RealTime IT News

Yahoo!: Attackers Knew Our Weaknesses

New information released by Yahoo! suggests some of the denial of service attacks on Web sites over the past week may have come from sophisticated attackers with knowledge of each site's network.

In a message sent Thursday to other Internet service providers and to the Computer Emergency Response Team (CERT), Yahoo! (YHOO) network engineer Jan B. Koum concluded that the attackers were "above your average script kiddie" and "knew about our topology and planned this large scale attack in advance."

According to Koum, the 1-gigabits-per-second flood of requests directed at one of its routers Monday appeared to originate from attackers who were expert not only in Unix and networking, but also the unique vulnerabilities in Yahoo!'s and other victim's networks.

"In talking to other companies it seems they also were hit `where it hurts" the most,'" said Koum, who also apologized for not disclosing the firm's findings sooner, but explained that "we needed to be sure we are well protected first."

Yahoo!'s analysis appears to refute recent comments by some security experts that the attacks could have been launched by teenage pranksters. Even Ronald Dick, chief of the computer investigation and operations section of the FBI's National Infrastructure Protection Center, said Wednesday that the availability of denial of service utilities means "any 15-year-old" could have marshaled the attacks, which brought outages or crippled performance to a half dozen sites.

Elias Levy, chief technology officer for security information firm SecurityFocus.com, praised Yahoo! for sharing its analysis and defense strategies with the Internet community. But he cautioned against concluding that the attacks were perpetrated by professional computer criminals -- or even worse, by someone with inside information about the victim's networks.

"Whoever did it had the presence of mind to learn about Yahoo! and its points of failure. That doesn't make the attack sophisticated, but it does tells us that whoever did it was very premeditated," said Levy.

Michael Monson, a security engineer with InterSec Communications, a computer security instruction and auditing firm, said targeting a vulnerable router rather than an entire Web site requires no more technical sophistication than being able to use traceroute, a basic networking tool.

"I definitely think a script kiddie could have pulled it off. It doesn't take a tremendous amount of expertise to do this," said Monson.

Yahoo! officials were not immediately available to confirm whether they were treating the attacks as an inside job.

Yahoo!'s report also suggests that a variety of DoS attacks have been aimed at victims. While Yahoo! said it experienced a distributed denial of service attack, the company said other sites had reported being hit by single-source DoS attacks. "One would assume there has been a fair amount of copycat activity," wrote Yahoo!'s Koum.

A total of four DoS attacks were directed at Yahoo! over the course of the week, according to the company. But subsequent attacks had little effect because of measures taken by its upstream Internet service provider, GlobalCenter, to limit damage. Those actions included throttling all forms of ICMP at GlobalCenter's border routers.