As a political statement, a distributed denial-of-service attack ranks somewhere between running naked across your college campus and throwing a brick through a shop window. It's juvenile, not very pretty, and not especially articulate. On the plus side, anyone can do it, it's usually not too damaging, and you do get your point across—the point being that you want the world to start taking you seriously already.
The DDoS, as it's known, has hit the news this week because it's the main tool of the online flash mob that calls itself Anonymous. In the last couple of days they've launched DDoSes against the Web sites of Visa, MasterCard, and various other entities that they believe have hurt or maligned WikiLeaks and its founder Julian Assange. Early on Thursday morning, @Op_Payback, one of the Twitter accounts that seems to be associated with the group, gave out instructions to begin attacking Amazon.com. The plan, though, was quickly abandoned: Amazon, the group determined, was too big to be affected by a DDoS attack, and it was better to stick to smaller, less tech-savvy victims.
The distributed denial-of-service is one of the oldest hacks on the Internet. It's been around for more than a decade, and it first hit the mainstream in 2000, when a Canadian teenager who went by the handle Mafiaboy used a DDoS to take down Amazon, eBay, Yahoo, and other big sites. A DDoS attack is sort of akin to the Mean Girls-esque trick of having your friends prank-call your loser enemy all night long to tie up her phone line. The Internet equivalent is getting all your friends, or even strangers whose computers you've wrangled into a "botnet" via a contagious computer worm, to direct a torrent of bogus requests at a single Web server all at once. The target machine, or the network link in front of it, is overwhelmed by the requests, and legitimate users can no longer get through.
It's striking that DDoS attacks can still happen at all anymore. The Internet is very different from the anarchic place it was in the 1990s, and we've largely contained many of the earliest threats—spam, e-mail viruses, Nigerian scams—to a peaceful life online. But DDoSes persist. According to a survey (PDF) of network operators conducted by Arbor Networks—which makes tools for systems administrators to detect and fight denial-of-service attacks—just about every network operator running a large site sees at least one DDoS attack every month, and some see dozens. The attacks are getting larger, too. In 2002, a big DDoS attack might consume only around 400 megabits per second of network bandwidth; today's big attacks, which are usually the product of enormous botnets created by worms like last year's Conficker, consume more than 100 times as much, up to 49 gigabits per second. Why have DDoS attacks persisted? And why, after all this time, haven't we found a way to quash them?
It's because the means of attack are baked into the architecture of the Internet. A Web server's main job is to respond to incoming requests, to serve up pages to whoever asks for them. Web servers were originally designed not to discriminate: they didn't look at where a request came from, what it asked for, or whether thousands of other machines had been asking for the same thing during the last few minutes. A bogus request looks exactly like a legitimate one on the wire, and the server has to spend memory, processor time and bandwidth on it before it can decide anything at all. Nor can the server refuse to receive traffic; a flood large enough to fill its network link has done its damage before any software on the machine gets a say. All the server knew how to do was respond. That was its reason for being, its only purpose in life, and it's precisely the weakness a DDoS exploits.
Jose Nazario, a security researcher at Arbor Networks, says that network operators have tried to build more intelligence in front of their Web servers. Many major Web sites use anti-DDoS systems that look for deviations from normal traffic: if requests are spiking well beyond the usual baseline, that's a sign the site could be under attack. The software also analyzes the kinds of requests that outside machines are making, how often they're asking, where they sit on the network, and what client software they're using to connect. Through this analysis, the system can single out the machines that are sending malicious requests and blacklist them. "These tools have been remarkably successful at keeping the net up and running," Nazario says. "Considering the number of attempted attacks that we see and the scale, you don't hear about them very often."
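The detection signals described above can be shown concretely. The following is an added example, written for this page and not code from the article or from Arbor Networks. It runs over a constructed sample of Web server log lines (a simplified format assumed for the example, not any real server's) in which a handful of normal visitors are followed by a burst from twenty "bots" in one address block plus one noisy client. It computes requests per time window against a baseline learned from the quiet windows, flags individual sources and whole /24 networks that exceed per-window limits, and reports the client software that dominates a spiking window. The window size, thresholds and address ranges are all assumptions chosen for the sample.

```python
"""Toy DDoS detection over constructed access-log lines (added example)."""
from collections import Counter
import ipaddress
import re

# Assumed log format for this example:  <client-ip> <unix-time> "<method> <path>" <user-agent>
LINE_RE = re.compile(r'^(\S+) (\d+) "([A-Z]+) (\S+)" (.+)$')

# Constructed sample traffic using RFC 5737 documentation addresses.
# Two quiet ten-second windows from three ordinary visitors...
NORMAL_LINES = [
    '203.0.113.5 1000 "GET /" Mozilla/5.0',
    '198.51.100.7 1003 "GET /about" Mozilla/5.0',
    '203.0.113.9 1008 "GET /products" Mozilla/5.0',
    '203.0.113.5 1011 "GET /cart" Mozilla/5.0',
    '198.51.100.7 1014 "POST /login" Mozilla/5.0',
    '203.0.113.9 1019 "GET /" Mozilla/5.0',
    '203.0.113.5 1025 "GET /checkout" Mozilla/5.0',
]
# ...then a burst: twenty bots in one /24 sending one request each (so each
# stays under a per-source limit) and one client sending fifteen. All fetch
# the same page with the same client string, the uniformity the text mentions.
FLOOD_LINES = [f'192.0.2.{10 + i} {1020 + i % 10} "GET /" python-urllib/2.6'
               for i in range(20)]
FLOOD_LINES += [f'192.0.2.50 {1020 + i % 10} "GET /" python-urllib/2.6'
                for i in range(15)]
SAMPLE_LOG = "\n".join(NORMAL_LINES + FLOOD_LINES)


def parse_line(line):
    """Return (ip, timestamp, method, path, user_agent), or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, ua = m.groups()
    return ip, int(ts), method, path, ua


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def requests_per_window(records, window=10):
    """Requests per fixed time window, keyed by window start, in time order."""
    counts = Counter(ts - ts % window for _, ts, *_ in records)
    return dict(sorted(counts.items()))


def baseline_rate(rates, training_windows=2):
    """Mean requests per window over the first N windows: the 'normal' level."""
    values = list(rates.values())[:training_windows]
    return sum(values) / len(values)


def spiking_windows(rates, baseline, factor=5.0):
    """Windows whose volume exceeds the baseline by more than `factor`."""
    return [w for w, n in rates.items() if n > baseline * factor]


def noisy_sources(records, window=10, max_per_source=5):
    """Clients that exceed max_per_source requests in any single window."""
    per = Counter((ip, ts - ts % window) for ip, ts, *_ in records)
    return sorted({ip for (ip, _), n in per.items() if n > max_per_source})


def noisy_prefixes(records, window=10, max_per_prefix=10):
    """/24 networks exceeding max_per_prefix in a window. Catches a crowd of
    bots that individually stay under the per-source limit but share address
    space, at the price of also blocking their innocent neighbours."""
    per = Counter()
    for ip, ts, *_ in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per[(str(net), ts - ts % window)] += 1
    return sorted({net for (net, _), n in per.items() if n > max_per_prefix})


def dominant_client_in(records, window_start, window=10, share=0.8):
    """User-Agent strings making up more than `share` of one window's requests."""
    uas = Counter(ua for _, ts, _m, _p, ua in records if ts - ts % window == window_start)
    total = sum(uas.values())
    return [ua for ua, n in uas.items() if n / total > share]


def analyze(log_text, window=10):
    """Run every signal over the log and return the findings."""
    records = parse_log(log_text)
    rates = requests_per_window(records, window)
    base = baseline_rate(rates)
    spikes = spiking_windows(rates, base)
    return {
        "rates": rates,
        "baseline": base,
        "spiking_windows": spikes,
        "blacklist_sources": noisy_sources(records, window),
        "blacklist_prefixes": noisy_prefixes(records, window),
        "dominant_clients": {w: dominant_client_in(records, w, window) for w in spikes},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things the sample is built to show. The per-source limit catches only the one client that sends fifteen requests; the twenty bots each send a single request and pass, so a botnet large enough to keep every member under the limit defeats that signal on its own, which is why the aggregate-volume spike and the coarser network-prefix grouping matter. And none of this logic runs until the packets have already arrived: for a flood that fills the link, as in the bandwidth figures quoted above, the filtering has to happen upstream, at the provider, before the traffic reaches the site.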