RealTime IT News

Security Expert's Site Knocked Offline By Attack

Victims of distributed denial-of-service attacks are usually reluctant to admit they've been hit, let alone provide specific technical details about the attacks. But Gibson Research Corporation president Steve Gibson said Monday that he intends to turn some weekend lemons into lemonade.

After having his site knocked offline for 17 hours by a DDoS attack that began Friday night, Gibson plans to post a detailed report about the experience, including a list of the hundreds of compromised machines marshalled by an as-yet unknown attacker to launch the strike. A preliminary version of the report was online Monday.

According to Gibson, who has gained renown for his popular freeware security and privacy tools, GRC.com was forced off the Internet at around 8:00 Pacific Friday evening, as several hundred compromised computers located across the Internet began issuing millions of bogus ICMP and UDP requests. At its peak, the attack generated 25 megabits of bandwidth, overwhelming the site's 3.1-Mbit connection.

An initial review of the log files from the attacks did not reveal which of the numerous DDoS tools were used in the attacks. But Gibson said many of the "zombie" machines apparently were owned by Windows PC users with cable modem connections -- ironically the very sorts of people he tries to educate and serve with his free resources, which include a firewall testing tool and a Windows port security probe.

"I've got their IP addresses and the ability to make a loud noise about this. I know that @Home and Rogers and others are going to be unhappy about the attention I'm going to bring to them, but this is needed to bring about some change," said Gibson.

Because the IP addresses of the attacking computers were not disguised or "spoofed," the attack could have been quickly neutralized by the site's hosting company Verio, through the use of routing filters. But the ISP's most knowledgeable customer support personnel were gone for the weekend, and Gibson reports he was unable to contact key staff until early Saturday afternoon. At that point, a 10-minute fix by Verio shut down the attack.

"That's just wrong, if we're talking about the Internet being a national, core infrastructure. It's like the phone company turning off phone service because it's the weekend," said Gibson, adding, however, that he has no plans to change ISPs.

Gibson speculates that a dispute between some users of his discussion forums may have led to the attack, but no one has yet claimed responsibility or responded to his invitation to discuss the attacks.