Informative Services Group
The Anatomy of a 'Denial of Service' Attack

Written on March 15, 2000 by Robert & Karen Vanderzweerde

Appeared in Greenmaster Magazine

If you tried to access Yahoo!, Amazon.com, E*Trade, Buy.com, eBay, ZDNet, or CNN during the first week of February on the world wide web, you might have experienced the 'world wide wait'. Even HMV in Canada was affected. But wait (sic) … this delay was not caused by thousands of users, poor site design, or inadequate network or computing capacity -- the usual causes of slow response. These sites are well designed and readily able to process the high demands put upon them by their visitors and customers.

So what happened?

This delay was caused deliberately and maliciously. In what is called a 'denial of service' or 'flood' attack, torrents of bogus requests were sent to each site. We're not talking about a doubling or tripling of network traffic … Yahoo! received millions of messages every hour (most companies dream of receiving this much usage in a year, let alone each and every hour). While each site tried to process or even discard the junk being sent its way, normal users of the site were effectively blocked from accessing the site … hence the name, 'denial of service'.

How did they do that?

Now, you can't just use your average personal computer to create this kind of bogus traffic. For one thing, you just can't type fast enough to flood one of the major sites -- they expect thousands of people to use their site every minute. Also, the requests you make could be traced back to you and you would be caught. So how did these people, known as 'crackers' or 'hackers', do it and get away with it?

To create a 'flood', tens or hundreds of computers need to be used (i.e. many small hoses coordinated to fill a very large pipe), but this is expensive. Where did the cracker get the money? Believe it or not, there is software freely available on the world wide web to create world wide waits. Anyone with some computer experience can download and implement this software. The commonly available ones are Tribal Flood Network (TFN), trin00, and stacheldraht (German for barbed wire).

To implement an attack, the cracker uses well-known security holes to break into other computer systems or servers and installs a small piece of software. This is known as a Trojan Horse, as it is later triggered by the cracker to do its dirty deeds (as opposed to a Virus on a computer, which is triggered by an event such as a date). When the cracker has installed enough Trojan Horses, they initiate the 'flood' by telling all the Trojan Horses to simultaneously send bogus messages at the specified target site. The administrators of the computers running the Trojan Horses don't even know that they have been conscripted as part of the attack force. The target site may not even know that an attack is taking place until someone complains of slow service.


Figure 1 - Anatomy of a Flood Attack

The target site must act quickly to stop the attack, often by shutting down their servers and switching over to backup systems.

How do you prevent an attack?

While denial of service attacks are not new, the presence of Tribal Flood Network, trin00, and stacheldraht was detected and alerts were issued in 1999. All administrators were urged to see if Trojan Horses had been installed on their systems without their knowledge. There is even free software available that can scan systems and report whether the Trojan Horses are present (much like a Virus scan). But, like the rest of us, these administrators are pressed for time and many of them have not yet scanned their systems.

Detecting and blocking an attack is difficult. At best, an early response can be initiated rather than waiting for a customer to complain about slow service. Simply blocking the bogus traffic is not enough: the traffic must first be examined to tell bogus requests from legitimate ones, and by that time the network link is already flooded. While there isn't much that can actually prevent an attack, its effects can be lessened. For example, network links can be made very large to make them difficult to flood (this is why an attack on AOL was ineffective).
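As an added illustration of the 'early response' point above (example code written for this page, not from the article or from the tools it names): a small check over constructed web-server log lines that flags a one-minute window whose request count jumps far above the baseline of the other windows and that comes from an unusually large number of distinct hosts, which is what separates a coordinated 'flood' from one busy user. The log lines, thresholds and function names are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access-log lines (common log format); not real traffic.
# Three quiet minutes, then one minute of 60 requests from 60 different hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2000:10:00:01 +0000] "GET / HTTP/1.0" 200 512
10.0.0.6 - - [07/Feb/2000:10:00:20 +0000] "GET /news HTTP/1.0" 200 2048
10.0.0.5 - - [07/Feb/2000:10:00:45 +0000] "GET /mail HTTP/1.0" 200 1024
10.0.0.7 - - [07/Feb/2000:10:01:10 +0000] "GET / HTTP/1.0" 200 512
10.0.0.6 - - [07/Feb/2000:10:01:30 +0000] "GET /finance HTTP/1.0" 200 3072
""" + "".join(
    f'192.168.0.{i + 1} - - [07/Feb/2000:10:02:{i:02d} +0000] "GET / HTTP/1.0" 200 512\n'
    for i in range(60)
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} (?:\d+|-)$')

def window_stats(lines, seconds=60):
    """Bucket requests into fixed windows: {window_start_epoch: (count, distinct_ips)}."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        start = int(ts.timestamp()) // seconds * seconds
        buckets[start][0] += 1
        buckets[start][1].add(m.group("ip"))
    return {k: (n, len(ips)) for k, (n, ips) in buckets.items()}

def flood_windows(lines, seconds=60, rate_factor=10, min_sources=20):
    """Flag windows whose request count is at least rate_factor times the median
    of the other windows AND that involve at least min_sources distinct hosts.
    The source-count test separates a distributed flood from one busy client."""
    stats = window_stats(lines, seconds)
    flagged = []
    for start, (count, sources) in stats.items():
        others = [n for s, (n, _) in stats.items() if s != start]
        if not others:
            continue                      # nothing to compare against yet
        if count >= rate_factor * statistics.median(others) and sources >= min_sources:
            when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
            flagged.append((when, count, sources))
    return sorted(flagged)
```

Run against a live access log, a flagged window is the cue to begin the early response the article describes instead of waiting for a complaint.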

More attacks are certainly possible and probable in the future. 'Floods' are annoying to people trying to legitimately use a site and damaging to companies because of lost revenues and bad publicity. The good news is that information on the sites under attack remains secure. The integrity of these sites and any order/payment information was not compromised. Nevertheless, you should always be careful about providing credit card and other key information about yourself over the web.


Copyright 2007-2011 © Informative Services Group. All rights reserved.