Cyberassaults hit Buy.com, eBay, CNN and Amazon

The cyberassault that caused outages on Yahoo Inc.'s heavily trafficked Web portal Monday appears to have been just the start of a wave of denial-of-service attacks on large e-commerce and news sites.

Yesterday, Buy.com Inc. and eBay Inc. experienced shutdowns prompted by attacks similar to the one directed against Yahoo's California data center. The attack on Buy.com came within an hour of the online retailer's initial public stock offering and lasted about three hours. Both companies are clients of service provider Exodus Communications Inc. in Santa Clara, Calif., which reportedly issued a denial-of-service alert yesterday.

Other sites have also apparently been targeted. Internet monitoring firm Keynote Systems Inc. in San Mateo, Calif., reported yesterday that it observed a sharp drop in access speed and availability of the Web sites run by Amazon.com Inc. and CNN.com, a unit of Time Warner Inc. Both sites appeared back to normal an hour later.

"On most sites, availability is 95 to 98%. What we have been seeing during these attacks are availability averages as low as 0% — in other words, it's next to impossible to get through," said a Keynote spokeswoman. Officials at both CNN and Amazon were not available for comment.

The spokeswoman for Keynote, which was among the first outside observers to detect the attacks, said the company had corresponded with a conference in San Jose yesterday sponsored by the North American Network Operators Group. She pointed out that the topic of the first session on the conference's agenda was denial-of-service attacks, and that session took place at the same time as the Yahoo attack.

Russ Cooper, editor of the popular security mailing list NTBugtraq, said the attackers are likely people trying to illustrate weaknesses in the Internet infrastructure. "They are attacking things that the media will notice. It is obviously an attempt to draw attention to some fact," Cooper said.

The attacks on Yahoo, eBay, Buy.com, CNN and Amazon have followed a pattern that suggests a denial-of-service attack. In each case, sites have been targeted with a massive volume of mock traffic that overwhelms servers and blocks routine traffic. Security analysts said the sheer amount of packet traffic in these attacks suggests a coordinated effort that uses many linked machines, which could have been hijacked by attackers from a remote location.

A spokeswoman for Yahoo, which was shut down for three hours Monday, said the source of the attack has been narrowed to 50 IP addresses. She said it was halted when filters were installed on routers that were able to block the mock traffic. The company is now working with authorities, including the FBI, to review electronic traces and data that could point to the source of the attacks.

"At no point was any user information or data compromised," the Yahoo spokeswoman said. "It is secure and remains secure. The attack came from the outside and no one entered into the site."

While none of the targeted companies has released packet traces that would help pin down the exact attack strategy and source, some analysts have suggested that it is a distributed denial-of-service attack (DDOS). The National Infrastructure Protection Center (NIPC), the computer security wing of the FBI, and the Computer Emergency Response Team (CERT) released an alert in December warning of a type of DDOS attack called Tribe Flood Network or Trinoo (see story).

In these types of attacks, crackers conceal malicious programs on large computers around the Internet. Those systems are then used to coordinate a preplanned, automated attack on a targeted system. The NIPC and CERT cautioned that many of the compromised machines, which unknowingly contain these Trojan horse programs, have high-bandwidth Internet connections that could swamp servers at targeted sites.

But Cooper said he suspects another type of attack called stream.c, which uses vulnerabilities in the FreeBSD operating system to cause server disruptions. He noted that DDOS attacks depend on Trojan programs embedded in high-profile hosts that are usually directed to attack on weekends when they are less likely to be detected and taken offline. Cooper noted that the Yahoo attack began at 11 a.m. on a business day.

"I think this is people in front of machines telling them to do something," said Cooper. "Stream.c acts like mock traffic but it is not bandwidth-related, and does not rely on mock packets. It consumes cable space and has the same effect."

Jim Ransome is director of security architecture and operations at Pilot Network Services Inc., which provides hosting, Internet access and extranet and virtual private network services for 250 high-profile clients, including Peoplesoft Inc., CommerceOne Inc. and Newsweek. He says Pilot halts nine or 10 denial-of-service attacks per week. "This is about business as usual," said Ransome.

Pilot uses a distributed security architecture and its Heuristic Defense Infrastructure to repel distributed coordinated attacks that often topple conventional firewalls, Ransome said. He suggested that companies defending against such attacks conduct code reviews of their extranet environments to detect weak links created by common gateway interface code written in Perl, VBS, Java or C scripts.

Ransome added that distributed coordinated attacks often use a number of different attack methodologies. Site operators should be on the lookout for distinctive patterns indicating certain types of attacks, such as those launched by the Back Orifice hacking software, he said. Attack scripts often forge IP addresses to conceal their source, but entire address groups can be blocked when a specific pattern is detected, he noted. "You need to harden your OS, review third-party packages that provide weak links, read your logs and find good security engineers," Ransome advised.
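The defender-side steps the article describes (read the logs for a distinctive flood pattern, then block the offending address groups at the router, as Yahoo did with filters), shown as an added Python example that is not code from the article or from any company named in it. The flow records, window size, packet threshold and the generic "deny" rule format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for this example (not from the article):
# epoch_seconds source_ip dest_ip packets
SAMPLE_FLOWS = """\
1000 192.0.2.10 10.0.0.5 12
1001 198.51.100.7 10.0.0.5 4000
1002 198.51.100.9 10.0.0.5 3800
1003 198.51.100.44 10.0.0.5 4200
1004 203.0.113.5 10.0.0.5 5000
1005 192.0.2.20 10.0.0.5 8
1006 203.0.113.77 10.0.0.5 4700
1030 203.0.113.5 10.0.0.5 6000
1040 203.0.113.91 10.0.0.5 6500
1085 192.0.2.30 10.0.0.5 15
"""

def parse_flows(text):
    """Yield (timestamp, source address, packet count) from whitespace-separated flow lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than abort the whole run
        ts, src, _dst, pkts = parts
        yield int(ts), ipaddress.ip_address(src), int(pkts)

def detect_flood_prefixes(text, window_s=60, pkt_threshold=10000, prefix_len=24):
    """Sum packets per (time window, source prefix); return prefixes that exceed the threshold.
    Aggregating by prefix rather than by host is what lets a spoofed or multi-host flood stand out
    as one "address group". Result: {prefix: {"packets": peak window total, "hosts": distinct sources}}."""
    buckets = defaultdict(lambda: {"packets": 0, "hosts": set()})
    for ts, src, pkts in parse_flows(text):
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        key = (ts // window_s, net)
        buckets[key]["packets"] += pkts
        buckets[key]["hosts"].add(src)
    flagged = {}
    for (_, net), agg in buckets.items():
        if agg["packets"] >= pkt_threshold:
            prev = flagged.get(str(net))
            if prev is None or agg["packets"] > prev["packets"]:
                flagged[str(net)] = {"packets": agg["packets"], "hosts": len(agg["hosts"])}
    return flagged

def router_filter_lines(flagged):
    """Render flagged prefixes as generic deny rules (assumed format, not a specific vendor's syntax)."""
    order = sorted(flagged, key=ipaddress.ip_network)
    return [f"deny ip {p} any  # {flagged[p]['packets']} pkts from {flagged[p]['hosts']} hosts" for p in order]

if __name__ == "__main__":
    print("\n".join(router_filter_lines(detect_flood_prefixes(SAMPLE_FLOWS))))
```

Low-volume legitimate sources (192.0.2.0/24 here) never reach the threshold, so they are left untouched; the two /24s that exceed it in some window are the only ones emitted as filter rules.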

Copyright © 2000 IDG Communications, Inc.
