ZDNet: DoS attacks: What really happened

“A 15-year-old Canadian computer vandal was charged with
toppling CNN.com this week, allowing security experts a bit more
freedom to speak about the incident. At least in the case of CNN,
and perhaps two of the other attacks, the very device that was in
place to defend the site was actually used to cripple it.”

“Routers often have Access Control Lists, a set of instructions
about what kind of traffic to allow into a network – and what kind
of traffic to deny. For example, computers talk to each other by
connecting to “ports.” All Web traffic occurs on port 80, and that’s
generally considered safe traffic, and the Access Control List
would instruct the router to allow port 80 traffic through. Traffic
headed for another port known to be used by computer criminals can
be denied.”

“The custom distributed denial of service tool used to attack CNN,
the one allegedly used by mafiaboy… sent so-called synchronization
packets, or attempts to connect, to random ports, ranging from 2 to
400. That meant each packet had to be approved by the access control
list – normally, synchronization packets are followed by legitimate
traffic which simply flows through the router. Quickly, the router’s
memory was consumed and stopped functioning.”
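As an added example (not from the ZDNet article or this post), the following Python flags sources whose connection attempts scatter across many low ports without ever completing, the pattern the article describes; the flow records, the port range 2–400 and the threshold are constructed assumptions.

```python
"""Detect sources whose SYNs scatter across many low ports (2-400)
and are never followed by real traffic on those ports."""
from collections import defaultdict

# Constructed sample flow records: (source, destination port, TCP flags).
# "S" is a bare SYN; any other flag set means the connection went on to
# carry legitimate traffic, as the article says normal SYNs do.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, "S"), ("10.0.0.5", 80, "A"), ("10.0.0.5", 80, "PA"),  # normal web client
    ("10.0.0.7", 443, "S"), ("10.0.0.7", 443, "A"),                         # outside 2-400, ignored
] + [("192.0.2.99", p, "S") for p in (2, 17, 23, 81, 129, 200, 255, 301, 377, 400)]  # scattered SYNs


def syn_scatter_sources(flows, low=2, high=400, min_ports=8):
    """Return {source: sorted dangling ports} for every source that sent SYNs to
    at least `min_ports` distinct ports in [low, high] with no follow-up segment."""
    syn_ports = defaultdict(set)   # ports each source sent a bare SYN to
    followed = defaultdict(set)    # ports where the same source later sent more
    for src, port, flags in flows:
        if not (low <= port <= high):
            continue               # only the low port range the article names
        if flags == "S":
            syn_ports[src].add(port)
        else:
            followed[src].add(port)
    result = {}
    for src, ports in syn_ports.items():
        dangling = ports - followed[src]   # SYNs that never became a session
        if len(dangling) >= min_ports:
            result[src] = sorted(dangling)
    return result


if __name__ == "__main__":
    for src, ports in syn_scatter_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {len(ports)} dangling SYNs on ports {ports}")
```

A legitimate client that opens one web connection is not flagged because its SYN is followed by data on the same port; only the source spraying bare SYNs across the low range is reported.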