(c) 1999 - Kevin Siers, North Carolina -- Editorial cartoons from the Charlotte Observer
Recent international events have drawn large media attention to the dark world of hackers. The power of an individual to do damaging attacks on large corporations, educational establishments is only just becoming understood.
The hacking establishment puts forward the argument that they are only exploiting weaknesses within the well-established protocols and software elements of the Internet and to bring to light the futile attempts of System Administrators to secure systems from determined attack.
Protocols, designed before such mischievousness was conceivable, have loopholes, or more accurately exploitable functionality. The three-way handshake being the most favoured for the hacker attack.
Traditionally a single hacker was at most an annoyance. The ability of a hacker to coordinate with others was possible via communication channels such as IRC gave a certain initiative to hacking groups but it has been the introduction of distributed tools which have made solitary hackers a large threat.
Using such distributed tools a hacker can launch multiple simultaneous attacks on unsuspecting targets. These attacks are made possible by
· Weaknesses of protocols as mentioned earlier.
· Insufficient checking of traffic on ingress links into backbone networks.
· Poor configuration of network equipment at both backbone transport sites and target sites.
· Commonly available attack tools.
Of further concern is that the available attack tools are maturing and becoming stealthier, making proactive defence, and intrusion or attack detection more difficult.
To combat this several measures need to be taken by all involved. Most of the attacks rely on the ability to forge originator IP addresses. Ingress points in the transport backbones need to verify that any traffic that is received is genuine.
Secondly, security of desirable hosts needs to be paramount – lazy administration can lead to outdated configurations of software, leaving security loop holes for the hacker to exploit and gain control of such hosts, increasing the number of hosts a hacker can employ in an attack. System administrators need to scan their networks for existence of such tools already installed on their systems.
Various experts have proposed protocol changes and network topology changes to make the tracking off attacks and attack packets easier, thus enabling not so much apprehension of hackers (as this will be left up to the law enforcement agencies) but give them the ability to locate attacking hosts and so eliminate their ability to be part of an attack.
The world is becoming ever more interconnected. Computer systems across he world can contact and communicate with other computer systems. Much of this inter-working is hidden from view but some recent incidents have brought the vulnerabilities of computer systems to the forefront of public perception.
Mafiaboy is a name that has been on the lips of many federal agents in the US. High profile attacks were perpetrated on major computer systems for organisations such as CNN.com, eBay, Yahoo and others. Mafiaboy launched these attacks supposedly on his own, and the ability of a single individual to bring such systems to their knees is concerning.
The attack used by Mafiaboy is akin to driving to your local store and parking your car in front of the doors of the premises - and thus denying service to others. Hackers like Mafiaboy perpetrate what is known as Denial of Service attacks on target computer systems. The targeted system is flooded and cannot answer legitimate requests for service and thus - is unavailable.
These attacks may seem like some malicious prank, Mafiaboy is a 15 year old Canadian schoolchild who bragged about his "exploits", but in the case of Yahoo and eBay, who depend on their sites generating revenue through visits and advertising, the downtime cost is estimated in the region of $100,000 to $200,000.
Hackers are an ingenious lot. The misguided talents of these individuals are not inconsiderable and the general availability of source code for operating systems, applications, protocol stacks and implementations offers them extreme opportunities for finding weaknesses in systems, be it hardware or software.
More often then not these technological anarchists are content to just break into systems, collecting evidence of their break-in to act like proverbial scalps when they boast to their fellow hackers. Others perform defacement of websites or tinker but the denial-of-service (DOS) attack can leave not only an Internet facing computer unavailable (e.g. a web server) but as was in the case of a targeted American University, leave the entire portal access for a network unavailable, disallowing traffic to flow either in or out of the computer networks affected.
There are a number of tools available to the hacker who wants perform a DOS attack. The knowledge to perform the attack and how to use these tools is also readily available. A search on the web or logging onto certain IRC channels will soon arm a would-be hacker with SYN attack, Fraggle, Smurf and other DOS knowledge.
The underlying protocol of the Internet is TCP/IP, which is a connection-orientated and reliable protocol.
As with most communication systems, a sequence of steps is followed to facilitate a communication session. As an example figure 1 shows the sequence of when a user accesses a website via a URL. When a user selects the URL a data packet is sent to the destination server. The packet from the client is a SYN packet. The SYN packet is used to synchronise and set-up a communication channel and is a normal data packet to send. It contains information such as who the sender is and other pertinent connection information.
