Denial of Service Attacks

In the first quarter of 2000, there were several attacks on very popular Web sites. Most of these were "Denial of Service" attacks -- attacks that served to prevent regular readers and customers of the sites from getting a response to their requests. How did someone manage to do this? They did it by flooding the servers, and their attached routers, with requests for information at a rate far too great for the system to handle.

Most routers have rules in the configuration table that won't allow millions of requests from the same sending address. If too many requests from one address are received in a short period of time, the router simply discards them without forwarding. The people responsible for the attacks knew this, so they illicitly planted programs on many different computers. These programs, when triggered, began sending thousands of requests a minute to one or more Web sites. The programs "spoofed" the IP address of the sender, placing a different false IP address on each packet so that the routers' security rules wouldn't be triggered.

When the packet floods were triggered, millions of requests for information began to hit the targeted Web sites. While the servers were being heavily taxed by the requests, the real impact was to the routers just "upstream" from the servers. Suddenly these routers, which were robust but of a size appropriate for normal traffic, were getting the levels of requests normally associated with Internet backbone routers. They couldn't handle the massive number of packets, and began discarding packets and sending status messages to other routers stating that the connection was full. As these messages cascaded through the routers leading to attacked servers, all paths to the servers were clogged, legitimate traffic couldn't get through the logjam, and the attackers' goals were accomplished.

Web content providers and router companies have placed new rules designed to prevent such an attack in the configuration tables, and the companies and universities whose computers were used to launch the attacks have worked to prevent their systems being used maliciously. Whether their defenses, or the new attacks designed by criminals, will prevail remains to be seen.