Chapter 14. How Denial-of-Service Attacks Bring Down Websites


Among the most publicized of Internet dangers are denial-of-service (DoS) attacks. In a DoS attack, a hacker floods a website or an Internet service provider (ISP) with so much malicious, junk traffic that the site is no longer able to function or functions at a very low level. Visitors are not able to get to the site.

DoS attacks often make the headlines because their targets are often high-visibility websites and ISPs. Through the years, sites such as Amazon, CNN.com, eBay, and many others have been victimized by these attacks.

But it isn't only these high-visibility sites that are targets. Plenty of smaller sites and ISPs have been targeted as well. In fact, according to researchers at the University of California, San Diego, in 2003 there were nearly 4,000 DoS attacks launched per week.

There are several ways that a hacker can launch a DoS attack. One of the most popular is called a smurf attack, or smurfing. In a smurf attack, a hacker floods the target with so many garbage packets that all the target's available bandwidth is used up. If the target is an ISP, the ISP's customers can't send or receive data and can't use email, browse the Web, or use any other Internet service.

In a smurf attack, a hacker exploits a commonly used Internet service: ping (Packet Internet Groper). People normally use ping to see whether a particular computer or server is currently attached to the Internet and working. When a computer or server is sent a ping packet, it sends a return packet to the person who sent the ping, which in essence says, "Yes, I'm alive and attached to the Internet." In a smurf attack, a hacker forges the return addresses on ping requests so that, instead of going back to them, the return packets go to the hacker's target. The hacker is able to use networks attached to the Internet as a way of relaying her ping requests and magnifying each ping request many times. In this way, a hacker can use networks attached to the Internet to flood the target with so many return ping packets that the target's customers can't use the website or services. A hacker can use multiple networks attached to the Internet in a single smurf attack.

Sites have difficulty fighting smurf attacks because the ping answering packets come from legitimate networks and not from the hacker. The site has to track down where the ping answering packets are coming from and then contact each of those networks to ask them to turn off the ping answering packets. Making this more difficult is that, when an ISP goes down, its customers often send ping requests to it to see whether it is alive and connected to the Internet. The ISP has a difficult time separating the legitimate ping packets from the smurf attack packets.
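The tracking-down step described above can be sketched as code. This is an added example, not taken from the book: it uses the fact that a ping request is ICMP type 8 and a ping answer is ICMP type 0, and tallies answers that match no request the site itself sent, grouped by the network they came from. The record layout, function names, threshold, and sample addresses are assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed sample records: (direction, src, dst, icmp_type, ident, seq).
# "out" = sent by the protected site, "in" = received by it. All addresses
# are documentation ranges (RFC 5737), not real networks.
SAMPLE = [
    ("out", "192.0.2.10", "198.51.100.7", ECHO_REQUEST, 41, 1),  # site pings a host
    ("in", "198.51.100.7", "192.0.2.10", ECHO_REPLY, 41, 1),     # solicited answer
    ("in", "203.0.113.50", "192.0.2.10", ECHO_REQUEST, 7, 1),    # customer pings the site
    ("in", "198.51.100.20", "192.0.2.10", ECHO_REPLY, 9, 1),     # unsolicited answers
    ("in", "198.51.100.21", "192.0.2.10", ECHO_REPLY, 9, 1),
    ("in", "198.51.100.22", "192.0.2.10", ECHO_REPLY, 9, 1),
    ("in", "203.0.113.200", "192.0.2.10", ECHO_REPLY, 9, 2),
]

def unsolicited_replies_by_network(records, prefix_len=24):
    """Count inbound echo replies that answer no request the site sent,
    grouped by the source network that relayed them."""
    pending = set()   # (remote, local, ident, seq) for requests the site sent
    counts = Counter()
    for direction, src, dst, icmp_type, ident, seq in records:
        if direction == "out" and icmp_type == ECHO_REQUEST:
            pending.add((dst, src, ident, seq))
        elif direction == "in" and icmp_type == ECHO_REPLY:
            key = (src, dst, ident, seq)
            if key in pending:
                pending.discard(key)  # legitimate answer to the site's own ping
            else:
                net = ip_network(f"{src}/{prefix_len}", strict=False)
                counts[str(net)] += 1
        # Inbound echo requests (customers checking the site) are not counted:
        # they are type 8, while the ping answers in a smurf flood are type 0.
    return counts

def networks_to_contact(records, threshold=3):
    """Networks whose unsolicited-reply count meets the (assumed) threshold."""
    counts = unsolicited_replies_by_network(records)
    return sorted(n for n, c in counts.items() if c >= threshold)

if __name__ == "__main__":
    print(unsolicited_replies_by_network(SAMPLE).most_common())
    print(networks_to_contact(SAMPLE))
```

This is one heuristic only; a real deployment would read records from packet captures or flow logs and would expire old entries from the pending set.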

Until several years ago, DoS attacks were launched for purely malicious purposes. Today, though, that has changed: cyberextortionists have gotten into the act. The extortionists send blackmail notes to websites or ISPs, warning them that if they don't pay extortion money, the extortionists will launch a DoS attack to bring down the site. This can have severe economic consequences that can range into the millions of dollars. Some sites pay up; others report the extortion to authorities or hire experts who can protect them against DoS attacks and hunt down the perpetrators.



How Personal & Internet Security Works
ISBN: 0789735539
Year: 2004
Pages: 161
