To catch a hacker
By Janet Kornblum
September 21, 1996, 2 a.m. PT
Somewhere out there, at the end of a long chain of
cyberlinks, a criminal is perpetrating a simple but
particularly nasty ruse: one that keeps thousands of
people from being able to log on to their Internet
services.
But catching the online saboteur isn't easy. In fact, it
may not even be possible.
Just ask Daniel Sleator, a computer science
professor at Carnegie Mellon University and
president of the Internet Chess Club. A little more
than a week ago, someone decided to close down
the subscription-based chess service by waging the
latest tactic in hacking trends, a "denial of service"
attack.
In this particular form of the assault, somebody
somewhere programs a computer to continuously
spew out phony authentication messages to the
targeted server, keeping it constantly busy and
locking out legitimate users. Experts say that new
protocols have been designed to eliminate the
problem, but they won't be available for at least a
few years. (See illustration below)
Called a "SYN-flood attack" in computer-speak,
this type of electronic assault is proving to be far
more insidious than previous online threats. Not
only is it simple to do, but the way to do it is now
widely available from at least two publications on
the Web.
"The problem is, it's a terrorist tactic," said Stephen
Hansen, computer security officer at Stanford University.
"You never know who's doing it, when it's going to
happen, and might not have any idea why somebody
decided to pick on you."
And tracking down the attacker is an equally
troubling process.
In the case of the Internet Chess Club, it involves
tracing the launched missive from the club's server,
backwards. That wouldn't be so tough if the attack
had taken a straight path from the originating
machine to its target. But nothing on the Internet
ever does that, and this is no exception.
Instead, Sleator's local provider, Imagiware, and
Imagiware's provider, Netcom, have undertaken
the unenviable task of tracking the attack back to
its nefarious origins, provider by provider.
The only known way to do that is the painfully
laborious procedure of going to the closest
provider in the chain and asking its operators to
track the previous provider that sent the data, and
so on. It would be like requiring a police officer
pursuing a stolen car to stop each time she crossed
the border into a new city, contact the local force,
and ask someone there to continue the chase to the
next town in a kind of absurd investigative relay
race.
"If you've got 30 routers between the attacker and
the target, you can imagine that might take an awful
lot of time," said an understated Hansen.
And then there's this unfortunate fact: "By the time
you get back to him, he may have moved on to
another site entirely," Hansen said. Or, he added,
the offensive data is emanating from a hacked
computer that has been programmed to send the
authentication requests automatically.
That's just what Sleator imagines--finding a lone
computer. "I have a vision that it's just a machine
there, running a little program that's spewing out this
stuff, and there's nobody there, and there's no way
to find the person who started this new program,"
he said.
No chance for vengeance. No chance to press
charges for the money the guy cost him in lost
customer and technician hours trying to track the
problem and devise ways to work around it.
Plus, the ploy is so simple that even the publisher of
the hacking magazine, 2600, won't even call it
hacking. "It's pretty much like running a script. It's
going through a formula. Hacking is figuring it out,"
said Emmanuel Goldstein.
For example, the person responsible for the Chess
Club attack, the one against New York service
provider Panix, or others that have been violated in
the last few weeks could easily have copied the
program from 2600 or downloaded it from
Phrack, a magazine devoted to hacking.
Both 2600 and Phrack defended their decision to
publish the code, saying they were simply exposing
a hole in the architecture of the Internet, making
people aware of it so that they could patch it.
Hansen, however, doesn't buy it.
"People have known about this particular problem
for years," he said. "I don't think we need to give
handguns to every kid with a two-digit IQ in order
to get the idea that it's a bad thing to give guns to
kids with two-digit IQs."
Meanwhile, until there's a real solution, people like
Sleator try to find ways to run their services while
the attacks continue.
"Any organization that isn't very tightly firewalled off
is potentially vulnerable," he warned. "And even
those who are firewalled off--they may have to
worry as well."
In a typical connection, the user sends a message asking
the server to authenticate it. The server returns the
authentication approval to the user. The user
acknowledges this approval and then is allowed onto the
server.
In a "denial of service" attack, the user sends several
authentication requests to the server, filling it up. All
requests have false return addresses, so the server can't
find the user when it tries to send the authentication
approval. The server waits, sometimes more than a
minute, before closing the connection. When it does
close the connection, the attacker sends a new batch of
forged requests, and the process begins again--tying up
the service indefinitely.
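A toy model of the server-side handshake table the caption describes, added here as an example and not part of the original article: forged requests that never acknowledge hold their slots until the timeout, the real user finds the table full, and a second batch timed to land as the first expires keeps it full. The table size (8), the timeout (75 seconds) and all addresses are assumptions chosen for the model.

```python
from dataclasses import dataclass, field

@dataclass
class HandshakeQueue:
    """Half-open connections: request received, acknowledgement not yet seen."""
    capacity: int = 8        # assumed backlog size for this toy model
    timeout: float = 75.0    # assumed seconds an unanswered approval is held
    pending: dict = field(default_factory=dict)   # return address -> arrival time
    established: int = 0
    refused: int = 0

    def expire(self, now):
        """Drop entries whose approval has gone unanswered past the timeout."""
        for addr, t in list(self.pending.items()):
            if now - t >= self.timeout:
                del self.pending[addr]

    def request(self, addr, now):
        """Step 1: a request arrives; the server reserves a slot and sends approval."""
        self.expire(now)
        if addr in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            self.refused += 1          # table full: this is where real users are locked out
            return False
        self.pending[addr] = now
        return True

    def acknowledge(self, addr, now):
        """Step 3: the acknowledgement returns; only a real return address can send one."""
        self.expire(now)
        if addr not in self.pending:
            return False
        del self.pending[addr]
        self.established += 1
        return True

def run_flood_scenario(batch_size=8, timeout=75.0):
    """Replay the caption: fill, refuse the real user, drain, refill. Addresses are constructed."""
    forged = [f"10.0.0.{i}" for i in range(1, batch_size + 1)]   # never acknowledge
    q = HandshakeQueue(capacity=batch_size, timeout=timeout)
    for a in forged:
        q.request(a, now=0.0)
    blocked_during_flood = not q.request("192.0.2.10", now=1.0)
    for a in forged:                       # second batch lands as the first expires
        q.request(a, now=timeout)
    blocked_after_refill = not q.request("192.0.2.10", now=timeout + 1)
    q2 = HandshakeQueue(capacity=batch_size, timeout=timeout)   # same flood, no second batch
    for a in forged:
        q2.request(a, now=0.0)
    admitted = q2.request("192.0.2.10", timeout + 1) and q2.acknowledge("192.0.2.10", timeout + 1.1)
    return {"blocked_during_flood": blocked_during_flood, "blocked_after_refill": blocked_after_refill,
            "admitted_after_drain": admitted, "half_open_now": len(q.pending)}
```

The count of entries that sit in `pending` past a few seconds with no acknowledgement is the signal an operator watches for: real clients answer within a round trip, forged ones never do.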
Copyright © 1996 CNET Inc. All rights reserved.