When the server at the remote site receives the SYN packet it responds with an ACK data packet. The ACK packet is an acknowledgment to indicate to the client that the server is ready for further communication.
When the client receives this ACK packet it responds again with a reply ACK data packet, acknowledging the “acknowledge”. Both client and server are ready to then communicate with the necessary structures implemented at either end of the link and the web page is transmitted. The whole process is known as a three-way handshake.
To grant access to the TCP/IP stack for multiple services such as web serving, ftp, telnet etc a port system is implemented. Different network services are accessed via different ports but common services are implemented on the same port across different platforms. For example the WWW service runs on port 80 whether you are using a Unix box, Windows box or a SunOS system. These transport layer mechanisms along with the IP addresses for a connection (sender and receiver) uniquely identify a connection.
A host system listens on various ports of interest and creates a software structure known as a socket for each incoming connection. A socket holds the information related to the local end of the communications link such protocol used, state information, addressing information, connection queues, buffers, and flags. Each of these structures consumes a finite amount of resources available on the host and so an inexhaustible supply of socket connections is not realisable.
Returning to the example of setting up a connection, on an incoming request the data packet is demultiplexed up the protocol stack (TCP/IP) until layer 4 – the transport layer (where TCP is located). The TCP/IP stack retrieves all its necessary information from the payload of the data packet. Assuming everything is in order the TCP/IP initialises the necessary data structures (creating a new socket) within the host for the connection. TCP/IP replies to the received SYN with the SYN/ACK message. The client that it replies to is recovered from the IP addressing information in the payload of the incoming data packet.
It is now waiting for the return ACK message from the client, where it will then know that the connection is fully established. If the TCP/IP stack was to receive a reset message (RST) whilst it is listening, it would de-allocate the socket and memory structures for the connection. Whilst waiting for the reply acknowledgement, the final part of the three-way handshake, the TCP/IP stack is in the SYN_RCVD state for the socket that it set up.
If there is no response to the SYN/ACK message the TCP/IP stack will keep trying until a timeout is reached, whence it will then clear down the connection and recover all the resources used.
The basis for many attacks is the SYN attack. This exploits the feature of TCP/IP describe in the previous section. The method is to launch multiple connection requests against the target machine.
The attacker will send a connection request to the target machine. The attacker is required to perform one action only to make the attack possible – and that is to spoof the client IP address. Spoofing is where basically the IP address is fake or masqueraded. Further, it is not good enough for the IP address that is being spoofed to be incorrect for the machine that is issuing the attack. The spoofed IP has to be an unreachable IP address.
The reason for the spoofed IP address having to be unreachable is, that if the spoofed IP address is that of a reachable host the SYN/ACK packets will be sent by that target system to that IP address. The receiving host will receive the packets from an unknown connection – it not having established that link and will in fact reply to those packets by sending a reset (RST) message back to the target. The target, on reception of the RST message will then close down the connection.
With the target host receiving SYN packets with spoofed IP address it will attempt to reply to the unreachable addresses. A reverse DNS lookup will occur (RARP/ARP) but as there is no entry for the spoofed address, the reply packets will be passed out to the upstream network. All the time the connection socket is held active as the TCP/IP stack awaits an ACK back from the client.
If the target is flooded with such requests it will soon use up its available number of connections. As the time out can be in the order of half a minute or, on some systems longer, on a poorly implemented TCP/IP stack. The service, which is listening on that port, is effectively tied up waiting for ACK messages from non-existent or unreachable hosts. Whilst it is tied up it cannot service any proper requests and hence the service is denied to legitimate users.
This kind of attack can be orchestrated from a single machine, or more importantly, a single process. There is freely available source code, downloadable from the Internet that will perpetrate such an attack.
The power of the attack can be magnified by a concerted effort from many individuals, or from a single individual who is tied in to several client systems.
Internet Control Message Protocol (ICMP) is a protocol that is tunnelled within TCP/IP and is used for transmission of control and error messages. Typically commands such as ping, a useful tool to test if a host is alive and responding, issue ICMP data packets.
