The Guardian in the UK was one of several media outlets that ran with stories inspired by my DDoS editorial in 2000.


The Guardian – United Kingdom, Feb 17, 2000, 399 words

One point that was usually missed last week, in the furore over so-called Denial of Service (DoS) attacks on leading websites, was that we all suffered.

We suffered because some useful websites, such as Yahoo! and eBay, were not available for several hours while their routers and servers coped with a flood of spurious data. We also suffered because the internet slowed down, both because of the attacks and because of the extra traffic generated as people tried to find out what was going on. According to measurements taken every 15 minutes by Keynote, a US-based internet monitoring company, the net’s average performance ‘degraded by 26.8%’ on Wednesday, February 9. That assessment is based on Keynote’s Business 40 Index, which includes only three of the websites attacked: Yahoo!, ZDNet and Excite.

Although DoS attacks are, technically, old hat, this may be the first time they have been concerted enough to have a measurable effect.

Another point – though one less often missed – was that ‘innocent bystanders’ made a major contribution to the problem.

DoS attacks work by flooding the target site, and this involves using hundreds of computers around the internet to generate traffic. Each of these computers must be running one of the DoS agent programs, such as Tribal Flood Network, Trinoo or Stacheldraht, which has been put there by the attacker, undetected by the machine’s owners. Each of these agents is also communicating with its master program in detectable ways.

Matt Devost, a senior consultant with Security Design International in Virginia, put it like this. ‘Corporate executives are spending a lot of time worrying about whether they will be the next victim of attack,’ he said, ‘when in reality they should be worrying about whether their organisation unknowingly participated in the attack.’

Anybody can be attacked, and the victim can do little about it. But anybody with a computer attached to the internet could be taking part in the attack. That is avoidable, and from now on, it’s inexcusable.

Just as companies routinely scan their computers for viruses and (if they have a clue) trojans such as SubSeven, they will have to start scanning for DoS agents or ‘Zombies’.

This week, Network Associates, an anti-virus company in California, announced a free web-based CyberCop Zombie Scan service, and has started notifying network administrators that their systems are infected. Users can access this service by going to; no doubt alternatives will appear.

It’s going too far to say that the perpetrators of the latest DoS attacks, whether they were infowar experts or ‘script kiddies’ having a laugh, performed a useful public service. However, they certainly got the message about DoS attacks right under chief executives’ noses. This is something network administrators have never managed to do, even though they’ve known about the problem for years.