Yahoo!: Attackers Knew Our Weaknesses

New information released by Yahoo! suggests some of the denial of
service attacks on Web sites over the past week may have come from
sophisticated attackers with knowledge of each site’s network.

In a message sent Thursday to other Internet service providers and to the Computer
Emergency Response Team
(CERT), Yahoo! (YHOO) network engineer Jan B. Koum concluded that the attackers were “above your average script
kiddie” and “knew about our topology and planned this large scale attack in
advance.”

According to Koum, the 1-gigabit-per-second flood of requests directed at
one of its routers Monday appeared to originate from attackers who were
expert not only in Unix and networking, but also in the unique vulnerabilities
in Yahoo!’s and the other victims’ networks.

“In talking to other companies it seems they also were hit ‘where it hurts
the most,’” said Koum, who also apologized for not disclosing the firm’s
findings sooner, but explained that “we needed to be sure we are well
protected first.”

Yahoo!’s analysis appears to refute recent comments by some security experts
that the attacks could have been launched by teenage pranksters. Even Ronald
Dick, chief of the computer investigation and operations section of the FBI’s
National Infrastructure Protection Center, said
Wednesday that the availability of denial of service utilities means “any
15-year-old” could have marshaled the attacks, which brought outages or
crippled performance to a half dozen sites.

Elias Levy, chief technology officer for security information firm
SecurityFocus.com, praised Yahoo! for sharing its analysis and defense
strategies with the Internet community. But he cautioned against concluding
that the attacks were perpetrated by professional computer criminals — or
even worse, by someone with inside information about the victim’s networks.

“Whoever did it had the presence of mind to learn about Yahoo! and its points
of failure. That doesn’t make the attack sophisticated, but it does tell us
that whoever did it was very premeditated,” said Levy.

Michael Monson, a security engineer with InterSec Communications,
a computer security instruction and auditing firm, said targeting a vulnerable router rather than an entire Web site
requires no more technical sophistication than being able to use traceroute,
a basic networking tool.

“I definitely think a script kiddie could have pulled it off. It doesn’t
take a tremendous amount of expertise to do this,” said Monson.

Yahoo! officials were not immediately available to confirm whether they were
treating the attacks as an inside job.

Yahoo!’s report also suggests that a variety of DoS attacks have been aimed
at victims. While Yahoo! said it experienced a distributed denial of service
attack, the company said other sites had reported being hit by single-source
DoS attacks. “One would assume there has been a fair amount of copycat
activity,” wrote Yahoo!’s Koum.

A total of four DoS attacks were directed at Yahoo! over the course of the
week, according to the company. But subsequent attacks had little effect
because of measures taken by its upstream Internet service provider,
GlobalCenter, to limit damage. Those actions included throttling all forms
of ICMP at GlobalCenter’s border routers.
