Web Communications Suffers Interruption of Services Due to Malicious Network Attack.


SANTA CRUZ, Calif.--(BUSINESS WIRE)--Dec. 16, 1996--Web Communications (WebCom) (http://www.webcom.com), one of the world's largest Web site hosting services, with 3,000 Web sites receiving 2,000,000 hits per day, reported today that it had become the latest victim of the form of Internet sabotage known as a "denial of service" or "SYN flood" attack.

This type of attack became well-known when PANIX Networks of New York and the New York Times suffered similar attacks in September 1996. It is particularly problematic because it can be perpetrated by almost anybody with access to the Internet and only a modest level of technical sophistication, is difficult to trace back to the perpetrator, is nearly impossible to defend against regardless of the type of computer or operating system being attacked, and results immediately in complete disabling of the targeted server.

For 40 hours beginning on Saturday, Dec. 14, 1996 at 12:20 am PST, the company's Web server, and thus all 3,000 Web sites hosted by the company, were rendered virtually inaccessible by the attack. Customer email was not affected by the attack, however. By Sunday, Dec. 15 at 3 pm the company, by working in concert with network engineers at 3 different major Internet Service Providers (ISPs), succeeded in pinpointing and blocking the source of the attack, and the attack itself ceased at 7 pm Sunday.

Within moments of the onset of the attack, WebCom network engineers were automatically alerted that the Web server had ceased responding to requests. WebCom engineers quickly determined that the server was suffering a network attack, and immediately contacted PSI, the Internet Service Provider which services the WebCom network, and worked throughout the duration of the attack with PSI network engineers to develop and implement a strategy for determining its source.

Approximately 14 hours into the incident, PSI was able to determine that the attack was entering the PSI network from the MCI network. MCI was immediately notified, and was eventually able to determine that the attack was entering their network from CA-Net, a Canadian ISP. CA-Net in turn traced the attack to BC-Net, who traced it to a network at a college in British Columbia. MCI then blocked all traffic to WebCom originating from CA-Net as a temporary measure and lifted the block after the attack ceased.

The "SYN flood" or "denial of service" attack succeeds by taking advantage of the fact that the Internet currently does not prevent the sending of phony network packets with falsified return address information. Network saboteurs exploit this vulnerability by sending hundreds of phony network packets requesting a connection with a server.

The server dutifully sends an acknowledgement to each connection request, but since it has been provided with a phony return address, it never receives a response to its acknowledgement. Because vendors of Internet protocol software never anticipated a server having so many simultaneous pending requests waiting for an acknowledgement, the system's pending connection queue quickly reaches capacity and the system stops responding to legitimate connection requests.

The most powerful servers on the Internet can be effectively disabled with this method using only a Pentium class computer, a 9600 baud modem, and readily available software designed to execute the attack.

In a bulletin dated Dec. 10, 1996, the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC -- http://www.ciac.llnl.gov/), an organization dedicated to educating the public about computer and network security vulnerabilities and solutions, reported:

Any system that is connected to a TCP/IP-based network (Internet or intranet) and offers TCP-based services is vulnerable to the SYN flood attack. The attack does not distinguish between operating systems, software version levels, or hardware platforms; all systems are vulnerable.

Because this attack takes advantage of the TCP protocol itself, it cannot be eliminated without changing the protocol. However, it is possible to make changes to the implementation of the connection establishment procedure that can mitigate the problems caused by the attack, and several vendors have either made such changes or are in the process of making them.
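
The queue exhaustion described above, and the effect of the kind of implementation changes the CIAC bulletin refers to, can be seen in a small model of the pending connection queue. This is an added example, not part of the original release or the bulletin; the queue sizes, timeouts and request rates are constructed values, and enlarging the queue and shortening the timeout are assumed stand-ins for the vendor changes, which the bulletin excerpt does not detail.

```python
from collections import deque

def simulate(backlog, timeout_s, spoofed_per_s, legit_per_s, duration_s):
    """Model a server's pending-connection queue in one-second ticks.

    Returns (accepted, refused) counts for legitimate connection requests.
    Assumptions of this model: forged requests are seen before legitimate
    ones within a tick, and a legitimate handshake completes within the tick.
    """
    pending = deque()            # expiry time of each half-open entry
    accepted = refused = 0
    for now in range(duration_s):
        # Entries whose acknowledgement was never answered time out.
        while pending and pending[0] <= now:
            pending.popleft()
        # Requests with a falsified return address: the server's reply goes
        # nowhere, so the entry holds its slot until the timeout.
        for _ in range(spoofed_per_s):
            if len(pending) < backlog:
                pending.append(now + timeout_s)
        # Legitimate requests need a free slot, but release it at once
        # because the client answers the acknowledgement.
        for _ in range(legit_per_s):
            if len(pending) < backlog:
                accepted += 1
            else:
                refused += 1
    return accepted, refused

# Constructed scenarios: (label, backlog, timeout, forged/s, legitimate/s).
SCENARIOS = [
    ("small queue, no forged traffic", 8, 75, 0, 5),
    ("small queue, forged requests", 8, 75, 10, 5),
    ("larger queue, shorter timeout", 1024, 10, 10, 5),
    ("same tuning, higher forged rate", 1024, 10, 200, 5),
]

def run_all(duration_s=120):
    """Run every constructed scenario and return {label: (accepted, refused)}."""
    return {label: simulate(b, t, s, l, duration_s)
            for label, b, t, s, l in SCENARIOS}

if __name__ == "__main__":
    for label, (ok, bad) in run_all().items():
        print(f"{label:32s} accepted={ok:4d} refused={bad:4d}")
```

In this model the queue stays available only while the forged-request rate multiplied by the timeout stays below the queue size, which is why tuning mitigates the problem without eliminating it.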

"The SYN flood attack exposes a gaping hold in Internet security which must be fixed rapidly," said Chris Schefler, president and co-founder of WebCom. "We now join PANIX Networks of New York and the CIAC in calling on Internet Service Providers and infrastructure vendors to implement as rapidly as feasible mechanisms which will both ameliorate server vulnerability to SYN flood and related attacks as well as block network users from sending forged network packets in the first place.

"In the meantime Adv. 1. in the meantime - during the intervening time; "meanwhile I will not think about the problem"; "meantime he was attentive to his other interests"; "in the meantime the police were notified"
meantime, meanwhile
, we urge all ISPs to educate themselves about this problem and develop contingency plans for tracing the source of such attacks so that they can be rapidly blocked as soon as they occur," he added.

"Although this attack represented by far the most serious interruption of our services in our two-year history of operations, we are confident that most ISPs will act quickly and responsibly in configuring their networks to disallow To exclude; reject; deny the force or validity of.

The term disallow is applied to such things as an insurance company's refusal to pay a claim.
 forged packets, and that router and operating system vendors will shore up this vulnerability in the next release of their products," said Thomas Leavitt, executive vice president, co-founder and chief network administrator at WebCom.

"We all learned a lot in this incident and as a result we will be able to respond and defend ourselves much more quickly and effectively in the event of a recurrence of such an attack," he added.

"We owe a great deal of thanks to PSI, MCI and CA-Net for working closely with us day and night throughout the weekend to pinpoint and block the source of the attack, as well as to Thomas Leavitt, who really drove and coordinated the entire effort throughout the weekend," said Schefler.

"The perpetrator of the attack may be objecting to something being published by one of our customers, may be a disgruntled dis·grun·tle  
tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles
To make discontented.



[dis- + gruntle, to grumble (from Middle English gruntelen; see
 customer, or may just be a bored hacker," he said.

"We are attempting to contact the college from which the attack originated and identify the culprit positively, and are making progress in that regard. Both WebCom and thousands of our customers suffered substantial damages as a result of this attack, and we intend to do everything within our power to see that the culprit is held responsible," he concluded.

Web Communications was founded in May 1994 by Chris Schefler and Thomas Leavitt to provide innovative, easy-to-use tools, resources and services designed to help individuals and organizations publish and communicate effectively and affordably on the global Internet, and has since become one of the largest hosts of Web sites and email services in the world.

CONTACT: Web Communications

Chris Schefler, 408/457-9671 ext. 100
COPYRIGHT 1996 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1996, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
