DISTRIBUTED DENIAL OF SERVICE ATTACK

Jack Hutchins, president of Aget Clothing, shook his head as he stared at the 1,000-plus page server log from the night before. According to Tim Shelley, Aget's part-time technology support person, the distributed denial of service (DDoS) attack had been 100 per cent effective in shutting down Aget's web services. Fortunately the attack occurred at 1:15 a.m. and lasted only 12 minutes, so that customer impact was minimal ... this time. But Hutchins worried about next time. He had asked Shelley to provide more information about the attack and what they could do about it, and in response had received a stack of books, magazine articles, and white papers dealing with information technology (IT) security.

Hutchins' concerns were well founded, as attested by many recent news headlines: "Computer virus uses Canada Post scam" - "Saskatchewan teen charged with hacking New York City-based website" - "Gambler hit by online glitch unhappy with BC Lottery Corporation response." IT security failures strike fear into the hearts of technology-savvy business executives who cannot help but wonder, "Will we be next?" A 2009 study by the University of Toronto and Telus Corporation revealed that threats originate from both inside the organization (e.g., unauthorized access to information by employees) and outside (e.g., software viruses), with an average annual loss exceeding $834,000 per firm. DDoS attacks are a particularly debilitating threat, and Canada has earned a notorious reputation in this area thanks to one Canadian teenager.

Canada had developed some notoriety as a source of DDoS attacks. In the year 2000, 15-year-old Michael Calce sat at his computer in Montreal, contemplating which web server to attack next. Three years earlier his best friend had tragically died in a car accident, spawning a sense of powerlessness in the young boy. As he processed his new reality, Calce submerged himself in the dark side of the web, eventually seeking out methods to attack online systems. Says Calce, "With these tools in hand, I began to feel like I was in control of the Internet, rather than the other way around. The sense of power and possibility was intoxicating." From the apparent safety of his alter-ego, "Mafiaboy," Calce launched DDoS attacks on the very largest web companies: Amazon, CNN, Dell, eBay, Yahoo!, and others. His activities rendered the servers unresponsive to legitimate customers for hours at a time and drew the attention of the financial markets and senior political leaders in Canada, the United States and abroad. Some estimates pegged total damages from Mafiaboy's exploits at Cdn$1.7 billion. The fact that the devastating attacks were accomplished using such inexpensive and ubiquitous technologies as a PC and Internet connection was concerning enough, but that a mere teenager accomplished them was downright terrifying. The authorities eventually tracked down Calce, but only because he bragged about his exploits in some online chat rooms. He was sentenced to a year of probation, restricted use of the Internet and a small fine.

While a DDoS attack may sound technically sophisticated, in fact most are based on a simple and unimaginative idea: the prank telephone call. Imagine a naughty child who picks up the telephone, calls a number at random, makes a joke and then hangs up. To the victim, this single call might be a minor nuisance. If the child calls the same victim several times in a row, the victim might become annoyed at the inane disturbances. However, if the prankster gets 100 friends to call the same victim continuously, legitimate calls would no longer have a chance to get through. The victim's telephone system would have become compromised. Likewise, in a typical brute-force DDoS attack, the hacker may connect with thousands of software "bots" running on remote Internet-connected PCs (typically compromised using trojan viruses) and instruct them to contact a particular web server at a given time. The server tries to respond to this incoming flood of requests, but it quickly becomes overloaded by the sheer volume of connection requests. Legitimate users have no chance to get through. The hacker can evade capture via "spoofing," i.e., by modifying the return address on malicious data packets. In hacker parlance, the server has been "pwned" (see http://en.wikipedia.org/wiki/Pwn).

Just as technology evolves rapidly, cyber criminal behaviours such as DDoS attacks have become increasingly prevalent and sophisticated. Responding to them remains a challenge and depends on a few key factors. For example, if the content of the incoming DDoS packets is in some way characterizable, it may be possible to filter them out (ignore them) and accept only legitimate packets. If the target of the attack is a particular back-end resource or application, as opposed to the front-end network server, then load balancing or authentication techniques may be configured to minimize impact. If the DDoS packets are originating from a constrained geographical locale, a distributed server architecture may be designed to provide localized protection (e.g., duplicate servers in North America and Europe to handle the traffic from those regions).
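
One way to check whether flood traffic is "characterizable" in the sense described above, shown as an added example that is not part of the original case. The log format, addresses, path, user agent and thresholds are constructed assumptions; the sample mirrors the case only in its 1:15 a.m. start and 12-minute duration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Combined log format: source, timestamp, request line, status, size, referer, agent.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def build_sample_log():
    """Constructed data: one hour of light traffic plus a 12-minute flood at 01:15."""
    fmt = '{ip} - - [01/Jan/2010:01:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for m in range(60):                      # normal shoppers, 3 requests a minute
        for i in range(3):
            lines.append(fmt.format(ip=f"198.51.100.{i + 1}", m=m, s=i * 10,
                                    path=f"/catalog/item{i}", ua="Mozilla/5.0"))
    for m in range(15, 27):                  # flood: 200 sources, one request shape
        for i in range(200):
            lines.append(fmt.format(ip=f"203.0.113.{i}", m=m, s=i % 60,
                                    path="/search?q=a", ua="bot/1.0"))
    return lines

def find_flood(lines, factor=10, share=0.8):
    """Return the flood window and, if one request shape dominates it, that shape."""
    per_minute = defaultdict(list)
    for line in lines:
        hit = LINE.match(line)
        if not hit:
            continue                         # skip lines that are not in the expected format
        ip, ts, path, agent = hit.groups()
        minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
        per_minute[minute].append((ip, path, agent))
    if not per_minute:
        return None
    baseline = median(len(reqs) for reqs in per_minute.values())
    hot = sorted(m for m, reqs in per_minute.items() if len(reqs) > factor * baseline)
    if not hot:
        return None
    reqs = [r for m in hot for r in per_minute[m]]
    shape, hits = Counter((p, a) for _, p, a in reqs).most_common(1)[0]
    return {
        "start": hot[0], "minutes": len(hot), "requests": len(reqs),
        # Per-source counts stay low in a distributed flood, so report the shared shape.
        "signature": shape if hits / len(reqs) >= share else None,
        "sources": len({ip for ip, p, a in reqs if (p, a) == shape}),
    }

if __name__ == "__main__":
    print(find_flood(build_sample_log()))
```

A non-empty `signature` means a filter on that path and user agent would drop most of the flood while leaving the catalog traffic alone; `None` means the attack traffic has no dominant shape and filtering on content is not an option.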

As Hutchins pondered the attack, he felt decidedly unsettled about the state of his firm's IT security. True, since enabling the online sales channel five months ago, revenue had grown by $1.2 million or four per cent. And yet, a major security breach that resulted in the shutdown of systems or theft of customer data could do irreparable damage to the firm. Perhaps the company should retreat from online sales and return to emphasizing traditional retail approaches.

DISCUSSION QUESTIONS

1. Did Calce's punishment fit the crime?

2. How much computer expertise do you believe is required to launch a DDoS attack today?

3. Hackers clearly pose a threat to online businesses such as Amazon and eBay since, if their servers are inaccessible, the companies' business activity can be interrupted. Why should traditional (non-IT-focused) businesses pay attention to hacker threats?

4. Should Hutchins retreat from doing business online?
