David Berlind's Reality Check
By David Berlind
March 18, 2004
You may not be aware that your business and personal Internet connections can be indiscriminately targeted for a Distributed Denial of Service (DDoS) attack at the whim of just about any other Internet user to whom your connection's IP address is exposed. What may also come as a surprise is that there isn't much you can do about it, technically or legally. Although DDoS attacks violate legal statutes, the "law" and even your ISP may prove uninterested in your plight, as they were in mine when my Internet connection was singled out for such an attack. Unlike other Internet threats such as viruses and spam, there are no patches, personal firewalls, or other technical measures that businesses or individuals using DSL or cable modem-based Internet connections can take that will guarantee immunity from such transgressions. As far as I can tell, no agency or organization has taken on this vulnerability as an action item that needs to be addressed.

When an Internet connection is victimized by a DDoS attack, it usually means that it was purposely overwhelmed with enough traffic from two or more other systems (thus "distributed") to deny the reliable passage of any legitimate traffic. Unfortunately, most, if not all, tools and services designed to thwart a DDoS attack are developed for large corporations and hosting centers with commercial-grade Internet connections, and even commercial-class countermeasures don't always work. Although Microsoft was recently able to fend off the DDoS attack connected with the e-mail-borne MyDoom virus, the SCO Group eventually buckled under the load. To make matters worse, with no cost-effective tools or services at their disposal, businesses and individuals with sub-commercial-grade connections rely almost entirely on their Internet Service Providers (ISPs) to shield them from such attacks.
According to Steve Woo, vice president of marketing and business development at carrier-class DDoS security appliance provider Riverhead Networks, "Businesses aren't getting a lot of help from their ISPs either. One of the reasons is how surprisingly easy it is to launch a DDoS on lower bandwidth connections in a way that it slips below the radar of any solution that's on the lookout for such an attack." Woo was alluding to the sort of forensics that security appliances use to spot DDoS attacks. As happened with SCO, big attacks involving hundreds or thousands of distributed systems all firing the same sort of traffic at one IP address or Web site are easy to spot. However, it's much more difficult to spot a DDoS when only two systems are involved in an attack on a lower-bandwidth connection. As I learned from personal experience, that's all it takes to bring down a cable or DSL-based connection. To add insult to injury, the tools to do it are easily downloaded off the Internet.

Recently, my broadband connection was singled out for such an attack by the administrator of the online gaming server to which my son's computer was connected. The chat logs, which I monitor using a variety of surveillance tools, verify that via AOL Instant Messenger (AIM), the perpetrator wrote to my son that he would bring down our Internet connection. My teenage son responded with, "Yeah, right." Moments later, poof, our entire household, including the system that I was using to do my job (telecommuters take note), was knocked off the Internet. My router's log indicated a flood of traffic coming from two IP addresses, each in a different state. Despite pleas to my ISP, service was not restored until an hour later, when the attacker decided to back off. How did I know he backed off? When my son's AIM client sprang back to life, the attacker opened a line of communication with my son to brag about what he'd just done. I was stunned. It was that easy. Pick a target and shut it down.
This is not just a wake-up call for telecommuters who rely on their connections to get their jobs done. It should be a wake-up call to any company that has either widely embraced a telecommuting-based culture or is considering such a move. To the extent that companies depend on the reliability of their employees' connections, these mini-DDoSes represent a vulnerability over which they have no control.
Other than staying off the Internet, there's not much that can be done to avoid attacks. In my case, the attacker used the logs from the gaming server he was administering to determine our IP address. Providing your IP address to would-be DDoS perpetrators is like giving thieves the keys to your house with instructions on where to find and how to open the safe in your wall. Whereas you know how to safeguard the information about the safe in your wall, hiding your IP address from other systems to which your systems are connecting isn't so simple. That's because your system and the systems it connects to rely on IP addresses to complete their communication. Third-party proxy services, whose sole purpose is to hide IP addresses (mostly in the name of privacy), can be used. Unfortunately, they don't work for all applications. Anonymizer.com is about the only service that I know of that comes close to solving this problem. According to Lance Cottrell, Anonymizer's president and founder, most services like his, which costs $100 per year, will mask IP addresses for some of the Internet's most common applications and protocols like Web and e-mail. For specialized applications, such as certain peer-to-peer applications and Internet-based games, there may be no protection. "Some games we support off the shelf. Others we don't," said Cottrell. "It depends on how the games connect. There's no question [protection] is doable, but it's complicated. I'd have to sit down with each one of them and take a look to see how they do what they do before we could support them." While his service is mostly for those looking to connect to the Internet anonymously, Cottrell says his service has the bandwidth to absorb most DDoS attacks and includes the technology necessary to keep DDoSes from being passed down the line to his clients. But it may require a phone call since, as Riverhead's Woo said earlier, the smaller-scale attacks are harder to detect.
So, short of technological solutions, what can businesses and individuals do to make sure they don't become the target of a DDoS attack? Avoiding DDoS attacks altogether requires that you not reveal your IP address to someone who may be in a position to launch such an attack, which is a difficult proposition. You obviously want to be careful about what systems the computers on your network are connecting to through the Internet. For example, directly connecting to another system for a peer-to-peer application like file sharing (music swapping) or voice-over-IP (VoIP) is one practice that gives away your IP address, often to someone you know nothing about. Unfortunately, if the reputation of the person who runs the system on the other end is what you need to make a decision, that information is tough to come by. You might as well disconnect from the Net. Another recommendation for users of Instant Messaging is to stick with services like AOL, Yahoo, and MSN that don't reveal your IP address. Depending on their configuration, some Internet Relay Chat (IRC) clients will make your IP address readily available to those with whom you are chatting.

If you're feeling my sense of hopelessness about the situation, it gets worse. Based on my experience, if you are targeted for a DDoS attack, you have just as many options for dealing with it after it has happened as you did before it happened: almost none. Calling your ISP in hopes of talking to a network manager who can spot a DDoS in progress and cut off the perpetrators may not get you very far. In my case, my ISP (Comcast) didn't have a live person manning an emergency number for such situations. Instead, I had to navigate a labyrinth of touch-tone phone menus before getting to a beep where a message could be left. Eventually, when my call was returned and I demanded that Comcast track down the perpetrators, I was asked if I could e-mail a log from the router.
If there's one thing I can recommend now, it would be to make sure your router is capable of producing a log file that can be downloaded and distributed. My router, which is about four years old, could not. Without a log (I had a screen shot, but that wasn't good enough for Comcast), Comcast said there was very little they could do (even though the technician I spoke to confirmed the attack in progress). Comcast didn't even stop the attack. I had to wait until the perpetrator decided to end the game.

In terms of bringing the attacker to justice, businesses and individuals may have limited recourse. I called the FBI and spoke to a field agent. He declined to identify himself, but told me he thought the case was worth investigating and that he'd escalate it to the next level. It's been about a month, and I have yet to hear back from the FBI. According to FBI spokesperson Paul Bresson, it's not unusual for the FBI to take a month or longer to get back to someone who has filed a complaint. More importantly, however, and probably relevant to my case, for a federal authority (FBI or otherwise) to get involved in a complaint, the aggregate damages (across all victims if there is more than one) have to exceed $5,000. It's not an FBI policy, it's a federal policy. Although I provided a detailed account of the attack and even had information that could lead to the easy apprehension of the attacker, my incident did not meet the FBI's criteria for further investigation. Even if the FBI does get involved, that may not ensure a proper turning of the wheels of justice. According to Anonymizer.com's Cottrell, based on his experience with clients and prosecutors, the threshold for prosecutors to move forward with a case is closer to $10,000. Bresson said that when the FBI receives complaints (by way of phone or the Internet Fraud Complaint Center) that don't meet the necessary thresholds, the FBI generally refers them to the local law enforcement agency.
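To make concrete what a router log worth e-mailing to an ISP can show, and why the small attacks Woo describes slip past appliances sized for big links, here is an added example. It is my own illustration for this column, not code from the original article, from Riverhead, or from any router vendor. It assumes a hypothetical syslog-style log line (timestamp, action, src, dst, proto, len) and uses constructed sample lines; the link speeds are assumptions too (1.5 Mbit/s for a 2004-era DSL or cable line, 100 Mbit/s for the kind of connection a carrier-class detector is built around). The one design point that matters is that the threshold is expressed as a fraction of the victim's own link capacity, not as an absolute packet rate, so a two-source flood that saturates a consumer line is flagged even though the same traffic is noise at carrier scale.

```python
"""Detect a low-source-count flood in a consumer router log.

Added illustration for this column, not code from the original article
or from any router or DDoS-appliance vendor. The log line format is
hypothetical (syslog-style: timestamp, action, src, dst, proto, len) and
the sample lines are constructed; adapt parse_line() to a real router.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical line format assumed here, e.g.:
#   2004-03-10T21:14:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=UDP len=1480
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Return {'ts', 'src', 'bytes'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]).replace(microsecond=0),
        "src": m["src"],
        "bytes": int(m["len"]),
    }


def bytes_per_source_per_second(lines):
    """Aggregate inbound bytes as {src: {second: bytes}}, skipping junk lines."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        buckets[rec["src"]][rec["ts"]] += rec["bytes"]
    return buckets


def flag_flood(lines, link_bps, fraction=0.5):
    """List (src, peak_bps) for sources whose busiest second exceeds
    `fraction` of the victim's link capacity, busiest first.

    Scaling the threshold to the link is the point: traffic that saturates
    a 1.5 Mbit/s DSL line is far below any absolute rate a carrier-scale
    detector would treat as an attack.
    """
    threshold_bytes = link_bps * fraction / 8
    flagged = []
    for src, per_sec in bytes_per_source_per_second(lines).items():
        peak_bytes = max(per_sec.values())
        if peak_bytes > threshold_bytes:
            flagged.append((src, peak_bytes * 8))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample: two remote hosts each firing 1480-byte UDP packets
# within the same second, plus a benign TCP peer and one unparseable line.
SAMPLE_LOG = (
    ["2004-03-10T21:14:05 DROP src=203.0.113.7 dst=192.0.2.10 proto=UDP len=1480"] * 150
    + ["2004-03-10T21:14:05 DROP src=198.51.100.23 dst=192.0.2.10 proto=UDP len=1480"] * 120
    + [
        "2004-03-10T21:14:05 ACCEPT src=192.0.2.77 dst=192.0.2.10 proto=TCP len=60",
        "2004-03-10T21:14:06 ACCEPT src=192.0.2.77 dst=192.0.2.10 proto=TCP len=1500",
        "router rebooted: this line does not match the format",
    ]
)

DSL_BPS = 1_500_000        # assumed 2004-era consumer DSL/cable downlink
CARRIER_BPS = 100_000_000  # assumed link a hosting-center detector is sized for


if __name__ == "__main__":
    for label, bps in (("DSL", DSL_BPS), ("carrier", CARRIER_BPS)):
        hits = flag_flood(SAMPLE_LOG, bps)
        print(f"{label}: {len(hits)} source(s) flagged")
        for src, peak in hits:
            print(f"  {src} peaked at {peak / 1e6:.2f} Mbit/s")
```

Run against the sample with the DSL figure, both remote hosts are flagged (their busiest second works out to roughly 1.78 and 1.42 Mbit/s, each more than the whole line can carry); with the carrier figure, nothing is flagged, which is exactly the blind spot Woo describes. The `(src, peak_bps)` list, together with the timestamps in the raw lines, is the kind of evidence an ISP abuse desk can act on.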
Depending on where your business is located, or where you live, and the degree to which your local law enforcement takes interest in such matters, your success in pursuing justice will vary. Given all that your local police have to deal with and how thin their resources are stretched, don't expect a technological attack that very few can comprehend to get added to their list of priorities. Complaints from sites outside of U.S. jurisdiction are likely to fall on deaf ears as well. According to Riverhead's Woo, DDoS threats were used to extort money from many of the Internet's gambling sites (usually off-shore) during the weekend of the National Football League's Super Bowl. Sites that didn't respond with timely deposits of $50,000 into off-shore accounts were given a quick taste of the blackmailer's DDoS wrath and then offered another opportunity to pay. According to Woo, most paid. As far as I can tell, with little technological or legal recourse, the outlook for dealing with this Internet vulnerability is pretty grim. After talking to the FBI's Bresson, I wasn't even sure what organization or agency would be interested in addressing the issue from a strategic point of view. While I try to find out, rest assured that a new router that's capable of producing detailed, e-mailable logs will be going online tomorrow.
You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.