ZDNet: DoS attacks: What really happened
Apr 20, 2000, 15:56
(Other stories by Bob Sullivan)
"A 15-year-old Canadian computer vandal was charged with toppling CNN.com this week, allowing security experts a bit more freedom to speak about the incident. At least in the case of CNN, and perhaps two of the other attacks, the very device that was in place to defend the site was actually used to cripple it."
"Routers often have Access Control Lists, a set of instructions about what kind of traffic to allow into a network - and what kind of traffic to deny. For example, computers talk to each other by connecting to "ports." All Web traffic occurs on port 80, and that's generally considered safe traffic, and the Access Control List would instruct the router to allow port 80 traffic through. Traffic headed for another port known to be used by computer criminals can be denied."
"The custom distributed denial of service tool used to attack CNN, the one allegedly used by mafiaboy... sent so-called synchronization packets, or attempts to connect, to random ports, ranging from 2 to 400. That meant each packet had to be approved by the access control list - normally, synchronization packets are followed by legitimate traffic which simply flows through the router. Quickly, the router's memory was consumed and stopped functioning."
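
The traffic pattern the article describes (bare connection attempts spread across ports 2 to 400, with no follow-up traffic) can be picked out of packet or flow records at the network edge. The following is an added detection sketch, not code from the ZDNet article; the record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def scattered_syn_alerts(packets, window=1.0, min_ports=20, max_completed=0.1):
    """Return [(dst, window_start, distinct_ports, completed_ratio)] for suspicious windows.

    packets: list of (ts_seconds, src, dst, dst_port, flags) seen inbound at the router.
    flags "S" is a bare SYN; "A" is a later ACK from the same client, meaning the
    connection attempt was followed by real traffic. (Assumed record layout.)
    """
    # Flows whose SYN was eventually followed by an ACK from the client.
    acked = {(src, dst, port) for _, src, dst, port, flags in packets if flags == "A"}
    syn_flows = defaultdict(set)  # (dst, window index) -> {(src, dst_port)}
    for ts, src, dst, port, flags in packets:
        if flags == "S":
            syn_flows[(dst, int(ts // window))].add((src, port))
    alerts = []
    for (dst, idx), flows in sorted(syn_flows.items()):
        ports = {port for _, port in flows}
        completed = sum((src, dst, port) in acked for src, port in flows)
        ratio = completed / len(flows)
        # Many distinct ports plus almost no completed handshakes: every packet is
        # a fresh ACL decision for the router and none turns into a session.
        if len(ports) >= min_ports and ratio <= max_completed:
            alerts.append((dst, idx * window, len(ports), ratio))
    return alerts

def constructed_sample():
    """Constructed records, not captured traffic; all addresses are documentation ranges."""
    pkts = []
    # Window 0: ordinary browsing, each SYN to port 80 is followed by the client's ACK.
    for i in range(10):
        src = f"198.51.100.{i + 1}"
        pkts.append((0.05 * i, src, "192.0.2.10", 80, "S"))
        pkts.append((0.05 * i + 0.02, src, "192.0.2.10", 80, "A"))
    # Window 1: bare SYNs to scattered ports in 2..400, never followed by an ACK.
    for i in range(60):
        src = f"203.0.113.{i + 1}"
        pkts.append((1.0 + 0.01 * i, src, "192.0.2.10", 2 + (i * 13) % 399, "S"))
    return pkts

if __name__ == "__main__":
    for alert in scattered_syn_alerts(constructed_sample()):
        print("scattered SYN pattern:", alert)
```

The thresholds are placeholders to tune against a site's normal traffic; a single busy web server sees many SYNs, but nearly all on one port and nearly all completed.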