It's war: The Web under attack!

Some of the Web's largest sites have been targeted by Denial of Service attacks. Expert: They 'had to be' connected.

Online brokerages E*Trade and Datek, as well as tech news site ZDNet, on Wednesday joined eBay, Buy.com, Amazon.com, CNN.com and Yahoo! on the hit list of high-profile Web sites to suffer Denial of Service attacks in the past two days.

The Federal Bureau of Investigation said it will hold a news conference to discuss the attacks in Washington, at 11 a.m. PST.

As the incidents mounted, security experts declared that the outages were almost certainly the result of a coordinated effort.

"I don't see how they couldn't be," said Stuart McClure, the president and chief technology officer at Ramparts Security Group LLC in Irvine, California. "The symptoms are all the same, the effects are all the same -- every time I talk to people [at the afflicted sites] they all say the same things."

Elias Levy, chief technology officer of Securityfocus.com, a computer security information service, concurred, noting that the rapid succession of disruptions suggests a connection among the attacks. "It would be very difficult to assemble this level of attack so quickly if it were a copycat," Levy said.

On Wednesday morning, online brokerage E*Trade told CNBC that it was the subject of an attack, but only a small percentage of customers were impacted. The company said it had successfully redirected the attack.

Datek said it was knocked off the Web from 6:30 to 7:05 a.m. PST due to an apparent attack.

In addition ZDNet was offline for two hours starting at 4:30 a.m. PT. The company said it appeared to have been the target of a Denial of Service attack.

Users have reported sporadic problems accessing America Online and Microsoft sites, but those companies have not verified attacks.

Web traffic to both eBay, the Web's largest online auctioneer, and Buy.com, an online retailer in the midst of its IPO, was blocked by the cyber attacks Tuesday. Yahoo!, one of the world's biggest and most reliable sites, was knocked offline for three hours Monday.

The FBI met with Yahoo! executives Tuesday to discuss opening an investigation into its denial of service attack.

Meanwhile, Internet monitoring firm Keynote Systems reported late Tuesday that Amazon.com's Web site was virtually shut down at about 5 p.m. PST Tuesday. According to Keynote, it was able to enter Amazon about 1.5 percent of the times it tried, and the online store's "inaccessibility looks very similar to what we saw with Yahoo and eBay and Buy.com." Amazon was not available for comment Tuesday night.

CNN.com was hit later Tuesday. "At 7 p.m. EST we were attacked by hackers. A Denial of Service attack occurred until 8:45 p.m. We were seriously affected. We were serving content but it was very inconsistent and very little," said PR director Edna Johnson, in a statement.

"By 8:45 p.m. our upstream providers had put blocks in place that are shielding us and we are now serving content."

eBay, Buy.com and Yahoo! all were targeted by coordinated, distributed Denial of Service attacks -- a technique in which attackers use a great number of compromised servers to flood a target with data. This type of attack takes only limited technical expertise and can be difficult to stop.

"Denial of Service is becoming more sophisticated," according to a "white-hat" hacker working for security firm @Stake who identifies himself as Weld Pond. "The problem is not going away."

Target No. 1: Yahoo!

The spate of Web attacks began at 10:30 a.m. PST Monday, when traffic to Yahoo! -- the second most popular site on the Web after America Online -- took a nosedive. Engineers at GlobalCenter, the hosting service for Yahoo!, initially thought a critical piece of network equipment had failed. However, GlobalCenter soon realised that malicious attackers were responsible for blocking the key transfer points, known as routers, between Yahoo! and the Internet.

"About half of the entry points in our network were affected," said Laurie Priddy, executive vice president for GlobalCenter, a subsidiary of telecommunications giant Global Crossing.

A flood of data sent by the attackers, seemingly coming from 50 different IP addresses, overwhelmed the routers managed by GlobalCenter. The flood peaked at 1Gbps, but for the most part the hosting service's other customers were not affected.

"We have a very large network that carries a huge amount of traffic," said Priddy, adding that the capacity allowed its other customers to remain up and running. "We had a small number of customers that called, but no more than any other day." Yahoo! didn't get back up until 1:30 p.m. PST Monday.

Target No. 2: Buy.com

The next target, Buy.com, was hit just over 24 hours later. Mitch Hill, chief financial officer for Buy.com, said the Denial of Service attack originated from such disparate points as Chicago, Boston and New York -- overwhelming Buy.com's servers.

Buy.com said 800 megabits of data per second hit the site -- about eight times the site's capacity. According to Hill, Buy.com normally runs at only 30 percent of its capacity.

Although the timing of the attack with the company's IPO (initial public offering) appears to be suspect, Hill said there is no evidence it was timed to hurt the company's stock offering. "It is unfortunate that whoever did this chose to attack us on this day," he said.

Prior to the outage Buy.com was experiencing higher than normal traffic because of publicity related to its IPO.

Target No. 3: eBay

The third target, eBay, was hit five-and-a-half hours after Buy.com. The attack occurred just before 3:20 p.m. PST and lasted throughout Tuesday afternoon and into the evening while eBay worked to filter out the unwanted traffic.

In a statement eBay said: "We are taking multiple measures to fight this, including working with local and federal authorities, ISPs including Sprint, UUNet and AboveNet, our vendors, including Cisco, our partners, and other Internet sites that have recently been attacked in the same way."

Members of the eBay community have been notified that they are eligible to receive a credit if they believe their auctions have been "materially affected" because of the outage. eBay said no internal data related to auction listings or bidding were compromised during the attack.

Can the Web's biggest sites protect themselves from these attacks? In the Yahoo! case, GlobalCenter's engineers put restrictions on the type of data -- known as Internet Control Message Protocol (ICMP) packets -- that had flooded it for those few hours. Instead of letting an unlimited amount of data through, GlobalCenter scaled back.
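The "scaling back" described above amounts to rate-limiting ICMP at the network edge so that a flood cannot consume all of a router's capacity while ordinary TCP traffic still passes. The following Python is an added illustration written for this article, not code from GlobalCenter, Yahoo! or any vendor named here; it applies a sliding-window cap to ICMP only, over a constructed sample of packet summaries with 50 forged source addresses (all names, thresholds and sample values are assumptions).

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds (constructed sample data)
    src: str     # source address as written in the header; may be forged
    proto: str   # "icmp", "tcp" or "udp"


class IcmpRateLimiter:
    """Sliding-window limiter: admit at most `max_icmp` ICMP packets per window.

    Non-ICMP traffic is never touched, which is the point of the tactic: the
    protocol being abused is throttled as a class, because per-source limits
    are useless when the sources are spoofed (hypothetical helper, not a
    real router feature).
    """

    def __init__(self, max_icmp, window_seconds=1.0):
        self.max_icmp = max_icmp
        self.window = window_seconds
        self.recent = deque()  # arrival times of ICMP packets admitted in-window

    def allow(self, pkt):
        if pkt.proto != "icmp":
            return True
        # Expire admitted ICMP packets that have left the window.
        while self.recent and pkt.ts - self.recent[0] >= self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_icmp:
            return False  # over budget: drop, do not forward to the servers
        self.recent.append(pkt.ts)
        return True


def filter_packets(packets, max_icmp=100):
    """Run packets (in arrival order) through the limiter; return those admitted."""
    limiter = IcmpRateLimiter(max_icmp)
    return [p for p in sorted(packets, key=lambda p: p.ts) if limiter.allow(p)]


def make_sample():
    """Constructed flood: 500 ICMP packets in half a second from 50 forged
    addresses in the documentation range, plus 20 legitimate TCP packets."""
    pkts = [Packet(ts=i * 0.001, src=f"192.0.2.{i % 50}", proto="icmp")
            for i in range(500)]
    pkts += [Packet(ts=0.01 + i * 0.02, src="198.51.100.7", proto="tcp")
             for i in range(20)]
    return pkts


if __name__ == "__main__":
    admitted = filter_packets(make_sample())
    icmp = sum(p.proto == "icmp" for p in admitted)
    tcp = sum(p.proto == "tcp" for p in admitted)
    print(f"admitted {len(admitted)} packets: {icmp} icmp, {tcp} tcp")
```

With a budget of 100 ICMP packets per second, the first 100 of the 500 flood packets are forwarded and the rest are dropped, while every TCP packet passes untouched. The cap is a blunt instrument by design: legitimate ICMP (ping, path-MTU messages) is throttled alongside the flood, which is why the article presents it as a holding action rather than a cure.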

That tactic is something the company should have done before the attack, said @Stake's Weld Pond. "We installed (such) filters a long time ago because of such attacks," he said.

While in Yahoo!'s case the attack seemed to come from 50 different Internet addresses, more likely hundreds or thousands of servers were used and the data forged to make it look like it came from only 50 addresses, Weld Pond said.

SecurityFocus.com's Levy described a case where 10,000 servers had apparently been used to conduct a similar attack. "In essence, these attacks are harnessing the power of hundreds of computers on the Internet to amplify and focus an attack," Levy said. "The only way to stop this misuse of the Internet is for everyone to check their own network and fix any misconfigured systems."

That's only a stopgap solution, said Steve Bellovin, network and security research fellow at AT&T Labs. "The best we can do today is put in anti-spoof filters that make the attacks harder and the attackers easier to track down."
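Bellovin's "anti-spoof filters" are ingress filters applied by a provider on each customer-facing interface: a packet is admitted only if its source address belongs to the prefixes assigned to the network behind that interface, so a compromised machine cannot claim one of the 50 forged addresses seen in the Yahoo! attack, and any traffic that is dropped points back at the interface it entered through. This Python is an added example written for this article, not code from AT&T Labs or any provider named here; the interface names, prefixes and packets are constructed from documentation address ranges.

```python
from collections import Counter
from ipaddress import ip_address, ip_network


class IngressFilter:
    """Anti-spoof (ingress) filter keyed by the interface a packet arrives on.

    `interface_prefixes` maps an interface name to the prefixes assigned to the
    customer behind it (hypothetical configuration, constructed here).
    """

    def __init__(self, interface_prefixes):
        self.prefixes = {
            iface: [ip_network(p) for p in nets]
            for iface, nets in interface_prefixes.items()
        }

    def allow(self, iface, src):
        nets = self.prefixes.get(iface)
        if nets is None:
            return False  # unknown interface: fail closed
        addr = ip_address(src)
        return any(addr in net for net in nets)


def audit(ingress, packets):
    """Apply the filter to (iface, src, dst) tuples.

    Returns the admitted packets and a per-interface count of drops; the
    drop counts are the "easier to track down" part, since each dropped
    packet is tied to a physical ingress point rather than a forged address.
    """
    admitted, dropped = [], Counter()
    for iface, src, dst in packets:
        if ingress.allow(iface, src):
            admitted.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return admitted, dict(dropped)


# Constructed configuration: two customer interfaces with one /24 each.
SAMPLE_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed traffic: one genuine packet per customer and one forged packet
# per customer (cust-b even borrows an address from cust-a's range).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.1"),     # genuine
    ("cust-a", "203.0.113.5", "203.0.113.1"),    # forged: not a cust-a address
    ("cust-b", "192.0.2.77", "203.0.113.1"),     # forged: cust-a's range on cust-b
    ("cust-b", "198.51.100.3", "203.0.113.1"),   # genuine
]


if __name__ == "__main__":
    ok, drops = audit(IngressFilter(SAMPLE_PREFIXES), SAMPLE_PACKETS)
    print(f"admitted {len(ok)} packets; drops per interface: {drops}")
```

The check is cheap (a prefix match per packet) but only helps when deployed widely: a provider that filters its own customers protects other people's sites, not its own, which is why Bellovin calls it a stopgap and why Levy's remark that "everyone" has to fix their own network applies.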

Coincidence or not, a half-hour after Bellovin gave a talk on Denial of Service attacks at a conference for the North American Network Operator's Group, the attack on Yahoo! began.

The future looks a whole lot darker, however. While filtering packets can be a defence against most of today's tools designed to conduct a distributed Denial of Service attack, new techniques could bypass such defenses.

One such tool for attackers, known as Stream.c, sends forged TCP/IP packets, which a typical router will pass to the destination server. The packets can be designed to take up precious computing cycles before the data is determined to be bad.

The bad news is that such packets are hard to detect and filter out. The good news, perhaps, is that -- so far -- only vandals seem interested in using the attacks.

"These sorts of attacks make (the attacker) feel powerful," said AT&T's Bellovin. "It's the equivalent of kids snapping antennas on the street."

ZDNet's Patrick Houston and Reuters contributed to this report
