eToys attacks show need for strong Web defenses

December 21, 1999
Web posted at: 11:33 a.m. EST (1633 GMT)

by Ellen Messmer

From Network World Fusion

(IDG) -- Network-based attacks against eToys last week and the emergence of a particularly destructive method for launching such raids are fresh reminders of the need for e-commerce sites to keep their defenses sharp.

Online retailer eToys has taken legal steps to prevent a Swiss art group from using the domain name etoy.com. Last week, that move prompted an Internet activist group to launch what are known as denial-of-service attacks on the toy seller's Web site with the intent of bringing it down.

Denial-of-service attacks involve the flooding of a Web site with bogus requests that wind up blocking legitimate ones. Denial-of-service attacks can be launched using any of dozens of programs available in hacker chat forums and on the Web, including new tools that enable attackers to bombard Web sites with traffic generated by thousands of machines.

Activist group RTMark attempted to justify its attack on eToys' Web site by citing the eToys vs. etoy case as the victory of corporate greed over art and freedom of expression. Declaring a war of revenge against eToys, RTMark sought to rally the public to use a denial-of-service tool called FloodNet to saturate the eToys.com site with network ping floods.

RTMark also engaged the help of the Electronic Disturbance Theater - a hacker group claiming to attack sites only on behalf of social causes - to help cripple eToys or deface its Web pages.

"We're going to make an example of them," claimed Ray Thomas, a San Francisco-based accountant and RTMark's spokesman, describing how the group wants to "destroy" eToys. The group's Web site made available information, such as eToys' IP address, that would give attackers helpful ammunition to shoot eToys down.

Over at eToys, which has kept a great network-availability record during the holiday season, the e-commerce site showed only slight signs of problems. It slipped from 100% availability to 98% once the RTMark call for attack came, according to Internet measurement service Service Metrics.

Ken Ross, a spokesman for eToys, says the online toy store considers the technical defenses it is using against the protest group's sabotage to be "proprietary."

Security professionals have a number of recommendations for coping with such attacks, which are identified by strange names such as SYN Floods, LAND attack, Ping bomb, Ping O'Death, Fraggle, Smurf and WinNuke.

Security experts and e-commerce industry watchers believe denial-of-service attacks happen more often than they are reported. Most companies prefer not to acknowledge such attacks, often begging not to be identified in stories.

According to Paul Proctor, chief technology officer of CyberSafe's Centrax division, there are three categories of denial-of-service attacks.

One method involves flooding the line with ping traffic, or any "garbage to keep the router busy," Proctor says.

Using another method, an attacker can send malformed packets that give routers, firewalls or switches a kind of network indigestion.

Attackers also can scare off Web visitors by making them think something is wrong or dangerous about the site.

The discovery earlier this month of a new, more dangerous kind of denial-of-service tool on the 'Net has security pros sounding the alarm.

The new type of tool, which includes variations called Tribal Flood Network and Trin00, enables attackers to invade Web sites with bogus messages sent from many machines simultaneously. Until now, denial-of-service tools have limited attackers to launching a single ping flood, which wasn't usually enough to fill up the T-1 or T-3 bandwidth typically available at an e-commerce site, says Chris Klaus, chief technology officer at Internet Security Systems.

But Unix-based Tribal Flood Network and Trin00 overcome that barrier by allowing a single user, by means of the appropriate client software, to launch a coordinated attack on a target from thousands of compromised machines on which the necessary server software has been installed.

"I call these compromised machines 'zombies' because of the intended use of them in denial-of-service attacks," Klaus says. Attackers can remotely install Tribal Flood Network and Trin00 on unsuspecting hosts by exploiting buffer-overflow vulnerabilities or one of a handful of other vulnerabilities.

Klaus says thousands of these ping-launching zombie machines have already been identified, many in university and government networks that are unprotected by firewalls.

This new type of ping flooding capability means that a single attacker at his desktop could masquerade as a huge group sending out disabling pings.

What if your site gets hit by a distributed denial-of-service attack? According to a recent CERT Coordination Center advisory, the target of an attack may not be able to rely on Internet connectivity for communications. CERT suggests that firms have alternatives to the Internet for data communications.

CERT also advises that if you discover one of these distributed attack tools installed on your servers, it might provide information useful in locating or disabling other parts of the distributed attack network. "We encourage you to identify and contact other sites involved," CERT says.

