Denial-of-service aftermath

Attorney General Janet Reno announced earlier this week that the FBI has launched an investigation into the source of the denial-of-service attacks. Reno said the U.S. Department of Justice still doesn't know who instigated the attacks, where they originated, how many computers were involved or the motives of the perpetrators.

But they were effective. "We experienced 1GB/sec., and we can handle 100M bit/sec. on a typical strong day operating at 30% capacity. During the attack, we had eight to 10 times regular capacity, and no one can sustain that," said Greg Hawkins, CEO of Buy.com Inc. in Aliso Viejo, Calif.

Hawkins said the attack, which came from multiple locations, overwhelmed the site's monitoring software, which scans for unusual traffic loads and blocks invasions from one IP address.

U.S. Department of Commerce Secretary William M. Daley warned that sites remain vulnerable. "There is no surefire defense," said Daley, who appealed to the computer industry to improve security monitoring and intrusion response to detect malicious code before it can do damage.

"It points to vulnerabilities that need to be addressed in the new world we are going to," said Daley. "The private sector has a greater stake in making sure there are protections than we do."

The online assaults began Monday on Santa Clara, Calif.-based Yahoo Inc.'s Yahoo.com, which was blasted with packet traffic at 1GB/sec. -- more than some Web sites receive in a year. The site was down for three hours. On Tuesday, San Jose-based eBay Inc., Seattle-based Amazon.com Inc., Buy.com and Atlanta-based CNN.com were hit with the same type of attack. Palo Alto, Calif.-based ETrade Group Inc. and ZDNet Group in San Francisco were the victims on Wednesday. In addition, Excite@Home suffered a brief denial-of-service attack this week, according to a company spokeswoman. The attack began around 7 p.m. PST and lasted less than an hour.

The Department of Defense is also investigating this week's hack attacks. Navy Rear Admiral Craig Quigley said all elements of the DOD have been ordered to examine their computers worldwide to ensure they weren't used as hosts for the denial-of-service attacks.

"But so far, we have not seen anything. We certainly continue to watch," Quigley said during a DOD briefing.

The University of California at Santa Barbara has confirmed that one of its computers was used in the distributed denial-of-service attacks that took place last week. MyCIO.com, a division of Network Associates Inc. based in Santa Clara, Calif., which offers a Web-based vulnerability assessment service called CyberCop Zombie Scan, said a user detected the presence of a version of Tribe Flood Network, a distributed denial-of-service attack tool, on a single server at a university computer system in Germany. The program was detected 12 hours ago, said MyCIO.com President Zach Nelson, and the user has removed the system from the network.

Despite Daley's insistence that the attacks came without warning, the incidents followed a pattern of well-documented, distributed denial-of-service attacks. In each case, sites have been targeted with a high volume of packets using falsified Internet addresses, which made the source of the attack hard to trace. Distributed denial-of-service attacks embed malicious code in weakly defended computers to create entire networks of master machines and subnetworks of slave machines.

Many of the attacks have targeted large Internet service providers and the hosts of the high-profile sites. Gary Grossman, director of security research and development at Santa Clara, Calif.-based Exodus Communications Inc., said this isn't the first denial-of-service attack directed toward his customers. Buy.com is an Exodus client.

"We host 40% of the major sites on the Internet, and so statistically, we are going to see a good fraction of those," said Grossman. "It's not infrequent. It just means that we have to do more sophisticated analysis and have a wider range of addresses that we filter for."

But David Remnitz, CEO of Ifsec LLC, a New York-based information security firm, noted that this strategy only works up to a point. If the attackers shut off the original master hosts that are used in the attacks and assign false IP addresses to another set of attack hosts, the problem will continue. "I am basically chasing my tail if I put in filtering to identify the spoofed addresses but not (to) identify the culprit," said Remnitz.
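The filtering that Grossman and Remnitz describe is source-address validation at the edge: a packet arriving on a customer-facing interface is dropped if its source address is not one that could legitimately originate behind that interface. The following script, added here as an illustration and not code from Computerworld or any company named in the article, runs such a check over a handful of constructed flow records. The interface names, prefixes and flow records are hypothetical. It also shows Remnitz's point: the filter can say which interface the spoofed traffic entered on, but nothing about which host actually sent it.

```python
import ipaddress
from collections import Counter

# Constructed example: the address blocks legitimately sourced behind each
# customer-facing interface of a hosting provider's edge router.
# Interface names and prefixes are hypothetical.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed flow records: (ingress interface, source IP, destination IP, packets).
# 203.0.113.10 plays the role of the hosted site under attack.
SAMPLE_FLOWS = [
    ("eth1", "192.0.2.17", "203.0.113.10", 120),
    ("eth1", "10.77.3.4", "203.0.113.10", 5000),       # spoofed: not behind eth1
    ("eth2", "198.51.100.9", "203.0.113.10", 80),
    ("eth2", "198.51.100.200", "203.0.113.10", 3000),  # spoofed: outside the /25
    ("eth2", "203.0.113.10", "203.0.113.10", 4000),    # spoofed: victim's own address
    ("eth1", "192.0.2.99", "203.0.113.10", 60),
]


def is_spoofed(iface, src):
    """True if src could not legitimately arrive on iface.

    This is the ingress-filtering rule: accept a source address only if it
    falls inside a prefix assigned to the interface the packet came in on.
    Unknown interfaces have no allowed prefixes, so everything is dropped.
    """
    addr = ipaddress.ip_address(src)
    allowed = INTERFACE_PREFIXES.get(iface, [])
    return not any(addr in net for net in allowed)


def apply_ingress_filter(flows):
    """Split flows into (accepted, dropped) according to is_spoofed."""
    accepted, dropped = [], []
    for flow in flows:
        iface, src, _dst, _pkts = flow
        (dropped if is_spoofed(iface, src) else accepted).append(flow)
    return accepted, dropped


def dropped_packets_by_interface(dropped):
    """Sum dropped packets per ingress interface.

    This is all the filter can tell an operator: where the spoofed traffic
    entered the network, not which compromised host generated it.
    """
    counts = Counter()
    for iface, _src, _dst, pkts in dropped:
        counts[iface] += pkts
    return dict(counts)


if __name__ == "__main__":
    ok, bad = apply_ingress_filter(SAMPLE_FLOWS)
    print(f"accepted {len(ok)} flows, dropped {len(bad)} spoofed flows")
    for iface, pkts in sorted(dropped_packets_by_interface(bad).items()):
        print(f"  {iface}: {pkts} spoofed packets entered here")
```

Run as a script it reports three accepted flows and three dropped ones, with the drop counts broken down by interface. In practice the prefix table would come from the router's own configuration rather than a literal in the code, and the filter would be applied by the router or firewall rather than in Python; the script only makes the decision rule visible.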

Remnitz said government and private-sector cyberwarfare experts have known about distributed denial-of-service attack tools for almost a year (see story). "We had 12 to 14 months for the tools to get out there and (be) built up," said Remnitz. "There could be a very large number of attacking hosts waiting to launch instructions."

According to a White House spokesman, a meeting will be held Tuesday with high-tech executives to discuss Internet security on the heels of recent hack attacks. White House Chief of Staff John Podesta will chair the meeting, and Attorney General Janet Reno is expected to attend.

Computerworld reporter Kathleen Ohlson contributed to this report.

Copyright © 2000 IDG Communications, Inc.
