Floored by attack of the bots

By PETER GRIFFIN

The last time we caught up with shadowy web figure Captain Bob, he was making a tidy sum running a global "spam" mail operation over the internet. But since then, the internet has come back to bite him.

Captain Bob, or Steven Taylor as he is known in the real world, has spent the past few weeks getting to know how a distributed denial of service (DDOS) attack occurs. That's because Taylor and the small, Auckland-based internet provider he was using to host his server became the subject of a DDOS attack after Taylor "annoyed" a fellow web user operating from the United States.

The result? About 25 per cent of the internet provider's customers, including Taylor, saw their internet connectivity grind to a halt.

Despite the personal attack, Taylor is philosophical, and now quite well-informed about DDOS - where an attacker floods a victim's computer with vast volumes of data traffic, using an army of compromised computers that have been mustered via the internet.

"It's something that is unavoidable, anyone is prone to it and the worst thing is there is no good way of stopping it," he says.

The genesis of DDOS attacks, in all their varying forms, lies in weak computer security and digital software agents known as "bots".

The Machines are insecure for a variety of reasons: lack of firewall security, missing software patches, outdated anti-virus programs and complacent IT departments.

As Taylor demonstrated to the Herald, insecure computers are searched for and detected on the internet easily. A few minutes of scanning can pick up dozens of "open" machines.

Taylor was searching IP (internet protocol) addresses associated with Asian countries - China, Korea and Japan in particular. The high use of pirated software in those countries means there are often wide security holes.

The first job of the attacker is to create or obtain a bot - something anyone with basic knowledge of writing computer code or access to a search engine can do.

They can be spread with the aid of Trojan viruses such as SUB7, worms and other exploits.

"A lot of the bots have the ability to auto-spread. Once you infect one machine, it will go and infect another six and each of those will infect another six and on it goes," says Taylor.

Some of the Trojans granting access to computers are spread through file-sharing networks such as KaZaA, which is frequented by millions of copyright-flouting music downloaders.

How many bots are needed?

"Maybe a few hundred bots to take down a medium-sized website - 20,000 bots is enough to take out anyone," says Taylor.

The next step is to launch the attack. Often IRC (internet relay chat) is used to communicate with the bots, commanding them to begin sending packets of data to the victim's machine repeatedly. The desired effect is network chaos at the victim's end of the web.

For Taylor, used to changing ISPs at the drop of a hat, the disruption was minimal. But for the thousands of businesses that bear the brunt of DDOS attacks each week, the results can be disastrous.

Yahoo, eBay, MSN and several large US government departments have all at one time struggled to prop their networks up through DDOS attacks.

Quite often their networks, at the most visible their web pages, are taken offline, potentially costing companies, especially those with e-commerce operations, large amounts of money in lost business.

Internet security expert Steve Gibson knows better than most the shock of disappearing from the internet in the blink of an eye.

"Nothing more than the whim of a 13-year old hacker is required to knock any user, site, or server right off the internet," says Gibson on his website, which tells the story of being brought down by a DDOS attack and then attempting to analyse the attack and trace it back to its source (grc.com/dos/grcdos.htm).

"We were drowning in a flood of malicious traffic and valid traffic was unable to compete with the torrent," says Gibson, who determined that GRC had been attacked by 474 insecure Windows PCs sending billions of unwanted packets of data.

And as Gibson found out when he caught up with "Wicked", the DDOS mastermind who had targeted him, the motive for attacks can be basic and personal.

"The reason me and my 2 other contributers [sic] do this is because in a previous post you call us 'script kiddies'," an insulted Wicked later confessed.

Stopping the chaos involves tracing each attack back to the network or computer from where it came. The organisation is then contacted and asked to disable or clean the offending system. Crossing borders, time zones, cultures and languages can be difficult and time-consuming. Attackers often send fake IP addresses, masking the true origins of the attack. The only true way to end the nightmare is to disconnect from the web.

Software vendors have come up with ways of thwarting the attacks such as limiting the number of connections that can be made from one IP address before it is blocked.

The headache is separating authentic traffic from DDOS data flows.

"It comes down to security versus usability. Usually the latter will suffer," says Taylor.

For those doing business online, the threat of DDOS attacks are ever-present.

The director of Taylor's internet provider, which did not want to be named, said the attack had been "reasonably substantial", but good network redundancy had lessened the impact.

"We're one of the few ISPs that have three or four different bandwidth providers. It gives us the ability to weather the storm."

Not as fashionable as they used to be, DDOS attacks seem to come and go - and will become more dangerous as dependence on the web increases. As Taylor says, "with enough bots and enough bandwidth, anything is possible".