Two hackers' journals, 2600 Magazine and Phrack, recently published descriptions and recipes for mounting a new kind of attack on TCP/IP services. (Phrack's is at [1].) The cookbooks were first put to use over the weekend of 1996-09-07, when unknown hackers effectively shut down a New York ISP, Panix Internet, for several days [2]. The following weekend hackers used the technique to shut down the Internet Chess Club [3], a subscription-based chess service hosted at Carnegie Mellon University. The idea behind the so-called "SYN flooding" attack is not new -- network experts have known for years about the basic weakness in IP that the technique exploits, but have refrained from describing it publicly. For a good technical overview of SYN flooding see [4]. A CERT Advisory [5] was issued on 9/19 regarding the problem; unlike most such Advisories it does not contain definitive instructions for closing the security hole. The truth is that no ironclad defense exists. Unlike attacks that take advantage of particular bugs in network software implementations, this one exploits a feature of the TCP/IP connection architecture itself. A hacker does not need to break into a system in order to tie it in knots; and tracing the source of such attacks so far has not proved possible.

Most corporate networks, firewalled from the open Internet, are immune to SYN flooding. Those most at risk are ISPs and any site whose computers are in the business of providing TCP/IP services to all comers. All platforms are equally at risk, Unix and Windows NT and Macintosh alike.

Those who want the realtime insights of heavy-duty network experts should peruse the NANOG archive. Members of the North American Network Operators' Group are the people who keep the Internet running, such as it does. The first discussion thread [6] on SYN flooding began on their mailing list on 1996-09-09. For convenience I've collected on the TBTF archive pointers to the 147 articles on the subject that reside in the NANOG archive at this writing [7].

In my research on SYN flooding I found but a single glimmer of hope for defeating such attacks any time soon: Internet Security Systems, Inc. claims to have a software solution -- RealSecure [8] -- that acts to detect and defeat SYN floods in real time. RealSecure is not for sale today, but ISS has clearly rushed to make alpha-level software (for SunOS, Solaris, and Linux systems) available for download from their Web site. To find out more ISS asks that you sign up on their alpha-test mailing list: send the message "subscribe realsecure" to majordomo@iss.net (the subject is ignored). The following cautious but promising wording appeared in the email greeting I received upon subscribing.

> In a local test, we found that a SYN flood at ethernet speeds com-
> pletely shut down our HPUX 9.03 test host. Running RealSecure on a
> Sparc 2 also on the ethernet allowed anywhere from 5% to 30% of the
> valid connections through. Increasing the connection queue length
> increased RealSecure's effectiveness greatly.

[1] <http://www.fc.net/phrack/files/p48/p48-13.html>
[2] <http://www.nando.net/newsroom/ntn/nation/091296/nation17_17702.html>
[3] <http://www.news.com/News/Item/0,4,3520,00.html>
[4] <http://www.cisco.com/warp/public/707/4.html>
[5] <ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding>
[6] <http://www.merit.edu/mail.archives/html/nanog/msg02201.html>
[7] <http://www.tbtf.com/resource/syn-flood.html>
[8] <http://www.iss.net/vd/vuln/dos/syn.html>

And no, I don't mean the Culinary Institute of America [9]. On 1996-09-19 hackers calling themselves "Power Through Resistance" replaced the top page on the Central Intelligence Agency's site with a less institutionally flattering version; see [10] for a copy. Internal evidence suggests that the attackers were Swedish. Among the links placed on the phony page were two into the site of Linus Walleij <triad at df dot lth dot se>, a university student who has researched and written on the Swedish hacker culture. He was neither amused nor pleased by the oblique compliment the hackers may have intended to bestow [11], particularly since he learned of the links from two Svenska Dagbladet reporters who fingered him as the perpetrator [12], an allegation he vehemently and convincingly denies.

[9] <http://www.thomson.com/partners/cia/default.html>
[10] <http://www.is.co.za/mikev/cia_hack/>
[11] <http://www.df.lth.se/~triad/letter2.txt>
[12] <http://www.df.lth.se/~triad/usepost1.txt>

TBTF for 1996-08-08 profiled ForeverMail [14], which sells affinity-based personalized (or "vanity") email addresses based on the domain names fan.org, grad.org, lover.org, and member.org. Another organization has gotten into the business with a different approach, one that is generating some heat at universities that feel they are being impersonated.

