How a basic attack crippled Yahoo

The assault highlights a simple technique that can cripple a large, relatively well-prepared Internet company.

Lesson of the day: If they can shut down Yahoo, they can shut down anybody.

An apparently coordinated attack today overwhelmed one of the Web's most popular destinations, once again calling into question the vulnerability of Internet companies.

"Our engineers had just not seen anything like this before," said Laurie Priddy, executive vice president of systems and applications for GlobalCenter, Yahoo's Web hosting service, which bore the brunt of the attack. "It would take a concerted effort, a group of people or some sophisticated software to generate that level of traffic."

Other high-profile Internet companies, such as eBay, have been hit by major outages, but today's attack on Yahoo highlights a simple technique that can cripple a large, relatively well-prepared Internet company.

Yahoo executives today said their system was knocked out by a "distributed denial of service attack"--an attack technique well known to security experts. The National Institute of Standards and Technology, Carnegie Mellon's CERT Coordination Center and the FBI all have issued alerts on the subject during the past few months.

In a warning issued in late December and updated in mid-January, the FBI said it found the tools needed to launch these attacks secretly installed on many computer systems across the Net, without owners' permission or knowledge. This has created "large networks of hosts capable of launching significant coordinated...attacks," the FBI said.

A denial of service outage occurs when attackers bombard a Web site's servers with bogus requests faster than the servers, or the network links feeding them, can handle. In a distributed attack, the requests come from many compromised machines at once, so the flood can far exceed anything a single attacker's connection could send. The affected Web site struggles to keep up with the mounting number of requests, slowing performance for users or ultimately crashing the system.

Internet executives and industry experts said certain security measures can be implemented to curb mischief and that consumers should not have concerns about the Net's reliability.

"This shouldn't lead to wide-scale (negativity) about the Internet," Priddy said. "Was it a bad day? Sure. It's not the first one, and I doubt it will be the last...That's not to say there are not defenses."

In today's attack, however, those defenses proved inadequate.

Yahoo had implemented "rate filters," which are intended to blunt denial of service attacks by limiting how fast incoming traffic is accepted. But the company said this particular attack was too large to ward off.

Executives at GlobalCenter, the Web-hosting unit of international communications carrier Global Crossing, said the level of traffic sent to Yahoo's equipment was unprecedented.

For example, GlobalCenter's entire network handles an average of 4.5 gigabits per second, Priddy said.

At the peak of the outage, which lasted from about 10:30 a.m. PST until shortly after 1 p.m., the Yahoo-directed requests totaled roughly 1 gigabit per second, more information than some Web sites receive in a year, Yahoo spokeswoman Diane Hunt said.

"This was a highly unusual event," Hunt said. "It happened very quickly and with great intensity.

"The Internet is still in its infancy," she added. "A lot of the things that happen on the Web are new. This isn't the last time this will happen on the Internet."

Midway through the day, Yahoo's core Web address switched from the GlobalCenter facility to a backup East Coast system, easing much of the problem, said Gene Shklar, vice president of public services for Net traffic monitor Keynote Systems. That action by Yahoo probably was responsible for bringing the site back online, he said.

Yahoo was hardly unprepared for such an attack; that it succeeded anyway indicates a coordinated effort, experts say.

"Yahoo is a company that's prepared to handle really high levels of traffic," said Elias Levy, chief technical officer for Internet consulting firm Security Focus. "To be able to take down that network would require a lot of hosts coordinating their actions."

Brute-force denial of service attacks have a long history in the computer underground, largely because they are a relatively easy way to wreak havoc with outside computers or Web sites, security analysts say.

In one of the most common forms, an attacker will effectively take over another machine, or a group of machines connected to the Web, and then program these "slave" machines to send streams of information at the target site.

Commonly, these streams will take the form of a "ping" command (an ICMP echo request)--a basic, low-bandwidth way for one machine to query whether another machine on the network exists.

One ping at a time is almost indistinguishable from the flow of traffic around it. But send enough of them, all at the same time, and the resulting traffic can clog networks or bring servers and router systems to their knees.

Attackers commonly forge the source addresses on these packets, so the replies go to machines that never asked and the true origin is virtually untraceable.
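To see why a per-source "rate filter" of the kind Yahoo describes does so little against a spoofed, distributed ping flood, here is a small simulation. It is an added example, not code from the article, from Yahoo or from GlobalCenter, and every number in it (50 legitimate clients, a 5,000-packet-per-second flood, a link that absorbs 2,000 packets per second, a 20-packet-per-source limit) is a constructed assumption chosen to make the effect visible, not a measurement of the real event. The traffic records are generated in the script itself; nothing is captured from a network.

```python
"""Spoofed flood vs. a per-source rate filter (constructed simulation)."""
import random
from collections import Counter, defaultdict

# All figures below are illustrative assumptions, not measured values.
LEGIT_HOSTS = 50          # hypothetical real clients
LEGIT_PPS_PER_HOST = 10   # packets per second each real client sends
FLOOD_PPS = 5000          # forged "pings" per second from the attacking hosts
DURATION = 10             # seconds simulated
LINK_CAPACITY_PPS = 2000  # what the hypothetical server link can carry
PER_SOURCE_LIMIT = 20     # packets per source per second the rate filter allows


def legit_packets():
    """Constructed background traffic: each client sends a steady, modest stream.
    A packet is just (timestamp_seconds, source_address)."""
    pkts = []
    for sec in range(DURATION):
        for host in range(LEGIT_HOSTS):
            src = f"10.0.0.{host}"  # hypothetical client addresses
            for k in range(LEGIT_PPS_PER_HOST):
                pkts.append((sec + k / LEGIT_PPS_PER_HOST, src))
    return pkts


def flood_packets(seed=7):
    """Constructed ping flood: every packet carries a random, forged source
    address, so no single address ever looks busy to a per-source filter."""
    rng = random.Random(seed)
    pkts = []
    for sec in range(DURATION):
        for i in range(FLOOD_PPS):
            spoofed = ".".join(str(rng.getrandbits(8)) for _ in range(4))
            pkts.append((sec + i / FLOOD_PPS, spoofed))
    return pkts


def per_source_rate_filter(pkts, limit=PER_SOURCE_LIMIT):
    """The kind of filter that stops one chatty host: drop a packet once its
    source has exceeded `limit` packets in the current one-second window.
    Returns (passed, dropped)."""
    seen = Counter()
    passed = dropped = 0
    for ts, src in pkts:
        key = (int(ts), src)
        seen[key] += 1
        if seen[key] > limit:
            dropped += 1
        else:
            passed += 1
    return passed, dropped


def per_second_stats(pkts):
    """Aggregate view: {second: (packets, distinct sources)}. The distinct-source
    count is what separates a distributed flood from a single noisy host."""
    count = Counter()
    sources = defaultdict(set)
    for ts, src in pkts:
        sec = int(ts)
        count[sec] += 1
        sources[sec].add(src)
    return {sec: (count[sec], len(sources[sec])) for sec in sorted(count)}


def saturated_seconds(pkts, capacity=LINK_CAPACITY_PPS):
    """Seconds in which the aggregate rate exceeds the link. In a real event
    these packets congest the link upstream of the host, so a filter on the
    server never gets a chance to drop them."""
    return [sec for sec, (pps, _) in per_second_stats(pkts).items() if pps > capacity]


def simulate():
    normal = legit_packets()
    attack = sorted(normal + flood_packets())
    return {
        "normal_filter": per_source_rate_filter(normal),
        "attack_filter": per_source_rate_filter(attack),
        "normal_saturated": saturated_seconds(normal),
        "attack_saturated": saturated_seconds(attack),
        "attack_peak": max(per_second_stats(attack).values()),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The per-source filter drops nothing during the flood, because each forged address appears only once and never crosses the limit; only the aggregate view shows every second of the attack above link capacity, with thousands of distinct "senders" where there were fifty before. That is the shape of the problem the article describes: the host can detect that it is drowning, but once the pipe itself is full, dropping packets at the server no longer helps, and relief has to come from upstream filtering or, as Yahoo did, from moving the service elsewhere.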

For all the sophisticated work on firewalls and security, analysts say there is little that can be done against a concerted denial of service attack.

Compounding the risk is that the tools used to launch denial of service attacks are easily available online. Where an attack once might have required sophisticated programming knowledge and computing resources, these downloadable tools now have brought the ability to wreak havoc on unprepared Web sites within the range of relatively casual computer users.

Experts say that similar attacks are likely to happen, taking advantage of inherent weaknesses in the Internet's system of open, interconnected networks. No security system will guard against every attack, they say.

"The Internet is very much an environment where networks and computers participate by playing by rules," Keynote's Shklar said. "It just takes somebody breaking those rules to cause problems."