Warning: system overload

Dalnet is a forum for nothing more sinister than chatting to friends online, yet it was attacked and all but closed down. What made it so vulnerable, asks Wendy Grossman. And could Google be next?

Monday 10 February 2003 01:00 GMT

"I miss my friends," wrote a poster to the Usenet newsgroup alt.irc.dalnet last week. "Dal has been my home for about six years... I feel displaced." Why? Because the world's largest Internet Relay Chat (IRC) network has been intermittently unreachable since last August, and almost completely out of action since 10 December, due to massive attacks coming from across the internet.

For a time in early January, no one could connect at all. Since then, a small portion of it has been revived, and former users who haunt the IRC news services (such as eyersee.org or the internet Federation of IRC) searching sadly for active servers will find addresses they can use to connect. But the number of connected users at any one time is only about 20,000, a far cry from the 127,000 connections Dalnet boasted in early December.

Attacks on the internet are of course nothing new, as anyone seeing the headlines about the SQL Slammer worm will know. SQL Slammer, however, exploited a flaw in one commercial software product running on individual machines, and had a simple solution: patch the hole. The attacks on Dalnet exploit the basic design of the internet itself, not a bug in any one product, and there is no simple solution. Even IPv6, the next generation of the protocol that carries internet traffic, is unlikely to close this particular opening.

The type of attack Dalnet is experiencing is known as distributed denial of service (DDOS). It relies on the fact that, for the internet to be of any use, computers must be able to accept connections from random strangers. Every time you connect to a distant computer, whether to join an IRC channel, pick up your e-mail or visit a web site, your computer sends a request to open a connection, and the server has to set aside a little memory and processor time to answer it before it knows who is asking. Denial of service is a class of attack in which the target computer is sent such a large flood of these connection requests that legitimate traffic is drowned out. The physical equivalent might be dumping a giant load of potatoes in front of a shop door. No individual potato is a problem, but a ten-foot pile means customers can't get into the shop.

Similarly, a single faked request to initiate a connection is easily discarded by a server, but millions of them swamp its connection and tie up its processor; the sender usually forges the source address on each request, so the server's replies go to machines that never asked for anything. A denial of service attack from a single source can be traced and blocked by the ISP upstream of the server. Distributed denial of service attacks, however, come from thousands of sources at once, and may be difficult or impossible to trace back to the person directing them.
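The distinction drawn above, as an added example that is not part of the original article: a small Python triage script run over a constructed connection log (the log format, the addresses, the IRC port 6667 and the thresholds are assumptions made for illustration). It counts, per destination, connection requests that were never followed by the client's completing acknowledgement, and separates a flood from one address, which an upstream ISP can simply filter, from one spread across many sources, where no short block list exists.

```python
"""Triage of connection-request floods over a constructed packet log.

Added example; this is not code from the article or from DALnet. The log
format, addresses, port and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: str  # "S" = SYN (connection request), "A" = client's handshake ACK


def parse_log(text: str) -> list:
    """Parse lines of the form: '<ts> <src> <dst> <dport> <flags>'."""
    packets = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, flags = line.split()
        packets.append(Packet(float(ts), src, dst, int(dport), flags))
    return packets


def build_sample_log() -> str:
    """Constructed traffic (not captured data) with three different patterns."""
    lines = []
    t = 0.0
    # Five legitimate IRC clients: each SYN is followed by the client's ACK.
    for i in range(5):
        src = f"192.0.2.{i + 1}"
        lines.append(f"{t:.3f} {src} 198.51.100.5 6667 S")
        lines.append(f"{t + 0.020:.3f} {src} 198.51.100.5 6667 A")
        t += 0.1
    # Single-source flood: 150 SYNs from one address, none ever completed.
    for _ in range(150):
        lines.append(f"{t:.3f} 203.0.113.7 198.51.100.10 6667 S")
        t += 0.001
    # Distributed flood: 150 SYNs from 150 different (probably forged) sources.
    for i in range(150):
        lines.append(f"{t:.3f} 198.18.0.{i + 1} 198.51.100.20 6667 S")
        t += 0.001
    return "\n".join(lines)


def triage(packets, threshold=100, few_sources=3):
    """Per destination: how many requests were never completed, and from how many sources.

    A real monitor would track each connection by source port as well; counting
    SYNs minus client ACKs per destination is a deliberately simple lower bound.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    sources = defaultdict(set)
    for p in packets:
        key = (p.dst, p.dport)
        if p.flags == "S":
            syns[key] += 1
            sources[key].add(p.src)
        elif p.flags == "A":
            acks[key] += 1

    report = {}
    for key, n_syn in syns.items():
        half_open = n_syn - acks[key]
        srcs = sources[key]
        if half_open < threshold:
            verdict = "normal"
        elif len(srcs) <= few_sources:
            verdict = "single-source flood"  # the upstream ISP can filter these addresses
        else:
            verdict = "distributed flood"  # no short block list; needs upstream rate limiting
        report[f"{key[0]}:{key[1]}"] = {
            "syns": n_syn,
            "half_open": half_open,
            "sources": len(srcs),
            "verdict": verdict,
            "block_candidates": sorted(srcs) if verdict == "single-source flood" else [],
        }
    return report


if __name__ == "__main__":
    for dst, info in triage(parse_log(build_sample_log())).items():
        print(dst, info)
```

The "block_candidates" list is only populated for the single-source case, which is the whole point of the passage: once the requests come from hundreds of addresses, many of them forged, there is nothing useful for the upstream ISP to block by address, and the defence has to move to rate limiting or absorbing the volume.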

The first step in a DDOS is planting malicious software on as many machines as possible, using the same techniques that spread viruses. DDOS software may be hidden in scripts on web sites, sent by e-mail, or delivered through the file-transfer function built into IRC. The infected machines are often called "zombies" or "drones", because they can be turned against a target without their owners' knowledge, doing the bidding of a distant, unseen controller.

A collection of these zombie machines under a single controller is what IRC folk call a "botnet", and one thing it is used for is flooding IRC channels with messages advertising web sites where the software lurks, waiting to create more zombies.

That distant attacker is the last link in the chain and almost impossible to trace. Even if law enforcement eventually finds the originator, not all countries have laws under which a prosecution could be brought. A bill to amend the UK's Computer Misuse Act was introduced in the House of Lords in May 2002 specifically to cover DDOS attacks.

But even that may not help much. Emma Monks, an administrator on Tiscali's Dalnet server, notes: "Even when we do find infected hosts, we almost never find a live IRC user. And all too many ISPs don't respond if they're reported." That's understandable: it's hard to hold an ISP responsible if its customer gets infected.

But why Dalnet? It's a hobbyist network, frequented by folks who like having friends on their desktops 24 hours a day and find – or found – Dalnet to be unusually well-run and hospitable. Of course, no internet event is complete without a conspiracy theory. Because some file-trading of music and TV shows goes on, the pet theory is that the Recording Industry Association of America and the Motion Picture Association of America, the people who shut down Napster and prosecuted the 16-year-old who cracked DVD encoding, are behind it.

It's unlikely in the extreme, despite a brief moment of madness last year when the US Congress considered letting such rightsholders hack into networks they suspected were being used for copyright violations. As Dalnet's chief operating officer, "Spike", puts it: "I think it's just as likely that Martians are behind it."

IRC administrators say that all IRC networks, large or small, get attacked every day. What is happening to Dalnet now, however, is off the charts. Says Monks: "These are like nothing we've seen. We've seen attacks in the order of 5 to 8 gigabits per second." That traffic is directed straight at a single server, and it is thousands of times the maximum amount of data a domestic broadband connection can carry.

Three things are making that volume of attack possible. First, the Trojans are getting smarter. Monks says the Trojan software is now so sophisticated that it uses the machines it infects to find and install itself on further machines, whose owners may never have used IRC, downloaded software, or even visited the wrong kind of web site. The second culprit, therefore, is insecure operating systems in the hands of unsophisticated users who run no anti-virus software and never monitor their Net connections. These scenarios are, says Dan Ingelzaldson, a team leader in research and development for Internet Security Systems, "common because a lot of home users are not familiar with security".

People (and this could include you, dear reader) may have their entire hard drive shared across the network, instead of sharing only a couple of directories and tightly controlling what goes into them; or they may allow their IRC client to download and run any type of file without asking. The third culprit is broadband, partly because the fatter the connection the more malicious traffic an infected machine can send out, and partly because an always-on machine is permanently reachable by anyone looking to plant a Trojan on it.

What's worrying is that IRC may be only the beginning. An attack that can knock something as big as Dalnet out of action could be turned against much more vital targets such as government and e-commerce sites. "At the moment," says Monks, "the prevailing thought from most ISPs is 'pull the IRC servers and the problem goes away.' Personally, I think that's short-termist thinking. The servers are an easy target, and the most immediate target since these kids tend to use IRC themselves."

But, as she says, if all the IRC servers were shut down tomorrow, the malicious people behind the attacks "will simply move on to things that seem fun – let's get a kick out of downing Google or eBay, etc. It's a scary thought."

wendyg@pelicancrossing.net
