INTERNET DENIAL OF SERVICE ATTACKS: LEGAL, TECHNICAL AND REGULATORY ISSUES
By
Jerry Wegman
Associate Professor of Business Law
and
Alexander D. Korzyk
Assistant Professor of Information Systems
ABSTRACT
Internet virus and worm attacks plagued the Internet during the summer of 2003. Millions of computers were affected, and Internet traffic was slowed worldwide. Businesses suffered lost revenue while computer users experienced crashes, cluttered email inboxes, or impaired performance. This was only the latest episode in a continuing problem. Many of these attacks, including the destructive attacks of August 2003, involve denial of service (DOS). A DOS attack occurs when an attacker sends malicious communications over the Internet, crashing computers or interfering with websites. The computer user or website is thus denied service and access to the Internet. This paper will explain how DOS attacks are perpetrated. It will explain why technical “black box” solutions like firewalls and anti-virus software have failed to provide effective protection. The paper will examine current remedies in civil and criminal law. It will explain why law has failed as an effective deterrent in this area. Government regulation, which has so far been rejected as a solution to the DOS problem, will nevertheless be considered and regulatory objectives will be identified. Finally, the paper will describe best practices that firms and individuals can employ now to limit their exposure to DOS attacks or to mitigate their impact.
INTRODUCTION
In February 2000 a series of high-profile DOS attacks occurred that knocked leading e-commerce sites like Ebay, CNN and Yahoo off the Internet. Financial loss has been estimated at $1.1 to 1.7 billion (Katyal 2001). The culprit turned out to be a Canadian teenager who used the name “mafiaboy”. In the ensuing three and a half years DOS attacks have gained in sophistication and continue to menace the Internet community. For example, in July 2002 the Recording Industry Association of America (RIAA) website was downed for four days by a DOS attack after it endorsed tighter copyright legislation (McCullagh, 2002). The more recent SQL Slammer worm is estimated to have disrupted half of all Internet traffic in January 2003, while the Sobig virus that emerged in late August 2003 affected one in 17 emails worldwide (Economist, 2003). eWeek magazine estimates that as of the end of August, 2003, 63,000 viruses have plagued the Internet, causing a total of $65 billion in damage (
The events of 9/11 have caused an increased concern for the security of our nation’s information infrastructure. DOS attacks have the potential of doing more than taking websites like eBay temporarily off the Internet. They can shut down power grids, hospitals, airports and other vital services (Guth and Machalaba, D., 2003). The objective of this paper is to provide a deeper understanding of how these attacks are perpetrated and what social mechanisms might be employed to deter them. Law and regulation are two of our most effective social mechanisms for modifying behavior. However, they have so far failed to effectively deter these attacks. This paper will explain why. It will examine the legal sanctions facing those who perpetrate or facilitate DOS attacks. Government regulation, which has so far not been applied in this area, will be considered and regulatory objectives will be proposed. Finally, the paper will describe best practices that can now be followed to reduce the chances of being an attack victim or to minimize the harm following an attack.
UNDERSTANDING DENIAL OF SERVICE ATTACKS
A DOS attack can be said to occur whenever a person maliciously causes an interruption in another’s service over the Internet. There are many sub-types, but they fall into two broad categories: distributed denial of service and hacked denial of service. A distributed DOS attack floods a target with a great number of packets – small segments of information sent over the Internet. The target’s server attempts to respond and establish the connections, but the volume of requests is too great and the server crashes. A hacked DOS occurs when a perpetrator gains unauthorized entry to another individual’s computer and introduces malicious code. The hacker takes advantage of a security flaw, often in the computer’s operating system.
Distributed denial of service attacks are the greater danger, because they are more difficult to defend against, and because they are easier to perpetrate. One common distributed denial of service attack is called a SYN flood attack because the SYN packet is part of the initial effort of the sending computer to establish a synchronous connection with the destination computer (Narayanaswamy, 2002). Typically these packets are sent via “zombies”, which are innocent computers that the perpetrator has previously taken over. Thus a hacked DOS can be combined with a distributed DOS. An example is the recent Sobig virus, which in addition to clogging email systems took over 20 home computers in the
It is difficult for law enforcement to track down a DOS perpetrator because the architecture of the Internet does not require accurate return addresses. The sender can easily misrepresent himself/herself by changing that information in the packets he or she sends. Internet routers and servers look only at the “sent to” address, not the “sent from” address. Changing one’s sending address is called “spoofing” and is unfortunately quite common (Nemerofsky, 2000). Spoofing is also used by “spammers” - malefactors who send volumes of unsolicited commercial email that clogs our email inboxes.
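The following is an added example, not part of the paper, of the kind of check an ISP’s access router could apply to the “sent from” address that the Internet itself never verifies: a packet arriving on a customer-facing interface is forwarded only if its source address falls inside the address blocks assigned to that customer (the practice known as ingress filtering). The interface names, address blocks and packets are constructed sample data.

```python
import ipaddress
from collections import Counter

# Hypothetical mapping of customer address blocks to access-router interfaces.
# Constructed sample data, not taken from any real network.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}


def source_is_plausible(interface, src):
    """True if src lies inside a prefix assigned to the arrival interface.

    An interface with no assigned prefixes accepts nothing, so a packet on an
    unknown port is treated as spoofed rather than waved through.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


def ingress_filter(packets):
    """Split (interface, src, dst) packets into forwarded and dropped lists.

    Also tallies drops per interface; a sudden rise in that count for one
    customer port is the signal that a zombie behind it is spoofing.
    """
    forwarded, dropped = [], []
    drops_per_interface = Counter()
    for iface, src, dst in packets:
        if source_is_plausible(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops_per_interface[iface] += 1
    return forwarded, dropped, drops_per_interface


# Constructed packet trace: (arrival interface, source address, destination).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.17", "203.0.113.10"),      # legitimate customer A
    ("eth1", "10.9.8.7", "203.0.113.10"),        # spoofed: private address
    ("eth2", "198.51.100.150", "203.0.113.10"),  # legitimate customer B
    ("eth2", "192.0.2.17", "203.0.113.10"),      # spoofed: A's address on B's port
    ("eth3", "198.51.100.5", "203.0.113.10"),    # unknown interface, nothing assigned
]

if __name__ == "__main__":
    fwd, drp, per_if = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} drops={dict(per_if)}")
```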
Another difficulty in deterring distributed denial of service attacks is that they do not currently require great computer expertise. As noted above, the high-profile attacks of February 2000 were perpetrated by a teenager, only 14 years old. The New York Times on
Finally, and most importantly, a distributed denial of service attack is difficult or impossible to defend against. As Ian Hoenish, founder and CTO of ElephantX stated: “denial of service is the scariest thing I’m afraid of at this point, because it’s the most difficult to shield against” (Saita, 2001). This is because once an attack is launched the target’s only defense is to filter the malicious packets. Identifying these packets takes time. But even after they are identified, the sheer number of these packets takes up almost all of the target’s bandwidth, effectively shutting the target down. The only hope a target can have is to stop the flow of these packets at a point upstream from the target, but that requires cooperation from those transmitting these packets. Internet service providers (ISPs) are ideally positioned to cut off this flow. However, ISPs are reluctant to terminate service to their customers (Narayanaswamy 2002). This issue is discussed more fully below.
The second type of denial of service attack, a hacked DOS, does not flood the target with malicious computer code. Rather, it occurs when a perpetrator gains unauthorized entry to another individual’s computer and introduces malicious code. These hackers are often more sophisticated. They may use advanced hacking programs to probe target computers for vulnerabilities. Sometimes these vulnerabilities are inherent in the users’ software. But often they are the result of sloppy computer hygiene, such as failing to employ security patches and updates, leaving passwords blank or selecting obvious ones. Hacked DOS attacks are typically much smaller than DDOS attacks, but they are still destructive and costly. A more technical explanation of both distributed and hacked denial of service attacks is contained in Appendix A.
As we have seen, denial of service attacks are easy to perpetrate, hard to trace, and almost impossible to defend against. The IT industry has not come up with a “black box” solution to this problem. What is needed is a change in behavior within the Internet community. ISPs and large networks need to devote more time and resources to security, and computer users need to maintain better computer hygiene. But how are we to achieve this change?
There are two agencies within our society that seek to modify behavior: law and regulation. Civil law modifies conduct by making undesirable behavior the subject of financial liability, while criminal law deters undesirable behavior with the threat of incarceration. Regulation can be voluntary, that is self-regulation, or it can be government imposed, with legal sanctions to obtain compliance. We will now examine how effective law and regulation have been in deterring DOS attacks.
LAW AS A DETERRENT TO DOS ATTACKS
Civil Law
The area of civil law that could potentially deter DOS attacks is known as torts. Torts are defined as “wrongful conduct by one person that causes injury to another” (Clarkson, 2003). Examples are trespass and battery. There are two torts that hold potential for deterring DOS attacks: interference with contractual relations, and negligence.
The tort of interfering with contractual relations requires proof of two elements: first, that a legally enforceable contract existed between two parties, and second, that a third party unjustifiably interfered with the execution of that contract (Cheeseman 2003). Perhaps the most famous case involving this tort is Pennzoil Co. v. Texaco, Inc., 481 U.S. 1 (1987). In that case, Texaco was held liable for inducing Getty Oil Co. to breach its contract agreeing to merge with Pennzoil. A jury awarded Pennzoil the largest damage award to that date - $11 Billion. The perpetrators of a DOS attack are interfering with contracts between websites and their customers and between customers and their Internet Service Providers.
However, there is a problem with using the tort of interference with contractual relations as a deterrent to DOS attacks. This tort is committed by the perpetrators of attacks. While it is true that these individuals are the primary malefactors, it is also true that they seldom have the financial resources to even begin to compensate their victims for millions of dollars of losses.
As noted earlier, many of them are children, “script kiddies”. They typically have few assets. Their parents may have greater assets, but parents generally do not have liability for the torts of their children (Mann, R.A 2003). Parents do have liability for negligent supervision of their children. But the plaintiff in such a case will have a substantial burden of proof to establish, and the problem of collecting an adequate judgment remains.
A more promising approach might be to try to use the tort of common law negligence to deter DOS attacks. Negligence could be a more effective legal theory because large corporations with “deep pocket” financial resources could face potential liability. They could be expected to modify their behavior in order to minimize or avoid this liability. Let us examine the tort of common law negligence more closely.
Negligence essentially consists of failing to exercise a reasonable level of care, thereby causing injury to another. It is typically described as requiring four elements of proof: (a) first it must be shown that the defendant had a duty to exercise a certain “reasonable” level of care in its actions, (b) second that there was a violation of that duty, (c) third that the plaintiff was damaged, and (d) fourth that the defendant’s violation directly and “proximately” caused the plaintiff’s damage. (
ISPs and web hosting companies might be held liable when they transmit malicious code that infects users’ computers. As we have seen, these corporations have a duty to exercise reasonable care in their conduct. Reasonable care might include taking reasonable security measures to detect and stop a DOS attack. ISPs in particular are well placed to detect attacks; in a sense they are the portals of such attacks. Once an ISP detects an attack it can terminate service from its customers sending out the malicious code.
However, a serious problem confronts the plaintiff intending to use the legal theory of common law negligence: As Henderson and Yarbrough point out (Henderson & Yarbrough, 2002) there is no generally accepted “reasonable” standard of care regarding Internet security. As noted above, the first element of proof in any negligence case is establishing the existence and scope of a duty of care (Cheeseman, 2003). In any negligence case against an ISP for failure to act more vigorously against a DOS attack we are likely to see a battle of the experts, as each party’s expert witnesses contradict each other over the scope of the duty of care owed. Defendant corporations will argue for a lower standard, one that they have met, while plaintiffs will argue for a higher standard that was not met. Eventually our courts will establish what reasonable care consists of in this area.
While the legal system strives to develop a standard of care in computer and Internet negligence cases, some extra-legal efforts are underway to establish a standard. One such effort is by the International Standards Organization (ISO). The ISO in the year 2000 issued ISO 17799, its “Code of Practice for Information Security Management”. ISO 17799 addresses the topic in terms of policies and general good practices. If ISO 17799 is to become a useful tool in negligence litigation, it must first be incorporated into precedents which will show how it will be applied (Sagalow, 2003). A second effort to establish a standard is underway in the insurance industry. Conventional policies do not cover e-commerce risks. New policies that do cover these risks may in the future demand of policyholders that they comply with minimum security standards, prescribed by the insurer, before the policy is issued (Jerry II., 2001/2002). These minimum security standards could establish a legal standard of care owed by ISPs and others.
While ISPs and large networks face potential legal liability for failing to adopt more effective security measures, such litigation has yet to emerge. As a result these large corporations, ever conscious of the bottom line, have been reluctant to spend the money for monitoring and filtering software that produces no visible return on investment and degrades system performance. They are also concerned, and reasonably so, that customer satisfaction will suffer if customers are summarily cut off from service because of sending malicious code. This can happen to an “innocent” customer whose computer has been taken over and turned into a “zombie” by an attacker. And if that customer is, for example, a hospital, then termination of its Internet service may harm innocent patients. However, this may be changing. The Washington Post reported that ISPs are beginning to take this problem more seriously, stating “comprehensive scanning could cost ISPs millions of dollars, but after repeated e-mail attacks capped by the latest version of the “Sobig” virus, customers are beginning to expect it” (Duhigg, 2003).
Nevertheless we must conclude that at the present time tort law has been ineffective in curbing denial of service attacks. Let us therefore turn our attention to the more robust legal sanction of criminal liability.
Criminal Law
U.S.
Criminal law has had a hard time dealing with DOS attacks. This is because no physical “damage” has occurred. There is no “taking” of property, which is the basis for larceny, and no physical destruction, which is the basis for malicious mischief (Sinrod, 2000). The leading federal criminal statute applicable to DOS is Section 1030 of the U.S. Criminal Code, 18 USC 1030, also called the Computer Fraud and Abuse Act (CFAA). Under this statute “damage” is defined as any “impairment to the integrity or availability of data, a program, a system, or information that causes loss aggregating at least $5,000 in value during any one year period”. The maximum sentence is 5 years. However, prosecutions have been few and the sentences imposed have been light. This is in part because the perpetrator often has no previous criminal record and is not a violent offender (Jacobson & Green, 2002). Script kiddies are treated as youthful offenders and are seldom removed from their parents. Consequently, the current criminal laws are not an effective deterrent to DOS. In the
The foregoing analysis has shown why the current state of
Regulation
As Fritschler and Ross point out (Fritschler and Ross, 1980) businesses do not like to be regulated. Regulation restricts their freedom and adds cost. Nevertheless business recognizes that some regulation is essential, for example regulation protecting intellectual property. However, other forms of regulation that interfere with the internal workings of the firm, such as worker safety or employment discrimination are generally not welcomed by business. Regulation that would make the Internet more resistant to attacks would fall between these two general categories. It would improve the general climate for Internet business but it would interfere with the internal workings of firms in that it would require some to purchase and use more security resources.
Any government regulation requires at least two things: first, a legal basis, and second, a rationale (
The rationale for regulation is more ambiguous. Regulation often adds cost, increases bureaucracy and may inhibit innovation. When is such regulation justified? The answer must lie in those situations where the free market and legal system have failed to achieve an important goal. This can occur in at least two situations: (a) when responsible behavior is penalized, and (b) when only an industry wide, community approach can be effective. Does regulation of the Internet, requiring greater security measures, satisfy either of these two requirements?
First, let us consider the issue of penalizing responsible behavior. The responsible behavior desired here is greater effort in Internet security. But implementing effective Internet security is costly and incurs other negatives such as slowing system performance. If two ISPs are in competition, and only one adopts responsible but costly behavior, it will be at a competitive disadvantage. It might even be driven out of business. This phenomenon has been observed in many other areas, for example environmental regulation. Manufacturing plants that discharged their pollutants directly into the air or water could produce at lower cost than their environmentally responsible competitors. The higher cost, responsible manufacturer was penalized. In order to level this competitive playing field, industry wide environmental regulations were adopted.
If two ISPs are in competition, but only one adopts behavior that would deter some Internet attacks, such as investing in filtering software and providing frequently updated anti-virus protection, its costs will be greater than its competitor’s. In addition, because increasing security slows system performance, customer satisfaction might suffer compared with the competitor. The responsible ISP is thus penalized for its responsible behavior. The only way to level this playing field is to require both firms to adopt at least a minimum level of security. Federal regulation would provide this leveling.
The second situation in which regulation might be appropriate is where only an industry wide, community approach can be effective. One familiar example involves the problem of the spread of noxious weeds. A responsible landowner can take reasonable measures to control weeds on his or her property. But if neighbors fail to adopt reasonable measures of weed control, weeds will proliferate in the community. It will be extremely difficult, if not impossible, for the responsible landowner to prevent weeds from invading his or her property. Consequently almost all property is subject to weed control regulation.
Internet Security has been described as a community problem. As the influential Computer Emergency Response Team (CERT, 2000) Advisory CA-2000-01 states “security on the Internet is a community effort. Your security depends on the overall security of the Internet in general”. A target is unable to effectively defend itself by employing a firewall or other technical defense. There is no “black box” solution. This is more fully explained in Appendix A. A firewall defense can at best filter out the malicious packets, letting the good packets through. But this leaves the target with much reduced bandwidth, as the blocked packet stream takes up most of the target’s bandwidth. The target is thus effectively shut down. The only way to stop a distributed DOS attack is to halt the upstream flow of malicious packets, coming, as it were, from the Internet community. This requires cooperation from the community, especially ISPs, large web-hosting companies and the large networks of big firms and institutions.
While a colorable argument can be made for federal regulation to increase Internet security, firms that would be regulated have resisted it. ISPs and large networks have lobbied against such regulation. They argue that government regulation will stifle innovation, slow communications, and add unnecessary expense. Thus, when the first draft of the National Strategy to Secure Cyberspace was first released in September, 2002 by the President’s Critical Infrastructure Protection Board (CIPB, 2002) it recommended federal legislation to make the Internet more secure. But as the New York Times reported on
To date, the federal government has relied largely on self-regulation by industry to protect cyberspace from attacks such as denial of service. But self regulation failed dramatically to prevent the recent spate of worms and viruses in August, 2003. As the New York Times reported on September 7, 2003 “at the epidemic’s peak in mid-August, according to the antivirus company Central Command, Sobig.F-related messages accounted for 73 percent of e-mail traffic worldwide, making it history’s most aggressive online contagion” (Koerner, 2003).
What would federal regulation in this area look like? Congress would enact enabling legislation and would designate an appropriate agency to implement it (Dunfee & Gibson 1984). The legislation would employ general goal setting language such as “enhancing the security of Internet communications and assuring greater resistance to Internet attacks”. The agency would then employ experts, draft specific regulations, and issue them in compliance with the federal Administrative Procedures Act. These regulations might attempt to achieve such goals as:
- Having all ISPs and large networks employ anti-virus protection that is frequently updated.
- Assuring that all software used on the Internet passes a test of minimum security standards.
- Requiring that all computers sold in the
- Requiring ISPs to keep records for a minimum amount of time so that attacks can be back-traced.
- Requiring ISPs and large networks to promptly terminate service to users who send malicious code, and giving firms legal immunity from liability for such action.
- Requiring ISPs to verify email senders’ “sent from” addresses.
- Making parents of “script kiddies” financially responsible for their children’s DOS damage.
As we have seen, neither law nor self regulation has so far been able to effectively deter Internet DOS attacks. A colorable argument can be made for federal regulation, but industry resistance has forestalled it. This leaves firms and private PC users to fend for themselves. By adopting best practices, they cannot fully immunize themselves, but they can reduce the risk of attack damage substantially. Let us therefore turn to what can currently be done by users to ameliorate this problem.
BEST PRACTICES: WHAT YOU CAN DO NOW
As we have seen, current law and self-regulation have not been effective deterrents to denial of service attacks. This leaves the individual or firm to “fend for itself” by adopting best practices that will reduce the risk of attack and limit the harm caused if an attack is made. Let us first examine best practices for reducing the risk of attack.
REDUCING THE RISK OF AN ATTACK
Firewalls work by blocking attempts by individual hackers to intrude into your computer. They can therefore be effective against hacked denial of service attacks but they do not help against a distributed denial of service attack. A hacker can enter your computer by exploiting a vulnerability in the computer’s operating system or its applications. There are two basic kinds of firewalls: software and hardware. Software firewalls are cheaper and more common. Some are even free and can be downloaded from the Internet. Examples are ZoneAlarm for free, http://www.zonelabs.com, and Norton Personal Firewall for under forty dollars, http://www.symantec.com. Websites are available which compare firewalls, for example http://firewall.com and http://www.firewall-net.com. PC users should also check their operating systems for built-in firewalls. Microsoft, for example, includes a built-in firewall in its XP operating system. However, this requires activation and setting by the user.
Less common is the hardware firewall. This is an external device that is connected to the Internet and which in turn connects to the computer. It is more expensive but offers additional protection. If the hardware firewall is disabled, the protected computer can perform its non-Internet functions normally. Also, the external firewall can utilize a different and less common operating system compared with the computer. This makes it less vulnerable to attack, as hackers typically attempt to exploit vulnerabilities in common operating systems. Finally, a software firewall can be used in addition to or in combination with the hardware firewall for back-up protection.
Hackers are continuously discovering new vulnerabilities, so firewalls need to be frequently updated. The firewall will slow the computer’s operation slightly. Firewalls typically are not effective against the worms and viruses that are used in a distributed denial of service attack. This is because viruses and worms are generally attached to email, and the user normally lets email through the firewall.
A computer virus requires action by the user in order to spread. This action typically involves opening an email or an email attachment.
Apply Patches Promptly
As noted above, the most effective deterrent to worm attacks is the prompt application of a software patch.
Shut Down the Computer When Not In Use
Whenever the user’s computer is not being used for an extensive period it should be shut down as opposed to letting it run in Power-Saver mode. Although the computer appears to be shut down in Power-Saver mode, a hacker could gain access to it.
Do Not Open Unfamiliar Email
As noted above, most viruses are spread by email, and require the user to open the message or its attachment. Email with unfamiliar sender addresses or names should be deleted. The most vulnerable part of the email is the attachment. The user should never open an attachment to an unrecognized email address.
Consider Raising Security Settings
Most Internet browsers, firewalls, and intrusion detection systems have security settings. If the user finds that his or her computer is under frequent attack, a higher security setting may provide better protection. The downside of increasing security settings is that they may keep out wanted communications.
Store Sensitive Data Off-Line
Sensitive data like credit card information and customer lists should not be stored on the computer’s hard drive, where a hacker could access it. Instead, it should be stored off-line, on optical disks or perhaps an external hard drive that is not ordinarily connected to the Internet. In addition, firms should consider using encryption to further protect sensitive data (Kaplan, 2003).
LIMITING THE DAMAGE AFTER AN ATTACK
If prevention efforts have failed and an attack has been made on your computer or system, there are still best practices that can be undertaken to limit the resulting damage.
Data back-up
Important data should be regularly backed up. Optical discs or an external hard drive are convenient mechanisms for this. Once the data is backed up, thought must be given to the physical location where the back up data will be stored. It is desirable to store the back up data a reasonable distance from the original data. Several firms located in
Most firms, organizations, and even some large families use a network of computers. One computer may become infected before the others. A prompt removal of that computer from the network may save the others from infection. It is useful to have an extra computer available and ready to take the place of an infected machine.
Contact Law Enforcement Promptly
Promptly contacting law enforcement may be required for insurance purposes. It is also important so that law enforcement can secure evidence that may be used in a criminal prosecution of the hacker who perpetrated the attack.
CONCLUSION
Denial of service attacks will continue to be a serious and costly problem. The architecture of the Internet does not require verifiable “sent from” addresses, making apprehension and prosecution of attackers difficult. Our institutions of civil and criminal law have proven ineffective; civil law is hampered because large judgments are uncollectible from minors and most adults, while corporations that could pay large judgments have benefited from the absence of accepted standards of care in Internet security. Criminal prosecutions have been few and punishments light, as offenders are often minors or first offenders. Internet service providers, who are well positioned to cut off a flow of malicious communications through their systems, currently do not have much incentive for doing so. Filtering software would cut off many attacks but it would also be expensive, slow systems and antagonize ISP customers.
So far industry has prevailed on government to abstain from regulating in this area. However, the community nature of the Internet, and the need to “level the playing field” between responsible and irresponsible Internet actors may eventually bring about government regulation. Such regulation would require industry to meet minimum standards of security, such as requiring ISPs to use filtering software and to provide their customers with anti-virus protection.
APPENDIX A: DENIAL OF SERVICE ATTACK METHODOLOGY
The goal of a DOS attack is to prevent host computers or computer networks from communicating (Harris, 2002). These attacks can either be distributed, involving numerous attacking computers (zombies) controlled by a hacker, or they can be individual attacks in which the hacker penetrates a single target computer. The distributed attack is more serious, as millions of computers may be affected, and defenses against such an attack are poor. We will first examine distributed attacks, then individual hacked attacks. We will also describe the tools, viruses and worms that are often used in a distributed denial of service attack.
A distributed DOS attack occurs when a hacker executes a command to multiple (zombie) computers to attack a target computer connected to the Internet. This type of attack consumes all available bandwidth for the target’s computer connection, as it is bombarded incessantly by the zombies. It is sometimes called a SYN flood attack because the zombie’s computer sends an initial connection message, called a SYN, in such a way that the connection is never completed. The victim’s computer continues to send synchronization requests for the connection to the attacking computer (CERT, 2000). While the victim’s computer waits for a response from the attacking computer, the victim’s computer cannot connect with any other computers, effectively denying legitimate connections. So long as the SYN communications arrive, the target is powerless to protect itself. The only hope the target can have is to cut off the flow of SYN communications coming to it, but this requires cooperation from upstream senders such as Internet service providers. As explained elsewhere, these upstream Internet participants have little incentive to take vigorous action to prevent or stop these attacks.
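The following simulation is an added example, not part of the paper, of the resource that a SYN flood exhausts: the server’s table of half-open connections (SYN received, reply sent, final ACK not yet seen). The table capacity, the timeout and the two packet traces are constructed assumptions; the model shows that once the table is full a legitimate client’s SYN is refused even though the server is otherwise idle, and that whether this happens depends on the flood rate relative to capacity and timeout, which is why shortening the timeout is a common first mitigation.

```python
class HalfOpenTable:
    """Model of a server's half-open connection table.

    capacity and timeout are assumed values, not those of any real TCP stack.
    """

    def __init__(self, capacity=128, timeout=75.0):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}      # (src, sport) -> time the SYN arrived
        self.refused = 0       # SYNs dropped because the table was full
        self.completed = 0     # handshakes finished with a matching ACK

    def _expire(self, now):
        """Drop entries whose final ACK never arrived within the timeout."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def on_syn(self, now, src, sport):
        """Return True if the SYN got a slot, False if the table was full."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, now, src, sport):
        """Return True if the ACK completed a pending handshake."""
        if self.pending.pop((src, sport), None) is not None:
            self.completed += 1
            return True
        return False


def run_trace(events, capacity=128, timeout=75.0):
    """Replay (time, kind, src, sport) events and summarise the outcome."""
    table = HalfOpenTable(capacity, timeout)
    for now, kind, src, sport in events:
        if kind == "SYN":
            table.on_syn(now, src, sport)
        elif kind == "ACK":
            table.on_ack(now, src, sport)
    return {"completed": table.completed, "refused": table.refused,
            "half_open": len(table.pending)}


def normal_trace(clients=10):
    """Constructed trace: each client sends a SYN and then its ACK."""
    events = []
    for i in range(clients):
        events.append((float(i), "SYN", "192.0.2.%d" % (i + 1), 5000 + i))
        events.append((float(i) + 0.2, "ACK", "192.0.2.%d" % (i + 1), 5000 + i))
    return events


def flood_trace(n_flood=200):
    """Constructed trace: n_flood SYNs from never-acknowledging spoofed sources,
    one every 0.1 s, followed by one legitimate client at t = 20 s."""
    events = [(0.1 * i, "SYN", "10.0.%d.%d" % (i // 256, i % 256), 40000 + i)
              for i in range(n_flood)]
    events.append((20.0, "SYN", "192.0.2.50", 5000))
    events.append((20.2, "ACK", "192.0.2.50", 5000))
    return events


def table_pressure(stats, capacity):
    """Fraction of the table occupied by unfinished handshakes; a monitor that
    sees this near 1.0 while completions stall is looking at a SYN flood."""
    return stats["half_open"] / capacity


if __name__ == "__main__":
    print("normal:", run_trace(normal_trace()))
    print("flood, 75 s timeout:", run_trace(flood_trace(), 128, 75.0))
    print("flood, 5 s timeout: ", run_trace(flood_trace(), 128, 5.0))
```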
Computer viruses are often used by hackers to perpetrate a distributed DOS attack. A virus is a malicious program attached to a non-malicious carrier such as a document or an email attachment; email is probably the most common example. The salient feature of a virus is that it requires human activity, such as opening the email attachment, in order to spread. The victim’s computer then executes the malicious program. The severity of the disruption depends on the malicious program’s instructions. Some viruses erase all of the programs stored on the computer’s hard drive. Others shut the computer off immediately and then shut it off again every time the user tries to turn it on. For example, when an email user opens the Sobig.F virus, the virus harvests the email addresses stored on the recipient’s computer, including those in the address book, and sends email with the virus attached to every one of them. The amount of email traffic on a company’s network may become so great that its mail server is overwhelmed. CSX Corp. and Air
As can be seen, containing a virus attack is difficult. A rare success story occurred in August, 2003, when the FBI discovered 20 zombie computers that had been programmed to attack, and took them off-line before the attack could be commenced (Guth and Fields, 2003).
A second type of malicious software used by hackers is the worm. A worm can be far more destructive than a virus because it does not require human action in order to spread: it scans for other computers that expose a flaw in their system software, such as the operating system, and exploits that flaw to copy itself onto them. Each such flaw is a vulnerability that a hacker could exploit. Once vendors become aware of a vulnerability they issue a corrective program, called a patch, and computers on which the patch has been installed are immune to worms that rely on that flaw. Unfortunately for the millions of computer users who had not installed the patch Microsoft issued in July 2003 for a flaw in the Windows remote procedure call (RPC) service, the BLASTER worm propagated so quickly that a vulnerable computer became infected simply by being turned on and connected to the Internet (Guth and Machalaba, 2003). Blaster also carried a denial of service payload: infected computers were programmed to flood Microsoft’s windowsupdate.com with SYN packets, turning each victim into a zombie for an attack on a third party.
A hacked DOS attack involves an individual hacker acting alone, without zombies. The hacker exploits a flaw in the operating system or in an application program to gain control of the victim’s computer. Once inside, the hacker can read confidential information or destroy programs. One technique used by hackers to gain entry is called a buffer overflow. A program sets aside a fixed-size holding area in memory, the buffer, for incoming data but fails to check how much data actually arrives. The hacker sends more data than the buffer can hold, and the excess spills into adjacent memory, overwriting whatever was stored there, including the address to which the program will return when the current routine finishes. By placing malicious code inside the oversized input and overwriting that return address so that it points at the code, the hacker makes the victim’s computer execute it (Chieuh, 2003). This attack requires surprisingly little skill to carry out. Off-the-shelf exploit programs are available free of charge on the Internet, and the First Amendment to the U.S. Constitution prevents censorship of such information.
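The spill into adjacent memory described above, and the one-line check that prevents it, can be shown in C. The program below is an added example, not code from the paper or from the cited RAD work. To keep it runnable it models the stack frame as a small byte array: an 8-byte input buffer followed by a 4-byte control word standing in for the saved return address. The copy in the vulnerable routine is capped at the array size only so the demonstration cannot crash; the real defect has no cap at all. The 12-byte payload of ‘A’ characters is constructed for the example, and the buffer and field sizes are assumptions.

```c
/* Added example, not from the paper: a buffer overflow modeled on a small
 * byte array so it runs without crashing.  The array stands in for a stack
 * frame: an 8-byte input buffer followed by a 4-byte control word, the way
 * a local buffer sits next to the saved return address on a real stack.
 * The attacker fills the buffer with 'A' (0x41); the classic sign of a
 * successful overflow is a control word that reads 0x41414141. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    8                     /* assumed buffer size */
#define CTRL_SIZE   4                     /* control word next to the buffer */
#define FRAME_SIZE  (BUF_SIZE + CTRL_SIZE)
#define PAYLOAD_LEN 12                    /* constructed: 4 bytes too many */

/* Vulnerable: copies as many bytes as the sender supplies, as strcpy does
 * when it copies until it finds a NUL.  The cap at FRAME_SIZE exists only
 * to keep the demo inside the array; the real bug keeps writing past it. */
static uint32_t vulnerable_copy(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE] = {0};   /* buffer, then control word */
    uint32_t control;
    for (size_t i = 0; i < len && i < FRAME_SIZE; i++)
        frame[i] = input[i];                 /* no check against BUF_SIZE */
    memcpy(&control, frame + BUF_SIZE, CTRL_SIZE);
    return control;                          /* 0 unless overwritten */
}

/* Hardened: the receiver decides how much fits and refuses the rest. */
static int safe_copy(const unsigned char *input, size_t len, uint32_t *control_out)
{
    unsigned char frame[FRAME_SIZE] = {0};
    if (len > BUF_SIZE)
        return -1;                           /* reject oversized input */
    memcpy(frame, input, len);
    memcpy(control_out, frame + BUF_SIZE, CTRL_SIZE);
    return 0;
}

/* Control word after the vulnerable copy of the 12-byte payload:
 * 0x41414141, i.e. attacker bytes now sit where the return address was. */
uint32_t demo_overflow_control(void)
{
    unsigned char payload[PAYLOAD_LEN];
    memset(payload, 'A', sizeof payload);    /* constructed attacker input */
    return vulnerable_copy(payload, sizeof payload);
}

/* 1 if the hardened copy rejects the same payload and leaves the control
 * word untouched, 0 otherwise. */
int demo_safe_rejects(void)
{
    unsigned char payload[PAYLOAD_LEN];
    uint32_t control = 0;
    memset(payload, 'A', sizeof payload);
    return safe_copy(payload, sizeof payload, &control) == -1 && control == 0;
}

/* 1 if the hardened copy still accepts input that fits the buffer. */
int demo_safe_accepts_fitting_input(void)
{
    unsigned char payload[BUF_SIZE];
    uint32_t control = 0;
    memset(payload, 'A', sizeof payload);
    return safe_copy(payload, sizeof payload, &control) == 0 && control == 0;
}

int main(void)
{
    printf("control word after overflow: 0x%08x\n",
           (unsigned)demo_overflow_control());
    printf("hardened copy rejects oversized input: %s\n",
           demo_safe_rejects() ? "yes" : "no");
    printf("hardened copy accepts fitting input: %s\n",
           demo_safe_accepts_fitting_input() ? "yes" : "no");
    return 0;
}
```

On a real stack the overwritten word is the saved return address, so the value 0x41414141 would be the next instruction pointer and the program would crash or, with a carefully chosen value, jump into the attacker’s data. The fix is the same in either case: the code that owns the buffer, not the sender, decides how many bytes may be written.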
A major difficulty in apprehending Internet attackers is that they can easily cover their tracks by hiding their identities on-line. The architecture of the Internet requires only that a packet’s destination (“send to”) address be accurate; the source (“sent from”) address need not be. When hackers substitute another’s address for their own, it is called spoofing. It is also a common practice among spammers. The Internet has no central authority that requires ISPs to verify the source addresses of outgoing data packets. A published best practice, ingress filtering (RFC 2827, also known as BCP 38), has an ISP discard packets leaving a customer network whose source addresses do not belong to that network, but it is voluntary and unevenly deployed. Checking source addresses takes time and additional computing power, which is costly and slows the performance of an ISP (Cohen et al, 2003).
REFERENCES
CERT (2000).
Cheeseman, H.R. (2003). Contemporary Business & E-Commerce Law (Fourth Edition).
Chieuh, T. and Hsu, F. (2003, August 9). RAD: A Compile-time Solution to Buffer Overflow Attacks. Retrieved from http://citeseer.nj.nec.com/cache/papers/cs/18040.
Clarkson, K., Miller, R., Jentz, G., and Cross, F. (2004). West’s Business Law. Southwest Publishing.
CIPB (2002). President’s Critical Infrastructure Protection Board Report.
Cohen, D., Narayanaswamy, K., and Cohen, F. (2003, June 23). Changing IP to Eliminate Source Forgery. Retrieved from http://www.cs3-inc.com/sf.html.
Dunfee, T. and Gibson, F. (1984). Legal Aspects of Government Regulation of Business. John Wiley & Sons.
Duhigg, C. (2003, August 22). Record Computer Infections Slow
Economist (2003, August 21). Target: Microsoft. Economist.
Fields, G. and Guth, R. (2003, September 2). Teen Had No Direct ‘Blaster’ Role. Wall Street Journal.
Flynn, L. (2003, August 27). Sleuths Try to Stay Step Ahead of Online Worms. New York Times.
Fritschler, A. and Ross, B. (1980). Business Regulation and Government Decision-Making. Winthrop Publishers, Inc.
Goodwin, B. (2002, May 16). Peer Backs to Outlaw Denial of Service Attacks. Computer Weekly, 3.
Guth, R. (2003, August 26). Welter of Viruses Is a Wake-Up Call for Software Industry. Wall Street Journal.
Guth, R. and Fields, G. (2003, August 25). FBI Averts Fresh Computer Attack. Wall Street Journal.
Guth, R. and Machalaba, D. (2003, August 21). Computer Viruses Disrupt Railroad and Air Traffic. Wall Street Journal.
Harris, S. (2002). CISSP All-in-One Guide. McGraw-Hill.
Henderson, S.E. and Yarborough, M.E. (2002). Frontiers of Law: The Internet and Cyberspace: Suing the Insecure? A Duty of Care in Cyberspace.
Jacobson, H. and Green, R. (2002). Computer Crimes. American Criminal Law Review, 39, 273-310.
Jerry II, R.H. and Mekel, M. (2001/2002). Cybercoverage for Cyber-Risks: An Overview of Insurers’ Responses to the Perils of E-Commerce.
Kaplan, S. (2003, May). When Bad Things Happen to Good Companies. CSO Magazine.
Katyal, N.K. (2001). Criminal Law in Cyberspace.
Koerner, B. (2003, September 7). In Computer Security, a Bigger Reason to Squirm. The New York Times.
Mann, R.A. and Roberts, B.S. (2003). Smith and Roberson’s Business Law (Twelfth Edition).
McCullagh, D. (2002, July 30). RIAA Web Site Disabled by Attack. ZDNet News. Retrieved
Narayanaswamy, K. (2002, May/June). ISPs and Denial of Service Attacks. Information Systems Security, 38-46.
Nemrofsky, J. (2000). The Crime of “Interruption of Computer Services to Authorized Users”: Have You Ever Heard of It?
Sagalow, T. (2003, January 27). Ask the Expert. CIO Magazine.
Saita, A. (2001, September). How ElephantX Faced an 800 Pound Gorilla. Information Security, 55-56.
Sinrod, E.J. and Reilly, W.P. (2000). Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws.
Warren, K. (1982). Administrative Law in the American Political System.