New York Times site hacked By Rose Aguilar and Janet Kornblum November 8, 1996, 4:15 p.m. PT The New York Times Web site, among the most popular online news outlets, this week became the latest victim of an attack from cyberspace that led to a slowdown in service. The so-called denial-of-service attacks are becoming more commonplace, where someone perpetrates a simple but nasty ruse that keeps thousands of people from being able to log on to a targeted Web site. But catching the online saboteur isn't easy. In fact, it may not even be possible, although the Times is working with experts in the field to find a solution as well as increasing its server capacity. The Times' Web site was hit by intruders on election night. The site received ten times the regular number of hits, overloading the system and causing slowdowns. Part of the extra traffic came from users who were eager to learn about the election results, but the rest came from online vandals who bombarded the site with bogus requests. In this form of assault, a hacker programs a computer to continuously send phony authentication messages to the targeted server, keeping it constantly busy and locking out legitimate users. Experts say that new protocols have been designed to eliminate the problem, but they won't be available for at least a few years. Called a "SYN-flood attack" in computer jargon, this kind of electronic assault is proving to be far more insidious than previous online threats. Not only is it simple to do, but the way to do it is now widely available from at least two publications on the Web. "The problem is it's a terrorist tactic," said Stephen Hansen, computer security officer at Stanford University. "You never know who's doing it, when it's going to happen, and might not have any idea why somebody decided to pick on you." Tracking down the attacker is an equally troubling process. In the case of the Internet Chess Club, which was hit by a SYN-flood attack in September, it involves tracing the launched missive from the club's server backwards. The problem is that the attack doesn't always take a straight path from the originating machine to its target. Instead, the chess club's president Daniel Sleator's local provider, Imagiware, and Imagiware's provider, Netcom, have undertaken the unenviable task of tracking the attack back to its nefarious origins, provider by provider. The only known way to do that is the painfully laborious procedure of going to the closest provider in the chain and asking its operators to track the previous provider that sent the data, and so on. "If you've got 30 routers between the attacker and the target, you can imagine that might take an awful lot of time," said Hansen. Then there's this unfortunate fact: "By the time you get back to him, he may have moved on to another site entirely," Hansen said. Or, he added, the offensive data is emanating from a hacked computer that has been programmed to send the authentication requests automatically. That's just what Sleator imagines--finding a lone computer. "I have a vision that it's just a machine there, running a little program that's spewing out this stuff, and there's nobody there, and there's no way to find the person who started this new program," he said. The result: no chance for vengeance, no chance to press charges for the cost in lost customers and technician hours trying to fix the problem as well as and devise ways to work around it. Plus, the ploy is so simple that the publisher of the hacking magazine 2600 won't even call it hacking. "It's pretty much like running a script. It's going through a formula. Hacking is figuring it out," said Emmanuel Goldstein. For example, the person responsible for the Chess Club attack, the one against New York service provider Panix, or others could easily have copied the program from 2600 or downloaded it from Phrack, another magazine devoted to hacking. Both 2600 and Phrack defended their decision to publish the code, saying they were simply exposing a hole in the architecture of the Internet, making people aware of it so that they could patch it. Hansen doesn't buy it. "People have known about this particular problem for years," he said. "I don't think we need to give handguns to every kid with a two-digit IQ in order to get the idea that it's a bad thing to give guns to kids with two-digit IQs." Meanwhile, people like Sleator try to find ways to run their services while the attacks continue. Berkeley Software Design, among other companies, has released a fix that it says will protect servers against the denial-of-service attacks. It has made the source code for the fixes available free of charge. Still, Sleator warned, "any organization that isn't very tightly firewalled off is potentially vulnerable, and even those who are may have to worry as well." Copyright © 1996 CNET Inc. All rights reserved.