Officials at the University of California, Santa Barbara (UCSB) said Friday that a desktop computer located in a university research lab was used to help launch a distributed denial of service attack against CNN.com last week. The machine appeared to have been hijacked by one or more remote attackers who apparently built a network of machines used to invade at least eight Web sites last week.
UCSB network programmer Kevin Schmidt noticed the malicious code when he remotely checked university network computer traffic from home last Tuesday. He ran an overnight check and on Wednesday morning contacted Cable News Network (CNN) to inform the company that a university machine was involved in the attack. "There is no indication that the attack came from anyone in the university," said Schmidt in a statement.
CNN contacted the FBI, and Schmidt has been working with the FBI in its investigation. The FBI wouldn't comment on whether computers at UCSB were used in the attacks, but no search warrants have been issued for computers there. UCSB has long conducted computer science research and 30 years ago was one of the first four nodes of Arpanet, the precursor to the Internet.
Robert Sugar, professor of physics and chairman of the university's Information Technologies Board, said the attack is damaging to the university's tradition of free information exchange because it could lead to more restrictions on computer use. He said devoting resources to plugging all known security holes could also drain university resources. "We work hard to plug the known holes," said Sugar. "But this is an extraordinarily difficult job. We can never make the network 100% secure. To attempt that would interfere with the university's research and instruction."
Initial alerts on distributed denial-of-service attacks posted by security groups in December noted that university computer systems are prime targets for crackers who take over machines to carry out such exploits. Distributed denial-of-service attacks rely on a network of compromised machines with known vulnerabilities that allow attackers to insert malicious code. These machines are then used to attack targeted sites with floods of packets that disrupt legitimate traffic. Many university computer systems have high-speed connections to the Internet that could help spew high volumes of packets and have relatively weaker security policies and procedures compared with large corporations.
Last Friday, MyCIO.com, a division of Network Associates Inc. in Santa Clara, Calif, which offers a Web-based vulnerability assessment service called CyberCop Zombie Scan, said a user detected the presence of a version of Tribe Flood Network, a distributed denial-of-service attack tool, on a single server at a university computer system in Germany. The program was detected in the early hours of Friday morning PST, said MyCIO.com President Zach Nelson, and the user has removed the system from the Internet.
While university networks are often lightly defended, they frequently keep extensive traffic logs, which could help investigators trace the intrusion back to the attacker.
As investigators try to trace spoofed packets used in the attacks, more details of additional attacks continue to emerge. Web portal Excite.com reported that it was hit with a denial-of-service attack last Wednesday from about 7 p.m. to 8 p.m. PST. About 50% of visitors to the site couldn't access the portal during the attack.
Related stories:
FBI issues software to help detect Web attacks, Feb. 11, 2000
Denial-of-service aftermath, Feb. 11, 2000
Cyberassaults hit Buy.com, eBay, CNN and Amazon, Feb. 9, 2000
'Immense' network assault takes down Yahoo, Feb. 8, 2000
CERT warns of networked denial-of-service attacks, Dec. 23, 1999
- The Hacker in All of Us, Oct. 11, 1999