WikiLeaks: How supporters tried to take down Visa and MasterCard.

Innovation, the Internet, gadgets, and more.
Dec. 9 2010 5:46 PM

The Oldest Hack in the Book

How WikiLeaks supporters tried to take down Visa and MasterCard.

Illustration by Robert Neubecker. Click image to expand.

As a political statement, a distributed denial-of-service attack ranks somewhere between running naked across your college campus and throwing a brick through a shop window. It's juvenile, not very pretty, and not especially articulate. On the plus side, anyone can do it, it's usually not too damaging, and you do get your point across—the point being that you want the world to start taking you seriously already.

The DDoS, as it's known, has hit the news this week because it's the main tool of the online flash mob that calls itself Anonymous. In the last couple of days they've launched DDoSes on the Web sites of Visa, MasterCard, and various other entities who they believe have hurt or maligned WikiLeaks and its founder Julian Assange. Early on Thursday morning, @Op_Payback, one of the Twitter accounts that seems to be associated with the group, gave out instructions to begin attacking Amazon.com. The plan, though, was quickly abandoned—Amazon, the group determined, was too big to be affected by a DDoS attack, and it was better to stick to smaller, less tech-savvy victims.

Advertisement

The distributed denial-of-service is one of the oldest hacks on the Internet. It's been around for more than a decade, and it first hit the mainstream in 2000, when a Canadian teenager who went by the handle Mafiaboy used a DDoS to take down Amazon, eBay, Yahoo, and other big sites. A DDoS attack is sort of akin to the Mean Girls-esque trick of having your friends prank-call your loser enemy all night long to tie up her phone line. The Internet equivalent of this is getting all your friends—or even strangers, whose computers you've wrangled into a "botnet" via a contagious computer worm—together and directing a bunch of bogus requests at a single Web server all at once. The target machine gets overwhelmed by the requests, knocking it offline for all legitimate users.

It's striking that DDoS attacks can still happen at all anymore. The Internet is very different from the anarchic place it was in the 1990s, and we've conquered many of the earliest threats— spam, e-mail viruses, Nigerian scams—to a peaceful life online. But DDoSes persist. According to a survey (PDF) of network operators conducted by Arbor Networks—which makes tools for systems administrators to detect and fight denial-of-service attacks—just about every network operator working on a large site sees at least at least one DDoS attack every month, and some see dozens. The attacks are getting larger, too. In 2002, a big DDoS attack might consume only around 400 megabits per second of network bandwidth; today's big attacks, which are usually the product of enormous botnets created by worms like last year's Conficker, consume 100 times more bandwidth, up to 49 gigabits per second. Why have DDoS attacks persisted? And why, after all this time, haven't we found a way to quash them?

It's because the means of attack have been baked into the architecture of the Internet. A Web server's main job is to respond to incoming requests, to serve up Web sites based on public demand. Web servers were originally designed not to discriminate—they didn't look to see where a request originated from, or what it asked for, or whether lots of other machines had been asking for the same thing many thousands of times during the last few minutes. All the server knew how to do was respond—that was its reason for being, its only purpose in life. And that's precisely the weakness that a DDoS exploits.

Jose Nazario, a security researcher at Arbor Networks, says that network operators have tried to build more intelligence into Web servers. A lot of major Web sites use anti-DDoS systems that look for deviations from normal traffic—if requests are spiking beyond the baseline, that's a sign the site could be under attack. Security software also analyzes the kinds of requests that outside machines are making, how often they're asking, where they're located on the network, and what software they're using to connect to your server. Through this analysis, the server can determine which computers on the Web are sending malicious requests and blacklist them. "These tools have been remarkably successful at keeping the net up and running," Nazario says. "Considering the number of attempted attacks that we see and the scale, you don't hear about them very often."

TODAY IN SLATE

Frame Game

Hard Knocks

I was hit by a teacher in an East Texas public school. It taught me nothing.

Yes, Black Families Tend to Spank More. That Doesn’t Mean It’s Good for Black Kids.

Why Greenland’s “Dark Snow” Should Worry You

If You’re Outraged by the NFL, Follow This Satirical Blowhard on Twitter

The Best Way to Organize Your Fridge

Politics

The GOP’s Focus on Fake Problems

Why candidates like Scott Walker are building campaigns on drug tests for the poor and voter ID laws.

Sports Nut

Giving Up on Goodell

How the NFL lost the trust of its most loyal reporters.

Iran and the U.S. Are Allies Against ISIS but Aren’t Ready to Admit It Yet

Farewell! Emily Bazelon on What She Will Miss About Slate.

  News & Politics
Politics
Sept. 16 2014 5:47 PM Tale of Two Fergusons We knew blacks and whites saw Michael Brown’s killing differently. A new poll shows the gulf that divides them is greater than anyone guessed.
  Business
Moneybox
Sept. 16 2014 4:16 PM The iPhone 6 Marks a Fresh Chance for Wireless Carriers to Kill Your Unlimited Data
  Life
The Eye
Sept. 16 2014 12:20 PM These Outdoor Cat Shelters Have More Style Than the Average Home
  Double X
The XX Factor
Sept. 15 2014 3:31 PM My Year As an Abortion Doula
  Slate Plus
Slate Plus Video
Sept. 16 2014 2:06 PM A Farewell From Emily Bazelon The former senior editor talks about her very first Slate pitch and says goodbye to the magazine.
  Arts
Brow Beat
Sept. 16 2014 5:07 PM One Comedy Group Has the Perfect Idea for Ken Burns’ Next Project
  Technology
Future Tense
Sept. 16 2014 1:48 PM Why We Need a Federal Robotics Commission
  Health & Science
Science
Sept. 16 2014 4:09 PM It’s All Connected What links creativity, conspiracy theories, and delusions? A phenomenon called apophenia.
  Sports
Sports Nut
Sept. 15 2014 9:05 PM Giving Up on Goodell How the NFL lost the trust of its most loyal reporters.