>>From EDUPAGE (1996-09-19):

> VANITY E-MAIL BUGS COLLEGE ADMINISTRATORS

> A new e-mail service offered by New Century Technologies gives custo-
> mers an e-mail address sporting a prestigious university domain name
> for $25 a year. The customer, who must have a valid e-mail address
> somewhere else, then receives mail addressed to user@DukeU.com, or
> whatever school is chosen. The vanity address closely resembles the
> real thing, except it ends in .com instead of .edu. The universities
> aren't happy about the impersonation: "You can't assume people under-
> stand that the address isn't affiliated with the university somehow,"
> says Florida State's director of Web development. A member of Georgia
> Tech's licensing committee is even more adamant: "They can't do that.
> People can't sell anything over the Internet and use our name without
> paying us royalties. We will fight this." (Chronicle of Higher Educa-
> tion: Academe Today 19 Sep 96)

A visit to New Century Technologies' home page [15] does not reveal any obvious way to order this service; perhaps they're relying for advertising on their customers' .sig files. A barefoot run through the InterNIC database shows that "dukeu.com" is indeed registered to NCT Inc. and seems to be in good standing, while "georgiatech.com" is registered to someone else entirely and is on hold, which means that the NIC has received a trademark-based claim against the name. Perhaps the CHEAT reporter (great name for a journal covering academe) conflated the two controversies. I was unable to find any other university-related .com domains that NCT has registered, though there probably are some. Anyone who knows a way to query the NIC for the registered domains associated with a handle, please email me.

[13] <http://www.tbtf.com/archive/1996-08-08.html>
[14] <http://www.forevermail.com/>
[15] <http://www.nctinc.com/>

Phil Agre has an enviable gift for humanizing this disembodied virtual life we've all chosen to embrace. When mail from his Red Rock Eater news service comes through I tend to read it first. Phil writes the occasional essay but mostly forwards others' missives on such Internet topics as privacy, censorship, online communities, and the social import of all this technology. Now and again he asks his readers to write to him on a particular subject and posts the results, sometimes using them in his classes at UCSD. A recent RRE project was this request to readers: describe your immediate surroundings right now, as you work at your computer, in any terms you like. You can downloaded the 81 responses, prosaic to poetic to otherworldly, from [16] (156 KB).

[16] <http://www.tbtf.com/resource/where-I-sit.txt>

>>From EDUPAGE (1996-09-22):

> The Bank of Japan and Nippon Telegraph & Telephone Corp. have jointly
> developed a very advanced, secure electronic money system, using NTT's
> high-speed digital signature system and its patented E-sign algorithm.
> The new system allows a number of banks to issue the same type of e-
> money to customers, relieving them of the responsibility of developing
> their own proprietary e-money systems. NTT hopes its new system will
> become the de facto standard for e-money in the country. (BNA Daily
> Report for Executives 13 Sep 96 A2)

The "patented E-sign algorithm" is almost certainly the one that NTT subsidiary NTT Electronic Technology reverse-engineered from the RSA algorithm. Correction added 1996-10-17: from Bodo Moeller <Bodo_Moeller at public dot uni-hamburg dot de>:

This is almost certainly not the case. (Besides, there is no need to "reverse-engineer" the RSA algorithm: The algorithm is publicly known world-wide, both specifications and free software implementations are available to everyone.) Section 20.6 of Bruce Schneier's book "Applied Cryptography" (2nd edition) describes an algorithm called ESIGN: "ESIGN is a digital signature scheme from NTT Japan [...]. It is touted as being as least as secure and considerably faster than either RSA or DSA, with similar key and signature lengths. [...]"

A call for papers [22] has gone out for a 5-day conference on financial cryptography next February in Anguilla, British West Indies. The general chairs of FC97 are Robert Hettinga <rah at shipwright dot com>, who runs the e$ list [23], and Vincent Cate <vince at offshore dot com dot ai>, whose offer to make you an international arms trafficker in one click was covered in TBTF for 1996-05-05 [24]. (At that writing the list of known traffickers [25] numbered 14; it now stands at 606.)

[22] <http://www.cwi.nl/conferences/FC97/call.html>
[23] <http://www.vmeng.com/rah/>
[24] <http://www.tbtf.com/archive/1996-05-05.html>
[25] <http://online.offshore.com.ai/arms-trafficker/known-traffickers>