Tracking Web site attacker requires persistence, technology and luck

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

(CNN) -- Both FBI investigators and private tech gumshoes continue to seek out the perpetrator of most of the recent Web site denial of service attacks.

Stanford University network security administrator David Brumley and Joel de la Garza of Securify, an Internet security firm, spoke to a Stanford graduate class Wednesday afternoon, explaining the methods and details of the attacks that blocked users from reaching popular sites such as Yahoo!, Amazon and Buy.com. The two men focused on the Yahoo! attack of February 7, the first strike of the suspect. They believe that the same person is responsible for most of the attacks, followed by a copycat who assaulted CNN Interactive and E*Trade's sites later in the week.

Brumley and de la Garza described the Yahoo! assault as a "distributed smurf attack," a method in which many computers direct ICMP traffic, commonly known as "pings," at a target in order to overwhelm it with data. The attack is called "distributed" because it came from many sources.

The evidence so far

An e-mail message from a Yahoo! network technician stated that the site received data at the rate of 1 gigabit per second, far more than it could handle.

The attack was targeted not at the actual Yahoo! Web servers, de la Garza said, but instead at a router. This is significant because if the attack had been pointed at a Web server, Yahoo! could simply have diverted it away. By sending it toward the single access point into Yahoo!, the attacker left the site unable to redirect the attack. The router, a computer used as a traffic signal for a network, forwarded the data on to the victim automatically.

So far, investigators have identified computers at Stanford University, UCLA, the University of California at Santa Barbara, and home business computers in Oregon as "daemons." These are compromised systems used by the assailant for their computing brawn to carry out the actual attack. Once they're given a target and remotely triggered, they will begin sending a flood of messages to the target.

All of the compromised computers were entered using an exploit, or hole, in a networking protocol called "bind." De la Garza found a Web site belonging to RSA Security, a noted e-commerce network security firm, that was entered and defaced using the same exploit.

The defaced version of the Web page linked to a real press release announcing a countermeasure to the DoS attacks.

"RSA Laboratories Unveils Innovative countermeasure to recent 'Denial of Service' Hacker Attacks," the link says. "Keep your data safe with us! Our security is the best."

De la Garza believes that this link was left as an intentional taunt against RSA Security, and the defaced page also refers to a nickname of one of the DoS investigators. De la Garza then points to a set of chat logs from the IRC channel "#Goonies," where a person going by the name "Coolio" takes credit for both the Yahoo! attack and an attack on a computer in Russia belonging to tour operator Trek Travel International.

A spokesman for the tour company, Alexander Gorbatouk, confirmed that the computer was compromised but could not provide specific technical information.

According to de la Garza, Trek Travel's computer was entered using the same bind exploit used at the universities, and several "back doors" were left on the system.

He also believes the same person is responsible for the Amazon.com attack later in the week, thanks to another IRC log. In that conversation, the same person knows the exact time the site was attacked before the press began to report it.

In November, a hacker calling himself Coolio took credit for defacing the Web sites of DARE, an anti-drug program, and the Chemical Weapons Convention site maintained by the U.S. Commerce Department.

FBI receives many tips

Tracking down Coolio, however, is not so easy. The name is a popular one among hackers, according to B.K. DeLong, a staff member at hacker site Attrition.org. FBI officials have investigated one Coolio in California associated with the well-known hacker group "Global Hell," and another in the Midwest. Web searches identified yet another Coolio, this one associated with an IRC channel called #Goonies.

The FBI has gotten plenty of tips, including some from the victim Web sites and the hacker community, and is busy checking all of them. No arrests are imminent, the FBI told CNN, but every FBI field office across the nation is running down leads.

The bureau is better equipped now to handle the investigation than it has been in the past. In this search, investigators are using specialized filtering software to isolate suspicious computer traffic.

By systematically removing normal message traffic, the FBI can focus on the far fewer strands of unusual traffic, which often have odd signatures, according to Steven Schmidt, one of the FBI's top computer crime investigators.
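The two ideas above, a flood of ICMP traffic arriving at one target from many sources, and filtering away the normal traffic so that only the unusual strands remain, can be shown together in a small detector. The following is an added example, not code from the CNN article or from any of the people it quotes. It reads a handful of constructed flow-summary lines, drops everything that is not ICMP echo traffic, and reports any destination that receives echo packets from many distinct sources inside a short window. The line format, thresholds, and addresses are assumptions chosen for the demonstration.

```python
"""
Detecting a distributed ICMP ("smurf"-style) flood in flow records.

Added example, not from the CNN article.  Line format, thresholds and
all addresses are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<ISO time> <src> <dst> <proto> <icmp_type or ->".
# 192.0.2.1 plays the role of the targeted router; 192.0.2.10 and
# 192.0.2.20 see ordinary traffic that should not be flagged.
SAMPLE_FLOWS = """\
2000-02-07T10:20:00 10.1.1.5 192.0.2.10 tcp -
2000-02-07T10:20:00 10.1.1.6 192.0.2.10 tcp -
2000-02-07T10:20:00 10.1.1.5 192.0.2.10 icmp 8
2000-02-07T10:20:01 10.2.0.1 192.0.2.1 icmp 0
2000-02-07T10:20:01 10.2.0.2 192.0.2.1 icmp 0
2000-02-07T10:20:01 10.2.0.3 192.0.2.1 icmp 0
2000-02-07T10:20:02 10.2.0.4 192.0.2.1 icmp 0
2000-02-07T10:20:02 10.2.0.5 192.0.2.1 icmp 0
2000-02-07T10:20:02 10.2.0.6 192.0.2.1 icmp 0
2000-02-07T10:20:02 10.2.0.1 192.0.2.1 icmp 0
2000-02-07T10:20:03 10.2.0.2 192.0.2.1 icmp 0
2000-02-07T10:20:03 10.2.0.3 192.0.2.1 icmp 0
2000-02-07T10:20:03 10.2.0.4 192.0.2.1 icmp 0
2000-02-07T10:20:03 10.3.0.1 192.0.2.20 icmp 8
2000-02-07T10:20:04 10.3.0.1 192.0.2.20 icmp 8
"""

# Assumed thresholds: a real deployment would tune these to the link.
WINDOW_SECONDS = 2
MIN_SOURCES = 5
MIN_PACKETS = 8


def parse_flows(text):
    """Turn the constructed flow lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, icmp_type = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "proto": proto,
            "icmp_type": None if icmp_type == "-" else int(icmp_type),
        })
    return records


def is_echo_traffic(rec):
    """Keep only ICMP echo request (8) and echo reply (0); everything else
    is treated as normal traffic and removed from consideration."""
    return rec["proto"] == "icmp" and rec["icmp_type"] in (0, 8)


def find_distributed_icmp_floods(records, window=WINDOW_SECONDS,
                                 min_sources=MIN_SOURCES,
                                 min_packets=MIN_PACKETS):
    """Return {destination: details} for every destination that receives
    at least `min_packets` echo packets from at least `min_sources`
    distinct sources inside any `window`-second sliding window."""
    by_dst = defaultdict(list)
    for rec in filter(is_echo_traffic, records):
        by_dst[rec["dst"]].append(rec)

    alerts = {}
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            window_recs = recs[start:end + 1]
            sources = {r["src"] for r in window_recs}
            if len(window_recs) >= min_packets and len(sources) >= min_sources:
                current = alerts.get(dst)
                # Remember the busiest qualifying window for this destination.
                if current is None or len(window_recs) > current["packets"]:
                    alerts[dst] = {
                        "packets": len(window_recs),
                        "sources": len(sources),
                        "window_start": recs[start]["ts"].isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for dst, info in find_distributed_icmp_floods(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: {info['packets']} echo packets from {info['sources']} sources "
              f"starting {info['window_start']}")
```

The single ping to 192.0.2.10 and the two pings to 192.0.2.20 survive the protocol filter but never reach the source-count threshold, which is the point of the distributed signature: a flood from one host looks different from many hosts converging on one address.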

Hot on the trail

But once the sinister traffic is located, the game of connect-the-dots has just begun.

While the FBI has located some of the computers used in the attack, they are still trying to find those computers directing them. The trigger computer has been directed through dozens of others, masking the origin.

In a tedious process, investigators work backward, going to each site and looking for logs that provide directions to the previous site, each time getting one step closer to the original attacker.

"A typical attack, for example from the agent to the end victim, may take as many as 20 or 30 hops," according to Jim Jones of security firm Global Integrity.

Many times these "hops" lead to computers in other countries, which requires the assistance of overseas authorities. Within the United States, court orders and search warrants are often required each step of the way.
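The hop-by-hop process described in the last few paragraphs can be modelled as a walk backward through each host's inbound-connection log. The following is an added example, not code from the CNN article or from any investigator quoted in it. Every host name, log line, and country assignment is constructed; the walk starts at a compromised "daemon," finds the most recent inbound connection before the activity of interest, steps to that source, and repeats until it reaches a host whose logs are not available, which is where the article's court orders and overseas requests would come in.

```python
"""
Walking an attack path backward through per-host connection logs.

Added example, not from the CNN article.  Hosts, log lines and the
country table are constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed inbound-connection logs, one list per host whose logs the
# investigators have obtained: (time, source host, event).
HOST_LOGS = {
    "daemon.campus.example": [
        ("2000-02-07T09:55:00", "relay2.isp.example", "shell login"),
        ("2000-02-07T10:19:30", "relay2.isp.example", "attack trigger received"),
    ],
    "relay2.isp.example": [
        ("2000-02-07T09:40:00", "admin.isp.example", "console login"),
        ("2000-02-07T10:19:10", "relay1.abroad.example", "telnet login"),
    ],
    "relay1.abroad.example": [
        ("2000-02-07T10:18:40", "dialup-17.home.example", "telnet login"),
    ],
    # dialup-17.home.example: no logs obtained yet, so the walk must stop there.
}

# Constructed jurisdictions; "XX" stands for some other country.
COUNTRY = {
    "daemon.campus.example": "US",
    "relay2.isp.example": "US",
    "relay1.abroad.example": "XX",
    "dialup-17.home.example": "XX",
}


def previous_hop(logs, host, before, max_gap=timedelta(minutes=5)):
    """Most recent inbound connection to `host` at or before `before`,
    no older than `max_gap`; None if the log shows nothing usable."""
    best = None
    for ts, src, event in logs.get(host, []):
        t = datetime.fromisoformat(ts)
        if t <= before and before - t <= max_gap and (best is None or t > best[0]):
            best = (t, src, event)
    return best


def trace_back(logs, start_host, start_time, country=COUNTRY):
    """Follow the chain of inbound connections backward from `start_host`.

    Returns (path, notes): the hosts visited in order, and the reasons the
    walk changed jurisdiction or stopped."""
    path = [start_host]
    notes = []
    host = start_host
    t = datetime.fromisoformat(start_time)
    while True:
        if host not in logs:
            notes.append(f"no logs obtained from {host}; stop here")
            return path, notes
        hop = previous_hop(logs, host, t)
        if hop is None:
            notes.append(f"no inbound connection at {host} shortly before {t.isoformat()}")
            return path, notes
        t, src, event = hop
        if src in path:
            notes.append(f"{host} <- {src} repeats an earlier hop; loop detected")
            return path, notes
        if country.get(src) != country.get(host):
            notes.append(f"{host} <- {src} crosses into {country.get(src)}; "
                         "foreign assistance needed")
        path.append(src)
        host = src


if __name__ == "__main__":
    path, notes = trace_back(HOST_LOGS, "daemon.campus.example", "2000-02-07T10:19:30")
    print(" <- ".join(path))
    for note in notes:
        print("  *", note)
```

The `max_gap` cut-off is what keeps the walk from latching onto an unrelated login hours earlier (the 09:40 console login at the relay is ignored); in practice the investigators would also check that each hop's clock is trustworthy before trusting the ordering.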

To get to the suspect's keyboard, investigators admit they need persistence, technology and sometimes just plain luck.

http://www.cnn.com/2000/TECH/computing/02/25/dos.hunt/index.html

-- Martin Thompson (mthom1927@aol.com), February 26, 2000

