How the cyber vandals zapped Yahoo!

The type of attack that took down Yahoo! has worried security experts for months. What's more, it's not that difficult to pull off
Written by Robert Lemos, Contributor

The National Institute of Standards and Technology warned four months ago that the form of computer attack that knocked Yahoo! offline Monday was gaining in popularity among cyber vandals.

Known as "distributed coordinated attacks" the tactic is designed to defeat current defenses against denial of service attacks. A denial of service attack is a form of cyber attack that blocks Internet traffic from reaching a particular company or Internet service.

A garden-variety denial of service attack uses a single server to attempt to tie up a network's connection, denying its users access to or from the Internet. Distributed coordinated attacks, however, use hundreds or thousands of servers co-opted by a malicious programmer to tag-team a single server.

Because so many servers are used in a distributed coordinated attack, each attack can be camouflaged as a legitimate connection attempt -- making it difficult for the victim's intrusion software to identify that it is under attack and impossible to identify just who is attacking.

Speaking on the topic of distributed coordinated attacks last October, Thomas Longstaff, senior technical researcher for Software Engineering Institute at Carnegie Mellon University, said: "It's possible to detect the attack, but it is very hard to block it (using current software).

"Typically, you block the single network address that is attacking you," said Longstaff, whose group works with the Computer Emergency Response Team Coordination Center at Carnegie Mellon. CERT/CC tracks and responds to network attacks.

"By spreading out the attack over a large number of addresses, it becomes much harder to deal with."

Yahoo! -- which is the Web's second-most popular site -- was knocked offline for three hours by a distributed coordinated attack Monday. It is believed, Yahoo! is be the biggest site ever to be knocked offline by a denial of service attack. One of Yahoo!'s investors, Softbank, is also a major investor in ZDNet.

"Given the nature of this, we believe it was a coordinated incident coming from multiple points on the Internet," Yahoo! said in a statement Monday. "We are continuing to remedy the situation by installing rate filters to prevent this attack from causing any further inconvenience."

Before Yahoo!, Longstaff and others had already locked horns with intruders using the distributed coordinated method of attack. Already CERT/CC has warned of software "tools" that allow any semi-knowledgeable vandal with a computer and Internet access to set up "agents" that flood the target servers with traffic, preventing legitimate users from accessing the server.

The three best-known programs are Trinoo, Tribe and Stacheldraht, which one CERT member reported had attacked using more than 100 servers.

Getting the access necessary to compromise hundreds of servers is not as difficult as it sounds, said Barbara Fraser, consulting engineer to the chief technology officer at Cisco Systems, in a previous interview with ZDNet News.

With "always-on" connections to the home becoming more and more common, the number of insecure computers connected to the Internet full time is increasing. "With the average home user knowing very little about security, this problem is going to get worse," she stressed.

In addition, network attackers are more frequently automating the software used to gain access to systems through known exploits. A whole host of programs exist to scan networks connected to the Internet for previously discovered security holes that system administrators have not patched.

"This method attacks the lowest common denominator in security," said CERT's Longstaff. "It will never be hard to find a thousand servers that don't have the most up-to-date patches."

In fact, prevention may rely more on protecting computers from being used by malicious programmers, rather than protecting the target, he said.

What do you think? Tell the Mailroom. And read what others have said.

Editorial standards