Mafiaboy Not the Big Fish in DoS Attacks

FRAMINGHAM (04/20/2000) - The Canadian teenager known as Mafiaboy, who was arrested this week in connection with an attack against the CNN Web site in February, is an amateur who simply copied tactics used by far more sophisticated attackers who may never be caught, security analysts say.

The 15-year-old Montreal youth was arrested April 15 and charged with two counts of "mischief to data" for a distributed denial of service attack that brought down the Atlanta-base CNN Web site and 1,200 CNN-hosted sites on Feb.

8. Despite the hoopla surrounding his arrest, Mafiaboy is likely not responsible for three denial of service attacks launched earlier against Yahoo Inc., eBay Inc. and Amazon.com Inc. The entire spate of attacks took place between Feb. 7 and 14.

"He's a 'me-too guy' just responsible for the CNN denial of service that came after the first major hit of Yahoo," said Chris Davis, CEO of Hexedit Network Security Inc. in Ottawa. "The people who instigated it are a bigger threat.

They are some of the best in the world, and these are the people I fear daily."

Davis added that the tools used in the original attacks were created by much more skillful attackers and could be used again to breach the defenses of e-commerce sites. "They are so good, you won't catch them unless they make a major mistake," said Davis. "They come up with new stuff all the time, and it is very difficult to stay ahead of them."

Davis has some experience hunting down computer crackers. He was responsible for locating two Welsh youths in March who stole thousands of credit-card numbers from e-commerce sites under the name Curador. Davis noted that both Curador and Mafiaboy appear to be amateur crackers who use garden-variety attack tools freely available from Web sites.

Mafiaboy appears to have used an exploit associated with the Washington University File Transfer Protocol. This gave him remote access to machines where he could plant a tool called Tribe Flood Network, which flooded targeted servers with packets. Like the similar Trinoo tool, Tribe Flood Network is commonly available on sites such as rootshell.com.

"You can get Windows versions of any of those, so any 15-year-old with a Windows 98 computer can take down Yahoo," said Davis. "It's scary."

Like Curador, Mafiaboy was also partly brought down by online bragging.

Mafiaboy, whose identity is protected under Canadian law, was first identified as a suspect after being observed on an Internet Relay Chat soliciting suggestions for which sites to invade. Michael Lyle, chief technology officer at Recourse Technologies Inc. in Palo Alto, Calif., who witnessed the communication, told the FBI in February that he actually corresponded with Mafiaboy, who claimed to have attacked CNN, ETrade and several smaller sites.

"They do this for notoriety, and they do it for respect," said Davis. "They are 15-year-old nerds and they get no respect in real life so they go to the Internet and take down a site and get respect from their cyberbuddies."

Lyle says log files show that Mafiaboy's discussions of targeting the sites occurred shortly before they were actually attacked. Mafiaboy was located after investigators traced him to attacks against a computer at a research lab at the University of California at Santa Barbara (UCSB). The UCSB computer was broken into on Feb. 8 and used to send a storm of packets against the CNN site, halting regular traffic. Log files kept by UCSB administrators led to a Canadian Internet service provider allegedly used by Mafiaboy.

"With Yahoo and eBay and Amazon, we believe it was most likely a different individual with a different tool set, such as maybe the French hacker group ADM," said Lyle. "The concept of distributed denial of service has been around for quite a while, but it took some sophistication to attack eBay and Yahoo."

Canadian authorities searched Mafiaboy's home last weekend and seized computer equipment suspected of being used in the attacks. The teen appeared in youth court on Tuesday and was released on bail under the conditions that he not use a computer without a teacher present and not visit stores that sell computers or related equipment.

Inspector Yves Roussel of the Royal Canadian Mounted Police said other arrests could be made in the continuing investigation, which is being conducted jointly by the Computer Investigation and Support Unit of the RCMP in Montreal, the FBI, the National Infrastructure Protection Center and the U.S. Department of Justice.

Janet Reno, U.S. attorney general, said the arrest "demonstrated our capacity to track down those who would abuse this remarkable technology and track them down wherever they may be."

But Lyle gave the FBI only a 50-50 chance of catching those involved in the first set of attacks because much of the evidence has been lost. He noted that if an Internet service provider or a company mobilizes quickly during an attack, traffic flow statistics and other crucial data can be captured by routers to build a data trail.

"It seems that mobilization didn't happen on the first day of the attack," said Lyle. "The individual service providers took corrective actions themselves, but there wasn't the widespread cooperation necessary to preserve evidence and get data on what was actually happening."

Join the newsletter!

Error: Please check your email address.

More about Amazon.comCNNDepartment of JusticeeBayETRADE AustraliaFBIHexedit Network SecurityRecourse TechnologiesTribeYahoo

Show Comments