TCP/IP allows a maximum packet size of 65536 bytes (or octets). The actual makeup of a data packet is a header of at least 20 bytes and the rest of the packet is data. Larger packets are split up by the underlying layers of the TCP/IP stack into small packets for transmission and which are then suitably reassembled at the destination system. Usually packets are transmitted much smaller than the maximum size, this is known as the MTU or message transmission unit size – which in most cases is around about the value of 1500 bytes.
Ping, which issues ICMP_ECHO requests is embedded within the IP packet, and by standard consists of 8 bytes of header information followed by the size of the ping packet. This is the packet that will be echoed by the remote host. This leaves the maximum size of a ping packet to be 65536 – 20 (header for TCP/IP packet) – 8 (header for ICMP_ECHO packet), which is 65507 bytes.
Data that is received from a remote host is temporarily stored in a buffer. The TCP/IP stack usually does not reassemble the packet until it has received all of the fragmented packets that make up the whole packet. It knows how to reassemble the packet as the fragments contain not only the data but also an offset of where the data originates.
Malicious programs can forge packets such that the offset, along with the data size of the packet actually add up to being greater than the maximum allowed TCP/IP packet size of 65536. As machines usually implemented the buffer sized to the maximum size of the TCP/IP packet it is easy to see that as the machine reassembled the original packet by writing the data it received into the buffer, there would be overflow, as data overwrites beyond the now undersized buffer. In a poorly implemented TCP/IP stack this would crash the stack and usually the kernel too. Such kinds of programs have received the nomenclature of Ping of Death.
The smurf attack obtains its name from its source program. It utilises normal ICMP_ECHO requests, but not the kind from the ICMP attack that causes buffer overflow. It is an extremely powerful yet relatively simple attack to perpetrate.
The attacker spoofs their IP address to be the address of the targeted system. The attacker then proceeds to ping the broadcast address for the network from which they are hosted on or are going to use in their attack.
Generally all hosts will respond to a broadcast packet and depending on the type of packet that has been received reply with information. An example of proper use is the DHCP service that is used for dynamic IP address allocation on networks.
In the case of the attack, the data packet is an ICMP_ECHO, or ping packet and the intermediary systems that have been pinged now respond to the ping by replying with the received ping packet, as is normal operation. As the sender’s IP address has been spoofed with that of the target system the pings are sent back to the target system. The intermediary hosts are acting as amplifiers and reflectors, in that from the one attacker station the traffic has been amplified and sent on to the target system.
Figure 2 shows this kind of attack in operation. The number of hosts that respond to the broadcast ping from the attacker multiplies the traffic.
As an illustration consider a simple example. An attacker sends 500Kb/s of ping packets to the intermediary network of say 100 reflectors. The reflectors each respond to the ping flood and respond but to the spoofed IP address of the target who is now flooded with 100 * 500Kb/s which gives 50Mb/s of ping traffic to the target.
Generally there are two victims in this kind of attack, the reflector network and the actual target site.
Smurf is the TCP version of this kind of attack and Fraggle is the UDP version.
So far we have only discussed attacks originating from a single machine, or a coordinated group of attackers from disparate machines. The recent attacks discussed earlier were actually perpetrated in a much more ingenious fashion, involving possibly thousands of hosts in the attack.
Programs that fall into this category are Trin00, Tribe Flood Network, TFN2k and Stacheldraht. These are all programs that have a similar modus operandi and only differ slightly in communication ports and certain other less important features.
The attack is not instantaneous. The attacker first of all has to go through a sequence of set-up steps before they are ready to attack the target system.
First of all the attacker needs to break into external hosts. Usually one is set up as the master and code repository. Sniffer programs that listen in on well-known ports such as telnet or ftp will most probably have allowed the hacker access to the host. Once access to the master system has been gained various tricks may be employed to hide the existence of the new user (the attacker) by using such tools as root-kits. These tools replace the standard system tools and are set up to hide the processes that are owned by the attacker. They will most likely change programs such as ps, top, and network type commands.
Once a compromised host has been obtained the next phase starts. The attacker, using some form of remote control of the compromised master host installed with the root-kit, will then initiate a search for other desirable systems. Such systems will be those that exhibit, or are known to exhibit security loopholes, backdoors and compromises. A list is generated of discovered hosts.
The next steps start to take on level of automation. From the list generated in the previous step automated exploitation tools are used to then access these hosts. The tools include buffer overrun exploiters for network services such as ftp, RPC etc. Once the systems have been compromised agents report back to the attack master that they have succeeded.
