to defend the site was used to topple it.
Written by Bob Sullivan, Contributor
More details are emerging about last February's massive denial-of-service attack, and they continue to paint a dramatic picture of how helpless the Net's biggest Web sites really were.

A 15-year-old Canadian boy was charged this week in the cyberattack on CNN.com, allowing security experts a bit more freedom to speak about the incident. At least in the case of CNN, and perhaps two of the other attacks, the very device that was in place to defend the site was actually used to cripple it.

The investigation into last February's denial of service attacks is continuing, but Canadian police and the FBI believe they have found the computer vandal responsible for shutting down CNN.com. The teen-ager, known by the online moniker "Mafiaboy," was charged and released on bail earlier this week.

The investigation into attacks on other popular Web sites -- including Amazon.com, Yahoo, eBay and Excite -- is continuing, according to the Royal Canadian Mounted Police.

Mafiaboy, who cannot be named under a Canadian law that withholds the identities of juveniles, was arrested Saturday and formally charged on Monday, RCMP Inspector Yves Roussel said at a news conference. Investigators searched his residence and seized computers and software at the time of the arrest, he said.

The teenager was charged with two counts of mischief to data, police said. Each count carries a maximum penalty for juveniles up to two years in detention and a $1,000 Canadian (U.S. $675) fine.

Authorities in the United States would not be able to press charges against Mafiaboy because Canadian law prohibits extradition of a juvenile. "But we're confident he'll face the appropriate punishment there," one U.S. official told NBC News.

From the start, authorities indicated sites like Yahoo, eBay, Amazon, E*Trade, and ZDNet were hit with a so-called distributed denial of service attack - armies of "zombie" computers concentrating their efforts at a Web site to force it offline, creating the Internet's equivalent of a busy signal.

According to security expert Joel de la Garza, who has seen the software tool that toppled CNN, a different tool was used to shut down Yahoo.com, the first of the name-brand sites that fell in February. Authorities have not linked Mafiaboy to this second attack method.

At least one other suspect has been questioned in connection with the attacks - Dennis Moran, a 17-year-old New Hampshire resident who used the nickname "Coolio" while online. Moran has confessed to Web page defacements, but denied any connection with the denial of service attacks when questioned about them by authorities.

The attack on Yahoo was an "ICMP flood," said de la Garza. ICMP traffic is the simplest kind of computer conversation - it's a ping, or a single bit of data sent to see if another computer is responding. In an ICMP flood, an attacking ping is sent to a target computer with a faked return address, which sends the attacked computer on an endless quest for a place to return the ping.

But the attack on CNN was a "syn-flood," which starts with a falsified synchronization packet - which is sent by a computer when it wants to actually connect with another computer.

"But this was a little more sophisticated that a regular syn flood," de la Garza said.

Traffic to a Web site is funneled through a router, an electronic air traffic controller for information requests. Generally, data streams simply pass through the router and it is not considered a "choke point" - like a canal between to lakes, where congestion is likely to occur.

But according to Joel de la Garza, security expert at Securify.com, the CNN's router collapsed that February doing the very thing that was supposed to protect the site.

Routers often have Access Control Lists, a set of instructions about what kind of traffic to allow into a network - and what kind of traffic to deny. For example, computers talk to each other by connected to "ports." All Web traffic occurs on port 80, and that's generally considered safe traffic, and the Access Control List would instruct the router to allow port 80 traffic through. Traffic headed for another port known to be used by computer criminals can be denied.

The custom distributed denial of service tool used to attack CNN, the one allegedly used by mafiaboy, exploited this protection. It sent so-called synchronization packets, or attempts to connect, to random ports, ranging from 2 to 400. That meant each packet had to be approved by the access control list - normally, synchronization packets are followed by legitimate traffic which simply flows through the router. Quickly, the router's memory was consumed and stopped functioning.

"They just kept forcing the routers to reboot," de la Garza said, effectively crippling the site.

Working through the Access Control List is a very labor-intensive process, said security expert Russ Cooper, and it's easy to imagine a router toppling over in such an attack.

"The hardware in most routers is archaic compared to that in the PCs sitting on people's desktops," Cooper said. "The typical router might have four megabytes of memory, and a lot of that is occupied by operating system. Only what's left is available for processing the rules."

Cooper and de la Garza disagree on the attacker's intent, however. Cooper thinks the router was the intended target; de la Garza thinks toppling the router was an accident. Either way, the attack revealed another weakness in the systems used to protect major corporate Web sites.

"It's entirely feasible that the router choked before the bandwidth," said Mark Edwards, operator of NTsecurity.net. Industry estimates say that under ideal conditions, a router can only process 200,000 packets per second - fewer than 100 computers on corporate-style fast Internet connections aimed at a single router could easily surpass 200,000, he said.

But the problem could have been averted by more careful router maintenance, according to an industry professional speaking on condition of anonymity. He said sites like CNN could have prevented the attacks had their routers been configured properly; in fact, the source said, eBay Inc. was attacked twice, the second time after installing special filters on their routers. The second attack was ineffective.

Cisco Systems Inc, the company that made the routers toppled in the attack, did not immediately return phone calls.

Editorial standards