Update: Mafiaboy a copycat; attacks could have been stopped

The Canadian teen-ager known as Mafiaboy, who was arrested this week in connection with an attack against the CNN Web site in February, is an amateur who simply copied tactics used by far more sophisticated attackers who may never be caught, security analysts say.

The 15-year-old Montreal boy was arrested on April 15 and charged with two counts of "mischief to data" for a distributed denial-of-service attack that brought down the Atlanta-based CNN Web site and 1,200 CNN-hosted sites on Feb. 8. Despite the hoopla surrounding his arrest, Mafiaboy is likely not responsible for three denial-of-service attacks launched earlier against Yahoo Inc., eBay Inc. and Amazon.com Inc. The entire spate of attacks took place between Feb. 7 and 14.

"He's a 'me-too guy,' just responsible for the CNN denial of service that came after the first major hit of Yahoo," said Chris Davis, CEO of Hexedit Network Security Inc. in Ottawa. "The people who instigated it are a bigger threat; they are some of the best in the world, and these are the people I fear daily."

Davis said the tools used in the original attacks were created by much more skillful attackers and could be used again to breach the defenses of e-commerce sites. "They are so good you won't catch them unless they make a major mistake," said Davis. "They come up with new stuff all the time, and it is very difficult to stay ahead of them."

Davis said another piece of the problem lies with the fact that Internet service providers (ISPs) and other outfits that make up the Internet backbone aren't using ingress filtering, which blocks packets carrying spoofed source addresses. The denial-of-service attacks defeated many defenses because the packets flooding targeted servers appeared to be coming from a legitimate source. An ingress filter checks each packet's source address against the address ranges assigned to the network it arrived from; a packet claiming a source outside those ranges has been spoofed and is dropped at the edge router before it ever reaches the backbone.

But Michael Lyle, chief technology officer at Recourse Technologies Inc. in Palo Alto, Calif., noted that this type of filtering affects network performance. In addition, the records of which IP address ranges belong to which network aren't always accurate, so a filter built from them could drop legitimate traffic. "Databases need to get better and there needs to be better tools for putting together filtering lists for different service providers automatically," said Lyle.
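The following is an added example, not code from the article or from either company quoted in it. It simulates the ingress check described above: a provider's edge router keeps a table of which source prefixes each customer-facing interface is entitled to originate, and drops any packet whose source address is not in that table. The prefixes, interface names and packets are constructed for illustration (the addresses are documentation ranges, not real assignments), and one table entry is deliberately stale to show Lyle's caveat: a legitimate packet from an address the records don't cover is dropped along with the spoofed ones.

```python
from ipaddress import ip_address, ip_network

# Constructed allocation table (assumed values, not real assignments): the
# source prefixes each customer-facing interface may originate. A provider
# would build this from its address allocation records, which is exactly
# where inaccuracies creep in.
INTERFACE_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],
    # Deliberately stale entry: assume the customer actually holds all of
    # 203.0.113.0/24, but the records only list the lower half.
    "cust-B": ["198.51.100.0/24", "203.0.113.0/25"],
}


def build_filter(table):
    """Parse the allocation table into network objects per interface."""
    return {iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def ingress_permits(filt, interface, src):
    """Ingress filtering: permit a packet only if its source address lies inside
    a prefix assigned to the interface it arrived on. Anything else is treated
    as a spoofed source and dropped at the edge, before it reaches the backbone."""
    addr = ip_address(src)
    return any(addr in net for net in filt.get(interface, []))


def apply_ingress_filter(filt, packets):
    """Split packets of the form (interface, src, dst) into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if ingress_permits(filt, iface, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets arriving at the provider's edge, as (interface, src, dst).
SAMPLE_PACKETS = [
    ("cust-A", "192.0.2.10", "192.0.2.200"),     # genuine source: forwarded
    ("cust-A", "10.7.7.7", "192.0.2.200"),       # spoofed private source: dropped
    ("cust-A", "198.51.100.9", "192.0.2.200"),   # spoofed with cust-B's address: dropped
    ("cust-B", "203.0.113.20", "192.0.2.200"),   # genuine, inside the recorded /25: forwarded
    ("cust-B", "203.0.113.200", "192.0.2.200"),  # genuine, but outside the stale /25: collateral drop
]


def demo():
    """Run the sample packets through the filter; returns (forwarded, dropped)."""
    return apply_ingress_filter(build_filter(INTERFACE_PREFIXES), SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drop = demo()
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

The last packet is the one Lyle is worried about: the filter is only as good as the allocation data behind it, which is why he calls for better databases and for tooling that assembles the per-interface lists automatically rather than by hand.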

Another solution some sites are pursuing is a rate-shaping filter, which can throttle traffic at a router before it floods a server. According to Lyle, this type of filter on a Cisco router could be set so that it wouldn't accept more than, say, 500 kilobits per second on a network connection.

"This is just a stop-gap solution because ultimately the attacker will learn to flood with things that look like legitimate network connections like HTTP requests," said Lyle. "It makes sense to shut off the source of the attacks where they are coming from rather than shut them off as they are coming in the door."
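The next block is an added example, not code from the article or from Recourse Technologies, showing why the rate limit Lyle describes is only a stop-gap. It implements a token-bucket policer capped at 500 kbit/s (the figure from the article; the 12,000-bit burst allowance is an assumed value) and runs it over constructed traffic: a 12 Mbit/s packet flood with small legitimate HTTP requests interleaved. The policer holds the link to its budget, but it judges only bits per second, so it drops legitimate requests alongside the flood and cannot tell the two apart once the attacker sends traffic that looks like ordinary requests.

```python
RATE_BPS = 500_000      # link budget: the "500 kilobits per second" from the article
BURST_BITS = 12_000     # assumed burst allowance: one 1500-byte packet's worth


def police(packets, rate_bps=RATE_BPS, burst_bits=BURST_BITS):
    """Token-bucket policer. packets: list of (t_us, label, bits) sorted by time.
    Tokens (bits of credit) refill at rate_bps, capped at burst_bits; a packet is
    forwarded only if enough credit has accumulated, otherwise it is dropped.
    Returns (forwarded, dropped)."""
    tokens = burst_bits
    last_us = packets[0][0] if packets else 0
    forwarded, dropped = [], []
    for t_us, label, bits in packets:
        # rate_bps bits per second == rate_bps / 1e6 bits per microsecond
        tokens = min(burst_bits, tokens + (t_us - last_us) * rate_bps // 1_000_000)
        last_us = t_us
        if bits <= tokens:
            tokens -= bits
            forwarded.append((t_us, label, bits))
        else:
            dropped.append((t_us, label, bits))
    return forwarded, dropped


def legitimate_http(n=10, period_us=10_000, bits=3_200):
    """Constructed: a 400-byte HTTP request every 10 ms, i.e. 320 kbit/s, under budget."""
    return [(500 + i * period_us, "http-get", bits) for i in range(n)]


def flood(n=100, period_us=1_000, bits=12_000):
    """Constructed: a 1500-byte flood packet every millisecond, i.e. 12 Mbit/s."""
    return [(i * period_us, "flood", bits) for i in range(n)]


def summarize(forwarded, dropped):
    """Count forwarded/dropped packets per traffic label."""
    counts = {}
    for label_list, key in ((forwarded, "forwarded"), (dropped, "dropped")):
        for _t, label, _bits in label_list:
            counts.setdefault(label, {"forwarded": 0, "dropped": 0})[key] += 1
    return counts


def demo():
    """Police legitimate traffic alone, then the same traffic under flood."""
    quiet = police(legitimate_http())
    mixed = police(sorted(flood() + legitimate_http(), key=lambda p: p[0]))
    return summarize(*quiet), summarize(*mixed)


if __name__ == "__main__":
    quiet, mixed = demo()
    print("without flood:", quiet)
    print("under flood:  ", mixed)
```

Without the flood every request fits the budget; under the flood the policer keeps the link near 500 kbit/s, but the credit is consumed by whichever packet arrives first, so legitimate requests are collateral damage. That is the limit Lyle points to: shaping at the victim's door caps the damage, while stopping the flood at its source is what actually protects the site.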

Davis said there is no easy solution to denial-of-service attacks. "There is no way to particularly fix it without changing your version of the Internet Protocol," said Davis. "IPv4 has a problem with the way the packets are routed."

While the initial attackers may never be caught, Lyle says denial-of-service attacks have prompted the IT community to seek a greater degree of cooperation among service providers to exchange information about attacks, capture data and protect sites. Lyle said peering agreements between providers who accept packets from one another will start mandating immediate response times for certain security actions to be taken when an attack occurs.

Davis has some experience hunting down computer crackers. He was responsible for locating two Welsh youths in March who stole thousands of credit-card numbers from e-commerce sites under the name Curador. Davis notes that both Curador and Mafiaboy appear to be amateur crackers who use garden-variety attack tools freely available off Web sites.

Mafiaboy appears to have used an exploit for the Washington University FTP daemon (wu-ftpd). This gave him remote access to machines where he could plant a tool called Tribe Flood Network, which flooded targeted servers with packets. Like the similar Trinoo tool, Tribe Flood Network is commonly available on sites such as rootshell.com.

"You can get Windows versions of any of those, so any 15-year-old with a Windows 98 computer can take down Yahoo," said Davis. "It's scary."

Like Curador, Mafiaboy was also partly brought down by on-line bragging. Mafiaboy, whose identity is protected under Canadian law, was first identified as a suspect after being observed on an Internet Relay Chat soliciting suggestions for which sites to invade. Lyle, who witnessed this communication, told the FBI in February that he actually corresponded with Mafiaboy, who claimed to have attacked CNN, E*TRADE and several smaller sites.

"They do this for notoriety, and they do it for respect," said Davis. "They are 15-year-old nerds, and they get no respect in real life, so they go to the Internet and take down a site and get respect from their cyberbuddies."

Lyle says log files show that Mafiaboy's discussions of targeting the sites occurred shortly before they were actually attacked. Mafiaboy was located after investigators traced him to attacks against a computer at a research lab at the University of California at Santa Barbara (UCSB). The UCSB computer was broken into on February 8 and used to send a storm of packets against the CNN site which halted regular traffic. Log files kept by UCSB administrators led to a Canadian ISP allegedly used by Mafiaboy.

"With Yahoo and eBay and Amazon, we believe it was most likely a different individual with a different tool set such as maybe the French hacker group ADM," said Lyle.

"The concept of distributed denial of service has been around for quite a while, but it took some sophistication to attack eBay and Yahoo," he added.

Canadian authorities searched Mafiaboy's home last weekend and seized computer equipment suspected of being used in the attacks. The teen appeared in youth court on Tuesday and was released on bail under the conditions that he not use a computer without a teacher present and not visit stores that sell computers or related equipment.

Inspector Yves Roussel of the Royal Canadian Mounted Police said other arrests could be made in the continuing investigation, which is being conducted jointly by the Computer Investigation and Support Unit of the RCMP in Montreal, the FBI, the National Infrastructure Protection Center and the U.S. Department of Justice.

Janet Reno, U.S. attorney general, said the arrest "demonstrated our capacity to track down those who would abuse this remarkable technology and track them down wherever they may be."

But Lyle gives the FBI only a 50-50 chance of catching those involved in the first set of attacks because much of the evidence has been lost. He notes that if an ISP or a company mobilizes quickly during an attack, traffic flow statistics and other crucial data can be captured by routers to build a data trail.

"It seems that mobilization didn't happen on the first day of the attack," said Lyle. "The individual service providers took corrective actions themselves, but there wasn't the widespread cooperation necessary to preserve evidence and get data on what was actually happening."


Copyright © 2000 IDG Communications, Inc.
