A Primer: How the Hackers Attack
This week's widespread denial-of-service attacks are a hassle, but not hugely harmful.
The tool to launch a denial-of-service (DoS) attack, which has crippled large retail and news Web sites this week, is one of the simplest, most common, and most vindictive applications in an illicit hacker's toolbox.
Its goal is self-explanatory: It's the hacker's version of "if I can't have it, nobody can." You can't use DoS attacks to steal credit card numbers or user passwords. Rather, the technology denies other people access to Internet services and sites by overwhelming the sites with more information than they can handle.
In the early days of DoS hackdom, it took good organizational skills to launch an effective DoS attack. Using one machine to flood another didn't always work. Network managers and their monitoring software could tell when one machine sent a flood of data to their servers, and they blocked that system as easily as a plumber tightens a leaky pipe.
But the hackers aren't so easily stopped. They know that if enough different machines from all over the Internet swamp a victim with data, administrators can't block them all quickly enough to prevent a server from freezing or crashing. The result is freely available programs that let hackers create Distributed Denial-of-Service (DDoS) attacks.
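The difference between the two cases, seen from the monitoring side, in a short added example (not part of the original article). The traffic records, addresses and packets-per-second thresholds are constructed assumptions; the point is that a per-source check yields a block list for a single flooding machine but nothing to block when the same load is spread over many senders, so the aggregate rate per destination has to be watched as well.

```python
from collections import defaultdict

def build_sample():
    """Constructed records (second, source, destination, packets); not real traffic."""
    records = []
    for sec in range(5):
        # One machine flooding 192.0.2.10, plus one ordinary client.
        records.append((sec, "198.51.100.7", "192.0.2.10", 900))
        records.append((sec, "198.51.100.8", "192.0.2.10", 20))
        # 200 machines each sending a modest amount to 192.0.2.20.
        for i in range(200):
            records.append((sec, f"203.0.113.{i}", "192.0.2.20", 10))
        # Ordinary traffic to 192.0.2.30.
        for i in range(3):
            records.append((sec, f"198.51.100.{20 + i}", "192.0.2.30", 30))
    return records

def classify(records, per_source_pps=500, aggregate_pps=1000):
    """Label each destination; both thresholds are assumed values for illustration."""
    per_src = defaultdict(int)  # (dst, sec, src) -> packets in that second
    per_dst = defaultdict(int)  # (dst, sec)      -> packets in that second
    for sec, src, dst, pkts in records:
        per_src[(dst, sec, src)] += pkts
        per_dst[(dst, sec)] += pkts

    verdicts = {}
    for dst in sorted({d for d, _ in per_dst}):
        sources = {s for (d, _, s) in per_src if d == dst}
        # Sources that exceed the per-source limit in any one second.
        heavy = sorted({s for (d, _, s), n in per_src.items()
                        if d == dst and n > per_source_pps})
        peak = max(n for (d, _), n in per_dst.items() if d == dst)
        if heavy:
            kind = "single-source flood"   # blocking `heavy` stops it
        elif peak > aggregate_pps:
            kind = "distributed flood"     # no single sender stands out
        else:
            kind = "normal"
        verdicts[dst] = {"kind": kind, "block": heavy,
                         "sources": len(sources), "peak_pps": peak}
    return verdicts

if __name__ == "__main__":
    for dst, v in classify(build_sample()).items():
        print(dst, v)
```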
Let the Smurfs Begin
The earliest of these programs, named Smurf, took advantage of a misconfiguration in operating systems that lets you flood a machine with "Pings." The Ping is a sort of network "Yoo-hoo?" that is built into the infrastructure of the Internet.
It didn't take long for sites like Netscan to identify hundreds of networks with misconfigured systems. Malicious hackers could exploit any of these networks to send a massive amount of data at a target. Fortunately, network administrators plugged this obvious hole soon after it was discovered.
Other ways to flood networks evolved over time. For example, a SYN attack involves a system sending hundreds of requests to a server on the Internet. In an ICMP Echo, or Ping, attack, the attacker sends large volumes of a common network probe to the victim. In any case, the result is the same: A server, unable to cope with the overload, ceases to function.