The need to place blame

Last week, a number of big Web sites, including Yahoo Inc., Inc., eBay Inc. and Inc., were each shut down for a few hours by a series of distributed denial-of- service attacks. Now we’re all looking for the bad guys – we want someone to blame.

These attacks were achieved by simply flooding the target sites with more traffic than they could handle, and the victim sites we know of had little or no defenses. Consequently, the sites suffered outages of several hours while the folks at the afflicted sites did a headless chicken routine.

The bigger consequences were the embarrassment and image damage for the Web brands, and the cost – the total losses have been estimated at somewhere in the billions of dollars from lost revenue and staff time.

There were several interesting attributes to these attacks. First, they were targeted at the most-trafficked sites. Second, the attacks were timed, curiously, to coincide with the recent meeting of the North American Network Operators Group. Is there a connection or some bigger agenda? So far, no one but the guilty parties know.

The other notable thing about the attacks is they didn’t come from a single machine – remember that I referred to them as “distributed.” I have read that more than 50 machines were used in the Yahoo attack alone.

The way this worked was that the hackers got access – illegally – to other people’s machines and planted some traffic-generating software on them. All copies of the software on the various machines (called “zombies”) were triggered to start simultaneously, generating a flood of data packets directed at the victim Web sites.

Now we want to find the guilty party but there’s a small problem: We don’t have a clue who they are. The U.S Federal Bureau of Investigation is supposedly collecting server logs from attacked sites, but how much good will that do? I rather doubt the FBI is going to find, say, a hacker’s home phone number in the data. Indeed, I wonder how much of this log collection is merely posturing on the FBI’s part to make it look like it is taking action.

If we can’t string up the hackers by their tender bits, whom can we punish? Much to my surprise, I read there is a move afoot to prosecute the owners of the zombie machines. The idea is that because the owners haven’t adequately managed their systems, they have put other people’s computers at risk. What a crock – distributed blame for a distributed attack!

The idea of punishing the zombie owners is as unfair as it is unworkable. For example, if someone is supposed to apply the latest Microsoft NT or Sun Solaris bug fixes and misses one and the next fix doesn’t apply the missed fix, or there’s something odd about the machine’s configuration that disables the fix, where does the system owner’s responsibility end and the operating system (OS) vendor’s responsibility begin?

I say that if we’re going to look for people to punish, let’s go after everyone who can be dragged in: We’ll start with the system administrators for not keeping their patches up to date and go on to the OS vendors for not providing a reliable and manageable patching system, the zombie sites’ ISPs for not controlling the traffic, the intervening ISPs for the same sin, and hell, let’s include the attacked sites for being vulnerable!

Let’s face it, just as in the real world, sometimes the bad guys don’t get caught. And before you get all fired up and write angrily that the zombie owners should be punished for negligence, ask yourself how you’ll feel when you become the target of distributed blame for some future problem.