Series of "Real-time" EmergencyNet News Reports Concerning Denial of Service Attacks on Leading Web Sites on the Internet - 08 Feb 2000 to 16 Feb 2000

[Graphic: FBI statistics, by EmergencyNet News]

16 Feb 2000: Statement for the Record of Louis J. Freeh, Director, Federal Bureau of Investigation, on Cybercrime

Before the Senate Committee on Appropriations Subcommittee for the Departments of Commerce, Justice, State, the Judiciary, and Related Agencies, Washington, D.C.

The full statement is available from the FBI website.


15 Feb 2000 - From: http://www.emergency.com/ennday.htm

CANADA:

Canadian Angle on DoS Investigation

Investigators in last week's widespread Internet attacks believe that at least some of the traffic may have originated at an undisclosed Canadian Internet Service Provider (ISP). The Toronto Financial Post offers additional details in a bylined article today by David Akin. A cracker who allegedly used the Canadian ISP goes by the online pseudonym "mafiaboy" and is believed to be a teenaged Canadian boy.

The RCMP is also engaged in an investigation, acting on a complaint registered Friday by HMV Canada Inc. of Toronto, according to the Financial Post article. RCMP Cpl. Frank Koenig is quoted as saying that HMV was not the only Canadian operator of a Web site to be hit with the distributed denial-of-service attacks.

*****

09:00CST - 15 Feb 2000

Investigation To Find Computer Hackers Continues

By Steve Macko

Chicago, IL (EmergencyNet News) -- Internet security experts and hacker sources said on Monday that U.S. investigators are focusing on a small group of potential suspects in last week's Web site attacks. As experts traced the electronic commerce blitzkrieg to a software program, Tribe Flood Network, used to break into computer networks, Internet security firms raced to offer updated programs to fend off new attacks. Other reports suggest that older "smurf" type attack programs may have been responsible for the assaults on popular commercial Internet sites.

U.S. law enforcement sources said the FBI was making progress in tracing the source of the attacks, but that officials did not expect any imminent breakthroughs or arrests. A computer security officer at Stanford University, David Brumley, however, is quoted today as saying, "We have four or five pieces of independent evidence that are leading toward one person." Brumley says that there are intercepted IRC (Internet Relay Chat) conversations that point to a possible suspect.

Sources close to the federal investigation said that officials have identified several "slave computers" that are believed to have acted as intermediary tools of the attackers. The FBI, NIPC, and private security firms are poring over computer access logs in an effort to better identify the ultimate source of the attacks.

The FBI sought over the weekend to interview "Mixter," a 20-year-old programmer from Hanover, Germany and creator of "Stacheldraht" (Barbed Wire), a variant of the Tribe Flood Network software. However, "Mixter" is not thought to be a suspect himself. Earlier Monday, German authorities said they had received no request from U.S. officials related to Mixter. Der Spiegel magazine had reported over the weekend that he was being sought by German police, the FBI and Russian police.

The AntiOnline site (http://www.antionline.org) included a statement on Saturday signed by Mixter, acknowledging that his software may have been used to mount the attacks. But he claimed he was motivated by a desire to improve Web security. "Mixter" wrote: "Of course, the recent malicious attacks against e-commerce sites are something different, something completely wrong and criminal."

In the Internet community, scores of anonymous participants in chat rooms have reportedly come forward claiming responsibility for the attacks. And in keeping with the fractious nature of the weird hacker subculture, some have fingered rivals. The Wall Street Journal reported Monday that authorities were also seeking a hacker with the screen name "mafiaboy." However, "insiders" say that "mafiaboy," who is believed to come from Canada, may have engaged in a "copy-cat" style attack after the initial assault on the Yahoo system.

Some experts believe the attacks are the work of a small group of three to six hackers in their late teens to early 20s. Authorities have identified several "zombie" computers used in attacks on Yahoo Inc, eBay Inc, E-Trade Group Inc and other major sites last week. "Zombies" are computers taken over by hackers to launch coordinated attacks on major Web sites. Experts said computers located on networks at two California universities, a midwestern U.S. academic institution and a Berlin university, as well as a non-university site in southern California, had been "virtually" hijacked to mount the attacks.


10:00CST - 14 Feb 2000

Computer Attack Investigation Becomes International Issue

Chicago, IL (EmergencyNet News) -- Last week's Denial of Service (DoS) attacks have truly become a matter of international concern after it was learned that a music retailer, HMV Canada, had also suffered a similar assault to that experienced by eBay, Yahoo, and others in the United States. Frank Koblun, director of consumer e-commerce at HMV, confirmed that the Royal Canadian Mounted Police had been called in to investigate the Canadian incident, which occurred on 07 Feb 2000.

In a related matter, a forensics examination of net traffic is said to be focusing on university computers in California, Oregon, and Germany. Investigators said that it appears, so far, that the school computers were used as "client" or "zombie" sites, being remotely controlled by the actual attackers. Routers at several sites were probably used to "amplify" the traffic that was being transmitted to disrupt the target/victim systems.

There continues to be a divergence of opinion about the sophistication of last week's attacks. The FBI's Ronald Dick said on Friday, "This is not something that it takes a great deal of sophistication to do." Convicted hacker Kevin Mitnick agreed with Dick in a Sunday interview with Time magazine, saying, "...these attacks aren't impressive. They require no sophistication...."

Yahoo's executive vice president seemed to disagree: "About an hour into the initial attack, they [computer engineers] were already commenting about what appeared to be some level of sophistication." ERRI security analysts said that while the attackers probably used "out of the box" attack tools, they worked for some time to plant remote-controlled "client" systems and to identify routers that were vulnerable and useful for their purposes.

The entire matter remains under investigation by several U.S. agencies. Tomorrow, a major White House summit of computer industry leaders is scheduled to take place in Washington, DC. EmergencyNet News continues to monitor events surrounding the attacks, and possible perpetrators, and will provide additional reports as circumstances warrant...


09:30CST - 12 Feb 2000

International Connections? Intermediate Computers Found in California

By C. L. Staten

Computer forensic experts from the National Infrastructure Protection Center (NIPC) and several independent companies say today that the multiple attacks on Internet e-commerce systems may have come from Europe and that they moved through unwitting "client" computers at the University of California-Santa Barbara. A second similar report comes from Stanford University, suggesting that it may have been used as an intermediary in this week's attacks.

According to the Die Welt newspaper in Germany, FBI investigators from the NIPC are interested in a German cracker named "Mixter," who Die Welt says used a program called "Stacheldraht," which is designed to carry out denial of service attacks. Another report received by EmergencyNet News suggests that at least one computer in Sweden may have also been involved in the attacks. 

ERRI computer security analysts say that it is likely that several other computers will be discovered, all of which may have participated in the attacks this week (see Distributed Denial of Service diagram below). Particularly if the attackers did not take the time to delete the computer logs that record actions taken on an individual computer, as has been reported, it may be possible for system administrators or law enforcement officers to track the flood of packets that caused the problems this week.

The problem is that the packets and computers involved may also have been "spoofed," i.e. impersonating another computer, and then routed through a number of other uninvolved computer networks. That is a frequent "cracker tactic," used to confuse investigators and to disguise the real identity of the attacker and his/her computer.


20:00CST - 10 Feb 2000

Consultant Firm Says Internet Attacks Cost $1.2 Billion

According to the IDG news service, the wave of hacker attacks that this week temporarily disabled popular Web sites like Yahoo and eBay may have cost the computer industry in excess of $1.2 billion, based on an estimate released Thursday by one market research firm. The Yankee Group arrived at the $1.2 billion figure by estimating revenue losses at the affected Web sites, losses in market capitalization, and the amount that will be spent upgrading security infrastructures as a result of the attacks, according to the research firm.


Excerpt from: ERRI DAILY INTELLIGENCE REPORT-Thursday, February 10, 2000-Vol. 6 - 041-09:30CST

[Graphic: FBI Investigation Underway]

ERRI Summary of Denial of Service Attacks

By C. L. Staten

WASHINGTON, DC (EmergencyNet News) -- U.S. Attorney General Janet Reno announced a criminal investigation Wednesday into the latest wave of hacker attacks on major Internet sites, as law enforcement officials conceded they had scant idea of who or what they were up against. One or more computer vandals disrupted several popular Web sites for a third straight day on Wednesday. The latest targets were the online brokerages E-Trade Group Inc., and Datek, Inc.

ERRI analysts said this morning that the "Denial of Service" attacks stopped as quickly as they began, with no new attacks being reported to EmergencyNet News in the past 12 hours. Additional facts discovered during the overnight examination of the attacks suggest "Smurf" attacks as well as "Trinoo/TFN-type" packet flood techniques. Investigators continue to attempt to ascertain a motive for the attacks, which all appeared to target commercial sites.
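The two techniques named here, Smurf amplification and Trinoo/TFN-style distributed packet floods, leave distinct fingerprints in a victim's flow records, and the spoofing caveat raised in the 12 Feb report above applies to both. The following detector is an added example, not ERRI's or any investigator's code; the flow tuples, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample flow records for this example: (src, dst, proto, packets).
# The "icmp-reply" rows model a Smurf amplifier: every host in one /24 answers a
# broadcast echo request whose source address was forged to be the victim's.
# The "syn" rows model a Trinoo/TFN-style flood from zombies on scattered networks.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = (
    [("192.0.2.%d" % h, VICTIM, "icmp-reply", 40) for h in range(1, 61)]
    + [(z, VICTIM, "syn", 500)
       for z in ("198.51.100.7", "10.9.8.7", "172.16.5.5", "10.44.1.2")]
    + [("198.51.100.8", "203.0.113.11", "syn", 12),       # ordinary client
       ("10.0.0.5", "203.0.113.11", "icmp-reply", 2)]     # ordinary ping reply
)


def slash24(ip):
    """Return the /24 network containing ip, e.g. '192.0.2.0/24'."""
    return str(ip_interface(ip + "/24").network)


def detect_floods(flows, min_amp_hosts=20, min_nets=4, min_pkts=1000):
    """Return findings as (kind, victim, detail) tuples.

    smurf_amplification: unsolicited ICMP echo replies from many hosts of one
    /24 aimed at a single destination; detail is the amplifier network, which
    is a lead for the router operator rather than the attacker.
    distributed_flood: high packet volume from many distinct source networks;
    detail is the distinct source count. Sources may be spoofed, so they are
    starting points for log examination, not proof of origin.
    """
    per_dst = defaultdict(lambda: {"pkts": 0, "srcs": set(), "nets": set(),
                                   "reply_hosts": defaultdict(set)})
    for src, dst, proto, pkts in flows:
        agg = per_dst[dst]
        agg["pkts"] += pkts
        agg["srcs"].add(src)
        agg["nets"].add(slash24(src))
        if proto == "icmp-reply":
            agg["reply_hosts"][slash24(src)].add(src)
    findings = []
    for dst, agg in per_dst.items():
        for net, hosts in agg["reply_hosts"].items():
            if len(hosts) >= min_amp_hosts:
                findings.append(("smurf_amplification", dst, net))
        if agg["pkts"] >= min_pkts and len(agg["nets"]) >= min_nets:
            findings.append(("distributed_flood", dst, len(agg["srcs"])))
    return findings
```

Run on the constructed flows, the detector reports one amplifier network and one distributed flood against 203.0.113.10 and nothing against the host that only saw ordinary traffic.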

Several possible hypotheses concerning motive have been brought forward:

1> "Anti-capitalist" or "Hacktivist" activity -- Seattle WTO/J-18-type protests against globalization of trade and commercialization of the internet (supporters of the ideology that everything in the "net" should be free)

2> Manipulation of the stock market -- causing stock drop, selling short -- then buying low and riding the subsequent rebound of tech stocks 

3> "Set-up" for future extortion attempts -- threaten to do DoS, demand blackmail not to attack 

4> "Power Trip" on the part of the perpetrators -- bragging rights to "Look what I did" (another form of graffiti) 

EmergencyNet News continues to monitor this situation very closely and will provide additional details if/when they become available...


10:00CST - 09 Feb 2000

Attacks Continue; ZDNET Latest Victim

[Graphic: Pirates Attack the Commercial Infrastructure of the Net]

Chicago, IL (EmergencyNet News) -- Denial of service attacks apparently struck Ziff-Davis this morning, with ZDNet.com coming under attack by the same "swarm method" described in previous reports. "All signs point to this being the same type of denial of service problem that's being experienced by other sites," Martha Papalia, Ziff-Davis spokesperson, told CNN. The ZDNet attack reportedly continued for about two hours.

Computer security personnel from several organizations told EmergencyNet News that "it was a long night," and that several concurrent investigations are currently underway to find the perpetrators involved in this three-day string of attacks. At least one company told EmergencyNet News that they had notified the Federal Bureau of Investigation and its National Infrastructure Protection Center (NIPC), and they are said to be looking into the attacks. Concerns have also been raised about the possibility that the attacks may be associated with future extortion attempts.

Clark Staten, ERRI Sr. National Security Analyst, said early this morning, "This is the sort of situation we expected to occur around New Years eve...I guess the 'perps' decided on a different timetable."  


23:00CST - 08 Feb 2000

[Diagram courtesy of ERRI/EmergencyNet News]

Computer Attacks More Prevalent Than First Feared

Chicago, IL (EmergencyNet News) -- Add CNN.com and Amazon.com to the list of major Internet addresses that have suffered distributed "denial of service" attacks within the past 12 hours. According to security personnel from at least one major company, they have contacted the FBI in regard to the on-going attacks. ERRI's computer security analysts are saying at this hour that the attacks appear more pervasive and widespread than was first thought. None of the attacks appear to involve actual "cracking" into web or data sites, but rather the use of "trin00" and "Tribe Flood Network" ("TFN" or TFN2K) type programs to "swarm" and overload servers.

The Computer Emergency Response Center at Carnegie Mellon University first issued an advisory about the potential for this kind of problem (IN-99-07) on November 18, 1999, and then an update on December 28, 1999 (see http://www.cert.org/incident_notes/IN-99-07.html).

According to the FBI's NIPC and CERT, these DoS tools are capable of generating sufficient network traffic to render the targeted network or computer system inoperable. ERRI national security analysts are currently exploring the hypothesis that the attacks are being undertaken by "hacktivist" or "anti-capitalist" sympathizers, although no specific information is presently available about who the perpetrators might be. At the time of this report, no one has claimed responsibility for the attacks. 


20:00CST - 08 Feb 2000

New Denial of Service Attacks Reported; eBay and Buy.com Suffer Outages

Chicago, IL (EmergencyNet News) -- In what appears to be an escalation of attacks on commercial sites on the internet, both eBay.com and Buy.com are reporting coordinated, distributed attacks on their computer systems this afternoon.  Today's interruptions follow a similar attack that was reported on the Yahoo.com site on Monday. 

All of the attacks are thought to be similar in nature, and all utilized multiple computers and IP addresses to "flood" the victim computers with packet requests. The National Infrastructure Protection Center had previously issued an advisory concerning this type of attack.

EmergencyNet News and ERRI computer security analysts also warned of what we call a "swarm attack" on 20 Oct 1999; see our Computer/Technical Operations page.



© Copyright, EmergencyNet NEWS Service, 2000 - All Rights Reserved. Further redistribution without permission is prohibited by law.

The ERRI DAILY INTELLIGENCE REPORT is a subscription publication of the EmergencyNet NEWS Service, which is a part of the Chicago-based Emergency Response and Research Institute. This publication specializes in Security/Terrorism/Intelligence/Military and National Security issues.

Emergency Response and Research Institute
6348 N Milwaukee Ave, Suite 312,
Chicago, Illinois 60646 USA
773-631-ERRI - Voice/Voice Mail
773-631-4703 - Fax
773-631-3467 - Computer/Modem - EMERGENCY BBS Internet
E-mail: webmaster@emergency.com
WWW page: http://www.emergency.com
