The latest Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) Computer Crime and Security Report
shows a drop in the overall dollar value in losses associated with cybercrime over the last few years. The CSI/FBI report also shows the previously first-place type of loss, theft of intellectual property, slipping to the second-highest position on the list. In first position? Distributed denial-of-service (DDoS) attacks.
Surprised? I am, too. But this may be bittersweet news. Speaking at last week's CSI/NetSec 2004 conference in San Francisco, Robert Richardson, editorial director for CSI, suggested that the shift from outright theft to disruption is, relatively speaking, a good thing. If data inside the network isn't being stolen, that shows that corporate security is improving However, as security measures improve, less-sophisticated criminal hackers (crackers) often turn to easier, but still quite disruptive, practices, including denying visitors service to specific Web sites.
Anatomy of an attack
A denial-of-service (DoS) attack takes advantage of the way Web sites work: When your browser tries to reach a Web site, it sends out a SYN packet. The Web site server receives that packet, sends back an ACK packet, and holds open a session for your browser to complete the connection. One method of denial-of-service involves sending repeated SYN packets with no intent to follow up. The result is that the server holds several sessions open with no one completing the transaction; soon, after all the available sessions are open, legitimate users get a message saying that the server is busy and asking them to try again later.
Any script kiddie or wanna-be criminal hacker can now download DDoS tools from a variety of clandestine Internet sites.
If one computer sends hundreds of SYN packets per second to a target, try multiplying that attack by a thousand or so. As a result of recent virus and worm activity, we know that some new Trojan horses have compromised a number of computers around the world, forming them into a private network of so-called zombies.
A cracker need only send his DoS app to all those infected computers to orchestrate a distributed
denial-of-service attack (DDoS), where thousands of computers simultaneously take down a specific target. Any script kiddie or wanna-be criminal hacker can now download DDoS tools from a variety of clandestine Internet sites, then piggyback those tools on a widely spreading virus or worm.
The direct approach
We saw a recent demonstration of this practice in February, with the MyDoom worm, which failed to take down Microsoft's Web site but succeeded in shutting down SCO Linux for several days. The Netsky virus followed in April, taking out several file-sharing sites.
Of course, these attacks pale in comparison to the attacks first launched in February 2000, when eight major sites, from Amazon to ZDNet, were all taken offline for several hours. Arrested for that attack was a then-15-year-old with the nickname MafiaBoy, although he was charged with attacking only a few of the eight sites.
The less-than-direct approach
But now, it seems that DDoS crackers are getting craftier. Last Tuesday, between 8:30 and 10:45 a.m. ET, someone tried to take down servers used by Akamai, a distributed computing solution and services company. Never heard of Akamai? This company is the middleman that distributes the load on major Web sites by caching pages of frequently requested information on servers located around the world; the result is that your browser needs fewer hops to reach these sites, so you get a faster response time. Customers of Akamai affected by the attack included Apple Computing, Google, and Yahoo. And I suspect that recent attacks on university supercomputers in April were part of the preparation for the Akamai attack last week.
It's my guess that the more-sophisticated crackers are attempting to wreak havoc behind the scenes by taking out DNS and Akamai servers.
Two years ago, someone attempted to take down the 13 domain name servers
, servers that translate a common name, such as www.company.com,
to its numerical Internet address. Once again, had the attack lasted long enough, the resulting damage would have been spread across many--if not all--sites on the Internet. As it was, the 2002 attack slowed traffic slightly; it failed, mostly because smaller and more local DNS servers maintained the load while the larger and strategically placed servers were under attack.
Who's doing this?
It's my guess that the more sophisticated crackers are attempting to wreak havoc behind the scenes by taking out DNS and Akamai servers, while the less-sophisticated script kiddies are targeting Microsoft and SCO Linux. Why anyone would want to shut down the Internet--other than the obvious "because I can" argument--eludes me, however. So far, luckily, the Internet has proven to be incredibly robust (by design), by withstanding these behind-the-scenes attacks. I have a feeling it'll stay robust for the foreseeable future.
You can do your part to stop these attacks with up-to-date antivirus protection and a personal firewall. Antivirus and firewalls will keep backdoor Trojans off your PC. If we can't stop these attacks outright, we can at least weaken them.
Got a security question? Let me hear about it!