The attacker needs to prepare (or already have prepared) suitable programs for the systems that may be a Unix type system, Linux, or other platform. There are two kinds of binaries. There are the handler binaries and the daemon or agent binaries. The actual attack programs, at the network front-line, are the daemons. Many daemons are controlled by a handler system, which in turn is controlled by a master system.
The final set-up phase of the attack happens when a script is then generated and automatically run. The script transfers the files from the master system to the handlers and other compromised hosts, readying them for an attack. Various stealth tricks may be employed by the programs to avoid detection. Such tricks include waking up, executing and then sleeping for a set period of time.
The power of this set-up phases is enormous. After the initial intrusion on the master host, the process is automated, with each captured host being used to attack further hosts, gain entry and gain control.
Figure 3 shows how a network of captured hosts would look like. Once the attacker has the systems under their control they are ready to launch multiple packet based attacks on the target host system.
Figure 3 - Distributed Denial of Service host network
The methods of attack that the compromised network can initiate include all of the discussed attack strategies of ICMP_ECHO attacks (ping flood), SYN flood attacks and Smurf or Fraggle attacks.
Attacks are set off by command line at the master station (labelled client in Figure 3), which is being controlled remotely by the attacker. With a single command the target host will be flooded with masses of traffic. The agents themselves will be running software that is IP spoofing to avoid tracing of the source machines.
A German hacker calling himself Mixter authored The Tribe Flood Network (or TFN) attack agent. TFN uses stealthy like communication paths by embedding the commands into ICMP_ECHO requests that are transmitted from the master machine and the commands themselves are sent and forged to look like standard replies to the standard ping command. Often the data part of an ICMP packet is not seriously monitored by systems and so is easily overlooked.
The client control stations (master hosts) contain an IP list of controlled and compromised systems and TFN tries to hide such lists by using encryption techniques on the file. This is to hinder attempts and discerning the spread of a network should a client controller machine be discovered.
The handlers talk to the agents by using ICMP_ECHOREPLY packets, which is again another stealthy technique as it stops the downstream hosts from responding to ICMP_ECHO packets. If the downstream machine (agent or daemon) needs to reply to its handler it will use ICMP_ECHOREPLY as well.
As with the Tribe Flood Network the source code for Trin00 became available after investigators of other DOS problems were witnessing an installation phase of Trin00.
The power of Trin00 was witnessed first hand by the University of Minnesota when an attack network of 227 hosts targeted an IRC server on campus and disabled the whole network on and off for three days.
Communication between the handlers and agents/daemons is done via both TCP and UDP on the ports 1524, 27665 using TCP and 27444, 31335 for UDP. Trin00 attacks using UDP flood.
Stacheldraht is a recent addition to the DOS attack agent scene. It has a choice of attack method from ICMP flood, SYN flood, UDP flood, and Smurf style attacks. The communications path between clients and handlers is, unlike the other attack software agents, encrypted to prevent other users or hackers listening in or using sniffers to hijack the attack network the hacker has set-up.
The agent uses a mixture of TCP and ICMP for its communication network between the master/handlers and the agents. Typical ports used are 16660 and 65000 by default. Also, the agents are able to automatically upgrade themselves by doing a remote copy from a specified server cache, something that the other attack agents cannot do, making this quite a potent DOS tool as agents can mutate to have different signatures, making detection difficult.
TFN2K is an update done by Mixture, the German author of TFN and incorporates new stealthy techniques to fool packet filters.
The spread of such DOS tools is disturbing and their ability to bring a network site to its knees is frightening to a network user, implementer and administrator alike. The problem of countering attacks falls into a multi-layer defence strategy.
First of all some of the attack strategies or propagation methods rely on known weaknesses within OS implementation and/or TCP/IP stack implementation. It is all too easy for a system to fall behind the latest level of release and not be adequately maintained by a system maintainer. The latest patches should be applied to any/all software used. This should start to close loopholes and well known security deficiencies in many systems.
Networks should implement differing forms of IP filtering at ingress points. Many of the attacks rely on IP spoofing. Typically the spoofed address is that of a target host which is usually on a different subnet.
