U.S. still hunts cyberattack culprit

By MICHAEL KIRKLAND, UPI Legal Affairs Correspondent  |  Oct. 23, 2002 at 1:46 PM
share with facebook
share with twitter

WASHINGTON, Oct. 23 (UPI) -- U.S. investigators Wednesday were still trying to determine who launched the massive and potentially crippling cyberattack against the Internet earlier this week.

The Monday evening attack knocked out most of the "root servers" -- the main superhighways of the Internet -- but backup servers kept most users from noticing the shutdowns.

"The Cyber Division of the FBI and the National Infrastructure Protection Center were aware of the attacks while they were in progress, and we have opened an investigation," bureau spokesman Paul Bresson said Wednesday.

NIPC also issued a statement Wednesday downplaying the impact of the attack.

"While the attack Monday night was unique in that it targeted domain name servers," the statement said, "the method was nothing new. There was some degradation of service. However, nothing failed, and servers were able to mitigate the attack quickly."

The SANS Institute issued a bulletin Wednesday detailing the attack. "SANS," which stands for "SysAdmin, Audit, Network and Security," is a cooperative research and education organization consisting of 156,000 security professionals, auditors, system administrators and network administrators.

"The 13 root name servers, effectively the master directory for the Internet, were subjected to a large-scale distributed denial of service (DDoS) attack on Monday evening," the bulletin said. "According to Internet Software Consortium Inc. Chairman Paul Vixie, only four withstood the attack. Redundancy designed into the Internet in the system allowed most traffic to get to its intended destination without delay."

In an interview with United Press International in 2000, presidential adviser Dick Clarke warned that the National Security Council believes "tens of thousands" of personal computers may have been turned into "zombies" to launch DDoS attacks.

The instigator of a DDoS attack secretly uses the Internet to place "packets" or "demons" in unsuspecting third-party computers. Theoretically, the invasion could involve thousands of machines, and computers with continuous access to the Internet are believed to be particularly vulnerable.

The computers perform as usual while containing the hidden "demons."

But at a pre-arranged time or at a signal from the instigator, the "zombies" launch cyberattacks against the target system. The attacks consist of requests containing "spoofed" -- fictitious -- return addresses, and tie up the target in an endless attempt to answer unanswerable e-mail.

In a separate statement, SANS Institute Research Director Alan Paller said the "only way to stop such attacks is to fix the vulnerabilities on the machines that would ultimately get taken over and used to launch the attacks. There's no defense once the machines are under the attacker's control. If organizations have not established vulnerability identification and remediation programs for all their systems -- even the 'unimportant' ones -- it won't be long before their foot dragging will subject them to economic liability and community contempt for their negligence."

The nation's worst DDoS attacks occurred in February 2000, when Yahoo! and many of the most high-profile commercial sites on the Internet were struck down, sometimes for days.

The FBI, in cooperation with Canadian police, eventually charged a 14-year-old Canadian youth with instigating at least some of the attacks.

The proceedings against the youth, who used the nickname "mafiaboy" online, were closed to the public.

Related UPI Stories
Topics: Alan Paller
Trending Stories