In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and is then allowed onto the server. In a denial of service attack, the user sends several authentication requests to the server until it can hold no more pending requests. All the requests carry false return addresses, so the server cannot reach the user when it tries to send the authentication approval. The server waits, sometimes for more than a minute, before closing the connection. When it finally closes the connection, the attacker sends a new batch of forged requests and the process begins again, tying up the service indefinitely.
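As an added illustration (not part of the original article) of the waiting behaviour just described, the following simulation models a server with a fixed-size table of pending requests and a fixed wait before an unanswered request is dropped; the capacity, timeout and request rates are made-up parameters, and the model ignores everything else the server does.

```python
"""Simulate exhaustion of a server's table of pending (unanswered) requests.

Assumed model (constructed for this example, not taken from the article):
  - the server keeps each unacknowledged request in a table of fixed capacity;
  - a legitimate client acknowledges immediately, so it only needs a free slot
    at the instant it arrives;
  - a forged request never acknowledges and occupies its slot until the
    server's timeout expires;
  - when the table is full, every new request is refused, legitimate or not.
"""
from collections import deque


def simulate(capacity, timeout, forged_per_sec, duration, legit_per_sec=1):
    """Return the fraction of legitimate requests refused during `duration`
    seconds. Time advances in whole seconds; each second the forged batch
    arrives first, then the legitimate clients."""
    pending = deque()  # expiry times of forged entries, in arrival order
    refused = accepted = 0
    for t in range(duration):
        # Drop forged entries whose wait has run out (oldest first).
        while pending and pending[0] <= t:
            pending.popleft()
        # The attacker's batch for this second takes whatever slots are free.
        for _ in range(forged_per_sec):
            if len(pending) < capacity:
                pending.append(t + timeout)
        # Legitimate clients complete at once, so they never occupy a slot
        # beyond this instant, but they are refused while the table is full.
        for _ in range(legit_per_sec):
            if len(pending) < capacity:
                accepted += 1
            else:
                refused += 1
    return refused / (refused + accepted)


def sustain_rate(capacity, timeout):
    """Forged requests per second needed to keep a full table full: every
    second, capacity/timeout entries expire and must be replaced."""
    return capacity / timeout


if __name__ == "__main__":
    # A 60-second wait lets 20 forged requests per second lock out everyone;
    # shortening the wait to 5 seconds makes the same rate harmless.
    print("refused, 60 s timeout:", simulate(1024, 60, 20, 120))
    print("refused, 5 s timeout: ", simulate(1024, 5, 20, 120))
    print("rate needed to sustain:", sustain_rate(1024, 60))
```

The second scenario shows why the "waits, sometimes more than a minute" detail matters to a defender: the forged-request rate an attacker must sustain grows in proportion to how quickly the server gives up on an unanswered request.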
A denial of service (DoS) attack is commonly referred to as a "hack" because it is a malicious offensive against another computer system, but unlike most other hacks it does not involve the attacker gaining access to or entry into the target server. Instead, a DoS attack is a massive stream of information sent to a target with the intention of flooding it until it crashes or can no longer accept legitimate traffic. The information is frequently in the form of "pings", small packets of data sent by one computer to another to check whether the other computer is reachable. The target computer responds to the pinger and the connection is made. But if the pinger gives a false address, the target computer cannot return the ping to complete the connection. In that case the target waits and finally gives up. In large volumes, this can overwhelm a server.
A distributed DoS attack is a concerted effort to take down a target. Instead of a one-to-one attack, many computers target a single one, as would be necessary against a target as large as eBay or Amazon. Besides the obvious tactic of having many users flood a target simultaneously, certain publicly available programs allow a single user to mount a distributed DoS. The programs are placed on compromised systems, computers the attacker has already broken into. The attacker then merely needs to run a "trigger" program that tells the planted programs to begin their assault on the target. That kind of attack is not only formidable but very difficult to trace back to its original source.
The weapons used to execute "denial of service" attacks have existed in rudimentary form for decades. But security experts say several effective assault tools that help automate the launch of such attacks have been released only recently. With names like Trinoo, Tribe Flood Network and Stacheldraht (German for "barbed wire"), these tools take advantage of otherwise innocent computers connected to the global network to launch a vast flood of traffic at their targets. Using these programs, attackers break into dozens or even hundreds of computers around the Net and install a kind of time bomb that is difficult to detect. At a later date, the attacker can send a command to all of the "slave" machines, which then wake up and start firing streams of information that clog their targets' networks.
The Trinoo "zombie" tool gives hackers the ability to launch a coordinated distributed denial of service (DDoS) attack on a company from Windows-based PCs and servers rather than from high-performance Unix servers. The Trinoo program can be delivered by electronic mail, like other so-called "Trojans" and remote access tools. It allows a hacker to place "zombie" agents on Windows PCs and servers around the world and then wake them up to launch a crippling stream of Internet traffic at a target company's Web site. This makes it potentially more dangerous than earlier Trojans because of the vast number of Windows-based PCs in place around the world compared with the limited number of Unix systems. With tools such as Trinoo available for Windows PCs, denial of service attacks are now that much easier to launch. It takes the required sophistication level down a notch, because "script kiddies" who are not Unix experts can launch DoS attacks from PCs.
In January and February 2000, e-commerce giants eBay, Amazon.com and Buy.com, along with Yahoo, the news site CNN.com, the online trading sites E*Trade and Datek, and the technology information provider ZDNet reported denial of service attacks that rendered their sites largely inaccessible. The attacks highlight the unique vulnerability of e-commerce: these businesses can be virtually shut down for several hours by faceless hackers, unlike a chain of Wal-Mart stores.
One of the first sites to be hit by this kind of massive, coordinated attack was the University of Minnesota, which was effectively shut down in August 1999. In that incident, 227 computers, some of them connected to the super-fast Internet2 academic network, were used to inundate the school's system with traffic.