Figure 4 - Ingress filtering
The above diagram shows a scenario where the attacker is on a particular subnet (192.168 class B address scheme). If the attacker on the given subnet spoofs an illegal address (that of the target system which is on a completely different subnet) the router of ISP A should detect that the IP address is incorrect. Attacks such as Fraggle and Smurf are powerful but they rely on spoofed IP addressing being allowed on the network. A rule something should be implemented at the router something like:
Packet comes from legal address in subnet then forward
If ISP A’s router discard the erroneous packets before they have propagated onto the network then spoofed packet entry is denied. Also if logs are maintained than evidence is retained at the ISP site of strange behaviour on an ingress link.
Another typical spoofing technique is to forge the IP address of packets to be originating from the target network. So the target’s ingress router should also be configured not to allow traffic into the target’s subnet that is claiming to have originated from the target subnet but is in fact coming in from say a neighbouring network.
The two types of malicious ICMP packets, ping-of-death and the ICMP_ECHO communication packets of the DOS agents are more difficult to counter. The useful tools such as ping and traceroute use ICMP_ECHO packets in their everyday use and denying access completely to such traffic would break these tools, and no doubt some others as well.
One solution alternative to blocking all ping like traffic is to block only fragmented pings. This will allow the standard 64-byte test ping and disable attack from ping-of-death. Also up-to-date patching of OS’s will rectify this problem.
For the other form ICMP malicious traffic detection and eradication becomes extremely difficult and involves third party software. As the control for the agents is embedded within the ICMP_ECHO packets the only clue that a system will receive that something is amiss is the sudden rise in that type of packet. Intrusion Detection Systems can do this kind of traffic profiling. Throttles could also be placed on the ingress side of a network so that if the ICMP_ECHO traffic breaks a certain limit than those kinds of packets are dropped. This is a tricky metric to generate and achieve correctly. To perform this kind of action support will probably be necessary from network specialists from the vendor of the routing equipment.
Throttling connections will also work for the SYN flood attack. Public access servers have capacities, which are easily measured and figured for how many connection attempts they should be able to handle. By throttling the SYN ingress rate the unruly consumption of resources during a SYN attack should be decreased. Further up-to-date patching of OS’s will also help as OS vendors have implemented such triggers in software too.
There are numerous tools that can be employed to see if a particular host has been compromised. These involve searching for fingerprints of the attack agents looking for well-known strings that are embedded in the binaries. One of these is available at http://staff.washington.edu/dittrich/misc/ddos_scan.tar and can scan for Trin00, TFN, Stacheldraht, or “gag” can be used to scan for Stacheldraht alone and is available at http://staff.washington.edu/dittrich/misc/sickenscan.tar. The FBI has a site where scanning tools can be downloaded for various platforms (but not Windows) at http://www.fbi.gov/nipc/trinoo.htm. Other tools include “lsof”, “sniffit” and “ngrep” that can be used to try and discover any daemons on local systems. These are obtainable at:
lsof - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
sniffit - http://sniffit.rug.ac.be/sniffit/sniffit.html
ngrep - http://www.packetfactory.net/ngrep/
There is a comprehensive set of online tools that users can use to test their computers for well-known footprints of attack agents. These can be seen at the Whitehats security site at http://dev.whitehats.com/scan/ddos/ddos.html.
More long-term solutions exist, or at least have been proposed. In a recent North American Network Operators Group, Robert Stone of UUNet proposed a network overlay for IP where dubious or interesting packets can be quickly and efficiently routed to specialist investigation routers that examine the contents of the packets. This would enable quick and simpler tracing of attacking connections, something at the moment that is difficult to do.
Steven Bellovin proposed via a white paper through the Internet Engineering Task Force a new set of ICMP messages that would enable a trace-back of packets. Every so often routers would emit ICMP packets with tracing information – similar in operation to call tracing of malicious phone calls. This would help identify originating hosts on a heavily used link. The traffic increase from the subnet may indicate a DOS attack. Further information can be found at http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt.
For a definitive source of information readers should go to David Dittrich’s website at the University of Washington. He has been instrumental in analysis of recent DOS tools featured earlier and has been worked with the CERT Coordination Centre on raising awareness of DOS attacks. He can be found at http://staff.washington.edu/dittrich/misc/ddos/.
Denial of service attacks and attack methods are maturing. From what started as pranks and random exploitation of security holes has become a coordinate suite of attack tools.
