photoDistributed Denial of Service (DDoS) attacks were successful in disrupting the Internet activities of Yahoo (Feb. 7, down 4.5 hours), eBay (Feb. 8, down 5 hours), Amazon.Com (Feb. 8, down 4 hours), eTrade (Feb 9, down 4 hours), (Feb. 9, down 5 hours) and other high-profile businesses. The FBI was hit earlier in the month and shut down for three hours.

Yahoo was attacked 30 minutes after a presentation on DDoS security by an AT&T Labs expert. was hit on the day of it’s initial public offering of stock. These attacks were timed to send a message: The Internet is not appropriate for everything.

Here’s a crash-course in DDoS. First you get /root (Unix) or Administrator (Windows NT) access to a “master” system and plant a self-running application — a daemon. Then you plant slave programs on hundreds of “zombie” machines. The best zombies are machines hooked to high-speed lines, and hackers trade ‘em like Pokemon cards.

At a predetermined time, the master tells the zombies to flood a target with packets, jamming routers in front of the targeted site until nothing gets through. The sending IP addresses are usually “spoofs,” a fake ID that prevents the target from determining the attack’s origin. Even if you unplug the attacked machine, the routers continue to clog thanks to the self-healing design of the Internet’s Transmission Control Protocol.

The only things new about February’s DDoS were the targets, the press attention and the general wringing of hands by “eCommerce” groupies. Spoofing is easy to block with ingress filtering, a technique that was described back in January 1998 in RFC 2267 published by the Internet Engineering Task Force. Egress filtering can prevent a machine from distributing spoofed packets, and it’s already built into many systems. Unfortunately, Internet Service Providers (ISPs) turn them off so their systems appear to run faster.

There’s a cry for new laws and a private monitoring agency to lock-down ISP servers, but that won’t solve anything because new zombie-fodder is already out there. Thousands of home computers are connected to the Internet all day long through cable modems and telco ADSL lines. Closer to healthcare, PACS, remote-access ECG management systems, patient monitoring networks and telemedicine systems that employ Web servers are big, fat primo targets. If you want to protect them, you must understand ‘net philosophy.

Connections on the Internet jump across an almost-random chain of servers. The packets of a message are reassembled at the destination. It has to be that way, as the physicist who invented the World Wide Web, Tim Berners-Lee, explained in his book Weaving the Web (HarperCollins 1999): “Philosophically, if the Web was to be a universal resource, it had to be able to grow in an unlimited way. Technically, if there was any centralized point of control, it would rapidly become a bottleneck that restricted the Web’s growth, and the Web would never scale up.”

As a result, Web applications are selling briskly, but they cannot be made as secure as a private network. Even a Virtual Private Network, which uses the Internet backbone with some variations, is more secure.

Private administration is not the answer. Look at what happened after assignment of server names was placed in the hands of a revenue-seeking company, Network Solutions. Now we have cybersquatting, where essentially meaningless domain names are snatched up and are resold for tens of thousands of dollars.

Laments Berners-Lee, “A single centralized point of dependence put a wrench in the gears of an otherwise smoothly running decentralized system. It also shows how a technical decision to make a single point of reliance can be exploited politically for power and commercially for profit, breaking the technology’s independence from these things, and weakening the Web as a universal space.”

“Self-regulation works when there is freedom to set different standards and freedom of consumer choice,” observes Berners-Lee. “However, if ‘self-regulation’ simply becomes an industry version of government, managed by big business rather than the electorate, we lose diversity and get a less democratic system.”

c01b.jpg (4067 bytes)