Without a trace

How will the rash of denial-of-service attacks affect Internet security—and personal privacy?

DUCK AND COVER! Get under your desks! Most of all, close your Internet connection—the cyberwars have come home, and no one online is safe.

The threat is coming in the form of denial-of-service (DoS) attacks. Roughly the computerized equivalent of calling somebody and leaving the phone off the hook, the technique is so simple that even a journalist can do it. When a browser connects to an Internet site, the two engage in an automatic process to recognize each other, which ordinarily takes a few milliseconds and a tiny fraction of the systems’ processing time. By sending out thousands of these contacts per second and not answering the return message, a DoS attacker ties up the phone lines and keeps the host computer too busy to respond to any other calls.

A coordinated series of attacks, allegedly by Chinese hackers angry over the U.S. surveillance flight shot down over the South China Sea, slowed the White House Web servers to a crawl for about three hours one day in early May.

This kind of attack can have a dramatic effect on a government site, but it cripples a business. Having a server go down in a flood of bogus connections can cost e-commerce sites millions of dollars an hour. Because they are so easy to orchestrate and hard to handle once they begin, and because they’re difficult to trace, DoS attacks are turning into a form of revenge.

“It’s not the big hits against Yahoo that drive this sort of thing. It’s the almost daily low-level DoS attacks that are the problem,” a network administrator, identified as BeBoxer, posts on the geek bulletin board Slashdot. “When it happens, in some cases for us it takes literally tens of thousands of students off of the network.”

According to a study released last month by Stefan Savage and two colleagues at the University of California, San Diego, these attacks come in all sizes and for reasons ranging from the political to the personal. Over a three-week period, they logged no fewer than 12,800 denial-of-service attacks against 5,000 Internet host sites, affecting 2,000 separate organizations. Savage’s team estimates that 20 to 40 attacks are going on across the Internet at any given instant. In the last year or so, DoS attacks have become increasingly common, shutting down Web sites from Amazon.com and CNN.com to Yahoo and even the White House and Pentagon pages. Some of the most widely publicized attacks have been launched by adolescents, like “Mafia Boy,” the 13-year-old Canadian script kiddie who took credit for Amazon and eBay attacks.

“Most security experts will tell you there’s no really good way to stop a denial-of-service attack,” says Scott Bailey, an Internet security expert with Kerby, Bailey and Associates.

AN ESCALATING SERIES of measures and countermeasures between network administrators trying to keep their servers running and resourceful hackers has become a peculiar cat-and-mouse game. Potential victims watch incoming addresses to catch any sudden floods from a single site. But hackers have responded with “distributed-denial-of-service” (or DDoS) attacks, hijacking other people’s computers to send messages from literally thousands of machines simultaneously.

Four separate university-backed start-ups have emerged in the past year to develop defenses to deal with the worsening DoS problem. Savage is connected with Seattle-based Asta Networks, which, according to president and CEO Joe Devich, was the first out of the box. Mazu Networks, a Boston area company aligned with MIT, was just a few weeks behind with their own system. Bailey says these defense systems monitor flow and traffic patterns and are “very similar to Visa and Mastercard ‘neural networks’ that monitor activity on your credit card.”

By attaching devices to the service provider’s end, network administrators can monitor the patterns without reading the actual addresses. Devich says that Asta hopes to stay one step ahead of the hackers by monitoring for statistical anomalies so they can catch entirely new types of attacks. One Asta executive told an industry news service that they look at distributed-denial-of-service attacks as a hard traffic problem rather than a security concern. “The point,” he says, “is not to catch the bad guys but keep the . . . traffic flowing.”

A number of people have voiced concerns about the increasing interest in monitoring Internet traffic as it races through the web of servers, routers, phone, and cable lines that make up the Internet backbone. Devich responds that by monitoring the flow rather than the IP addresses, they are taking another step away from identifying individuals. Tracing the attacks back to their source, security experts admit, is another matter. But most security people agree with Oracle CEO Larry Ellison that privacy on the Internet is just an illusion, anyway.

“If you browse to a Web site, you are leaving a trail that leads to your PC,” says computer security consultant Gunnar Magholder. “If you send an e-mail with the mail server of your ISP, you are traced and tracked. Every time you log on to any site on the Internet, you are logged. This is not related to DDoS defense, but comes with any Web server you use.”

With server logs that record who has come through a server, cookies planting information onto your hard drive, and Web bugs that report back on your surfing from one site to the next, privacy advocates may have to accept Ellison’s advice: “Get over it.”