FRAMINGHAM (04/24/2000) - The Canadian teen-ager known as Mafiaboy who was arrested last week in connection with an attack against the CNN Web site is an amateur who simply copied tactics used by far more sophisticated attackers who may never be caught, security analysts said.
Despite the hoopla surrounding the 15-year-old's arrest on "mischief to data" charges related to an attack on CNN's Web site on Feb. 8, Mafiaboy is likely not responsible for three other denial-of-service attacks launched earlier. The sites affected between Feb. 7 and 14 were Yahoo Inc., eBay Inc. and Amazon.com Inc.
"He's a 'me-too guy,' just responsible for the CNN denial-of-service that came after the first major hit of Yahoo," said Chris Davis, CEO of Hexedit Network Security Inc. in Ottawa. "The people who instigated it are a bigger threat; they are some of the best in the world, and these are the people I fear daily."
Davis said the tools used in the original attacks were created by much more skillful attackers and could be used again to breach the defenses of e-commerce sites.
"They are so good, you won't catch them unless they make a major mistake," said Davis. "They come up with new stuff all the time, and it is very difficult to stay ahead of them."
Davis said another part of the problem lies in the fact that Internet service providers and other outfits that make up the Internet backbone aren't using ingress filtering, which prevents packet spoofing.
The denial-of-service attacks defeated many defenses because the packets that flooded the targeted servers appeared to be coming from a legitimate source.
Ingress filtering can determine whether a packet was indeed sent from a particular location; if its address is spoofed, it's stopped at the router.
But Michael Lyle, chief technology officer at Recourse Technologies Inc. in Palo Alto, California, noted that this type of filtering affects network performance. In addition, the database for IP addresses isn't always accurate and could result in a loss of legitimate network traffic.
"Databases need to get better, and there needs to be better tools for putting together filtering lists for different service providers automatically," said Lyle.
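The ingress filtering Davis describes, and the database problem Lyle raises, as an added example that is not code from the article or from any router vendor: an edge router checks each packet's source address against the prefixes it expects behind the interface the packet arrived on, and drops anything that does not match. The interface names, prefix database and packets below are constructed; the last packet shows Lyle's caveat, a legitimate customer address dropped because the prefix list is out of date.

```python
from ipaddress import ip_address, ip_network

# Constructed prefix database: which source prefixes legitimately sit behind
# each customer-facing interface of a hypothetical ISP edge router.
PREFIX_DB = {
    "eth1": [ip_network("203.0.113.0/24")],                # customer A
    "eth2": [ip_network("198.51.100.0/25"),                 # customer B, but the
             ip_network("198.51.100.128/26")],              # entry is stale: B now
}                                                           # holds all of /24

# Constructed packets as (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7", "192.0.2.10"),     # genuine customer A traffic
    ("eth1", "192.0.2.44", "192.0.2.10"),      # spoofed source, flood-style
    ("eth2", "198.51.100.130", "192.0.2.10"),  # genuine customer B traffic
    ("eth2", "198.51.100.200", "192.0.2.10"),  # genuine, but outside stale DB
    ("eth9", "203.0.113.7", "192.0.2.10"),     # interface with no DB entry
]


def ingress_allows(interface, src):
    """True if `src` may legitimately arrive on `interface` per PREFIX_DB.

    False means the source is spoofed, the interface is unknown, or the
    database is wrong; the router cannot tell these cases apart.
    """
    addr = ip_address(src)
    return any(addr in net for net in PREFIX_DB.get(interface, []))


def filter_packets(packets):
    """Split packets into (forwarded, dropped) lists using ingress_allows."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if ingress_allows(iface, src) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for pkt in fwd:
        print("FORWARD", pkt)
    for pkt in drp:
        print("DROP   ", pkt)  # includes the stale-database false positive
```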
Another technology some sites are pursuing is a rate-shaping filter that can choke off traffic to a router before it floods a server. According to Lyle, this type of filter on a Cisco Systems Inc. router could be set so that it wouldn't accept more than, say, 500K bits of data on a network connection.
"This is just a stop-gap solution because, ultimately, the attacker will learn to flood with things that look like legitimate network connections like HTTP requests," said Lyle. "It makes sense to shut off the source of the attacks where they are coming from rather than shut them off as they are coming in the door."
While the initial attackers may never be caught, Lyle said denial-of-service attacks have prompted the information technology community to seek a greater degree of cooperation among service providers to exchange information about attacks, capture data and protect sites.
Mafiaboy appears to have used an exploit associated with the Washington University File Transfer Protocol. This gave him remote access to machines where he could plant a tool called Tribe Flood Network, which flooded targeted servers with packets.
"You can get Windows versions of any of those [tools], so any 15-year-old with a Windows 98 computer can take down Yahoo," said Davis. "It's scary."