Why distributed denial-of-service?
As you likely know by now, somebody has been bombarding eBay, Yahoo and other sites with a flood of fraudulent, useless queries. The glut of packets has interfered with other, legitimate uses of the Web sites and may have contributed to a significant increase in overall traffic on the Internet. The bombardments were orchestrated through compromised systems, where criminals have installed slave programs that, on command from master programs, send out floods of rubbish.
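The architecture just described, many compromised hosts flooding one target on command, has a visible signature on the defending side: a sudden spike in request rate to a single destination coming from an unusually large number of distinct sources. The following is an added example, not part of the original column, showing the kind of check a network administrator could run over flow records. The flow records, the addresses (documentation ranges) and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts_ms: int   # timestamp in milliseconds (constructed sample data)
    src: str     # source address
    dst: str     # destination address


# Constructed sample: 8 ordinary requests to 203.0.113.10 from two clients
# spread over 4 seconds, and 60 requests to 203.0.113.20 from 30 distinct
# compromised hosts squeezed into 2 seconds.
SAMPLE_FLOWS = (
    [Flow(1_000_000 + i * 500, "198.51.100.%d" % (1 + i % 2), "203.0.113.10")
     for i in range(8)]
    + [Flow(1_000_000 + (i % 20) * 100, "192.0.2.%d" % (1 + i % 30), "203.0.113.20")
       for i in range(60)]
)


def detect_floods(flows, window_ms=1000, rate_threshold=20, min_sources=10):
    """Return {dst: (peak_requests_in_window, distinct_sources_in_that_window)}
    for every destination that, within some window_ms span, received more than
    rate_threshold requests from at least min_sources distinct sources.

    Requiring many distinct sources is what separates a distributed flood from
    one chatty client (which would be handled by ordinary per-client limiting).
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    alerts = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts_ms)
        start = 0
        peak = (0, 0)
        # Sliding window over the time-sorted flows for this destination.
        for end in range(len(fl)):
            while fl[end].ts_ms - fl[start].ts_ms > window_ms:
                start += 1
            count = end - start + 1
            if count > peak[0]:
                sources = {f.src for f in fl[start:end + 1]}
                peak = (count, len(sources))
        if peak[0] > rate_threshold and peak[1] >= min_sources:
            alerts[dst] = peak
    return alerts


if __name__ == "__main__":
    for dst, (count, sources) in detect_floods(SAMPLE_FLOWS).items():
        print(f"possible distributed flood against {dst}: "
              f"{count} requests in 1s from {sources} distinct sources")
```

On the constructed sample only 203.0.113.20 is flagged: 33 requests in a one-second window from all 30 sources, while the legitimate traffic never exceeds three requests per second. In practice the thresholds would be set from a baseline of normal traffic for each service, and the alert would feed whatever upstream filtering or rate limiting the site has available.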
Rumors have been flying about who is doing this stuff and why.
One hoary old canard is that information security consultants attack systems to generate business. I have never met anyone who claimed to know this firsthand. The ethical standards to which Certified Information Systems Security Professionals subscribe in maintaining our certification preclude such abhorrent behavior. Personally, I know for sure that anyone behaving in such a manner in my current group of colleagues would be fired on the spot. I also know for a fact that my colleagues at ICSA Labs, who monitor the criminal underground, frequently warn potential victims that criminal hackers are talking about hitting their sites - and this is simply a professional courtesy, not a presales technique.
In a related vein, professionals who discover security vulnerabilities inform the manufacturers quietly and without publicity. I remember discovering a denial-of-service attack vulnerability on the HP3000 in 1981, when I was a software support specialist for Hewlett-Packard. I asked that the vulnerability be fixed without inserting a full description in the Software Status Bulletin, to minimize the risk of the vulnerability being exploited by people browsing the document. Security experts who describe vulnerabilities by publishing detailed exploits are irresponsible and unprofessional. Security experts who invent exploits and publish them in fully functional form are part of the problem, not the solution.
Another weird idea: people tell me they think that antivirus product developers create viruses to have continued work. I have met and worked with many antivirus product developers (I used to be involved with the ICSA Anti-Virus Product Developers' Consortium). It is my deeply held belief that either these people really do detest virus writers and think that having to fight viruses is the consequence of other people's stupidity and irresponsibility, or they are all fantastic actors and should seriously consider working in the movies. I tell you truly: no one fighting viruses has to invent any. The idiots and defectives who write and spread these nuisances are unfortunately keeping the supply going all by themselves.
But going back to distributed denial-of-service, what other motives could there be for such a mindless attack? Based on the boasting that is common among criminal hackers, you might guess that reputation - the respect of other criminal hackers - is a possibility.
My esteemed friend Stephen Cobb (Stephen.Cobb@infosec.spectria.com) is a well-known and vocal opponent of all criminal hacking, and director of education and research for the security firm Spectria. Here's what he had to say about the fools running distributed denial-of-service software: "Denial-of-service is a dumb attack with no point to it. 'The Web is weak.' - duh! So is Interstate 95 if some idiot wants to jackknife a trailer across it. Heck, the guy who threatened to jump off the main bridge across the Potomac into D.C. probably caused as much [financial] impact in the six hours it took for the police to yield to public pressure and knock him off. You can defeat any computer any time with a denial-of-service attack ('Look, I cut the cable!'). Does that mean we need to go to armored cables? No, it means we have to discourage (and educate to prevent) people from thinking it is cool to cut cables."
A more sinister plot was suggested in a note from a colleague:
"Here's a point for speculation on the distributed denial-of-service attacks that one of my colleagues brought up in conversation that sounds very plausible to me and might indicate a way to catch the culprits who are doing this. He noticed that stocks dropped on the companies that have been hit. Suppose the people who are kicking off the attacks are investing in a company knowing they are going to drop in stock. The next day they hit that company hard and keep the attack going until the stock drops to what they consider a sufficient amount. Wouldn't the person who is implementing the distributed denial-of-service attacks stand to gain a pretty tidy sum of money knowing which stocks are going to drop? Isn't trading information a matter of public record? If these things are true, then it may be possible to cross check on who is 'lucky' enough to buy short at just the right company, at just the right time for a number of statistically improbable investments."
Interesting ideas. Let's hope the FBI and the Securities and Exchange Commission are following up on them.
Sinking even further into paranoia, some commentators have seriously proposed that the FBI and the National Infrastructure Protection Center are behind the attacks. This view holds that the flurry of investigative activity and appeals for public support are evidence of sinister plots to trick the country into believing that information security is important. One writer claimed that the use of the term distributed denial-of-service proved that managers of commercial organizations were being coached by the military - where else could they have learned of this top-secret expression? Pfui: distributed denial-of-service is a plainspoken description of exactly what is involved in the attacks, and security specialists have been warning about the danger of denial-of-service attacks for decades. I prefer to believe - until evidence smacks me in the modem - that the flurry of investigative activity and appeals for public support are rational responses to a genuine problem.
As this column is being written, there is news that the RCMP, the federal police force in Canada, is zeroing in on one social misfit, who calls himself "mafiaboy." Mafiaboy may be responsible for at least some of the damage caused to e-commerce. The RCMP is working closely with the FBI on this case. It will be interesting to see under what statutes such shenanigans are to be prosecuted in Canada and the U.S.
In the meantime, next time you talk to youngsters about the distributed denial-of-service attacks, be sure to pour scorn on the mindless stupidity of doing this kind of thing to hardworking network administrators.
