Look at me, Mum! I killed eBay!

2000-02-09

Denial of service attacks have always had an uneasy relationship with other types of security requirement. The main reason for this is that they do not directly impact on that all-important corporate data: nothing is lost, corrupted or revealed to prying eyes. Hence, in security policy definition and implementation, such attacks have often been given a lower priority than they deserve.

This point has been starkly illustrated over the past few days, as a number of major commercial Web sites have succumbed to denial of service attacks. On the 7th February, Yahoo was the first to be bitten. The next day Amazon, Buy.com, eBay and CNN were all brought to their knees for anything between one hour and three hours. While it is not clear whether the attacks were all caused by the same group (as nobody has yet indicated responsibility), it is clear that copycat attacks are inevitable over the coming days and weeks.

Why would somebody want to bring a Web site to its knees? There are as many reasons as there are Web sites. Everything from cyberterrorism to (ironically) disgruntlement with the service, from anticompetitive behaviour to sheer high-jinks can bring a person or group to assault a site. Now that the simplicity of such attacks has been revealed, using “innocent” computers to host a Trojan Horse program which, at a predetermined time or on command, will send a stream of requests to the targeted site, the attacks look set to move into the mainstream of security problems. Given the arrival of broadband communications technologies which enable home computers to keep “always-on” connections to the Web, the pool of relatively insecure devices which can be used as proxies looks set to increase. Denial of service attacks are harder to prevent than they are to cause: the best measures tend to involve the inclusion of tools which can spot this kind of behaviour and either alert the appropriate person or instigate a suitable response.

Above all, denial of service attacks serve to illustrate the fragility of the electronic infrastructures that we are building, if they are not properly constructed to take into account all possible security and privacy measures. The attacks are not only damaging to the bottom line of the businesses they hit, but are bad press for eCommerce as a whole. So far it looks like investors are prepared to ride the storm and stick with the dot-coms, but given the looming issues of the long term financial future of such companies, the tar-brush of denial of service is one which organisations such as Amazon could do without.

(First published 9 February 2000)