t byfield on Thu, 10 Feb 2000 20:23:41 +0100 (CET)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> PFIR Statement on Recent Internet Denial of Service Attacks

----- Forwarded 

Date: Wed, 9 Feb 2000 21:34:16 -0800 (PST)
Subject: PFIR Statement on Recent Internet Denial of Service Attacks
From: pfir@pfir.org (PFIR - People For Internet Responsibility)
To: PFIR-List@pfir.org

          PFIR Statement on Recent Internet Denial of Service Attacks


	PFIR - People For Internet Responsibility - http://www.pfir.org


Greetings.  The recent rash of "Denial of Service" (DoS) attacks on major
Internet sites such as Yahoo!, E-Bay, CNN, and others, has caused outcries of
surprise and consternation in many quarters, and has become the lead story
for many newscasts.  But these attacks come as no surprise to many of us,
who have long predicted that these sorts of events would come to pass.  

It's basically easy to understand.  Imagine a small firm with two phone
lines.  Now have 10,000 people at pay phones scattered around the world all
trying to call that company at once, and hanging up as soon as there is an
answer.  Few (if any) customer calls will get through, and finding the
perpetrators will be problematic at best.

A variety of software tools are available for launching effectively
anonymous DoS attacks on the Internet, which in many cases may involve
otherwise innocent computers "hijacked" for this purpose.  While some of the
simpler attack methods may be repelled to a degree by "filtering" to block
some of the offending data, the fundamental structure of the existing
Internet makes complete solutions essentially impossible.  We can expect to
see a rapid evolution in the sophistication of such attacks and their
relative invulnerability to quick eradication.  There will not be simple
answers of any lasting value.

There are a number of very important lessons to be learned from these
events.  It seems apparent that the rush to move all manner of important or
even critical commercial, medical, government, and other applications onto
the Internet and Web has far outstripped the underlying reality of the
existing Internet infrastructure.

Compared with the overall robustness of the U.S. telephone system, the
Internet is a second-class citizen when it comes to these kinds of
vulnerabilities.  Nor will simply throwing money at the Internet
necessarily do much good in this regard.  More bandwidth, additional
servers, and faster routers--they'd still be open to sophisticated (and
even not so sophisticated) attacks which could be triggered from one PC
anywhere in the world. 

In the long run, major alterations will be needed in the fundamental
structure of the Internet to even begin to get a handle on these sorts of
problems, and a practical path to that goal still remains fuzzy at this

For now, it might be advisable for everyone to remember that the Internet,
for all its wonders, is in many ways very fragile.  We must not allow
ourselves to get into a position where being cut off from a site for a few
hours--or even longer--puts people or property at risk.  Our lives should
not revolve around guaranteed 24/7 access to E-Bay, or Yahoo!, or *any*
site on the public Internet, regardless of its importance.  The need for
alternative access methods for critical systems, and the potential
recklessness of eliminating older systems in exchange for 100% Internet
dependence, cannot be overstated. 

The current attacks are sure to be but the beginning.  Many even more
attractive targets are likely to be appearing that will draw ever more
sophisticated fire.  Imagine what a concerted denial of service attack
might do to an election with Internet/Web-based voting--a technology being
pushed on a fast track in many quarters. 

It's time to get past the "dot com" hype and to start considering
carefully the realities, and limits, of the technology on which we're
trying to base so much, so very fast.  If we continue to plow ahead
without heeding these lessons, it will be at our extreme peril. 

Lauren Weinstein
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

----- Backwarded

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net