This article was written by Keith Dawson for's DigitalMASS Internet column. It is archived here for informational purposes only because it no longer appears on the DigitalMASS site. This material is Copyright 2000 by

Life, liberty, and Net anonymity

Keith Dawson

Janet Reno is on a tear against Internet anonymity. Somehow the recent denial-of-service attacks are supposed to buttress the assertion that anonymity online is a "thorny problem" that law enforcement needs new laws, new budget, and new tools to solve.

Let's get two things straight. First, anonymity is not a thorny problem, it's a basic American Constitutional right. Second, the methods used by the unknown DoS perpetrators to cover their tracks had very little to do with anonymity.

The right to speak anonymously has long and deep roots in this country, beginning with Thomas Paine's polemic Common Sense, which he published as "An Englishman." As recently as 1995 the US Supreme Court has held that the Constitution grants citizens the right to speak anonymously. Abolitionists and reformers have used anonymity to avoid retribution, as have oppressed Kosovar Albanians in the present day. Alcoholics, victims of abuse, and whistleblowers benefit from anonymity both on the Net and off. News reporters' sources enjoy extra-strength guarantees of anonymity via the First Amendment. Weakening online anonymity could weaken these guarantees by the argument that on the Internet everyone is a publisher.

Let's look at some of the techniques the DoS perps might have employed to hide so completely.

A big part of their stealth was built into the tools they used to bombard, Yahoo, and the other victims. Distributed denial-of-service tools such as trinoo and Tribe Flood Network are carefully designed to baffle tracing and detection. The Net traffic that clogs the victim's network comes from many compromised "zombie" systems. In one mode of attack each Internet packet the zombies send appears to originate from a different, random IP address. Each zombie is triggered to attack by a single, short, possibly encrypted command sent from yet another compromised system (the "master") somewhere on the Net. The zombie machines are all listening for this command on a port whose number is known only to the perpetrators. Users of the zombies might not even notice any slowdown while their machines are bombarding a victim.

The perps enlisted probably hundreds of innocent machines around the Net as zombies to carry out the attacks. Some were at universities where security may take a back seat to open access. They discovered and compromised these victim machines in advance, up to several months before the attacks were mounted.

Here's how a careful system cracker might have proceeded to generate a zombie army.

  • Start with one of the AOL 500-hours-free trial CDs that now blanket North American to an approximate depth of three feet.
  • Or use a previously compromised dial-up account whose details you learned in an IRC chat room.
  • Probe, visit, crack, and infect systems on the Net only through a chain of at least 3 previously compromised systems, preferably on several continents.
  • Encrypt every session by using ssh -- never telnet -- to hopscotch across the "owned" systems.

Once a new system was penetrated, it would be infected with a "root kit," replacing a dozen or more system programs with back-doored versions that look and smell identical. (Root kits are easily available for common Internet operating systems.) Finally, on the way out the door our perp would alter system log files so that no trace of the visit would linger.

The DDoS perps may have done by hand all the work of compromising a few hundred systems. But some knowledgeable analysts claim that automated tools exist that can root-compromise large numbers of systems and automatically install DDoS agents. (If such tools do exist, they are closely held.)

In this scenario our perps didn't gain any particular advantage from anonymity. Their invisibility relied on craft, guile, and clever programming (not necessarily their own). What benefits would law enforcement derive from limiting Net anonymity? If US laws were passed requiring an ironclad and verifiable identity for every Internet user, any person in one of 260-odd other countries could still remain anonymous. If every device on the worldwide Internet were required to generate a unique ID, how would you force every piece of software to do the same? If every US ISP were required to keep detailed records the way phone companies must, how would you track someone who didn't enter the Net through a US ISP?