Malicious Trend Exploits Open Nature of Web
SAN FRANCISCO — The sabotage this week of four of the most popular Internet sites in the nation is part of a malicious trend: Software that can disrupt Web sites has become so easy to obtain and use--yet so difficult to trace--that attackers can invade public Web sites and usually escape without a trace.
On Monday such an attack on Yahoo blocked millions of Internet users for three hours from the most popular site on the World Wide Web.
Similar attacks Tuesday struck three other major Web sites. Online retailer Buy.com in Aliso Viejo was inaccessible for about three hours--embarrassingly, the same day of the company’s initial public stock offering. EBay, the leading Internet auctioneer, suffered an attack that disabled some of the background information areas of its site and blocked access for some users. EBay’s shutdown began around 3 p.m. and had not ended by press time. And Amazon.com, the No. 1 online bookseller, suffered a one-hour attack that degraded the site’s service Tuesday afternoon.
As e-commerce based on the public Internet becomes more central to the economy, such attacks could grow from a major inconvenience to a potentially crippling risk, experts say.
These problems are in sharp contrast to other major technologies such as those used in air traffic control, public-power grids and the old Bell phone system, which were based on fail-safe, closed systems designed to be impervious to outside attacks. But the very openness that makes the Internet so broadly useful also represents its Achilles heel.
“The tools [for such attacks] are widely available for free on the Web. Anyone can download them,” said Richard Power, editorial director of the Computer Security Institute in San Francisco.
Shutting down even a major Web site “is a lot less demanding than it used to be,” he added. “When somebody really bright figures out how to do something really nasty, they [post it], and the next person doesn’t need a similar level of expertise.”
Yahoo, Buy.com and EBay were struck by a well-known tactic called a “distributed denial of service attack,” an avalanche of simultaneous bogus requests for service. In Yahoo’s case, the saboteurs instructed at least 50 different Internet sources--each of which could be connected to vast computer networks--and turned them into the computer equivalent of zombies.
Unlike a computer virus, which can invade computer files, or a hacker seeking corporate secrets, this attack bombarded Yahoo’s Web site and blocked out legitimate users.
Of 520 large corporations and government agencies surveyed by Power’s group last year, 129 reported experiencing such attacks. And that number is sharply rising, according to preliminary data in the current year’s survey. Institutions experiencing severe attacks on their Web sites in the last two years include major universities, NASA and the U.S. Navy.
But the successful attack on Yahoo, which experiences several such episodes on a far smaller scale every year, holds symbolic significance.
“It’s a shame for the industry because we think our service is the best or one of the best for taking all precautions,” said Jeff Mallett, Yahoo’s president and chief operating officer. “Can we guarantee that this isn’t going to happen again? Unfortunately not.”
Hackers can sometimes be caught because they operate from one specific point on a network. In contrast, attacks such as the one that shut down Yahoo are nearly impossible to prevent and difficult to trace because they come from disparate locations.
Yahoo is working with the FBI to discover who mounted the attack.
“We’re not going to be a wallflower on this,” Mallett said. “We need to send a message on behalf of the entire industry that this kind of behavior won’t be tolerated.”
But the prospects of finding the perpetrator are slim, experts say, because it would require cooperation and detailed research by dozens of service providers whose systems may have been exploited by the attacker.
Some computer experts believe Yahoo-like attacks will become more common as high-speed Internet connections, such as those provided over cable TV lines, become prevalent. When computers using such high-speed networks are switched on, they are always connected to the network and are therefore subject to being hijacked by hackers, especially if they are not protected by security software.
And while individual PCs would never be overwhelmed in a Yahoo-style attack, they can be made into unwitting tools of the attackers.
“We’ve made a lot of progress in computer security in the last few years, but these problems . . . remain incredibly frustrating,” said Doug Tygar, a professor of computer science at UC Berkeley.
Part of the difficulty, he said, derives from the rapidly changing nature of the threat. Unlike, say, a home security alarm system that remains reliable one year to the next, new invasion schemes crop up regularly, meaning that security software requires continual improvement.
And new software to invade Web sites proliferates rapidly because hackers write software and can then post it online.
“Most dangers in society are controlled because they require skill--you need skill to be a counterfeiter, to burglarize a warehouse or to be a pickpocket,” said Bruce Schneier, chief technical officer for Counterpane Internet Security Inc. in San Jose. For a Yahoo-style attack, “you don’t need skill, all you need is software. Suddenly that skill is infinitely replicable.”
Eventually, these attacks could become less common if businesses and individuals with high-speed Internet links install firewalls--software or hardware that prevents unauthorized access--to slow Yahoo-style attacks. Such measures are not foolproof, but just as a home-alarm system can scare off burglars, they prompt most hackers to move on to an easier target.
“These attacks really point out that your security on the Internet depends on other people’s security,” said Jed Pickel, a security expert with the Computer Emergency Response Team at Carnegie Mellon University. “This points out the need for collaboration between sites to solve these problems.”
The degree of inconvenience suffered by Yahoo users may be relatively minimal because many other Web sites offer similar services. And in the age of free e-mail, a growing number of Web users employ a back-up account in case their primary e-mail provider goes down.
The problem would be more severe for e-commerce giants such as the stock-trading site ETrade and the online auctioneer EBay, which risk losing clients and sales if they cannot provide reliable service.
Tygar recalled an episode in 1998 when a similar attack--known as “the ping of death” because it caused computers to freeze--partly shut down many university networks, including those at UC Berkeley, and required thousands of computers to be updated with security software.
“Open systems are more vulnerable. Just like a gated community is more secure than a typical neighborhood,” Schneier said.
Such attacks could impact noncommercial uses of the Web with even more serious consequences.
“People talk about receiving emergency medical information and advice over the Web, such as in remote locations,” Tygar said. “There, a denial of service attack becomes quite scary.”
But the Internet’s openness is also its strength, he added: “It gives people defending against attacks ways to communicate and share resources that can also be quite powerful.”