Information Warfare for Dummies
A primer on the Internet vis-a-vis aljazeera.net, hacking and information warfare.
I know I have a lot of readers who are non-technical people. I'm blessed like that. However, I think an working knowledge of how the internet works is important in the 21st century. However, most of the documentation out there is either too dumbed-down, too theoretical or it's too "by geek for geek" to be of any use to the average person. As such, I've written this little primer that explains a bit of how the internet works in layman's terms, focusing on what's been going on lately with Al Jazeera's website as the object example. If you're not familiar with the story so far, read this first; it's a good overview of what's been happening.
The internet is a two-way street. Every time you click a link on the web, a request (small amount of data traffic) is sent from your computer to the server in question. If all goes well, the web server gets the request and sends back a page, which is usually made up of html text and images (larger amount of data traffic).
But what if you wanted to shut off some site, keep people from getting access to the information there? The internet is designed to route traffic asynchronously and there are many ways to get from point A to point B (see the map), so you can't just block the road. It's possible in some cases to jam up a weak point in the network, but if a site is well connected there are always alternate routes. Rather than trying to directly block traffic, the easiest way to cut off access to any point on the network is to stuff up the streets with too much of it.
This is called a Denial of Service (DoS) attack. A server is flooded with erroneous requests for data and is forced to a standstill because all the outgoing lanes are jammed. It would be like calling in to a pizza delivery shop non-stop and ordering pizzas for addresses that don't exist: pretty soon the pizza shop would be unable to get few (if any) legitimate deliveries made.
Just like in real life, if all the requests have something in common, it becomes possible to discriminate the fake from the real. You might disguise your voice each time you hit radial to the pizza shop, but if they have caller-id, your ruse isn't going to get that far. That's why most successful attacks are of the Distributed Denial of Service (DDoS) variety. This would be like having 100 friends all over town besiege the pizza joint with fake orders, and there's pretty much no way to defend against this. At first you can't tell whether you're just really popular (e.g. hundreds of thousands of people are trying to visit your site, ala the "slashdot effect") of if you're under attack. This only becomes clear if the barrage keeps up long after your server has ceased successfully delivering requested pages.
Major websites (yahoo, amazon, ebay) have all fallen victim to DDoS attacks in the past, mostly the work of "script kiddies", young hackers who make use of automated tools/viruses to marshall a virtual army of connected machines to do their bidding.
In reference to Al Jazeera, this is what seems to have happened as soon as the english-language translation came online. A lot of people wanted to get at the pages, true, but it seems clear that there was also a concerted and sustained DDoS attack at work.
Eventually over days and weeks DDoS attacks can be defeated as attacking machines are identified and blocked one by one. Usually this requires cooperation from the ISPs providing access and a fair amount of technical know-how on the part of the defenders, but keeping up a successful DDoS attack for more than a few days is tough.
Here's where the plot thickens. It looks like there was more going on with aljazeera.net than a plain-old DDoS attack. Not only was the website apparently swamped, but it was also defaced and/or targeted on the nameserver level.
First of all, Frank says he got through to the page from work and saw this:
Ok, when I checked out the link earlier today there was a graphic depicting an outline of the United states that was filled in with the American flag. On the bottom of that graphic it said something like "This site has been hacked by the Clear Patriot (something something, it was like a five word patriotic sounding name)" And below that in big letters it said "God Bless Our Troops!"
CNet.com confirms that this happened.
There are two explanations for this. One is that the server was hacked in to and the files changed around. According to the talk on slashdot, english.aljazeera.net was running on Windows 2000 with the web server software used being IIS 5.0. Microsoft's internet software is notoriously riddled with holes, so it's possible someone got in and put up the Clear Patriot message. It's unlikely we'll ever know who.
On the other hand, both english.aljazeera.net and the regular arabic site have been down for some time. This suggests that some form of attack was underway against both of them, even though they appear to have been running off separate servers. Also, the problem in reaching either site has been that they come back as "unresolvable domains," rather than as simply "timed out connections." This suggests their nameservers were under attack.
Ok, time to step back and talk about how the internet works for a second. One of the main things that makes the world wide web work is the nameserver system. In reality, computers on the internet talk to each other by number, referred to as IP (Internet Protocol) addresses. My local network, for instance, has the number 22.214.171.124, while my website lives at 126.96.36.199. There's a lot more to IP numbers that I won't get into, but for now just think of it like a phone number for a specific point on the network.
The problem is that we humans don't want to have to remember all these numbers. In fact, if we had to do this it would make the internet (esp. web and email) as we know it a practical impossibility. Enter the DNS (Domain Name Server) protocol. DNS allows you to associate a tiered name (e.g. www.outlandishjosh.com) with a given number by layering a more human-friendly organization over the top of the machine-based IP number system.
Here's how it works. There are 13 "root" DNS servers in the world, big burly machines that act like giant phone books for the internet. They mainly keep track of what nameserver serves what 2nd-level domain. My domain, outlandishjosh.com, has its DNS record (and actual hosting) through Neureal.com, so somewhere in all the root records, oj.com points to dns1.neureal.com. That server actually keeps track of the IP address that outlandish is living at. Local ISPs also run DNS services that keep track of local domains and frequently visited sites to keep things quick.
You get your listing on a root DNS server by registering your domain with one of the companies that ICANN (the NGO that governs the internet) trusts with this authority. I use doster.com, but there are many other authorized Top Level Domain (TLD) registrars. Top Level Domain refers to .com, .org, .net and so on. In addition to the common TLDs, every country has a two-letter designator that each nation handles however they see fit.
Multi-level DNS requests are handled in right-to-left order via whoever the nameserver points to. For instance, if I request data from example.outlandishjosh.com, Neureal's nameserver will rout requests for the example domain via the IP address associated with outlandishjosh.com. A request bob.example.outlandishjosh.com would be directed via whatever is set up at example.outlandishjosh.com, and so forth.
It appears that in Al Jazeera's case, someone attacked their Nameservers directly, making it impossible for anything.aljazeera.net to get through. As of this time, their nameservers have been changed -- meaning the domain name is now being handled by a different machine and apparently directed to different IP addresses. It's unclear whether they are still in control of this or not. It's possible that the Clear Patriot message was a result of the domain english.aljazeera.net being re-directed to a different server, and not of someone breaking in.
Interestingly, you can get access to the arabic site at least via their old ip address. http://188.8.131.52/.
Causes for concern here are numerous. The most distressing thing is that the domain name has been moved. While it's possible that individual actors are behind the DDoS attack and the defaced website, the updating of the domain name record requires either a request from the owner or some form of legal intervention to alter. Heretofore the only examples I'm aware of where a DNS record has been changed against someone's will have to do with copyright infringement or a direct action by the US Department of Justice.
If the aljazeera.net domain was moved as a result of some action by our (or any) government, the shit is really hitting the fan. Right now the records are fishy looking, with root servers reporting one thing and the ostensible registrar (networksolutions.com) for the domain reporting something else. No one can confirm or deny who/how the switch was made at this time.