________________________________________________________________________________

-- Sleuthing Out the DoS Attacks
-- Hack Arrest 'A Matter of Time'

--------------------------------------------------------------------------------

Wired News
Sleuthing Out the DoS Attacks
by Declan McCullagh
12:05 p.m. 14.Feb.2000 PST

Alan Hannan had just heard a lecture about distributed denial of service attacks when his cell phone rang. The timing was eerie.

On the other end of the call was a harried customer with an ominous warning: There were problems on the network connecting Yahoo's main Web site with the rest of the world.

Hannan is a vice president at Global Crossing, which owns that network, and his brief cell phone conversation in the hallway of the North American Network Operators' Group convention provided few clues about the extent of the turmoil. It certainly didn't prepare him for the dizzying size of the attack that crippled the world's most popular Web site for about three hours last week, and foreshadowed a wave of similar assaults.

The chief irony might be that the questions of the world's press were directed at the people least qualified to respond. Reporters spent most of the week hounding the FBI, Justice Department, and President Clinton for details. During a press conference last week, all Attorney General Janet Reno could say was, "We are not aware of the motives behind these attacks."

Instead, network engineers were the detectives who unearthed the most important clues. Administrators at Stanford University and the University of California at Santa Barbara reported that their systems were co-opted in the denial of service attacks, which lured a stampede of reporters to their campuses.

"They went through our labs and the press has been asking the attendants stupid questions. We just smile and nod," said one amused UCSB student.
There's a very good reason why the Internet's technicians have become not just guardians of their customers' Web sites, but amateur sleuths as well: They have more collective experience than anyone else in thwarting online mischief-making.

"The FBI is basically relying on the providers to figure it out," says an executive at one network provider that was the target of a DoS attack last week.

To veteran networking gurus, the attacks were more high-profile than usual, but hardly unprecedented. Internet relay chat servers have been the subject of smaller DoS attempts since at least 1996, and automated "smurf" tools like trinoo and TFN have been available since last summer.

"We were concerned but not overly so," said Kelly Cooper, the Cambridge-based Internet security officer for GTE Internetworking. "Smurf attacks are something we're very familiar with and we're pretty good at handling them.... We see smurf attacks anywhere from once or twice a week to only a couple a month."

GTE offers connectivity to ZDNet, eTrade, and CNN, and a GTE customer provides a link to Amazon. All four companies were victims of smurf attacks last week, but GTE said only one assault came close to clogging an OC-3 connection, a fiber optic link that carries data at 155 Mbps. "We had to get creative with our filters," Cooper said.

Because U.S. system administrators have been patching security holes that permit DoS attacks, vandals are turning to overseas computers. "We did see a fair amount of the ZDNet traffic coming from Europe," said Cooper. "We stopped a lot of traffic in the D.C. area [where GTE's European links connect] to stop it from impacting the Eastern corridor."

Cooper participates in a relatively new industry group called Internet Operators (IOPS), where some of the largest companies meet -- usually in private -- to share information that includes DoS-mitigation tips. Among the nine primary members are AT&T, Cable and Wireless, GTE Internetworking, Qwest, and Sprint.
As word spread last week about the attacks on Yahoo and other prominent sites, IOPS members used a closed mailing list and private Web site to exchange details about their own experiences in battling the assaults. A broader group of network providers organized conference calls on Tuesday and Wednesday where they discussed "what kind of fingerprinting methodology people could use," according to a participant.

All of the network administrators contacted by Wired News say they read the nanog mailing list, a high-traffic forum devoted to "Internet operational and technical issues." It's run by the North American Network Operators Group, which took its current name in 1994 and meets three times a year.

Making their already-difficult job particularly intractable is the nature of such attacks. When network administrators see an unexpected deluge of traffic that threatens to swamp a Net connection, their first instinct is to stave off the flood and protect their customer's Web site. Keeping detailed records is a second priority.

Even if administrators have some time to track the attack while it's happening, log files can be of little help. The broadside may not be traceable beyond the remote computers the attacker is using as smurf originators, and other DoS tools forge their originating Internet address.

Exact numbers are difficult to come by. Global Crossing's Hannan said Monday's attack on Yahoo seemed to be the work of between 100 and 2,000 unwitting computers, enlisted in the assault by probably between five and 100 "control" hosts that orchestrated the event. "The attack we saw was kind of blended," Hannan said, with 80 percent of the traffic smurf packets and the remainder "syn" packets generated by a different and less-threatening DoS tool.

At first, Global Crossing thought the network congestion was accidental.
"We initially suspected a hardware incompatibility," said Hannan, but then an Internet service provider called during the second hour of the attack and complained that Yahoo was clogging its network. The converse, of course, was true -- that company's computers had been unwittingly enlisted in the anti-Yahoo campaign. "The person who accused us of attacking was the one innocently participating in the attack," said Hannan.

By that time, Hannan and the six other people in his company's conference room had already filtered out the type of network traffic generated by smurf tools. "What that did was allowed [us] enough breathing room on the circuit between us and our customer," he said. "At this time we decided to start logging things to get information now that we've got the situation stabilized." He said his company managed to collect just five seconds -- about 5 Mb -- worth of data.

Yahoo was attacked again on Wednesday, Hannan said, to little effect. "[It was] being muted by the filters and thresholds," he said.

That seems to be common. Attacks may not succeed, or -- unless it's a high-profile place like Yahoo -- crippled sites may not even be noticed by the media. Paul Vixie, a senior vice president for Internet services at Metromedia Fiber Network and Above.net, said some of his customers were attacked last week but have chosen not to go public.

MFN provides connectivity to eBay, which was attacked last week. "We filtered the worst of it, the so-called smurf attack at our border," Vixie said. "Unfortunately it took [eBay] several hours to get UUNet and their other providers to do the same thing."

"The person who was instigating this attack was amused by his ability to cause eBay to use all its CPU cycles... when it had no effect, they stopped launching it," he said.

Vixie, who joined MFN when it bought his company in January, said the FBI has requested that he not release details to reporters. "There have been some things I've been asked not to say," he said.
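As an added illustration of the "fingerprinting methodology" the conference calls were discussing and of the border filter Hannan and Vixie describe (this is not code from the article or from any of the providers quoted), the Python below runs over constructed one-line packet summaries, separates reflected smurf traffic from SYN-flood traffic, reports the blend, and lists the /24 networks acting as reflectors, which are the unwitting participants worth notifying. It deliberately does not list SYN sources, since those addresses are forged; the packet-summary format and the victim address are assumptions.

```python
from collections import Counter

# Constructed packet summaries (one packet per line, documentation-range
# addresses, not real hosts); 203.0.113.10 stands in for the victim's server.
VICTIM = "203.0.113.10"
SAMPLE = """\
icmp type=0 src=192.0.2.11 dst=203.0.113.10 len=1024
icmp type=0 src=192.0.2.12 dst=203.0.113.10 len=1024
icmp type=0 src=198.51.100.7 dst=203.0.113.10 len=1024
icmp type=0 src=198.51.100.8 dst=203.0.113.10 len=1024
tcp flags=S src=10.9.8.7 dst=203.0.113.10 dport=80
tcp flags=SA src=203.0.113.10 dst=192.0.2.200 dport=43211
icmp type=8 src=192.0.2.200 dst=203.0.113.10 len=64
"""

def parse(line):
    """'icmp type=0 src=... dst=...' -> {'proto': 'icmp', 'type': '0', ...}"""
    proto, *kv = line.split()
    return {"proto": proto, **dict(p.split("=", 1) for p in kv)}

def classify(pkt, victim=VICTIM):
    """'smurf' for ICMP echo replies aimed at the victim (what a broadcast
    amplifier network reflects back), 'syn' for bare TCP SYNs, else None."""
    if pkt["dst"] != victim:
        return None
    if pkt["proto"] == "icmp" and pkt.get("type") == "0":
        return "smurf"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "syn"
    return None

def fingerprint(text, victim=VICTIM):
    """Share of attack packets by kind, the /24s acting as smurf reflectors,
    and the attack packet count. SYN sources are not listed: they are forged."""
    kinds, reflectors = Counter(), Counter()
    for line in filter(None, text.splitlines()):
        pkt = parse(line)
        kind = classify(pkt, victim)
        if kind is None:
            continue
        kinds[kind] += 1
        if kind == "smurf":
            reflectors[".".join(pkt["src"].split(".")[:3]) + ".0/24"] += 1
    total = sum(kinds.values())
    shares = {k: v / total for k, v in kinds.items()} if total else {}
    return shares, dict(reflectors), total

def smurf_filter_drops(pkt, victim=VICTIM):
    """Border filter of the kind the article describes: drop echo replies to the victim."""
    return classify(pkt, victim) == "smurf"
```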
http://www.wired.com/news/politics/0,1283,34294,00.html

--------------------------------------------------------------------------------

Wired News
Hack Arrest 'A Matter of Time'
by Lynn Burke
3:55 p.m. 14.Feb.2000 PST

The FBI has identified the probable culprit behind last week's Internet attacks, security experts said Monday.

While the FBI remains tight-lipped about its investigation, Stanford University system-software developer David Brumley -- who has taken an active role in the search -- said, "It's just a matter of time now."

Brumley said the suspect is believed to live in the United States, and is not connected to the hacker known as "mafiaboy," who captured the attention of investigators and reporters early Monday when he appeared to boastfully take credit on IRC chats.

"There are lots of people on IRC right now trying to take credit for the attacks," said Brumley. "We don't believe 'mafiaboy' was involved in the major attacks."

Brumley declined to reveal the nickname of their chief suspect, but said he expects an arrest soon. "We've given the FBI five different pieces of evidence," he said. "We've had this guy in mind for a while, probably since last Wednesday, but it never hurts to have another pair of eyes. They're being extra careful."

Not everyone agrees that the Feds have found their man, however.

"To the best of my knowledge, they're not close to an arrest," said Amit Yoran, president of RIPTech, an Internet security firm in Alexandria, Virginia, run by the former heads of the Department of Defense's Defense Information Systems Agency (DISA).

Yoran says the person behind the attacks is sophisticated and skilled, and not likely to be a lone teenager sitting at a computer somewhere in the middle of America. "The tools are fairly simple, but an attack of this magnitude requires skill," he said.

And while the speculation continues, Yoran says we haven't seen the worst yet. "What we saw last week was a minor tremor," he said.
"This is just a small foreshadowing of the real dangers to come."

http://www.wired.com/news/business/0,1367,34341,00.html

________________________________________________________________________________

no copyright 2000 rolux.org - no commercial use without permission.
is a moderated mailing list for the advancement of minor criticism.
more information: mail to: majordomo@rolux.org, subject line: , message body: info.
further questions: mail to: rolux-owner@rolux.org.
archive: http://www.rolux.org