PFIR - People For Internet Responsibility
PFIR Statement on Recent
Internet Denial of Service Attacks

February 9, 2000

PFIR Home Page

Greetings. The recent rash of "Denial of Service" (DoS) attacks on major Internet sites such as Yahoo!, E-Bay, CNN, and others, has caused outcries of surprise and consternation in many quarters, and has become the lead story for many newscasts. But these attacks come as no surprise to many of us, who have long predicted that these sorts of events would come to pass.

It's basically easy to understand. Imagine a small firm with two phone lines. Now have 10,000 people at pay phones scattered around the world all trying to call that company at once, and hanging up as soon as there is an answer. Few (if any) customer calls will get through, and finding the perpetrators will be problematic at best.

A variety of software tools are available for launching effectively anonymous DoS attacks on the Internet, which in many cases may involve otherwise innocent computers "hijacked" for this purpose. While some of the simpler attack methods may be repelled to a degree by "filtering" to block some of the offending data, the fundamental structure of the existing Internet makes complete solutions essentially impossible. We can expect to see a rapid evolution in the sophistication of such attacks and their relative invulnerability to quick eradication. There will not be simple answers of any lasting value.

There are a number of very important lessons to be learned from these events. It seems apparent that the rush to move all manner of important or even critical commercial, medical, government, and other applications onto the Internet and Web has far outstripped the underlying reality of the existing Internet infrastructure.

Compared with the overall robustness of the U.S. telephone system, the Internet is a second-class citizen when it comes to these kinds of vulnerabilities. Nor will simply throwing money at the Internet necessarily do much good in this regard. More bandwidth, additional servers, and faster routers--they'd still be open to sophisticated (and even not so sophisticated) attacks which could be triggered from one PC anywhere in the world.

In the long run, major alterations will be needed in the fundamental structure of the Internet to even begin to get a handle on these sorts of problems, and a practical path to that goal still remains fuzzy at this time.

For now, it might be advisable for everyone to remember that the Internet, for all its wonders, is in many ways very fragile. We must not allow ourselves to get into a position where being cut off from a site for a few hours--or even longer--puts people or property at risk. Our lives should not revolve around guaranteed 24/7 access to E-Bay, or Yahoo!, or any site on the public Internet, regardless of its importance. The need for alternative access methods for critical systems, and the potential recklessness of eliminating older systems in exchange for 100% Internet dependence, cannot be overstated.

The current attacks are sure to be but the beginning. Many even more attractive targets are likely to be appearing that will draw ever more sophisticated fire. Imagine what a concerted denial of service attack might do to an election with Internet/Web-based voting--a technology being pushed on a fast track in many quarters.

It's time to get past the "dot com" hype and to start considering carefully the realities, and limits, of the technology on which we're trying to base so much, so very fast. If we continue to plow ahead without heeding these lessons, it will be at our extreme peril.

Lauren Weinstein
Co-Founder, PFIR - People For Internet Responsibility -
Moderator, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy