AboveNet Victim of DoS Attack

Attackers found a way to knock AboveNet’s routers senseless for several
hours Tuesday morning. But the company downplayed fears that similar attacks
could spread to other providers.


AboveNet spokesperson Carol Nash
Wednesday confirmed that the bandwidth and hosting company experienced a
“direct malicious attack” on its infrastructure, but she declined to provide
specifics on the attack, citing an ongoing FBI investigation.


According to a notice at
the company’s network status page, the outage was due to failures in its
Cisco switches. The notice said the failures resulted in loss of
configuration information.


The result was widespread connectivity problems for AboveNet customers
nationwide Tuesday. AboveNet provides Internet services to hundreds of ISPs
and other companies, including HP, CNET Inc., Akamai and American International
Group (AIG).


Nash, however, said the Cisco gear was not specifically at fault in the
outage. “It has absolutely no reflection on their equipment,” she said.


The attack has raised fears of another bout of denial of service attacks
like those that rocked the Web in February. But Nash said those fears are
unjustified.


“It is a unique attack directed specifically at us. It doesn’t mean others
are vulnerable to this type of attack,” said Nash, who declined to say
whether the company suspected an employee or someone with inside
knowledge of its network was responsible for the attack.


In a posting early Wednesday morning to the NANOG message board frequented
by network operators, Paul Vixie, senior VP for Internet Services for
Metromedia Fiber Network, AboveNet’s parent company, also suggested the
attackers exploited a vulnerability unique to AboveNet. Vixie wrote, “If
(we) suspected a way in which other providers were vulnerable, we’d have
shared that information with you (privately) by now.”


AboveNet has plugged the hole that allowed the attack to occur and
has restored service to most of its affected customers.


For some AboveNet customers, the outage was merely an inconvenience. Mark
Kent of Internet Mainstreet Inc. in San Jose said traffic switched over to
an alternate connection through Genuity, Inc. during the outage.


In an email to InternetNews.com, Kent said, “I believe that once you get to
a certain size, these kinds of failures are inevitable and so a suitable
backup is essential.”


The attack on AboveNet’s equipment follows a security alert last week from
Cisco. The big router maker issued a bulletin
notifying users that a defect in its IOS software could enable
outsiders to force its routers to reboot by issuing a simple TELNET command.
Cisco said the defect could be exploited repeatedly to produce a denial of
service attack. The vulnerability was reported to the company by several
different customers who found it while conducting security scans of their
networks. Cisco has corrected the defect in updates to IOS.


Another vulnerability in IOS was publicized last year on the Bugtraq
security mailing list. In that instance, attackers are able to crash or
reboot Cisco routers by sending malformed packets to the router’s port 514.
The company issued workaround instructions and patched later versions of
IOS to prevent the attack.


Earlier this month, AboveNet said it
plans to deploy new routers from Juniper Networks that are specifically
designed to filter packets and thwart denial of service attacks.
