From...

by Ann Harrison

(IDG) -- Attorney General Janet Reno announced earlier this week that the FBI has launched an investigation into the source of the denial-of-service attacks. Reno said the U.S. Department of Justice still doesn't know who instigated the attacks, where they originated, how many computers were involved or the motives of the perpetrators.

But they were effective. "We experienced 1GB/sec., and we can handle 100M bit/sec. on a typical strong day operating at 30% capacity. During the attack, we had eight to 10 times regular capacity, and no one can sustain that," said Greg Hawkins, CEO of Buy.com Inc. in Aliso Viejo, Calif.

RESOURCES Check here to see how a denial of service attack works.     ALSO Paranoia strikes deep at Web's top spots Consulting firm says its server was used to attack AOL Transcript: A chat with Avi Rubin about Internet Security and Denial of Service attacks Denial of service hackers take on new targets Justice Department wants more funds to fight cyber crime TIME: Classic Hackers Decry Heavy-Handed Upstarts Net execs to meet with Clinton     MESSAGE BOARD  Insurgency

Hawkins said the attack, which came from multiple locations, overwhelmed the site's monitoring software, which scans for unusual traffic loads and blocks invasions from one IP address.

U.S. Department of Commerce Secretary William M. Daley warned that sites remain vulnerable. "There is no surefire defense," said Daley, who appealed to the computer industry to improve security monitoring and intrusion response to detect malicious code before it can do damage.

"It points to vulnerabilities that need to be addressed in the new world we are going to," said Daley. "The private sector has a greater stake in making sure there are protections than we do."

The online assaults began Monday on Santa Clara, Calif.-based Yahoo Inc.'s Yahoo.com, which was blasted with packet traffic at 1GB/sec. -- more than some Web sites receive in a year. The site was down for three hours. On Tuesday, San Jose-based eBay Inc., Seattle-based Amazon.com Inc., Buy.com and Atlanta-based CNN.com were hit with the same type of attack. Palo Alto, Calif.-based ETrade Group Inc. and ZDNet Group in San Francisco were the victims on Wednesday.

In addition, Excite@Home suffered a brief denial-of-service attack this week, according to a company spokeswoman. The attack began around 7 p.m. PST and lasted less than an hour.

The Department of Defense is also investigating this week's hack attacks. Navy Rear Admiral Craig Quigley said all elements of the DOD have been ordered to examine their computers worldwide to ensure they weren't used as hosts for the denial-of-service attacks.

"But so far, we have not seen anything. We certainly continue to watch," Quigley said during a DOD briefing.

Despite Daley's insistence that the attacks came without warning, the incidents followed a pattern of well-documented, distributed denial-of-service attacks. In each case, sites have been targeted with a high volume of packets using falsified Internet addresses, which made the source of the attack hard to trace. Distributed denial-of-service attacks embed malicious code in weakly defended computers to create entire networks of master machines and subnetworks of slave machines.

MORE COMPUTING INTELLIGENCE

IDG.net home page

CERT warns of networked denial-of-service attacks

Cyberassaults hit Buy.com, eBay, CNN and Amazon

Keep hackers out of your Web site

A primer: How the hackers attack

Reviews & in-depth info at IDG.net

E-BusinessWorld

Year 2000 World

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletter for IT leaders

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

Many of the attacks have targeted large Internet service providers and the hosts of the high-profile sites. Gary Grossman, director of security research and development at Santa Clara, Calif.-based Exodus Communications Inc., said this isn't the first denial-of-service attack directed toward his customers. Buy.com is an Exodus client.

"We host 40% of the major sites on the Internet, and so statistically, we are going to see a good fraction of those," said Grossman. "It's not infrequent. It just means that we have to do more sophisticated analysis and have a wider range of addresses that we filter for."

But David Remnitz, CEO of Ifsec LLC, a New York-based information security firm, noted that this strategy only works up to a point. If the attackers shut off the original master hosts that are used in the attacks and assign false IP addresses to another set of attack hosts, the problem will continue. "I am basically chasing my tail if I put in filtering to identify the spoofed addresses but not (to) identify the culprit," said Remnitz.

Remnitz said government and private-sector cyberwarfare experts have known about distributed denial-of-service attack tools for almost a year (see "CERT warns of networked denial of service attacks," link below). "We had 12 to 14 months for the tools to get out there and (be) built up," said Remnitz. "There could be a very large number of attacking hosts waiting to launch instructions."

According to a White House spokesman, a meeting will be held Tuesday with high-tech executives to discuss Internet security on the heels of recent hack attacks. White House Chief of Staff John Podesta will chair the meeting, and Attorney General Janet Reno is expected to attend.