Yahoo attack maybe "Tribal Flood"


Daily News Yahoo Attack Maybe "Tribal Flood" By Kevin Featherly, Newsbytes. February 09, 2000

There is plenty of blame to go around for the online attack Monday that knocked out the portal giant Yahoo, according to an Atlanta, Ga.-based computer-security expert.

Monday, Yahoo, the world's most frequently visited Internet Web site, was knocked out of service for a number of hours by the equivalent of a phone prank. The site was hit by a so-called denial-of-service attack, which is roughly the equivalent of having a group of faxes set to dial up someone's voice phone while set on re-dial.

The company released a statement Monday drawing a distinction between what happened to its site and a hacker attack. Speaking anonymously, a company spokesperson said, "It does appear, given the nature of what happened (Monday), that it was a coordinated incident from multiple locations on the Internet. This was not a hack."

Patrick Taylor, vice president of the risk assessment business unit at Atlanta-based Internet Security Systems, does not make that distinction. He said that the difference between an annoyance attack by fax and what happened to Yahoo is that it would not take a group of people to set it up. "It's one person using automation," he said. "And computers (dialing in) are as persistent as a fax machine is."

Taylor said he suspects that Monday's outage was caused by a relatively new version of denial-of-service known as "tribe flood," or "tribal flood," which has popped onto the scene in just the last six months. He said that tribe flood involves someone building a virus program that automatically goes out and infects many computers at once - typically computers at a university or government installation that have broadband Internet access and are constantly powered up. "They call that turning the machine into a 'zombie,'" he said.

Once a group of computers is infected, the hacker can then direct them all to simultaneously begin dialing up a particular computer or group of computers - such as the servers that handle Yahoo site requests - and seek out weaknesses in those computers' defenses. Once the weaknesses are identified, the attacked computers can be tied up until their administrators find a way to halt the onslaught.

"Tribe flood's very innovative," Taylor said. "That's sort of the art of being a hacker - thinking not so much about how things work, but how they break."

The irony is that tribe flood, if that's what the attack was, takes advantage of a set of computer weaknesses that have been known for years, Taylor said. The flaw centers on what are known as "remote procedure calls," networking functions designed to allow one computer to leverage resources on another computer. It is possible for a virus to invade a targeted computer's remote procedure calls with "goofy" input that the computer doesn't expect, allowing a hacker to gain access, simply because the affected computer doesn't have a way of dealing with the oddball request, he said.

"People have known that their computers can be affected by this problem, and that there are ways to fix this problem," he said. "If you took some basic steps and got rid of the problems that are readily identifiable, you could do a whole lot to improve your own security."

Taylor said the case illustrates the degree to which the entire Internet is a community - and a community vulnerable to attack. He said that Yahoo was not at fault; there is nothing the site could have done to stop it. It was poor security activity on other computers on the Net - the ones used by hackers to host the attack - that are to blame, he said.

Where Yahoo can be faulted, Taylor said, is in its response. It took a number of hours for the attack to be warded off, a fact that drew the ire of one security expert who told the Associated Press the entire incident should have been resolved within 15 or 20 minutes.

"There are some things you can do to thwart (attacks)," Taylor said. "Figure out where it's coming from, call those peoples' ISPs (Internet service providers) and say, 'Hey, would you block this type of traffic from these folks, because they're attacking me.' Then you can actually kill it at the source."

Taylor said 20 minutes would be the minimum time it might have taken to ward off the assault. "If you were a well-orchestrated machine with mechanisms and relationships set up to do that, you could do it that fast," Taylor said. "It does seem to indicate that Yahoo might not have rehearsed this a lot. They're frankly probably too busy. This hasn't made it on its priority list yet. I suspect that has changed now."

But Taylor indicated it is not likely that arrogance or over-confidence is what led Yahoo to neglect its fire drills. The site, being perhaps the most visited on earth, has the best professionals available among its administrators, and is probably subjected routinely to attacks it manages to thwart without incident. "It's pretty admirable to take Yahoo down," he said. "They're already used to handling millions of hits a day, anyway."

There is an obvious lesson to be learned by anyone with a Web site, whether it is a kid with an online shrine to Spiderman, or the biggest e-commerce site in New York City, Taylor indicated. Security has got to be placed at a premium.

"If it can happen to Yahoo," he said, "it can happen to you. It's a little bit of a brush-your-teeth thing, but if everybody would make some efforts to remove their basic problems we'd be better off, preventing things like

http://currents.net/newstoday/00/02/09/news1.html

-- Martin Thompson (mthom1927@aol.com), February 09, 2000
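The mechanics Taylor describes, many compromised hosts flooding one server while the defender works out which source networks the traffic comes from so their providers can be asked to block it, as an added Python illustration that is not from the article or from ISS; the log format, the constructed sample data and the request-rate thresholds are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed access log, one "<epoch_seconds> <source_ip>" record per line.
# Hypothetical data: two /24 blocks of "zombie" hosts hammer the server for ten
# seconds while three ordinary visitors browse at one request per second.
SAMPLE_LOG = "\n".join(
    [f"{951000000 + i // 40} 198.51.100.{100 + i % 10}" for i in range(400)]
    + [f"{951000000 + i // 40} 203.0.113.{1 + i % 10}" for i in range(400)]
    + [f"{951000000 + i} 192.0.2.{5 + i % 3}" for i in range(10)]
)

def parse_log(log):
    """Yield (timestamp, source_ip) pairs from the constructed log format."""
    for line in log.splitlines():
        ts, ip = line.split()
        yield int(ts), ip

def find_flood(log, baseline_rps=5, burst_ratio=10, share_threshold=0.10):
    """Detect a distributed flood and group its sources by /24 network.

    A flood is declared when the busiest second exceeds burst_ratio times the
    assumed normal request rate. Suspect networks are those that sent more than
    share_threshold of all traffic; each entry carries the network, its request
    count and how many distinct hosts took part, which is what an operator needs
    when asking that network's provider to block the traffic at its source.
    """
    per_second, per_source = Counter(), Counter()
    for ts, ip in parse_log(log):
        per_second[ts] += 1
        per_source[ip] += 1
    total = sum(per_source.values())
    peak = max(per_second.values(), default=0)
    report = {"flooding": peak > baseline_rps * burst_ratio,
              "peak_rps": peak, "distinct_sources": len(per_source),
              "suspect_networks": []}
    if not report["flooding"]:
        return report
    per_net = defaultdict(Counter)
    for ip, n in per_source.items():
        per_net[str(ip_network(f"{ip}/24", strict=False))][ip] = n
    suspects = [(net, sum(hosts.values()), len(hosts))
                for net, hosts in per_net.items()
                if sum(hosts.values()) > share_threshold * total]
    report["suspect_networks"] = sorted(suspects, key=lambda s: (-s[1], s[0]))
    return report

if __name__ == "__main__":
    print(find_flood(SAMPLE_LOG))
```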

Answers

* If you find that your Yahoo email is messed up, here's why.....

Yahoo News, Technology Headlines http://dailynews.yahoo.com/h/cn/20000209/tc/20000209018.html

Wednesday February 09 09:00 AM EST

Yahoo introduces email bug after attack

Paul Festa, CNET News.com

In its haste to recover from yesterday's "denial of service" attack, Yahoo inadvertently introduced a bug into its Web-based email system that is causing some messages received through the service to be delivered empty and unlabeled. Some messages appeared stripped of their headers, showing up in the in-box with the subject "(none)" and lacking any information about sender, recipient or subject when the message was opened. Those messages, however, did contain the body of the email text.

Other messages weren't as lucky, showing up devoid of any content or labeling.

Yahoo said the problem arose out of efforts to restore the flow of information between its various services and applications following the denial of service attack.

~snip~

A bug accidentally introduced during Yahoo's denial of service cleanup caused some Yahoo Mail messages to become garbled, according to the company.

But a company representative said no information was actually lost, and Yahoo engineers are at work restoring headers and bodies to those email messages. Users who deleted those mysterious messages should retrieve them from the Trash folder pending the restoration of data, the representative said.

Users who have deleted blank messages and subsequently emptied their trash appear to have lost their email for good.

Yahoo would not estimate when the fix would be complete.

-- Lee Maloney (leemaloney@hotmail.com), February 09, 2000.


(Conspiracy or coincidence?)

Hackers Attack Top Web Sites For Third Day

Government Launches Probe

By John Schwartz, Ariana Eunjung Cha and David A. Vise, Washington Post Staff Writers

Thursday, February 10, 2000; Page A01

~snip~ ... Although culprits and motive were nowhere to be found, some longtime observers of hackers suggested that the timing might not have been exactly random. Many of the country's top security experts were at the North American Network Operators' Group conference in San Jose when the attacks began.

The assault on Yahoo began just minutes after one of the Internet's most respected security graybeards, Steve Bellovin of AT&T Labs, finished a speech on denial-of-service attacks and how to secure sites against them.

"Whether or not it was a conspiracy or a coincidence I don't know, but people are certainly asking," said Mark Gebert, one of the organizers of the conference.... ~snip~

Staff writer Ianthe Jeanne Dugan contributed to this report.

Source: The Washington Post

http://www.washingtonpost.com/wp-srv/WPlate/2000-02/10/266l-021000-idx.html

-- Lee Maloney (leemaloney@hotmail.com), February 11, 2000.

