Frequently asked questions:
Note: "Macintosh" used below means an Apple Computer "Macintosh" computer using MacOS 9, the latest Macintosh operating system, or MacOS 8.6 on the following hardware models: PowerMacintosh G4, iBook, and iMac (Slot-loading) computers.
Q. Does the Macintosh need to be infected with a virus before participating in a Mac DoS Attack?
A. No. The attacker uses an "unintended feature" in the Internet networking software (Open Transport, the component that the "OT Tuner" patch fixes) shipped as part of MacOS 9. Any OS9 Macintosh connected to the Internet can be used. To be an effective tool for the cyber-attacker, the Macintosh must have a high-speed (cable modem or ADSL) Internet connection, since the volume of the ICMP stream it can send is limited by the speed of its link.
Q. How would an attacker know that my Mac is connected to the Internet?
A. The attacker uses a "scan" program that sends probe datagrams (Internet data packets) to every address assigned to a company that supplies cable modem or ADSL services. The OS9 Macintoshes respond to the probe datagram with a distinctive 1500-byte ICMP datagram that includes their Internet addresses. The attacker builds up a list of addresses that are used later in the Attack Phase.
Q. Will my Macintosh be damaged?
A. You may not even notice that your Macintosh is being used. On the other hand, the attacker does not care about damage and may drive your computer so hard that it will be damaged. Apple has publicly released the "OT Tuner" that fixes the problem. You should apply the patch to make it impossible for a cyber-terrorist to use your computer to attack someone else.
Q. How did you discover this scheme?
A. While doing research on Internet hacker activities, I saw probe packets coming to a Macintosh that I did not understand. I noticed the large ICMP datagrams that the Macintosh sent back that did not conform to Internet protocol standards. I wrote and used a special computer program to send similar probe datagrams to a section of the Georgia Tech network which connects to many types of computers. Only OS9 Macintoshes responded in any unusual way. I concluded this particular probe datagram was designed to detect OS9 Macintoshes.
Q. Why would anyone want to collect Internet addresses of Macintosh computers?
A. Criminal hackers frequently want to break into computers and steal data, alter information, or run their own programs which might be used to locate (on the Internet) and break into other computers. Since, as far as I know, there is not a way to break into a Macintosh, the intent must be to use them as part of a "Denial of Service (DoS)" attack. These attacks jam an organization's connecting link to the Internet, effectively cutting them off. The scan datagrams detected would be just the first phase of the scheme, the "Scanning Phase." Next would come the "Attack Phase."
Q. What is the "Attack Phase"?
A. In the attack phase a computer on the Internet, probably a LINUX or UNIX machine, will send "trigger datagrams" to 40 or more OS9 Macintoshes (slaves) in rapid succession. The trigger datagrams carry a false (spoofed) source address, that of a computer in the target organization, so each slave's reply goes to the target rather than back to the attacker. The result is that all the slaves send a rapid, steady stream of 1500-byte ICMP packets at the target organization.
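As an added example (not code from this page's author, CERT, or Apple), the following Python script shows what a network operator could look for in a packet capture during either phase. It uses a simplified, constructed record format (epoch seconds, source, destination, protocol, datagram length), not exact tcpdump output, and it does not model the contents of the probe or trigger datagrams, which this page does not describe. It keys only on what the page does state: a local host answering an off-net packet with a 1500-byte ICMP datagram (the scanning phase, described in the question about how an attacker finds your Mac), and many sources sending a steady stream of 1500-byte ICMP datagrams at one destination (the attack phase). The local network prefix, the addresses, and the rate thresholds are assumptions for illustration.

```python
"""Detection logic for the two phases described on this page, run over
constructed tcpdump-like records.  Added example; record format, addresses,
network prefix and thresholds are assumptions, not from the page or Apple."""
from collections import defaultdict

# Constructed scanning-phase records: "<epoch> <src> > <dst> <proto> len=<bytes>".
# 203.0.113.7 plays the scanner; 10.1.2.0/24 is the monitored (local) network.
SCAN_SAMPLE = """\
946339200.000 203.0.113.7 > 10.1.2.3 UDP len=60
946339200.004 10.1.2.3 > 203.0.113.7 ICMP len=1500
946339200.010 203.0.113.7 > 10.1.2.4 UDP len=60
946339200.012 10.1.2.4 > 203.0.113.7 UDP len=60
946339200.020 203.0.113.7 > 10.1.2.9 UDP len=60
946339200.023 10.1.2.9 > 203.0.113.7 ICMP len=1500
"""


def build_sample():
    """Scanning-phase records followed by a constructed attack-phase burst:
    three slaves each sending 25 1500-byte ICMP datagrams at 198.51.100.20
    within one second.  The trigger datagram contents are not modeled; only
    its spoofed source address (the target's) is represented."""
    lines = SCAN_SAMPLE.splitlines()
    base = 946339300.0
    for src in ("10.1.2.3", "10.1.2.9", "172.16.5.5"):
        lines.append(f"{base:.3f} 198.51.100.20 > {src} UDP len=60")  # spoofed trigger
        for i in range(25):
            lines.append(f"{base + 0.01 + i * 0.03:.3f} {src} > 198.51.100.20 ICMP len=1500")
    return "\n".join(lines)


def parse_records(text):
    """Parse the constructed record format into (ts, src, dst, proto, length)."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _arrow, dst, proto, length = line.split()
        recs.append((float(ts), src, dst, proto, int(length.split("=", 1)[1])))
    return recs


def probe_responders(recs, local_prefix, reply_window=0.5):
    """Scanning-phase signature: local hosts that answer an off-net datagram
    with a 1500-byte ICMP datagram within reply_window seconds.  On your own
    network these are the hosts that still need the OT Tuner patch."""
    last_inbound = {}  # (local host, remote host) -> time of latest inbound packet
    found = set()
    for ts, src, dst, proto, length in recs:
        if dst.startswith(local_prefix) and not src.startswith(local_prefix):
            last_inbound[(dst, src)] = ts
        elif src.startswith(local_prefix) and proto == "ICMP" and length == 1500:
            t0 = last_inbound.get((src, dst))
            if t0 is not None and ts - t0 <= reply_window:
                found.add(src)
    return sorted(found)


def flood_targets(recs, window=1.0, min_pkts=20, min_sources=3):
    """Attack-phase signature: destinations receiving at least min_pkts
    1500-byte ICMP datagrams per window from each of min_sources or more
    sources.  Returns {target: [sources]}; a single 1500-byte reply (the
    scanning phase) does not reach the threshold."""
    counts = defaultdict(int)  # (dst, src, window bucket) -> packets
    for ts, src, dst, proto, length in recs:
        if proto == "ICMP" and length == 1500:
            counts[(dst, src, int(ts // window))] += 1
    sources = defaultdict(set)
    for (dst, src, _bucket), n in counts.items():
        if n >= min_pkts:
            sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    records = parse_records(build_sample())
    print("local hosts answering probes with 1500-byte ICMP:",
          probe_responders(records, "10.1.2."))
    print("targets of a multi-source 1500-byte ICMP flood:", flood_targets(records))
```

Both checks are deliberately conservative: the first only fires when a 1500-byte ICMP datagram follows an inbound packet from the same off-net address, and the second only when several sources sustain the stream into the same destination, so ordinary single echo replies and a single busy host do not trip it. The thresholds are starting points; tune them against the traffic on the link you actually monitor.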
Q. Is the information you posted on your Web site a recipe for cyber-terrorists?
A. There is a technical trick that must be used in the trigger pulses that is not described on the Web. I have made the information and implementing code available to the Computer Emergency Response Team (CERT) at Carnegie Mellon and to Apple Computer. Apple Computer has reported by email to CERT that they duplicated the problem in their lab, and are developing a fix.
Q. Have you seen the "Attack Phase"?
A. Fortunately I have not seen the "Attack Phase" in operation yet, except the attacks I launched to prove the possibility. These attacks used several Macintosh computers at Georgia Tech to flood my cable modem which is on a completely different network. This was equivalent to flooding a T-1 connection that many businesses use to connect to the Internet.
Q. Why is this being done?
A. I believe an international group is building up the infrastructure for a New Year's Eve attack that will paralyze large segments of the Internet. Web sites that people will try to access for Y2K information are prime candidates, as are news services such as CNN.com.
Q. What do the attackers need to do besides making lists of Macintoshes' network addresses?
A. They must break into other computers (Windows, NT, LINUX, UNIX, ...) to install the attack control program. Most of the scan probes I see are designed to locate those types of computers on the Internet and probe for known weaknesses that can be used to break into those machines. There may be many such computers with attack programs already installed and keyed to start on New Years Eve.
Q. What is being done to stop this possible attack?
A. The Computer Emergency Response Team (CERT) plans to issue an Advisory on Tuesday 12/28/99. This will alert network operators of the potential problem (but will not directly reach the public).
Apple Computer engineers have developed a fix (OT Tuner) but have not formally released it yet. In fact, I have not yet seen a public statement from Apple (12/27 4:00 pm EST).
Forum of Incident Response and Security Teams (FIRST) has issued an advisory to its members.
The Cisco P.S. Incident Response Team has been notified so they can develop advice for Cisco's customers.
Q. What remains to be done?
Apple Computer must publicly release the fix, the "OT Tuner."
Individual Macintosh owners must learn about the "OT Tuner" and install it, or disconnect their Macintoshes from the Internet when they are not actively using them.
These things must be done before New Years Eve, to prevent the possibility of a faux-Y2K event.
Q. How do I know this is not a hoax?
Look at the CERT Advisory, and discussion on well-known Web sites:
Slash Dot (Computer-phile Web Page) http://slashdot.org/articles/99/12/28/146258.shtml
Apple - "OT Tuner Information" - http://asu.info.apple.com/swupdates.nsf/artnum/n11559
Mac Resource - http://www.macresource.com/
MacInTouch.com - http://www.macintouch.com/macattack.html
MacWeek.com - http://macweek.zdnet.com/1999/12/26/dosbug.html