I thought this may be useful to some of you on this list, should you have to explain to people what all this news about DOS attacks is. Feel free to use it if you can actually work out the grammar, but on the off chance it will be distributed or printed please ask me first (once bitten, twice shy and all that).

Michael.

-----Original Message-----
From: Michael Lawrie [mailto:michael@senika.com]
Sent: 09 February 2000 11:38
To: Undisclosed
Subject: Denial Of Service attacks, as seen on TV.

You have probably seen a lot of stuff about denial of service attacks on major Internet corporations this week. Ones specifically mentioned are Amazon, CNN, buy.com, eBay and Yahoo. I thought I may as well save myself explaining this a few times by explaining the methods of attack and the implications. This is not a technical email, so don't expect any technical terms; you can get lots of them elsewhere, but very few places actually explain what it all means. It's before midday, so don't expect it to be too well written!

One major thing that tends to differentiate an Internet business from a traditional one is the number of outlets and the potential to create bottlenecks. An Internet company is more like a shop such as Harrods, which has one main location, than shops like Tesco and Dixons, which have hundreds of branches all over the country or even the world.

Basically, a Denial Of Service (DOS) attack is an attempt to stop people getting access to a service by causing so much activity that nobody else gets a look-in. There are many methods of doing this, but I will explain three major ones with analogies. I am only picking on Harrods here because I can't spell Fortnum & Masons and it's in a good location.

Flooding:

In Internet terms, what happens here is that the hackers send so much data to the site that no other data can get through.
Taking our Harrods analogy, what would effectively happen is that the hackers would drive thousands of bulldozers down all access routes to Knightsbridge and, at the same time, have thousands of cows all piling through the doors and generally making a nuisance of themselves. In this scenario, even if the police set up roadblocks around Knightsbridge, the trucks and cows would still be backed up for miles and eventually all routes into London would jam up with them.

One question that may be on your mind is: where do the hackers get all these bulldozers and cows? Simple, they steal them. This may sound unrealistic, but in network terms this is exactly what happens.

When I was at BT we had a denial of service attack that, in this analogy, would basically have meant that not only were all the motorways into London closed, but a couple of runways at Heathrow were blocked and most of the railway routes too. These things can go on for weeks, and until all of the big Internet and backbone providers start to co-operate there is absolutely nothing that can be done about them. In this case, we even knew who was doing it and he had told us he would, and we could still do nothing about it.

Incidentally, don't be under any illusions about the people who do these denial of service attacks. They don't care in the slightest about any innocent collateral damage they may cause on the way.

Overloading:

This is a bit more directed and specific than a raw flood and theoretically is easier to protect against. The problem is that it can very soon turn into a flood. What happens in our shop is that thousands of people in blue T-shirts all pile into Harrods and hundreds of them bunch around every member of staff they can find, asking inane or time-consuming questions. Not only are the members of staff all tied up dealing with the blue T-shirt brigade, but the shop is also starting to fill to capacity with them, so that real customers start to have difficulty just browsing.
Eventually it is conceivable that the staff will be driven so mad by these people that they will have a nervous breakdown and collapse anyway. Should the store security company take the measure of stopping everyone with a blue T-shirt coming in, this may work (though again, they may fill the roads outside, causing a small flood), but what may well happen is that the attackers will change into red T-shirts and eventually so many different colours that it is impossible for store security to be selective at all. In network terms (and this is what happened to Yahoo), a number of different hosts or, in this case, thousands of different networks all make complicated search requests to the site and eventually it starts to collapse under the sheer weight.

Mail bombing:

Here, our hackers literally send millions and millions of letters and/or parcels to our shop. Not only does the shop soon get filled with so many parcels that there is no room for people, staff or anything else, but (you guessed it) the street starts to become so full of couriers, post office vans, little blokes on bikes with stupid shorts on and various other things that other people find it hard to get into the store. Taking this further and more into the flooding arena, companies like DHL and the post office will soon start to get so overloaded that their business is also significantly damaged and eventually they will refuse to send any post to the shop.

If these parcels all look the same, it would be possible to sort them out at the various sorting offices or burn them in the store incinerator, but our hackers have thought of that, so the clever ones make all the parcels look different. This will create a huge amount of work for a long time to come, trying to sort out the real post from the rubbish, and in some cases the hackers will have made them look like real post as well to further confuse things. A few of the attacks this week were mail bombs, though from what I have heard they weren't very sophisticated ones.
So.... How do you protect an Internet site against a denial of service attack? Unfortunately, it's not at all easy. You may use more than one service provider for your data connections, but even if you have lots of routes into your site it is a trivial (and almost automatic) matter to block all of them. If someone attacking a high street shop could steal all the resources they wanted, and the law enforcement services and military were as bad as anything similar we have on the Internet, then anyone with a grudge could do these DOS attacks in real life with ease and create havoc for the country whilst doing so. Even Internet companies with multiple locations can be attacked one by one, or more likely all at once, and in any case most of them use a very small number of actual central servers.

This is quite a pessimistic email really. All that can be done is for the people doing it to be stopped, and for the people letting them get away with it and steal the resources to be held partly liable. But that's not going to happen in the short term.

Michael.