Software Author Offers Insider’s View of Attack

TIMES STAFF WRITER

Authorities still don’t know who was behind the attacks on many of the most popular Web sites last week. But one figure has emerged who appears to have played a role in creating one of the software programs the perpetrators likely used to carry out their attacks.

He goes by the pseudonym of “Mixter,” and identifies himself as a 20-year-old male living in Germany. He is skilled with computers, and says he has been fascinated by them since he was 6 years old.

Mixter is the author of a piece of software called “Tribe FloodNet,” or TFN. The program is one of several that can be used to launch the sort of “denial of service” attack that crippled Yahoo, EBay and other sites last week.

The program enables a user to take control of other high-powered computers across the Internet and order them to bombard a site with so many phony requests for service that the target Web site collapses under the load.

Mixter insists that he did nothing wrong. He says that, like many other hackers, he looks for vulnerabilities in computer systems not to exploit them, but to expose them to security experts so that they can be repaired.

He is not accused of breaking any laws. Indeed, writing and distributing software is not illegal, even if the programs can be used by others to cause great harm. Mixter surfaced after several security firms identified him as the author of TFN. He agreed to answer a number of questions via e-mail. These are some of his responses, edited for length:

*

Question: What is your real name?

Answer: I really prefer not to give you my real name. Many people have a bad opinion of anyone involved with “this strange hacking stuff” and make no difference between pointing out security weaknesses and exploiting them.

*

Q: What do you do?

A: I finished school approximately half a year ago, and I have been getting some offers from security companies since then. I will probably be going to work in the area of source code security auditing, where I will have a great potential of improving my knowledge of network software.

*

Q: Were you the author of the software used in the attacks?

A: I am the author of the programs called TFN and TFN2K, but not of [an earlier program] trinoo. The original trinoo was made some months earlier than the first TFN, but unlike TFN not distributed publicly. I’m pretty sure a tool derived from TFN and/or Trinoo was used.

*

Q: Why did you write the software?

A: I considered it as interesting from a technical perspective, but also as potentially powerful in a negative way. I published a working version . . . to make the information public and generate awareness.

*

Q: What was your reaction when you heard about the attacks?

A: I heard about the new wave [of] attacks on Wednesday evening, and to be honest, I was thinking, “Oh, what a bunch of morons.” They are probably socially motivated, wanting to gain popularity.

*

Q: Why are you so surprised that someone may have used a tool you wrote for destructive purposes?

A: Well, I did have to expect it to be misused, but not for such overly idiotic and hysteria-generating purposes. My purpose was to generate awareness among the public, among companies and the security community.

*

Q: Do you believe you are accountable in any way for the attacks?

A: Absolutely no. I am a free-time security analyst . . . not involved in any criminal activities. I research and analyze security vulnerabilities and things that might become dangerous issues.

*

Q: Can you understand how the public might misunderstand your role and culpability?

A: I understand that the people want to see someone who can be made responsible.

*

Q: How difficult is it to write the “denial of service” attack tools?

A: Not very difficult. The main concept is simply the client-server concept present in almost all Internet applications. Packet flooding and similar attacks are publicly known and available, and can easily be implemented. [Packet flooding refers to the bombardment of a target site with packets of data.]

*

Q: How difficult is it to take over a sufficient number of computers in order to mount an attack large enough to take down Yahoo?

A: Unfortunately, it is quite easy. It is safe to assume that all of the flood servers are installed on hosts compromised through vulnerabilities that are publicly known, rather old, and can easily be [repaired].

*

Q: How many computers were probably used in the Yahoo attack?

A: As a rule of thumb, 300 [high-bandwidth] machines could hold down a 1 gigabyte-per-second link, like Yahoo and other really big Internet companies have. With averagely (sic) fast hosts, you would need about 700 to 800.

*

Q: How difficult is it to find out who orchestrated the attack?

A: Remote detection is practically impossible, unless the attack goes on for . . . days--in that case . . . some of the “slave” servers could be tracked. There is still the chance of finding attackers if they aren’t extremely careful, and leave traces on the compromised hosts, or manipulate and damage things on the compromised hosts enough so that the administrator detects them.

*

Q: What will be the lasting impact of these attacks?

A: I think that it has caused some damage in terms of image loss to the victim sites in short time, but in the long [term], the security community as well as e-commerce is probably going to benefit a lot from it. They’ve been brought back to reality. I hope that the positive result of all this trouble will be that people will really start caring about security issues and international cooperation in a better way.