FBI Investigates Attack Against AboveNet

Computerworld - The FBI is investigating a denial-of-service attack launched last week against a San Jose-based Internet provider that blocked traffic to almost 1,000 content and service providers for several hours, according to the victimized company.
FBI spokeswoman Deb Weierman said the bureau is looking into the incident "to see what activity went on." However, because it's an ongoing case, she couldn't divulge any details, she said.
Unlike the distributed denial-of-service attacks in February that flooded e-commerce sites with false data traffic, the attack against AboveNet Communications Inc. was directed against a switch in its network, said company officials.
AboveNet's Internet Service Exchange (ISX) network provides co-location services and Internet connectivity to companies such as NetZero Inc., CNet Inc. and America Online Inc., which wasn't affected.
"This wasn't just a teen-ager with a $300 Linux machine. This was someone who had time to learn the trade," said Paul Vixie, senior vice president of Internet services at White Plains, N.Y.-based Metromedia Fiber Network Inc., AboveNet's parent company. "It was certainly severe; most of our customers were impacted for hours."
According to Vixie, the attack was directed at a network device called a customer aggregation switch. The switch bundles co-location customers at the firm's ISX facilities and links them to an Internet backbone. Vixie said the attack hit three switches at facilities in New York, San Jose and Vienna, Va.
Vixie said the attacker exploited a flaw in the switch's configuration management process that his company has since changed. He said he believes there is little opportunity for copycat attacks because of the methods AboveNet uses to manage its network.
The company suffered rolling outages from midmorning Pacific Standard Time Tuesday until midafternoon. Many customers had alternative carriers that ensured their network traffic got through - a common fail-over strategy for high-end customers, Vixie said.
Very large customers, such as AOL, whose traffic wasn't funneled through the aggregation switch, weren't impacted. Vixie advised other information technology managers who may be concerned to consult with their switch vendors.
He said swift action is also needed to deflect such attacks. "We called everyone in on the shift and went through the network with a fine-tooth comb, not only to get everyone back up online but to make sure there were no time bombs," Vixie said. No back doors or other delays were detected, he added.
Stephen Northcutt, director of the Global Incident Analysis Center for the SANS Institute, declined to comment on the specifics of the AboveNet case. But he said the real issue isn't theattacks but rather what can be done about them. "What we need to focus on are the systems that are being compromised every day," he said.Online editor Brian Sullivan contributed to this story.