Introduction
Yahoo, Buy.com and many other large commercial sites have been the target of so-called "DoS" or Denial of Service attacks. The attacks themselves aren't very complex: attackers simply send so many requests to a server, or "flood" it, that other Internet users cannot communicate with it. Access is blocked for other visitors because the server is so busy responding to the attackers' flood of requests that it has no time left to handle anything else. In the end such a server can crash.
Denial of Service in more detail
Normally, when an Internet user wants to visit a server on the Net, the visitor sends a message to that server letting it know he or she wants access. The server replies (when available), and the exchange continues until the connection is established. In a DoS attack, however, the requests come from an address that does not exist.
That means that in such an attack, the attacker sends, for example, several requests to a server, each with a fake return address. The server can't find where the requests are coming from and goes into a "waiting state", which can last, for example, 60 seconds. After the waiting state the server closes the connection. However, the DoS attackers keep sending such fake requests, overwhelming and flooding the server so that nobody else can access it and/or until the server shuts down or crashes.
How are DoS attacks organized?
To launch these attacks, hackers install so-called DDoS or "Distributed Denial of Service" tools on various computers. Usually the owners of these computers do not know such a tool is installed on their system. Installing the DDoS tool on many computers gives the attacker a network of hosts from which to launch a coordinated attack against a server, with every computer (host) that contains the DDoS tool joining in. Sounds scary, doesn't it? Examples of DDoS tools are TRINOO (trinoo daemon, trinoo master) and Tribe Flood Network (tfn daemon, tfn client, tfn-rush client, tfn2k client, tfn2k daemon). If you want to know how to detect such DDoS tools, see "What can you do against DoS?" below.
Is a DoS attack the same as so called ping or ICMP attacks?
IP addresses are the addresses of computers on the Internet. In some multiplayer games such as Quake I, where the IP addresses of players are visible, a well-known problem was that some people would send very large ping requests to another player, slowing down the victim's connection. Such an attack could make it impossible for the victim to continue playing the game. This is also caused by flooding, but the major difference is that such a ping request is sent from a real IP address instead of a fake one. Because the attacker usually requests a large amount of data in the ping request, and the victim's computer usually returns this large amount of data in an answer to the attacker's IP address, that answer simply "eats up" the victim's bandwidth (and usually the attacker's too). So this problem differs from DoS attacks in many ways, but also has some similarities. By the way, ping is "normally" used to check the throughput of data from "point A" to "point B" on the Internet.
What can you do against DoS?
Software such as sniffers and filters can help protect a server, and special scanners can help you detect whether your own or your company's computer has DDoS tools installed on it. A software tool can be downloaded from the FBI's website that helps you or your company detect the presence of DDoS (distributed denial of service) tools on a computer; these are the tools that "team up" to launch a coordinated attack triggered by a hacker. Network Associates also has software that can help protect your system: CyberCop Scanner.
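On the server side, the "waiting state" described earlier can be spotted by counting connections that never complete. The following is an added example, not part of the original article: it assumes the waiting state is TCP's SYN_RECV state as listed by Linux `netstat -tan`, and the sample lines, addresses and alert threshold are all constructed for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed rows in `netstat -tan` column order:
    proto, recv-q, send-q, local address, foreign address, state.
    Addresses come from documentation ranges; nothing here is captured data."""
    lines = ["Proto Recv-Q Send-Q Local Address Foreign Address State",
             "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN",
             "tcp 0 0 192.0.2.10:22 198.51.100.7:51514 ESTABLISHED",
             "tcp 0 0 192.0.2.10:80 198.51.100.8:40000 ESTABLISHED",
             "tcp 0 0 192.0.2.10:80 198.51.100.9:40001 SYN_RECV"]
    # 40 more half-open entries on port 80, each from a different source
    lines += [f"tcp 0 0 192.0.2.10:80 203.0.113.{i}:{30000 + i} SYN_RECV"
              for i in range(1, 41)]
    return lines

def half_open_report(lines, threshold=20):
    """Summarise, per local endpoint, connections stuck in the waiting state.

    threshold is an assumed alert level and must be tuned per server."""
    waiting = Counter()
    established = Counter()
    sources = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # header row or non-TCP entry
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "SYN_RECV":
            waiting[local] += 1
            # Many distinct sources that never answer suggest fake addresses
            sources[local].add(remote.rsplit(":", 1)[0])
        elif state == "ESTABLISHED":
            established[local] += 1
    return {
        local: {
            "half_open": count,
            "established": established[local],
            "distinct_sources": len(sources[local]),
            "alert": count >= threshold,
        }
        for local, count in waiting.items()
    }

if __name__ == "__main__":
    for endpoint, stats in half_open_report(build_sample()).items():
        print(endpoint, stats)
```

A busy server always has a few connections in this state, so the useful signal is a half-open count that stays far above the number of established connections.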
Other sites/pages for more information about DoS attacks: