How the hack happened

ITworld.com –

Not long after the first service breakdown at popular Website Yahoo! last week, the security community reached a consensus that the assault was a denial of service (DoS) attack. This thesis remained intact as additional sites came under siege.

When the week of attacks came to an end, it was clear that assaults of this scale had not been seen before. Experts suggest that the ecommerce landscape will be changed by this event and that IT's relationships with outsourcers, particularly ISPs, will change as well.

The style of the attacks is not new, longtime industry hands note. DoS attacks, sometimes listed under the banner of smurfing, have been common for some time, often targeting ISPs. These transmissions initiate bogus echo requests, but the major Internet router makers have spent the last few years educating their users on how to defend themselves against such traffic.

Also common are spoofing incidents, in which requests create half-open TCP connections in attempts to deny service. Elements of smurfing and spoofing were uncovered in the attacks on Yahoo! and others, according to the Computer Emergency Response Team (CERT) center at Carnegie Mellon University.

The goal of denial of service attacks is not to hack a database, for example, but to block other users from accessing a site. Individual attackers overwhelm a site with data that is hard for the Web host to resolve. More recently, distributed denial-of-service (DDoS) assaults have come into style among the community of programmer vandals that lurk about the Internet. Here, numerous machines are used, and the effect is like a flood on the banks of a levee.

Most onerous: the attackers make use of unsuspecting Internet nodes to enable their attacks. This requires traditional hacking skill. Haphazardly configured Web servers are discovered and infiltrated via the Internet, and nefarious code -- the term DDoS tools is now used to describe this code -- is inserted on those machines. The machines are invoked en masse when an attack coordinator chooses to pounce upon a popular Website, restricting access.
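The two traffic patterns described above, the flood of half-open TCP connections and the smurf-style echo traffic, are what a site's own packet capture shows while it is under fire. The following is an added example, not code from the article or from any of the firms quoted in it: a small analyzer that runs over constructed packet summaries and flags both patterns from the defender's side. The addresses, the prefix treated as "our network" and the thresholds are all constructed assumptions for the example.

```python
"""Added example (not from the ITworld article): flagging two traffic patterns
the article describes, from constructed packet summaries.

  * a build-up of half-open TCP connections toward one host (the spoofed-SYN
    pattern), and
  * ICMP echo requests aimed at a directed-broadcast address, or echo replies
    converging on one host from many sources (the smurf pattern).

All records, addresses and thresholds below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    flags: str = ""      # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply


# Constructed assumption: the prefix this analyzer considers "our network".
OUR_NETS = [ip_network("192.0.2.0/24")]


def half_open_per_host(pkts, threshold=5):
    """Count TCP handshakes that never completed, per destination host.

    A flow (client, server) is half-open when the server answered a SYN with
    SYN/ACK but no ACK from the client followed.  When sources are spoofed, the
    SYN/ACK goes nowhere useful and the ACK never arrives, so these pile up.
    Hosts with at least `threshold` distinct half-open clients are returned.
    """
    syn_seen, synack_seen, completed = set(), set(), set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syn_seen.add((p.src, p.dst))
        elif p.flags == "SA":
            synack_seen.add((p.dst, p.src))  # reply, so the client is p.dst
        elif p.flags == "A":
            completed.add((p.src, p.dst))
    half_open = (syn_seen & synack_seen) - completed
    clients_by_server = defaultdict(set)
    for client, server in half_open:
        clients_by_server[server].add(client)
    return {srv: len(c) for srv, c in clients_by_server.items() if len(c) >= threshold}


def smurf_indicators(pkts, reply_threshold=5):
    """Return (echo requests to our broadcast addresses, hosts swamped by echo replies).

    Echo requests addressed to a directed-broadcast address are what the
    unwitting amplifier network sees; echo replies converging on one host from
    many sources are what the victim sees.
    """
    broadcast_addrs = {n.broadcast_address for n in OUR_NETS}
    to_broadcast = []
    reply_sources = defaultdict(set)
    for p in pkts:
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8 and ip_address(p.dst) in broadcast_addrs:
            to_broadcast.append(p)
        elif p.icmp_type == 0:
            reply_sources[p.dst].add(p.src)
    swamped = {h: len(s) for h, s in reply_sources.items() if len(s) >= reply_threshold}
    return to_broadcast, swamped


# Constructed sample capture.
SAMPLE = [
    # one normal, completed handshake
    Pkt("198.51.100.7", "192.0.2.10", "tcp", "S"),
    Pkt("192.0.2.10", "198.51.100.7", "tcp", "SA"),
    Pkt("198.51.100.7", "192.0.2.10", "tcp", "A"),
]
# six SYNs from different sources toward the web server that never get their final ACK
for i in range(1, 7):
    SAMPLE.append(Pkt(f"203.0.113.{i}", "192.0.2.10", "tcp", "S"))
    SAMPLE.append(Pkt("192.0.2.10", f"203.0.113.{i}", "tcp", "SA"))
# an echo request aimed at the directed-broadcast address of our /24
SAMPLE.append(Pkt("203.0.113.50", "192.0.2.255", "icmp", icmp_type=8))
# echo replies converging on one host from seven different networks
for i in range(7):
    SAMPLE.append(Pkt(f"198.51.100.{100 + i}", "192.0.2.20", "icmp", icmp_type=0))

if __name__ == "__main__":
    print("half-open per host:", half_open_per_host(SAMPLE))
    print("smurf indicators:", smurf_indicators(SAMPLE))
```

The two checks are deliberately stateless and offline so the thresholds can be tuned against a site's normal traffic before they are trusted; in practice a genuine flood shows up as hundreds of half-open flows per second, not the handful used here.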

"The way the distributed denial of service attacks work is that perpetrators will scan the Internet -- they have automated tools that identify an exposure. They crack a system, plant their tool on it, and configure it so that it is listening for instructions later on," said Mark Mellis, a consultant with SystemExperts of Sudbury, Mass., a firm specializing in electronic commerce security.

"They are looking for [intermediary agent machines] that have poor system administration practices -- people who, for example, don't apply the latest vendor patches and who are running services that are inappropriate to present to the Internet," said Mellis, who was at one of the sites hit in the attacks.

"One of the biggest mistakes is referring to this as an attack by hackers," said Morgan Wright, director of global reactive services at Global Integrity, a Reston, Va.-based SAIC subsidiary focused on ecommerce site protection. "These have not been intrusions. These have been denials of access. It's simply people blocking the Website," he said.

By most estimates, the sequence of site attacks during the week of February 7 started Monday with the almost total takedown of Yahoo! for three hours and ended Wednesday with a much briefer and less extensive assault on E*Trade.

"The later attacks got shorter," said Daniel Todd, director of public services at Keynote Systems, a San Mateo, Calif.-based lab specializing in Internet performance monitoring. "We don't have a real answer for that. Perhaps the defenses got better, or the attacks were perhaps less determined."

When attacks start, the sites under fire start identifying machines used in the assault. As a result, said Todd, the perpetrators may have fewer machines to employ in subsequent attacks.

Sites that were in the same topological neighborhood as Yahoo! also experienced performance loss. Todd estimates that overall Internet performance during business hours degraded by as much as 26.8 percent due to the attacks.

"In general, these sorts of attacks have to be handled by ISPs," said Todd. "Most of the defenses are infrastructure based."

For IT professionals who do not want to become unwitting accomplices to incursions, high-quality configuration management is the order of the day. Assigning staff to monitor patch reports from system software vendors or to watch for alerts from government security groups is an important first step.

In fact, while the DDoS attack, suspected in assaults on Yahoo!, eBay, and others, is still relatively new, it is not unknown. CERT itself issued warnings in late 1999 on Tribe Flood Network (TFN) and trinoo (aka trin00), two underground tools for enabling DDoS attacks. And when industry attention was focused on the final days of year 2000 code conversion, Sun Microsystems warned system administrators about patches needed to shield Solaris RPCs from trinoo and TFN.

What made the attacks most notable was their distribution and intensity of focus. "This is simply unprecedented," said Global Integrity's Wright.

This intensity of focus arises from concerted effort on the part of hackers. This is an effort that observers say the IT community will have to match.

A change likely to take place, said SystemExperts's Mellis, is in the relationship between the ISP and the customer. "These attacks are acting as a catalyst, and they are forcing a fundamental change in that relationship," he said.

"In the past, the ISP's only real product has been bandwidth. But now, they've got to provide filtering, both on the victim's end and at every other point where the packets can enter the network," Mellis said. ISPs have been reluctant to do this, he added, because it taxes the ISP's routers and requires more support personnel to administer.
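Mellis does not say what form the filtering "at every other point where the packets can enter the network" would take. One widely deployed form, and the assumption made in this added example rather than anything the article states, is ingress source-address validation as described in RFC 2267: a packet arriving on a customer-facing port must carry a source address from the prefixes routed to that customer, otherwise it is dropped before it can join a spoofed flood. The code below is not from the article or from SystemExperts; the interface-to-prefix table and the sample packets are constructed.

```python
"""Added example (not from the ITworld article): ingress source-address
validation on an ISP's customer-facing interfaces, one concrete form of the
entry-point filtering the article calls for.  Interface names, prefixes and
packets are constructed for the example.
"""
from ipaddress import ip_address, ip_network

# Constructed: prefixes routed toward each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("203.0.113.0/25")],
    "cust-b": [ip_network("203.0.113.128/25"), ip_network("198.51.100.0/24")],
}


def ingress_permitted(interface, src):
    """True if `src` is a legitimate source address for a packet arriving on `interface`.

    An interface with no prefix table entry is treated as untrusted, so no
    source is permitted on it; a misconfiguration fails closed.
    """
    addr = ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def apply_ingress_filter(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists.

    The dropped list is what an operator would log: a customer port emitting
    packets with foreign source addresses is either misconfigured or hosts a
    machine taking part in a spoofed flood.
    """
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if ingress_permitted(iface, src) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


# Constructed sample traffic arriving on customer ports.
SAMPLE = [
    ("cust-a", "203.0.113.5", "192.0.2.10"),   # legitimate
    ("cust-a", "198.51.100.9", "192.0.2.10"),  # cust-b's prefix on cust-a's port: spoofed
    ("cust-a", "192.0.2.44", "192.0.2.10"),    # source forged from the destination's own network
    ("cust-b", "198.51.100.9", "192.0.2.10"),  # legitimate
    ("cust-c", "203.0.113.5", "192.0.2.10"),   # unknown interface: fails closed
]

if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

This is also why the article notes ISPs have been reluctant: every customer port needs an accurate prefix table, and the check runs on every packet the router forwards.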
