FBI Opens Investigation to Track Attacks
- — 10 February, 2000 16:09
Over the past two days, the Web sites of Yahoo Inc., Buy.com Inc., CNN.com, ZDnet, ETrade Group Inc. and eBay Inc. have been victimized by massive network-based denial-of-service attacks that made these sites unavailable to legitimate users for about three hours at a stretch. By carefully filtering out Web site traffic, the ISPs (Internet service providers) in each case managed to bring these sites back into normal use. The FBI, which has begun working with the victims to nab the perpetrators, claims the scale of the attacks is unprecedented.
"With the kinds of victims and the sequence of events, this makes it the most we have ever seen," said Ron Dick, chief of the computer investigations and operation section at the National Infrastructure Protection Center, which is housed at the FBI here.
The FBI, which is in close contact with all the victims, as yet has no motive or suspects in the series of attacks that appear to rely on the newer type of denial-of-service tools such as Trin00 or Tribal Flood Network.
Posted out on hacker Web sites for easy download, these tools work by allowing a single attacker to launch multiple SYN floods, pings or other network disruptions by coordinating the attack through hundreds of compromised machines. For the attacker, the trick is to secretly install the denial-of-service attack code on multiple servers. Then at his own desktop, the attacker can remotely command these multiple, compromised machines to attack the target.
The distributed denial-of-service attack code out on the Internet is so simple "a fifteen year-old could use it," Dick says.
The successful shootdowns of Yahoo and other high-profile targets have evoked a vow from U.S. Attorney General Janet Reno to track down the criminals.
"We're not aware of the motives behind these attacks, but they appear to disrupt legitimate e-commerce," said Reno at a press briefing here today. She said specially trained field prosecutors are working with the companies that were the victims.
"We're determined to track (the perpetrator) down and bring them to justice so that the law is enforced," Reno warned.
If convicted of the denial-of-service attacks, the perpetrator faces a five-year prison term for a first offense, a 10-year term if convicted of multiple attacks, and up to US$250,000 per count. The companies that were victimized could also press a civil case against the perpetrators.
Catching the criminals will probably take time, Dick said. "We're collecting all the logs of the victim's sites," he noted. "Historically, this has not just been a U.S. issue. We inevitably end up overseas where an unwitting ISP is involved."
Dick said the FBI will use its own network surveillance methods to track the crime back to its source on the Internet.
But he urged network managers at both enterprise networks and ISPs to check and make sure that their servers have not been compromised by secretly-installed denial-of-service attack code. Tools for making that check are available at the National Infrastructure Protection Center's Web site.
"Tools such as Tribal Flood Network and Trin00 we have seen being installed on various machines around the world," Dick said. "Most likely the origin of these attacks now are the networks of unwitting people. Intruders have placed tools there without their knowledge, and someone else is controlling them."