Technology News Technology News



Another Perspective



SCRIPT KITTIES

Every once in a while, professionals who work in risky situations are overtaken by the risks.  Watching such people operate can be thrilling; something terrible might happen.  Yet if that bad thing actually happens, the audience might not be thrilled at all.  It's the risk that's invigorating, not the misfortune of the risk-taker.  The best thing that can happen once the worst thing happens is that other professional daredevils might become a bit more cautious.  Human nature and history, however, suggest that people don't learn from others' experience, nor from their own.

It will be interesting to see if performers who work with big cats and other dangerous creatures revise their techniques in the wake of the disaster that recently befell the sensational performer Roy Horn.

Horn, of Siegfried and Roy, an act that is the entertainment centerpiece of the MGM Mirage resort in Las Vegas, was nearly killed by Montecore, one of the white tigers in the show.  Because the mauling occurred before an audience, there is no shortage of information on what happened.  Of course, nobody, not even Roy's partner, Siegfried Fischbacher, knows why the tiger turned on Roy, although reporters had little difficulty in obtaining speculative comments from professional animal handlers and other presumed experts.  Still, one thing is clear: tigers are very dangerous and capricious, even when managed by skilled professionals.

Siegfried and Roy
Siegfried and Roy
The pride of Fischbacher and Horn

The Internet can be pretty dangerous, too.

At the end of July, a number of technology companies suffered extraordinarily effective distributed denial of service attacks.  Some of the targets were big names, like Microsoft.  Others were relatively obscure.  Among the lesser-known victims was the hosting company Chicago Webs, which happens to play a prominent role in the development community that has sprung up around Macromedia Dreamweaver.

The reason why I know Chicago Webs was hit by a DDOS attack is that several of my clients happen to buy computer services from the firm.  When they were knocked out, so was I, and so were other sites I had built in their server farm.

I was pretty surprised by the devastation, but not as surprised as Chicago Webs' technical crew.  They are not only top-notch server geeks with considerable experience cracking tough problems, but they have their servers in a fortress.  Chicago Webs' server farm is housed in a first-class facility owned by Cable & Wireless; it was formerly part of Exodus.

It's not the job of Cable & Wireless to protect Chicago Webs from DDOS attacks, although it does contribute.  What C&W provides is a superior physical plant, steady electric power, and Internet backbone capacity.  There is some network and switching protection built into the C&W environment, but it's up to Chicago Webs to cope with whatever comes down the pipes into its cluster of servers.

In other words, Chicago Webs is in the same position as any other company that has servers exposed to the Internet.  Because it is a small outfit, it does not have so much capacity that it can absorb the packet floods that constitute DDOS attacks without flinching.  Microsoft, on the other hand, has such a huge network that the biggest beating attackers can hand out might be modest when compared with the pounding it gets from ordinary traffic.  At about the same time Chicago Webs was crippled, Microsoft suffered a similar attack and lost some of its network for about two hours.

So Chicago Webs more closely resembles midsized corporations than giants.  Where it differs from organizations that use computers to carry out other business is that Chicago Webs has all its eggs in the same computing basket.  When it was subjected to a large, sustained attack it went off the air for a few days during which it acquired, installed, and configured an Attack Mitigator from Top Layer Networks to supplement its Cisco routers and other network apparatus.

The Chicago Webs story, like that of Siegfried and Roy, begs a question: could the risk-takers have done something that might have prevented the catastrophe?  Siegried and Roy and big cats have been working together for 40 years without any incident like the recent one.  Chicago Webs is not quite six years old, so its history of high uptime might not carry as much weight, but our an informal survey of comments on the company posted to the newsgroups during the past few years indicates they have provided a high uptime on servers used by their customers for strategically important Web sites.  Because it specializes in Windows hosting, it must pay quite a bit of attention to security issues in order to keep its computers alive.

The company was hit by a DDOS attack in March but had little difficulty fending it off.  The July 31 attack, which just plain murdered its routers, was bigger — and different.  It wasn't aimed at Web servers or e-mail servers but at name servers.  A name server can be the Achilles' heel of a network, as not only DDOS victims but also ordinary users who have misconfigured DNS well know.  But a DDOS attack aimed at any server exposed on the Web can be debilitating, making this particular type of high tech villainy a topic of interest, even among outfits that use robust external name servers managed by an outside service provider.  Having relatively secure and resilient name servers does not mean your systems are safe; it only means that DNS is probably not your weakest link.

Chicago Webs has now solved its DDOS attack vulnerability issue, and its experts have unearthed some details on the attack it suffered.  They are not saying whether they ever traced the attack back to its perpetrator or figured out why they, of all corporate creatures hooked to the Internet, were targeted.  The only thing they openly talk about in connection with the DDOS attack is their installation of equipment from Top Level.

What Attack Mitigator and routers from all the major players do to fend off DDOS attacks is to detect evil packets and to flush them before they can get to a server inside their security perimeter.  The packets still come in to the targeted netblock, eating bandwidth and possibly making a Web site or e-mail server invisible behind the cloud of rogue data.  In other words, if somebody wants to slow down or stop a server using a DDOS attack, if that server is on a T1 line with its 1.5 Mbit capacity, or a couple of them, they can do it.

The basic way a DDOS works is that a number of robot programs aimed at the target all start hammering it at once.  Each of these bots is a Trojan horse, living in some PC or server, waiting for a signal and equipped with whatever it takes to flood the target when the order is broadcast.  The attack order is unlikely to come from a single source; instead, it may be relayed through a large number of intermediate bots that also lurk inside PCs or servers connected to the Internet.  These intermediate bots may get their order from the boss attacker, via yet another bot, planted somewhere else.

The army of programs that create an attack does not have to be very large.  Chicago Webs believes it took something like 700 hijacked computers to hammer it into the ground.  There are probably 50 million Web sites on the Internet, and each site has a logical, if not a physical, server that is capable of participating in a DDOS attack.  In addition, there are tens of millions of ordinary PCs with broadband connections fast enough to make them potential threats, too.

The technology commonly used to link the malicious bots is a message-passing system that's widely used all over the world, Internet Relay Chat.  IRC is not part of the business mainstream, but it's very popular among computer buffs and those who want to set up intelligent private communications networks.

The IRC bots that direct traffic within IRC groups or communities are mostly very cute and entertaining programs.  When they're not being used by script kiddies, they are pussycats, not tigers.  But big cats or little cats, IRC bots are things about which most commercial computing staffers know absolutely nothing.  If they never have to learn about these things, they are very fortunate, indeed.

— Hesh Wiener October 2003


Copyright © 1990-2017 Technology News of America Co Inc.  All rights reserved.