To catch a hacker By Janet Kornblum September 21, 1996, 2 a.m. PT Somewhere out there, at the end of a long chain of cyberlinks, a criminal is perpetrating a simple but particularly nasty ruse: one that keeps thousands of people from being able to log on to their Internet services. But catching the online saboteur isn't easy. In fact, it may not even be possible. Just ask Daniel Sleator, a computer science professor at Carnegie Mellon University and president of the Internet Chess Club. A little more than a week ago, someone decided to close down the subscription-based chess service by waging the latest tactic in hacking trends, a "denial of service" attack. In this particular form of the assault, somebody somewhere programs a computer to continuously spew out phony authentication messages to the targeted server, keeping it constantly busy and locking out legitimate users. Experts say that new protocols have been designed to eliminate the problem, but they won't be available for at least a few years. (See illustration below) Called a "SYN-flood attack" in computer-speak, this type of electronic assault is proving to be far more insidious than previous online threats. Not only is it simple to do, but the way to do it is now widely available from at least two publications on the Web. "The problem is, it's a terrorist tactic," said Stephen Hansen, computer security officer at Stanford University. "You never know who's doing it, when it's going to happen, and might not have any idea why somebody decided to pick on you." And tracking down the attacker is an equally troubling process. In the case of the Internet Chess Club, it involves tracing the launched missive from the club's server, backwards. That wouldn't be so tough if the attack had taken a straight path from the originating machine to its target. But nothing on the Internet ever does that, and this is no exception. Instead, Sleator's local provider, Imagiware, and Imagiware's provider, Netcom, have undertaken the unenviable task of tracking the attack back to its nefarious origins, provider by provider. The only known way to do that is the painfully laborious procedure of going to the closest provider in the chain and asking its operators to track the previous provider that sent the data, and so on. It would be like requiring a police officer pursuing a stolen car to stop each time she crossed the border into a new city, contact the local force, and ask someone there to continue the chase to the next town in a kind of absurd investigative relay race. "If you've got 30 routers between the attacker and the target, you can imagine that might take an awful lot of time," said an understated Hansen. And then there's this unfortunate fact: "By the time you get back to him, he may have moved on to another site entirely," Hansen said. Or, he added, the offensive data is emanating from a hacked computer that has been programmed to send the authentication requests automatically. That's just what Sleator imagines--finding a lone computer. "I have a vision that it's just a machine there, running a little program that's spewing out this stuff, and there's nobody there, and there's no way to find the person who started this new program," he said. No chance for vengeance. No chance to press charges for the money the guy cost him in lost customer and technician hours trying to fix track the problem and devise ways to work around it. Plus, the ploy is so simple that even the publisher of the hacking magazine, 2600, won't even call it hacking. "It's pretty much like running a script. It's going through a formula. Hacking is figuring it out," said Emmanuel Goldstein. For example, the person responsible for the Chess Club attack, the one against New York service provider Panix, or others that have been violated in the last few weeks could easily have copied the program from 2600 or downloaded it from Phrack, a magazine devoted to hacking. Both 2600 and Phrack defended their decision to publish the code, saying they were simply exposing a hole in the architecture of the Internet, making people aware of it so that they could patch it. Hansen, however, doesn't buy it. "People have known about this particular problem for years," he said. "I don't think we need to give handguns to every kid with a two-digit IQ in order to get the idea that it's a bad thing to give guns to kids with two-digit IQs." Meanwhile, until there's a real solution, people like Sleator try to find ways to run their services while the attacks continue. "Any organization that isn't very tightly firewalled off is potentially vulnerable," he warned. "And even those who are firewalled off-- they may have to worry as well." In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server. In a "denial of service" attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely. Stephen Hansen on the difficulty of tracing an attack Hansen speaks out on "denial of service" attackers Hacking cost businesses $800 million Web watchdogs sharpen teeth Hacker alert sounded The Net's most wanted Jury still out on hacking Hacker bombardment keeps site in check ISPs search for a cure Chess Club waits for next move Copyright © 1996 CNET Inc. All rights reserved.