How To Destroy The Internet - Disclaimer

First, I would like to make it perfectly clear that I am publishing my twisted and evil method for destroying the internet without any intent to encourage anyone to actually do it. If in fact anyone does this, my Ninja Death Squad will be dispatched to hunt you down and make you watch Powerpuff Girls until you die of cerebral hemorrhage.

Part of the art of being a Mad Overlord is that it is quite enough to know how to wreak chaos and devastation. You don't actually have to go and do it (it's messy, there are more fun things to do, and it attracts the unwelcome attentions of the Forces of Goodness, who are real party-poopers).

Thus, this method is published for three reasons: first, and most importantly, to impress you with my evil and devious mind; second, in the hope that a certain company whose software will almost certainly be used in carrying out this attack (if someone is so clueless as to try it) will get their act together and put some extra effort into making it more difficult; and finally, in an effort to broadly disseminate knowledge of the technique so that it can be discussed and countermeasures developed.

Distributed Denial of Service Attacks

In early 2000 several major sites (such as Yahoo!) were assaulted by distributed denial of service attacks. These involved a hacker or hackers gaining control of about 100 computers around the net and using them to flood the target server(s) with requests, in the hope of overloading them. The computers used were "slaves", used to launch a coordinated attack on the target.

The exact details of these denial of service attacks are irrelevant to this discussion. What is relevant is that these attacks are highly asymmetric: a small amount of computing and bandwidth (to generate a bogus request and send it to the target) forces the target to consume a larger amount of computing and bandwidth to respond. Thus, each of the slaves can create a load on the target equivalent to thousands of normal users, and a relatively small number of slaves can overwhelm even the mightiest site.

Email Viruses

In the last year or so, we've also seen quite a few "email viruses"; malicious emails with embedded scripts or code that could not only do nasty things on a user's machine (a "trojan horse") but could also exploit security flaws in email applications, most notably those created by Microsoft, and send themselves on to everyone in the victim's address book.

It is important to keep in mind that the reason these viruses targeted Microsoft applications is not necessarily that Microsoft apps are more vulnerable than those from other vendors, but that they are much more common. However, it is also important to keep in mind that after each virus release incident, patches were made to the applications involved, sighs of relief were uttered, and the whole cycle repeated when a new vulnerability was uncovered. Thus, we can have no assurance that there are no as yet undiscovered security problems with these programs.

Put them together and it's adios Internet

Now consider the following hypothetical email virus. The carrier part of the virus exploits a new security hole in a popular email application to email itself to everyone in the victim's address book. But it also installs a trojan horse on the victim's computer, which in its simplest and most insidious form is what I call an Autonomous Random Denial of Service Robot.

This little chunk of code simply picks URLs of major websites at random from a list (or creates them by looking at email addresses in the email application), and makes HTTP requests. It doesn't need to execute any of the fancy denial of service techniques (though it could if it wanted). It just waits until the computer is connected to the internet, and then, as unobtrusively as possible, uses all the extra bandwidth that the user isn't using to pester the target websites.

If 100 slave computers could overwhelm some of the major sites on the internet, think about what 100,000 machines could do, even if their attack technique was not very sophisticated. In fact, if they just acted like regular browsers and requested homepages, the targets would have little clue that they were being attacked apart from the crippling surge of traffic generated. Such an attack would be very difficult to detect, let alone defend against.
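The detection problem the previous two paragraphs describe can be made concrete from the server side. The Python below is an added example, not code from the essay or its author: it builds a per-minute traffic baseline from constructed web access-log lines, then labels later minutes. A minute whose request volume jumps while one client accounts for the jump is a single-source flood; a minute whose volume jumps while every client's own rate still looks like an ordinary browser is the distributed, "just requesting homepages" surge the essay predicts would be hard to spot. The log format, thresholds and IP addresses are all constructed for the example.

```python
"""Label per-minute web traffic as normal, single-source flood, or distributed surge.

Added example, not from the original essay. Log lines are constructed; the
Common Log Format subset, thresholds and addresses below are assumptions.
"""
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed pattern: client IP, timestamp to minute resolution, request line.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d):\d\d [^\]]*\] "([^"]*)"')


def build_sample_log():
    """Constructed access-log lines: three quiet minutes, one minute where a
    single client hammers the homepage, and one minute where 100 distinct
    clients each fetch the homepage a few times like ordinary browsers."""
    lines = []
    quiet_ips = [f"10.0.0.{i}" for i in range(1, 11)]
    for minute in ("12:00", "12:01", "12:02"):
        for ip in quiet_ips:
            for _ in range(3):
                lines.append(f'{ip} - - [01/Dec/2000:{minute}:00 +0000] "GET / HTTP/1.0" 200 512')
    for _ in range(300):  # 12:03: one noisy client
        lines.append('192.0.2.99 - - [01/Dec/2000:12:03:00 +0000] "GET / HTTP/1.0" 200 512')
    for i in range(100):  # 12:04: many clients, each looking normal
        for _ in range(3):
            lines.append(f'198.51.100.{i} - - [01/Dec/2000:12:04:00 +0000] "GET / HTTP/1.0" 200 512')
    return lines


def parse(lines):
    """Return {minute: Counter(ip -> request count)}; unparseable lines are skipped."""
    windows = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, minute, _request = m.groups()
            windows[minute][ip] += 1
    return windows


def classify_windows(windows, baseline_count=3, volume_factor=5.0, per_ip_factor=5.0):
    """Use the first `baseline_count` minutes as the baseline, then label the rest.

    The distinguishing question is not "how much traffic?" but "is the extra
    traffic concentrated in a few clients, or spread across many clients who
    each look normal?" Only the second case resembles the essay's scenario.
    """
    minutes = sorted(windows)
    base = minutes[:baseline_count]
    base_volume = mean(sum(windows[m].values()) for m in base)
    base_per_ip = mean(sum(windows[m].values()) / len(windows[m]) for m in base)
    labels = {}
    for m in minutes[baseline_count:]:
        counts = windows[m]
        volume = sum(counts.values())
        top_ip, top_count = counts.most_common(1)[0]
        if volume < volume_factor * base_volume:
            labels[m] = "normal"
        elif top_count > per_ip_factor * base_per_ip:
            labels[m] = f"single-source flood ({top_ip})"
        else:
            labels[m] = f"distributed surge ({len(counts)} clients, {volume} requests)"
    return labels


if __name__ == "__main__":
    for minute, label in classify_windows(parse(build_sample_log())).items():
        print(minute, "->", label)
```

On the constructed data the 12:03 minute is reported as a flood from one address, while 12:04 is reported as a distributed surge even though no individual client exceeds the baseline per-client rate. That second label is the useful one: per-client rate limiting, the usual first reflex, would never trigger on it, which is exactly the essay's point.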

Scary, isn't it?

Robert Woodhead
December 1st, 2K