The Continuing Threat of Large Scale Physical Attacks being Launched from the Internet
December 2005
Introduction
Whilst browsing various web sites related to security and information warfare in April 2003 I came upon a very interesting paper: 'Defending against an Internet-based attack on the Physical World' by Byers, Rubin and Kormann. The paper discusses the dangers to society posed by physical processes being controlled or initiated from the Internet. If every action taken on the Internet triggers a corresponding action in the real world, the process is open to abuse because online activity is so easy to automate. The original paper is included here for convenience. Reading it before continuing with this page is not essential but is recommended and will give you a better understanding of the issues.
The Attack
The paper by Byers et al. describes a very novel attack that they came up with. It is essentially a form of distributed denial-of-service (DDoS) attack. What makes it different to the multitude of DDoS attacks already known is that the attack takes place in the physical world, using the postal system. Only the initiation of the attack happens online. The theory of the attack is to use automated software which seeks out web forms that can be used to request catalogues and other literature from companies. The software submits a target address to each of these forms, resulting in a large volume of junk mail being received by the target from multiple sources.
At first glance this may seem like no big deal. Indeed, manually signing someone up to receive junk mail has been a common method of harassment for years. The important thing to realise is that there is an incredible difference in scale between that and what is described here. Manually filling in web forms is time consuming, even using cut and paste. You could imagine that someone carrying this attack out by hand might fill out 50 forms if he is very determined and doesn't mind spending the whole afternoon. By automating the process, it would be possible to fill in tens of thousands of forms in the same time. This transforms an annoying prank into something much more serious.
The victim of such an attack, whether an individual or an organisation, faces the non-trivial task of finding their legitimate mail amongst the flood of junk mail. The junk mail also needs to be disposed of. This is similar to the problem faced by an Internet user who receives large volumes of spam. However, online there are software solutions to the problem. Mail filtering software can automatically delete email that seems to be spam, or at least direct it to a separate mail folder. When dealing with physical mail no such solution exists.
I have developed a proof of concept script that implements this attack. I wrote the code in April 2003 shortly after reading the paper. However, I have never made it public before now due to concerns about it being misused. Byers et al. came up with the theory of the attack in September 2000 but did not publish their work until over two years later for the same reason. The original paper has been out for long enough now for people to be aware of the issue and for people to have written their own implementation, so I no longer feel that it's a problem to release this script.
The Script
The source code to the Perl script can be downloaded here. A step-by-step explanation of the script's operation follows.
- The user configures the script with the target's name, address, phone number and other contact details. An API key must also be obtained free of charge from Google and entered into the script. Optionally an HTTP proxy can also be provided to hide the origin of the attack.
- The script uses the Google API to compile a list of 1000 URLs. Each URL is that of a web form that accepts a person's name and address so that the web site's operator can send out a catalogue or brochure.
- The script then connects to the first URL, using the anonymous HTTP proxy if so configured. The USER_AGENT variable is spoofed to make the script appear to be a standard web browser.
- The script enters the target's contact details into the fields of the form. Once done it outputs the form URL and the name of each field along with the value it has entered. This can be redirected to a text file and examined later to see exactly what the script has done. Provided debug mode is switched off, the form is now submitted.
- The previous two steps are repeated for all 1000 URLs. The script then terminates.
Prevention
So why release this script to the public? I recently used Google to search for catalogue request forms, the first stage of the attack. I was hoping to see a large proportion of the returned forms had some method of preventing unauthorised automated submissions. In fact this was the case for none of the forms I inspected. It is currently over two and a half years since the Byers-Rubin-Kormann paper was made public. So the reason for releasing source code for an attack script is to show that it isn't just a theoretical issue of interest only to academics.
The obvious way to make this attack no longer viable is to make one of the steps carried out by the script require human interaction. The whole attack depends on automation, so once one or more steps require a human the attack is defeated. Requiring human interaction for search engine APIs or for form parsers is not practical. The place to require human interaction is at the stage of submitting the form.
One way to insert human beings into the process is for companies to always telephone someone who requests a catalogue to confirm before posting it. This seems like a good idea at first as the catalogues would never make it into the postal system. However, for every piece of junk mail that the target would have received, he now receives a telephone call instead. So really all this would do is transform the attack from DDoS by post into DDoS by telephone. It is debatable which would have more of an impact. Also, since it requires more time, effort and expense on behalf of companies there would probably be resistance to implementing this.
The best way to make this attack impossible is for web designers to always implement a Turing test as part of this kind of web form. Many free email and web hosting providers already use this on their account sign-up page to prevent automated account creation. It is usually in the form of an image showing a word, with the letters quite distorted. You are required to enter the word into a field on the form. A human can do this but software cannot. Since the technology is already in wide use it would be easy for companies to use the same method on their catalogue request forms. If this became widespread the attack described above could not be done as a human would need to interact with every single form.
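One way a catalogue request handler could enforce the Turing test described above, as an added example that is not code from the original article or its script. The function names, the server key and the five-minute lifetime are assumptions, and drawing the distorted image is left to whatever CAPTCHA library the site uses. Each challenge is signed, expires, and is spent after one attempt, so a single solved image cannot be reused across many submissions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
CHALLENGE_TTL = 300                   # assumption: seconds a rendered form stays valid
_spent_nonces = set()                 # assumption: in-memory; use a shared store with expiry in production

def _mac(*parts):
    msg = "|".join(str(p) for p in parts).encode(errors="replace")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def _same(a, b):
    # constant-time comparison of two MAC strings
    return hmac.compare_digest(a.encode(errors="replace"), b.encode())

def issue_challenge(answer, now=None):
    """Build the hidden-field token for one rendered form.
    `answer` is the word drawn in the distorted image; only its keyed MAC leaves the server."""
    expires = int(time.time() if now is None else now) + CHALLENGE_TTL
    nonce = secrets.token_hex(16)
    return ".".join([nonce, str(expires), _mac("tok", nonce, expires),
                     _mac("ans", nonce, expires, answer.strip().lower())])

def verify_submission(token, typed, now=None):
    """Return (accepted, reason); call this before a catalogue request is queued for posting."""
    now = time.time() if now is None else now
    try:
        nonce, expires, tok_mac, ans_mac = token.split(".")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False, "malformed token"
    if not _same(tok_mac, _mac("tok", nonce, expires)):
        return False, "forged token"
    if now > expires:
        return False, "challenge expired"
    if nonce in _spent_nonces:
        return False, "challenge already used"
    _spent_nonces.add(nonce)  # one attempt per challenge, right or wrong
    if not _same(ans_mac, _mac("ans", nonce, expires, typed.strip().lower())):
        return False, "wrong answer"
    return True, "ok"
```

A wrong answer also spends the challenge, so the form must be re-rendered with a fresh image and token after every failed attempt.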
Conclusion
Hopefully publishing this simple script will alert more people to the potential danger and result in more companies taking the precaution detailed above. It is currently possible for individuals or groups with moderate technical skills and little or no funding to launch quite damaging attacks against target organisations anywhere in the world. The script provided here is limited in some important ways but engineering software without those limitations is not difficult.