I almost was a zombie computer
January 25, 2000. I’m having dinner with some of the other instructors at the National Summit on Cybercrime in Washington, D.C. Almost everybody else in the room is a cop, and once in a while somebody crosses his legs and a holstered service revolver peeks out.
These guys are the genuine article: foot soldiers in the war against kiddie porn, Internet death threats and economic techno crimes. And they’re worried. They’ve heard about something called “TFN” and they don’t like it one bit.
Fast forward two weeks. Web sites are falling like flies. In rapid succession the on-line presence of Amazon.com, Ebay, even E*Trade goes silent, as if they were powered by some geriatric 486 that just couldn’t handle the load. The media tells us they’re victims of the Tribe Flood Network (TFN) program or one of its evil cousins. Targeted sites were swamped under a torrent of junk messages, some of them containing cute references to the hacker’s world. Shares of e-commerce companies fall and people start saying that maybe we’re not really ready to order Tilley hats or golf clubs through our computers after all.
What really happened? The Internet is supposed to be robust! It was designed to survive nuclear explosions, so why can’t it handle a few dozen hackers spewing messages at it? The answer is that, in those glorious pre-Internet days of ARPANET, everybody assumed computer users would play by the rules. Sure, your enemy might vaporize the cable from Toronto to Buffalo, but the people on both ends were basically your friends — politely sharing resources in a kind of technological gentleman’s agreement. Nothing in the protocols even checks that a packet really came from the address written on it, because nobody expected anyone to lie.
TFN is the rude brother-in-law who moves in and breaks all the family rules. The attacker first breaks into a crop of poorly secured machines and plants a small agent program on each one; then he picks a target and sends the agents a signal to fire, so the junk arrives from dozens of innocent bystanders rather than from the attacker. The media has dubbed them “Zombie Computers,” brain-dead accomplices triggered by a secret signal to give their all in a torrent of ICMP, SYN and UDP floods. (If you don’t know what those are it’s time to read www.cert.org/advisories/CA-99-17-denial-of-service-tools.html and also www.cert.org/reports/dsit_workshop.pdf.)
Now surely that expensive network hardware we’ve all been buying should be smart enough to detect this abnormal condition and shield our precious servers from all the junk messages. “Routers and firewalls are just computers too,” said Tej Minhas, president and COO of Jaws Technologies Inc., a Calgary-based computer security firm. “So the problem just keeps getting kicked up one level, as those machines get saturated and stop working.”
triggering a flood
I asked one of Jaws’ top technical people, Brian Lynch, CISSP, if he could launch a distributed denial of service attack from my home computer, which happens to be a Pentium III 733 MHz with a cable Internet connection. “Sure,” he said, “but I would need a week to prepare.”
Scary, that, although one machine, even with relatively high-speed Internet access, can’t take down a Web site by flooding it on its own. Enlist an army of innocent helpers, by installing Trojan Horse agent software on them, and the attack becomes quite feasible: a few hundred zombies each contributing a trickle add up to more traffic than the target’s link or its server can absorb.
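The difference between one saturated cable modem and an army of zombies is visible in the traffic itself, and that is what a detection rule has to key on. The following is an added example, not code from this column or from Jaws Technologies, and not any real DDoS tool: it reads a simplified, assumed one-packet-per-line log format (“time src > dst proto flags”), counts bare SYNs, ICMP and UDP packets per destination per second, and reports whether a flood comes from a single source or from many, along with how many sources sent SYNs but never an ACK (the half-open signature of a SYN flood). All addresses and packets are constructed for the demonstration.

```python
"""Flag ICMP, SYN and UDP floods in a packet-summary log and say whether
the flood is distributed.

Added example, not code from the column or from any tool it names.  The
one-line-per-packet format "time src > dst proto flags" is an assumed,
simplified log format, and every address and packet below is constructed
for the demonstration, not taken from a real capture.
"""
from collections import defaultdict

TARGET = "192.0.2.10"  # the Web server under attack (constructed address)


def constructed_records():
    """Build a synthetic sample: a little real traffic, then a flood."""
    lines = []
    # Second 0: three ordinary clients.  Each sends a SYN and then ACKs,
    # which is what a completed handshake looks like from the server side.
    for i, src in enumerate(("203.0.113.4", "203.0.113.9", "203.0.113.17")):
        t = 0.05 * i
        lines.append(f"{t:.3f} {src} > {TARGET} tcp S")
        lines.append(f"{t + 0.02:.3f} {src} > {TARGET} tcp A")
        lines.append(f"{t + 0.03:.3f} {src} > {TARGET} tcp PA")
    # Second 1: forty zombies each fire five SYNs and never follow up.
    for z in range(40):
        src = f"198.51.100.{z + 1}"
        for k in range(5):
            t = 1.0 + 0.002 * (z * 5 + k)
            lines.append(f"{t:.3f} {src} > {TARGET} tcp S")
    # Second 2: the same zombies switch to an ICMP echo-request flood.
    for z in range(40):
        src = f"198.51.100.{z + 1}"
        for k in range(3):
            t = 2.0 + 0.003 * (z * 3 + k)
            lines.append(f"{t:.3f} {src} > {TARGET} icmp echo-request")
    return lines


def parse(line):
    """'1.002 198.51.100.1 > 192.0.2.10 tcp S' -> (1.002, src, dst, 'tcp', 'S')."""
    t, src, arrow, dst, proto, flags = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected record: {line!r}")
    return float(t), src, dst, proto, flags


def detect_floods(lines, window=1.0, pkt_threshold=100, source_threshold=10):
    """Return one alert per (destination, time window) that exceeds
    pkt_threshold packets of any one flood type.  A SYN counts toward the
    flood only when it is a bare SYN (no ACK bit), and sources that send
    SYNs but never an ACK are reported as half-open, the signature of a
    SYN flood rather than of a busy but legitimate client population."""
    def empty():
        return {"syn": 0, "icmp": 0, "udp": 0, "ack": 0,
                "sources": set(), "syn_sources": set(), "ack_sources": set()}
    buckets = defaultdict(empty)
    for line in lines:
        t, src, dst, proto, flags = parse(line)
        b = buckets[(dst, int(t // window))]
        b["sources"].add(src)
        if proto == "tcp":
            if "S" in flags and "A" not in flags:
                b["syn"] += 1
                b["syn_sources"].add(src)
            elif "A" in flags:
                b["ack"] += 1
                b["ack_sources"].add(src)
        elif proto in ("icmp", "udp"):
            b[proto] += 1

    alerts = []
    for (dst, slot), b in sorted(buckets.items()):
        kinds = [k for k in ("syn", "icmp", "udp") if b[k] >= pkt_threshold]
        if not kinds:
            continue
        half_open = b["syn_sources"] - b["ack_sources"]
        alerts.append({
            "dst": dst,
            "window_start": slot * window,
            "kinds": kinds,
            "packets": sum(b[k] for k in kinds),
            "distinct_sources": len(b["sources"]),
            "half_open_sources": len(half_open),
            # One saturated cable modem looks very different from an army:
            # many distinct sources in the same second means a distributed flood.
            "distributed": len(b["sources"]) >= source_threshold,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(constructed_records()):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; on a real link you would tune pkt_threshold to the server’s normal connection rate and watch the half-open count, which stays near zero for genuine clients even on a busy day. Note that the “distinct sources” figure is only a lower bound on the number of zombies, since agents that forge their source addresses make one machine look like hundreds.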
“You don’t necessarily need a lot of technical knowledge to do this,” said Lynch. “There are places where you can download the tools to do this, then you just point them at the target.”
February 11, 2000. “Computer Scientists predict more attacks,” says the National Post headline. No surprise, since now every 15 year old with a grudge can figure out where to get TFN and trinoo, not to mention older one-shot crashers like WinNuke and Nestea, or the “smurf” amplifiers. We know that computer security breaches are often covered up by the victims. What bank would want its depositors and shareholders to know it has been hacked? But when your Web site is sitting out there like a mute turnip for minutes on end, people kind of know that you’ve been attacked. And the word spreads fast, on hacker bulletin boards and mailing lists. I won’t mention the really ugly ones, but you can certainly get some naughty ideas from www.hackershomepage.com — including the disclaimer that all this “knowledge” is for educational purposes only and you shouldn’t really apply it. Sure.
what to do?
While the FBI and probably the RCMP hunt for the “perpetrators,” it’s a good time to sit back and think about all this. Do we need a new addressing structure for the Internet?
Probably. We’re getting one anyway to cope with the diminishing supply of numeric IP addresses left in the world. At the very least, it will need to give us an authoritative IP address that really leads back to a specific person or at least a computer. A new address format by itself won’t do that, though: the zombies forge the source address on every packet they send, and the fix for that is already written down in RFC 2267, which asks Internet providers to drop packets leaving their networks with addresses that don’t belong there. Few do. Then there’s the matter of all those leaky Unix systems (the main type of site compromised in these attacks) that people are too lazy to fix.
So wake up! Go grab one of those hacker tools and run it against your own system. (Hint: warn the system administrators. If you are the system admin, warn the management.) You’ll find that your machine is almost certainly vulnerable to well-known, documented attacks. And while Unix boxes star in this show, there are lots of things to worry about in Windows NT and Mac OS too. Spending time on security isn’t fun (for most people) but it’s now a vital part of doing business, particularly on the Internet.
On a deeper level, we need to educate our young people about computer security and ethics. Face it, every kid who gets a driver’s license (which you can do at 16 here in Alberta) has the technological capability to go out and run down pedestrians, swerve into oncoming traffic lanes and generally wreak havoc. A few do, but most are far more sensible. Somehow, and it’s probably through education, we need to help young people realize that the fun is in using and improving the tools, not breaking them. I’ve conveyed this message, one on one, to a few youngsters who were headed towards the Dark Side. The key is to show them the challenge: it’s so much harder to design and protect a system than to make it crash.
So, to everyone who breathed a sigh of relief when Jan. 1, 2000 came and quietly went…think again. The real Y2K bug is in the heads of thousands of young people around the world. And they’re not going away with the turn of a calendar page.
(Dr. Keenan, ISP, is dean of the Faculty of Continuing Education at the University of Calgary and an adjunct professor of computer science there and at the Asian Institute of Technology.)