Beginning on Saturday, March 11, 2000, the server of the Falun Gong website "Minghui.ca" was again hacked by malicious attackers. The attack brought Minghui down for several days and made it inaccessible. The hackers used a "Denial of Service" attack, sending a massive volume of fake page-view requests that drove the server's bandwidth to saturation. As a result, the server was forced down and became unreachable for real visitors.
This time, the hackers used the so-called smurf attack against "Minghui.ca". Since February, following Yahoo, several other web giants such as eBay, Buy.com, CNN.com and Amazon were attacked one after another with the same technique or its variations and were shut down for hours. AP reported that the FBI has been engaged in the investigation of these attacks.
The difference between the recent attack and last year's is that last year's fake requests came directly from Beijing's state-run Xin'An Information Service Center, while the recent attack was craftily covered up. The attack has two steps.
In the first step, the hackers scan the Internet for vulnerable servers or host computers. Often these servers have relatively wide bandwidth and few IP addresses, for instance servers operated by universities (.edu) and organizations (.org). The network of such a server is composed of a sub-net and its network addresses, and a request sent to the network's broadcast address is usually answered by every computer on the local network. That is to say, if the local network has 40 computers, one request will result in 40 replies. These servers can therefore be used as "Internet request amplifiers". By scanning the Internet, hackers can easily capture such hosts as slaves, planting agents through a hard-to-detect backdoor technique. Once the agents are in place, the hackers can point all the bandwidth of those "Internet amplifiers" at the target server.
In the second step, the hackers signal their agents, select the target, spoof the target's address as the source of their packets, and send out requests to the "Internet amplifiers". As a result, the target server is paralyzed by a massive bombardment from hundreds of servers, which saturates it.
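The two-step mechanism above has a characteristic footprint on the network that is abused as an amplifier: an echo request from outside the network aimed at its broadcast address, followed by many replies from local hosts to one outside address (the forged source, i.e. the victim). The following Python script is an added example written for this page, not code from the original article or from Minghui; it runs a simple detector over constructed flow records (the addresses and the 40-host network are assumptions, chosen to mirror the "one request, 40 replies" case in the text) and flags both the directed-broadcast request and the address receiving an abnormal reply-to-request ratio.

```python
"""Smurf amplification detector over constructed flow records.

Each record is (src, dst, icmp_type): icmp_type 8 is an echo request,
0 is an echo reply. All sample data below is constructed for this
example; it is not captured traffic.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical local network that could serve as an "amplifier".
LOCAL_NET = ip_network("192.0.2.0/24")  # documentation range, constructed

# Constructed sample: one spoofed echo request hits the broadcast address,
# and 40 local hosts answer the forged source 203.0.113.7 (the victim).
# A normal single ping from 198.51.100.5 is included for contrast.
SAMPLE_RECORDS = (
    [("203.0.113.7", "192.0.2.255", 8)]
    + [(f"192.0.2.{i}", "203.0.113.7", 0) for i in range(1, 41)]
    + [("198.51.100.5", "192.0.2.10", 8), ("192.0.2.10", "198.51.100.5", 0)]
)


def is_directed_broadcast(dst: str, net=LOCAL_NET) -> bool:
    """True if dst is the network's broadcast (or all-zeros network) address."""
    a = ip_address(dst)
    return a == net.broadcast_address or a == net.network_address


def find_broadcast_requests(records, net=LOCAL_NET):
    """Echo requests arriving from outside the network aimed at its broadcast address.

    Each hit is a (claimed_src, dst) pair; the claimed source is likely spoofed
    and is the address that will absorb every reply.
    """
    return [
        (src, dst)
        for src, dst, t in records
        if t == 8 and ip_address(src) not in net and is_directed_broadcast(dst, net)
    ]


def amplification_ratios(records, net=LOCAL_NET):
    """Per outside address: echo replies sent to it / echo requests received from it."""
    requests, replies = Counter(), Counter()
    for src, dst, t in records:
        s, d = ip_address(src), ip_address(dst)
        if t == 8 and s not in net and d in net:
            requests[src] += 1
        elif t == 0 and s in net and d not in net:
            replies[dst] += 1
    return {
        addr: replies[addr] / max(requests[addr], 1)
        for addr in set(requests) | set(replies)
    }


def suspected_victims(records, net=LOCAL_NET, threshold=10.0):
    """Outside addresses receiving far more replies than they sent requests."""
    ratios = amplification_ratios(records, net)
    return sorted(addr for addr, r in ratios.items() if r >= threshold)


if __name__ == "__main__":
    print("broadcast requests:", find_broadcast_requests(SAMPLE_RECORDS))
    print("ratios:", amplification_ratios(SAMPLE_RECORDS))
    print("suspected victims:", suspected_victims(SAMPLE_RECORDS))
```

On the constructed sample the single broadcast request from 203.0.113.7 is flagged, and that address shows a reply-to-request ratio of 40 while the ordinary ping shows 1. The operator of the amplifier network removes itself from the chain by not forwarding directed broadcasts at the border router and by filtering outbound packets whose source address does not belong to the local network, so a forged victim address cannot leave it.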
Instead of attacking the target directly, cunning hackers usually use a cross-linked, chain-reaction style of assault to create an avalanche effect. An order issued from a 28K modem is magnified level after level almost instantaneously, and eventually everything is focused on the target. Thus it is not easy to trace the hacker. Investigators must search interface by interface back to the origin of the attack, and if a server in the middle of the chain has lost its records, the investigation is forced to stop.
(Translated Mar. 20, 2000)