Web attack manhunt 'impossible'

The cyber manhunt for the Denial of Service attackers is 'very difficult' if not 'impossible,' security experts say. But can the offender resist bragging?
Written by Robert Lemos, Contributor

The FBI might have vowed to bring the "packet warriors" responsible for taking down eight major Web sites to justice, but several Internet security experts remain doubtful the bureau can deliver on that promise.

"It will be virtually impossible (to track the attackers down)," said a "white-hat hacker" who identifies himself as "Mixter" and who authored the Tribe Flood Network. TFN is a tool used to cause denial-of-service attacks such as those that hit Yahoo!, eBay, Buy.com, Amazon.com, E*Trade, MSN.com, CNN.com and ZDNet earlier this week.

"All providers have to scrutinise their router logs tracing back traffic," Mixter said, and that's a time-intensive process.

Proving Mixter's point, Yahoo! -- the first site to be knocked offline on Monday morning -- said Thursday its investigation of the attack would be "a very difficult, long process."

"It's definitely going to be difficult to track these people," a Yahoo! spokeswoman said. "It's largely because the traffic is mock traffic. It's not easy to track down the IP addresses from which the attack originated. These are very smart individuals using very sophisticated software that makes it very difficult to trace."
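The "router log" traceback Mixter and the Yahoo! spokeswoman describe works one hop at a time: because the flood packets carry forged source addresses, the only usable evidence is where each router saw them enter. The following is an added illustration, not code from the article or from any of the people quoted in it. The flow records, router and interface names, and the per-interface source prefixes are constructed for the example; real NetFlow or sFlow exports use different field names. It flags the ingress interfaces on which traffic bound for the victim arrived with a source address that could not legitimately have come in there, which is the check a provider would run on its own logs before asking the next provider upstream to do the same.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow summaries: (router, ingress interface, src, dst, packets).
# Shape and values are hypothetical for this example.
FLOWS = [
    ("edge1", "ge-0/0/1", "10.8.3.7",     "203.0.113.10", 120),    # customer traffic, expected prefix
    ("edge1", "ge-0/0/1", "198.51.100.9", "203.0.113.10", 40000),  # source outside that interface's prefix
    ("edge1", "ge-0/0/2", "172.16.5.5",   "203.0.113.10", 200),    # different customer, expected prefix
    ("core1", "xe-1/0/0", "198.51.100.9", "203.0.113.10", 40000),  # same flood one hop downstream
    ("core1", "xe-1/0/0", "10.8.3.7",     "203.0.113.10", 120),
]

# Source prefixes that may legitimately enter on each interface (the same
# knowledge ingress filtering / uRPF relies on). None means a transit link
# where any source may arrive, so this hop cannot judge by itself.
EXPECTED_SOURCES = {
    ("edge1", "ge-0/0/1"): ["10.8.0.0/16"],
    ("edge1", "ge-0/0/2"): ["172.16.0.0/12"],
    ("core1", "xe-1/0/0"): None,
}


def find_spoofed_ingress(flows, victim, expected):
    """Return {(router, iface): packets} for traffic to `victim` whose source
    address does not belong to any prefix expected on that ingress interface.
    Those interfaces are where the next round of questions has to go."""
    hits = defaultdict(int)
    for router, iface, src, dst, pkts in flows:
        if dst != victim:
            continue
        prefixes = expected.get((router, iface))
        if prefixes is None:
            continue  # transit link: no basis to call the source forged here
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in ipaddress.ip_network(p) for p in prefixes):
            hits[(router, iface)] += pkts
    return dict(hits)


def ranked_entry_points(flows, victim, expected):
    """Same result, ordered by volume so the heaviest entry point is checked first."""
    hits = find_spoofed_ingress(flows, victim, expected)
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (router, iface), pkts in ranked_entry_points(FLOWS, "203.0.113.10", EXPECTED_SOURCES):
        print(f"{router} {iface}: {pkts} packets with sources outside the expected prefixes")
```

The core router sees the same 40,000 packets but cannot attribute them, which is why the trace has to be repeated at every provider along the path; the edge interface that can attribute them points to a customer link, and what sits behind that link is typically one of the co-opted hosts, not the attacker.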

FBI investigators refused to comment on the bureau's ongoing investigation Thursday.

Even if the investigation succeeds, federal agents will most likely end up finding only the host computers that the attackers co-opted to do their dirty work, rather than the attackers themselves. It's no coincidence that, although Denial of Service attacks take place a handful of times every day on the Internet, few arrests have ever been made.

"If the person was smart, they could have gone to their local library or public-access point to put in the (compromised computers)," said Troy Davis, administrator for Netscan.org, a Web site dedicated to highlighting insecure Internet servers that could be co-opted to launch a specific type of denial-of-service attack known as a SMURF attack.

Instead, Davis said, investigators will have to rely on psychology to point them in the right direction. "All of the instances where we have seen smurfers get caught were because they bragged, and not because of a technical solution," he said.

Tim Yardley, a senior in computer science at the University of Illinois Urbana-Champaign and the author of a paper on distributed attacks, agreed.

Attackers that brag of their attacks tend to be found out rather quickly, he said. "That tends to be how people are getting caught. The stimulus for people to attack a server is that it gives them an illusion of power, but what good is that if they can't tell anyone?"

Some of the attacks appear to have been made by vandals who want bragging rights, Mixter said. According to the 20-year-old hacker and other reports, several of the packets used to flood networks included messages to the attackers' peers, including Mixter.

"They included hacker greetings and other stuff in the packets," he said. Those greetings could contain clues to the identity of the person, or people. "However, they could also be just there for decoy purposes," he added.

Already, many other decoys are taking up investigation bandwidth, and several groups and individuals have jockeyed to claim credit for the attacks.

On Tuesday, a Florida man calling himself Captain Zapp sent out an 18-page manifesto to MSNBC claiming credit for the crime. On Wednesday, someone using the handle "mafiaboy" and allegedly based in Canada claimed that he initiated the attacks. Another group calling themselves the "Sovereign Anarchist Internet Militia" also claimed responsibility.

"If the federal government, or any branch of government for that matter, or any corporate board continues to threaten more control of the Internet, I can guarantee that more attacks will occur (not only ones similar to this week, but more severe attacks) by the many underground organisations that share our same cause and beliefs," threatened a spokesman calling himself F. Reed Omman, or Freedom Man. "You can, in a sense, consider what has happened as a warning shot."

The "statement" reached a variety of news organisations, including the Associated Press, Reuters, MSNBC, CBS, United Press International and ABC News.

"There are red herrings in any investigation," said one FBI spokesman. "As a rule, everything is on the table until we have proof otherwise."
