ISP - AboveNet Victim of DoS Attack : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

[Fair use for education and research purpose only]

April 26, 2000 InternetNews Services Title: AboveNet Victim of DoS Attack

By Brian McWilliams

Attackers found a way to knock AboveNet's routers senseless for several hours Tuesday morning. But the company downplayed fears that similar attacks could spread to other providers.

AboveNet spokesperson Carol Nash Wednesday confirmed that the bandwidth and hosting company experienced a "direct malicious attack" on its infrastructure, but she declined to provide specifics on the attack, citing an ongoing FBI investigation.

According to a notice at the company's network status page, the outage was due to failures in its Cisco switches. The notice said the failures resulted in loss of configuration information.

The result was widespread connectivity problems for AboveNet customers nationwide Tuesday. AboveNet provides Internet services to hundreds of ISPs and other companies, including HP, CNET Inc., Akamai and American International Group (AIG).

Nash, however, said the Cisco gear was not specifically at fault in the outage. "It has absolutely no reflection on their equipment," she said.

The attack has raised fears of another bout of denial of service attacks like those that rocked the Web in February. But Nash said those fears are unjustified.

"It is a unique attack directly specifically at us. It doesn't mean others are vulnerable to this type of attack," said Nash, who declined to say whether the company suspected an employee or someone with an inside knowledge of its network was responsible for the attack.

In a posting early Wednesday morning to the NANOG message board frequented by network operators, Paul Vixie, senior VP for Internet Services for Metromedia Fiber Network, AboveNet's parent company, also suggested the attackers exploited a vulnerability unique to AboveNet. Vixie wrote, "If (we) suspected a way in which other providers were vulnerable, we'd have shared that information with you (privately) by now."

AboveNet has plugged the hole that allowed the attack to occur and has restored service to most of its affected customers.

For some AboveNet customers, the outage was merely an inconvenience. Mark Kent of Internet Mainstreet Inc. in San Jose, said traffic switched over to an alternate connection through Genuity, Inc. during the outage.

In an email to, Kent said, "I believe that once you get to a certain size, these kind of failures are inevitable and so a suitable backup is essential."

The attack on AboveNet's equipment follows a security alert last week from Cisco. The big router maker issued a bulletin notifying users that a defect in its IOS software could enable outsiders to force its routers to reboot by issuing a simple TELNET command. Cisco said the defect could be exploited repeatedly to produce a denial of service attack. The vulnerability was reported to the company by several different customers who found it while conducting security scans of their networks. Cisco has corrected the defect in updates to IOS.

Another vulnerability in IOS was publiciz ed last year on the Bugtraq security mailing list. In that instance, attackers are able to crash or reboot Cisco routers by sending malformed packets to the router's port 514. The company issued workaround instructions and patched later versions of IOS to prevent the attack.

Earlier this month, AboveNet said it plans to deploy new routers from Juniper Networks that are specifically designed to filter packets and thwart denial of service attacks.,2171,8_348291,00.html


-- (, April 26, 2000

Moderation questions? read the FAQ