[iwar] Historical posting


From: Fred Cohen
From: fc@all.net
To: iwar@onelist.com

Mon, Jan 1, 1999


Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA15269 for iwar@onelist.com; Tue, 18 Apr 2000 05:21:43 -0700

Subject: Hunting Web attackers 'impossible'

Updated 5:39 PM ET February 10, 2000
By Robert Lemos, ZDNet News

The FBI might have vowed to bring the "packet warriors"
responsible for taking down eight major Web sites to justice, but
several Internet security experts remain doubtful the Bureau can
deliver on that promise.

"It will be virtually impossible (to track the attackers down),"
said a "white-hat" hacker known as Mixter, who authored the Tribe
Flood Network. TFN is a tool used to cause denial-of-service
attacks such as those that hit Yahoo!, eBay, Buy.com, Amazon.com,
E*Trade, MSN.com, CNN.com and ZDNet earlier this week. "All
providers have to scrutinize their router logs tracing back
traffic," Mixter said, and that's a time-intensive process.

Proving Mixter's point, Yahoo! -- the first site to be knocked
offline on Monday morning -- said Thursday its investigation of
the attack would be "a very difficult, long process. It's
definitely going to be difficult to track these people," a Yahoo!
spokeswoman said. "It's largely because the traffic is mock
traffic. It's not easy to track down the IP addresses from which
the attack originated. These are very smart individuals using
very sophisticated software that makes it very difficult to
trace."

FBI investigators refused to comment on their ongoing investigation
Thursday. Even if successful, Federal investigators will most
likely end up just finding the host computers that the attackers
co-opted to do their dirty work, rather than the attackers
themselves. It's no coincidence that, although denial-of-service,
or DoS, attacks take place a handful of times every day on the
Internet, few arrests have ever been made.

Psychology the key

"If the person was smart, they could have gone to their local
library or public access point to put in the (compromised
computers)," said Troy Davis, administrator for Netscan.org, a
Web site dedicated to highlighting insecure Internet servers that
could be co-opted to launch a specific type of denial-of-service
attack known as a SMURF attack.

Instead, Davis said, investigators will have to rely on
psychology to point them in the right direction. "All of the
instances where we have seen smurfers get caught were because
they bragged, and not because of a technical solution," he said.

Tim Yardley, a senior in computer science at the University of
Illinois Urbana-Champaign and the author of a paper on
distributed attacks, agreed. Attackers that brag of their
attacks tend to be found out rather quickly, he said. "That tends
to be how people are getting caught," he said. "The stimulus for
people to attack a server is that it gives them an illusion of
power, but what good is that if they can't tell anyone?"

Mixter: Hacker greetings a clue

Apparently, some of the attacks seem to have been made by vandals
who want bragging rights, pointed out Mixter. According to the
20-year-old hacker and other reports, several of the packets used
to flood networks included messages to the attackers' peers,
including Mixter. "They included hacker greetings and other
stuff in the packets," he said. Those greetings could contain
clues into the identity of the person, or people, he said,
"However, they could also be just there for decoy purposes."

Already, many other decoys are taking up investigation bandwidth,
and several groups and individuals have jockeyed to claim credit
for the attacks. On Tuesday, a Florida man calling himself
Captain Zapp sent out an 18-page manifesto to MSNBC claiming
credit for the crime. On Wednesday, someone using the handle
"mafiaboy" and allegedly based in Canada claimed that he
initiated the attacks.

Another group calling themselves the "Sovereign Anarchist
Internet Militia" also claimed responsibility. "If the federal
government, or any branch of government for that matter, or any
corporate board continues to threaten more control of the
Internet, I can guarantee that more attacks will occur (not only
ones similar to this week, but more severe attacks) by the many
underground organizations that share our same cause and beliefs,"
threatened a spokesman calling himself F. Reed Omman, or Freedom
Man. "You can, in a sense, consider what has happened as a
warning shot."

The "statement" reached a variety of news organizations,
including the Associated Press, Reuters, MSNBC, CBS, United Press
International and ABC News.

"There are red herrings in any investigation," said one FBI
spokesman. "As a rule, everything is on the table until we have
proof otherwise."

Source URL:
< http://news.excite.com/news/zd/000210/17/hunting-web-attackers >