WHEN Toni Koivunen visits the online discussion forum Bluehell, he knows what to expect. “The first thing you see is your internet connections drop. You can’t go to any website. Then the lights on your modem go wild. Your bandwidth is being eaten alive.”
Just showing up in one of the chatrooms at Bluehell is enough to generate such a cyber attack. It’s a forum where some of the web’s more disruptive coders hang out, and they don’t need much of an excuse to try out their skills. “It’s like a random act of violence,” says Koivunen. “Most of the time there are no reasons. Maybe someone simply didn’t like the nickname you were using.”
For Koivunen, a computer security expert at the Finnish Communications Regulatory Authority in Helsinki, who visits Bluehell to monitor hacker activity, such attacks are just a nuisance. But the denial-of-service (DoS) attacks that the hackers often use to target him, in which a web connection is swamped with traffic until it seizes up, are increasingly being used by criminals to take money from unsuspecting site owners.
Advertisement
DoS attacks hit the news in May when the Russian government was accused of attacking Estonian websites, in what was reported as the first ever cyber war. As with most DoS attacks, though, the perpetrators were far more likely to be relatively small-time criminals than high-ranking military officials.
Rather than a new battleground in international conflict, DoS is the street crime of the internet, an old and persistent activity that hits less wealthy users and stubbornly refuses to go away. This is because while big companies can afford to buy protection, individual users and small companies generally cannot. Thousands of attacks take place every day, and security experts warn the problem is getting worse. Until the internet itself is reconfigured, say some researchers, the attacks will never be prevented.
“There have been a few arrests,” says Jose Nazario, a computer security specialist with Arbor Networks in Ann Arbor, Michigan. “But there are around a thousand different teams behind the attacks. There are more players, better players, in the market than just a year ago.”
Hackers have many ways of unleashing DoS attacks, but a common method is to infect computers with bots: software that sits unnoticed on the affected PC until, on a given signal, it connects to the target website. If enough computers access a site simultaneously, the server often freezes under the weight of traffic. It’s like crippling a firm’s operations by creating a traffic jam outside the warehouse. Starting such congestion is relatively easy, too. On the hacker discussion website ryan1918.com, for example, a network of 300 bots is currently on sale for just $75.
Three hundred connections would not derail a standard, well-resourced website, but much larger networks, or botnets, exist. These are sometimes used to target organisations that criminals or hackers dislike. In 2003, for example, servers at SCO, a US computing firm that has engaged in legal battles with open-source software companies, went down after they were flooded with over 700 million packets of data over a 32-hour period. And last year, Blue Security, a successful Israeli anti-spam firm, ceased operating after a DoS attack took down its site and many others linked to it. Although the exact number of infected machines involved is unknown, security experts say they have seen networks of over a million bots.
Yet it is not big companies that are most frequently attacked. In a survey of DoS activity, David Moore and colleagues at the University of California, San Diego, found that over 68,000 attacks were directed at 34,000 victims between 2001 and 2004 (ACM Transactions on Computer Systems, vol 24, p 115). They estimate that home users or small businesses were the victims in over half of these attacks.
Although some of the cyber skirmishes are hard to interpret – Moore does not know why the most targeted website is at Graz University of Technology in Austria, for instance – most appear to be petty disputes or crimes. Online gamers use DoS attacks to disable rival players, while chatroom spats like those Koivunen has suffered are also likely to make up a significant chunk, Moore says.
More serious are those attacks used for extortion. Big companies generally have enough computing power and bandwidth to cope with all but the most intense attacks. “The bad guys target those who can’t survive, but can pay,” says Marty Linder of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, Pennsylvania. Botnet owners hit sites when it hurts: bookmakers have been taken offline in the days before a major sporting event, for example. Although victims do not generally admit it, many simply pay up rather than go to the police in order to get back online as quickly as possible. Pornography sites are also targeted due to their reluctance to involve the police. “There are always large attacks going on,” says Linder. “It’s just that the companies hit don’t want to advertise it.”
“There are always large attacks going on, but the companies hit don’t want to advertise it”
So when Estonia was hit last month, it was a rare case of the victim attracting media attention. Nazario’s firm monitors botnet activity, and he says that at least four networks were involved. Each of these botnets consisted of tens of thousands of machines, and were already known to Nazario. As in many other cases, it is impossible to say who controls the botnets, since commands are often relayed through a chain of computers in different countries. But Nazario says the botnets that attacked Estonia had previously been involved in attacks against anti-spam companies, suggesting that they may be hired out to whoever wants to pay for cyber intimidation.
No Estonian site has reported being asked for money, so it may be that the botnet owner simply took a dislike to the country itself, since the attacks came amid Russian anger over an Estonian government decision to move a Soviet war memorial. On the Russian hacker website Xakep, users posted simple code that individuals could use to launch DoS attacks against the Estonian police website. Security experts say the attacks may also have been an advert: if a hacker can take out much of a country’s online infrastructure, he or she can hire out their botnets for more money in future.
Nazario plays down suggestions that the attacks represented the opening salvo in a new type of cyber war. Estonian officials pointed the finger at Russia, saying they had traced some attacks to computers within the Kremlin. However, many governments’ computers have previously been infected by bots. In 2005, for example, the computer security firm Prolexic, based in Hollywood, Florida, identified two US military computers as being involved in a DoS attack against a website selling penis enlargements.
Firms like Prolexic protect their clients by offering to route all traffic through their own network in the event of an attack. The firm has the bandwidth to cope with a sudden increase in traffic and can use filtering software that spots patterns in the flow of communications to block signals coming from compromised machines.
If a website owner cannot afford such a service, though, the egalitarian nature of the internet means that they are always vulnerable to attack, says Tom Anderson, a computer networks expert at the University of Washington in Seattle. “The principal problem is that anyone can communicate with anyone else at any time,” he says.
Selective friendship
To combat DoS attacks, therefore, Anderson believes websites need to be more choosy in who they talk to. He and his colleagues will soon start testing a new protocol for exchanging information over the internet. Under this scheme, sites would include a token in the code they exchange with visiting computers. Software installed at the site’s internet service provider (ISP) would see the token as proof that the communication was legitimate. Should a site come under attack, it could stop handing out tokens to any traffic that looked suspicious, alerting the ISP to the problem and prompting it to block incoming connections upstream. This would prevent the website becoming crippled.
Anderson’s system could give website owners the upper hand in their battle with disruptive hackers. Still, the conflict will almost certainly go on, given the kudos and money that can be generated from cyber attacks. Those who fight off the hackers often adopt a world-weary tone. “We are still being attacked,” says Hillar Aarelaid of Estonia’s Computer Emergency Response Team. “All the time someone is attacking you. The internet has grown up now. You can make a lot of money legally – but also illegally.”
