The short version: Some computer scientists have found a way to get web servers to do calculations based on the error detection features of the TCP/IP protocol. There's no need to hack the web server or take advantage of some kind of bug or misconfiguration in the server. Simply because of the way the TCP/IP protocol works, the web server's error detection calculations will give a client information about a problem the client is trying to solve.
You can read the full article in the 17 Nov 2001 issue of Science News. Below is an edited/condensed version of the article. The full article also has a short description of how the TCP protocol does error detection.
Physicists Albert-László Barabási and Hawoong Jeong and computer scientists Jay B. Brockman and Vincent W. Freeh of the University of Notre Dame in Indiana describe their scheme in the Aug. 30 Nature. They call it parasitic computing. "The target computers are unaware that they have performed computation for the benefit of a commanding node," the researchers remark.
The fact that the target computers are unwitting participants in a computation differentiates this scheme from other efforts to use the processing power of thousands of computers distributed throughout the world for massive data crunching. In the SETI@home project, for instance, users must install special software that enables their computers, when otherwise idle, to download and scan data from radiotelescopes for signals that might point to the existence of extraterrestrial life.
"If parasitic computing imitates nature by not killing the parasite's host, it could be an interesting technology," Bauer observes. However, like parasitism in biology, parasitic computing can have deleterious effects. It could slightly slow a co-opted computer, but on a larger scale, it might clog or even bring down the Internet.
When a computer [like a web server] receives a packet of information, it checks for errors by performing a calculation and comparing the result with the numerical value in the packet's header (see "How TCP error detection works," at the end of the original article). Such a calculation would detect, for example, the change of one bit from 0 to 1 or 1 to 0. Packets found to be corrupted are discarded. In that case, the interrogating [client] computer receives nothing [back from the server] and eventually displays, "The server is not responding" or something similar.
To obtain "experimental evidence of the principle of parasitic computing," Barabási and his colleagues embedded potential solutions to a particular mathematical question (see "Getting satisfaction," at the end of the original article) in Web request messages sent from their own computers. When other computers [running HTTP servers] linked to the Internet received the messages and put them through the standard TCP error-detecting routine, they also incidentally relayed information about the validity of the embedded answers [back to the client computer].
If a message incorporated a correct answer, it survived the target [web server's] computer's error check, and the target computer replied to the interrogating [client] computer. Otherwise, the target computer dropped the message and sent nothing back to the interrogator. Hence, each reply would signal a correct solution [to the client].
"Parasitic computing does not compromise the security of the targeted servers," the researchers insist. It "accesses only those parts of the servers that have been made explicitly available for Internet communication."
The example chosen and implemented by Barabási and his collaborators in their parasitic computing experiments poses no threat. Their primary goal was simply to prove the idea that the communications protocol of the Internet could be used to carry out computations. Indeed, the mathematical problem they used as a test for parasitic computing could have been solved much more practically and in less time on a desktop computer.
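The checksum test described above can be reproduced entirely offline. The following is an added example, not code from the article or from the researchers: it models only the 16-bit ones' complement sum over data words (the real TCP checksum also covers header and pseudo-header fields), and the toy question, `TARGET` and `CANDIDATES` are constructed assumptions rather than the researchers' encoding.

```python
# Local simulation of the TCP/IP 16-bit ones' complement checksum check.
# Nothing is sent on a network; the "target" is the function receiver_accepts().

def ones_complement_sum(words):
    """Add 16-bit words with end-around carry, as the Internet checksum does."""
    total = 0
    for w in words:
        total += w & 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total

def internet_checksum(words):
    """Value a sender places in the header: complement of the sum."""
    return ~ones_complement_sum(words) & 0xFFFF

def receiver_accepts(words, checksum):
    """Receiver's check: data plus checksum must sum to 0xFFFF, else drop."""
    return ones_complement_sum(list(words) + [checksum]) == 0xFFFF

def flip_bit(words, index, bit):
    """Return a copy of words with one bit inverted (simulated corruption)."""
    out = list(words)
    out[index] ^= 1 << bit
    return out

def replies_for(candidates, checksum):
    """Candidates the simulated receiver would answer; the rest are dropped."""
    return [c for c in candidates if receiver_accepts(c, checksum)]

# Constructed toy question (an assumption, not the researchers' encoding):
# which candidate pair of 16-bit words adds up to TARGET?
TARGET = 0x5555
CHECKSUM_FOR_TARGET = ~TARGET & 0xFFFF  # fixed in advance, same for every candidate
CANDIDATES = [(0x1234, 0x4320), (0x1234, 0x4321), (0x2000, 0x3555), (0x0001, 0x5555)]

if __name__ == "__main__":
    good = [0x1234, 0x4321]
    csum = internet_checksum(good)
    print("intact segment accepted:", receiver_accepts(good, csum))
    print("one flipped bit accepted:", receiver_accepts(flip_bit(good, 0, 0), csum))
    for pair in replies_for(CANDIDATES, CHECKSUM_FOR_TARGET):
        print("reply for candidate", [hex(w) for w in pair])
```

Because the checksum is fixed before any candidate is chosen, the receiver's ordinary validity check is what separates the pairs that sum to the target from those that do not, which is why each reply signals a correct candidate.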