The denial of service attacks themselves are not so much “hacks” in the traditional sense of the word, although tools like TFN etc rely on “hacking” a root account on a host. The tools are, in fact, an exploitation of network hardware, software and protocol weaknesses.
The explosive growth of networking will have lead to many features such as security not being implemented – either through non-understanding of consequences or more than likely naivety. Who would have thought that someone would want to spoof an IP address?
There can be surely no doubt that the exploitation tools will mature further incorporating more exotic attack strategies, stealth and wider more easier propagation. Already TFN2K tries to get around boundary IP filtering.
High profile attacks such as those mentioned earlier can have damaging effects and it cannot be ruled out that some attacks may be financially motivated. What is required is a thorough understanding of the situation from anyone involved with networking.
A parallel can be drawn to the earlier “Internet problems” of spamming. First of all the spammers would send their mail via ordinary methods – but after mass complaints many had their email accounts and access shutdown. They moved to more esoteric means and started to exploit weaknesses in many mail transfer agents (MTA’s) such as sendmail. Many MTA’s would blindly forward mail from not only their host domains but also from anyone who connected to them. Complicated set-up rules had to be changed to stop this kind of activity – something a lot of system administrators had difficulty with and so neglected. It wasn’t until agencies such as The Open Relay Broadcast Organisation (Orb’s), who can be found at http://www.orbs.org, started to automatically test and record MTA’s did the problem really get addressed. Other MTA’s could subscribe to the Orb’s list and refuse mail from those that were open relay stations – this prompted system administrators to change the configuration files.
Likewise services should be implemented for network traffic. As network providers become more aware and ready to close down the loopholes they could subscribe to, or have knowledge of networks that say don’t adequately perform boundary IP filtering. Or if Steven Bellovin’s proposals get implemented than any network that doesn’t provide adequate tractability could have their traffic denied.
Network connectivity is increasing and with the rolling out in many countries of digital subscriber lines (DSL) the number of hosts with usable bandwidth will increase dramatically, allowing attackers to infiltrate even home user computers that are connected, via DSL lines, to the Internet permanently.
Mixter, the German hacker and TFN author puts forward his future visions of DOS attacks at http://packetstorm.securify.com/distributed/tfn3k.txt. He mentions some new thoughts and new attack methodologies.
Other possibilities for attack agents will also include greater use of encryption to hide payload contents of control packets (ICMP or other) – rotating and dynamic port usage to try and avoid long standing static connections and even logic bombing threats such as if a client or master is discovered the program “free-falls” into overwriting critical data.
It is going to be a difficult time for network operators and users alike unless rigorous guaranteed protection can be assured.
Internet Security Advisories, Cisco Corporation
RFC2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,
Free DDOS Scanning Service - Whitehats
CERT Advisory, The CERT Coordination Centre
Results of the Distributed-Systems Intruder Tools Workshop, The CERT Coordination Centre
Trinoo Analysis, David Dittrich
TFN Analysis, David Dittrich
Project Loki, Phrack Magazine
 To use the generic “paint all” phrase – and meaning those who perform illegal activities.
 Internet Relay Chat – an online, real-time chat network.
 Universal resource location – e.g. http://….
 Indicated by the client IP address.
 The core service that is within the kernel of the host machine OS
 called Neptune.
 Embedded within other protocols.
 RFC 792
 This kind of attack usually takes only one attempt at crippling a target host and it is very easy to set up a program to just start iterating through a set of target IP addresses.
 The broadcast address is usually of the form x.y.z.255 for a class c type IP addressing scheme.
 Apparently German for “barbed wire”.
 Open source in the hacker community – hack someone else’s hacking tool and call it your own.
 Ideal master sites are sites that have high bandwidth connectivity and have many users.
 Source of picture - http://www.cisco.com/warp/public/707/newsflash.html
 The source code for TFN became available after it was intercepted during an active propagation session was discovered on a host computer.
 See http://staff.washington.edu/dittrich/misc/trinoo.analysis Appendix D for a fuller transcript of the occurrence.
 By default, but this may change if the source code is edited by an attacker.
 In a version of Irix, for SGI machines, it is reported that for incoming connections checks were implemented so as to not break the 64k barrier but not for outgoing connections. This is rumoured to have enabled administrators to counter-attack an attacker.
 Bulk sending of unsolicited email.
 and ultimately accountability?