Chat Networks Identify With Attacked Web Sites
Subnets Have Suffered at the Hands of Hackers
By Ariana Eunjung Cha
The Internet Relay Chat networks--known by names such as DALnet, EFNet and the Undernet--are subnets made up of dozens of servers around the planet. Often compared to citizens' band radio, they host free, real-time conversations about everything from computer graphics cards to gardening. But because the systems allow anonymous log-ins, some areas have become virtual town squares where hackers gather to trade "warez"--pirated software and cracking programs--and to brag about their conquests.
Their visibility in the hacker community has made them "testing grounds" for new attack strategies such as the "distributed denial of service" method that took down more than a dozen popular World Wide Web sites last week, Internet Relay Chat administrators said. This tactic pummels computers with so much data that legitimate users are effectively locked out.
"Anything that you see in the wild you are going to see directed at some sort of chat server first," said a security director for Internet America Inc., a mid-size service provider in Dallas that is traded on the Nasdaq Stock Market under the symbol GEEK.
The Internet America security expert, who did not want to be named because she is participating in a number of investigations, said that in early February, a week before the recent series of high-profile attacks, her company's server was hit with a similar strike that was so powerful that it shut out many of its paying subscribers for about three hours.
She said she believes that was "no coincidence."
Even as FBI agents and independent cybersleuths in the past week have been trolling Internet Relay Chat (IRC) to look for clues about the person who took down Yahoo and other popular sites, the chat networks themselves continue to be hit almost daily with similar attacks.
"We've been fighting . . . for over three years now," said Danny Mitchell, co-owner of Internet Chat Systems in Plano, Tex., which maintains a machine linked to the Undernet and fends off denial of service strikes several times a week. "It's nothing new. At least now it has people's attention since it happened against someone important."
The IRC networks' anarchist nature--born out of the open philosophy of the original Internet--further makes them an attractive target, said Dave Dittrich, a software engineer at the University of Washington-Seattle who has researched denial of service attacks.
The IRC networks allow users to create private chat rooms, known as channels. The most effective way to break into these conversations is to take down the machine being used by the person who owns the room and hijack the channel.
In addition, Dittrich and others say IRC has become such an efficient mode of communication that rival hacker groups have taken down servers to prevent them from speaking with each other.
"It's some kind of power play," said Sven Nielsen, 23, the founder of DALnet. "The hacker will run a denial of service attack proving 'I'm bigger than you because I can run this tool against you.' "
Two days ago, Baltimore-based ABSnet, which is part of the Undernet, one of the oldest and largest gathering places with more than 50,000 simultaneous users during peak hours, was pummeled with massive numbers of bogus requests for data that sought to muscle out legitimate users. Similar attacks hit its servers on Sunday, Monday and Tuesday--and that was considered a good week.
The fake data blocked only about half the pipeline through which users exchange information, rather than closing it completely and crashing the network as it did one midnight in January.
"It used to be very hard to knock us off the map, but now the tools are available to practically anybody," said Howard Leadmon, president of ABSnet Internet Services Inc., which hosts the Undernet's command center. "Joe Blow's kid can now surf the Web and find some hacker site and he's become a one-man warrior."
Albert Ramnath, a director of Chatnet, an Undernet rival, said his network has fended off similar hits for years. "This morning we had six servers fly apart. This is daily. All it is is 14-year-olds having nothing to do, and we take the heat," he said.
Just a few years ago, most IRC services were hosted on university computers. Most of the schools bailed when denial of service attacks began in earnest and they found hosting the services too much of a headache. Now IRC is maintained largely by private companies, almost all of them Internet service providers with large data pipes, like America Online Inc. and AT&T Corp. (The IRC networks are one of only a few places on the World Wide Web that have resisted commercialization; companies donate their services and very few make any money off the service.)
With the invention of new, more powerful software late last year that allows malicious hackers to hijack dozens of machines to use against a single server, the attacks have become even more virulent. That has made several hosting companies either pare back their involvement or unhook their servers from a number of IRC networks; several chat services have had to shut down as a result.
About eight companies have left the Undernet in the past year as a result of the attacks, Leadmon said, and now fewer than 40 are left. He added that several of those businesses lost thousands of dollars in bandwidth and man-hours when their networks were taken down.
"I'll be the first to admit it that if they attacked 24 hours a day I would have to pull every Undernet server down. They would put me out of business," said Leadmon, whose company serves both consumer and business Internet users throughout the Washington-Baltimore area. "There is a limit to nice."
One of the people who have claimed credit for attacking the Undernet in the past uses the name "Coolio" and was once affiliated with the hacker group Global Hell, a group of teens who gained notoriety last year for defacing the White House site and breaking into an Army computer. That name resurfaced last week as a potential suspect in the recent spate of attacks against Yahoo and other sites, although people in the computer underground said many people use "Coolio" because of the rap star of the same name.
© Copyright 2000 The Washington Post Company