Web outage blamed on zombies

Robert Lemos and Jim Hu CNET News

Published: 17 Jun 2004 09:35 BST


The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "bot net" -- a large network of zombified home PCs -- Internet infrastructure provider Akamai Technologies said Wednesday.

The attack, which blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo's Web sites for two hours on Tuesday, took aim at the key domain name system (DNS) servers run by Akamai. These servers translate word-based URLs, such as www.microsoft.com, into the numerical addresses used by the Internet. Using compromised home computers, the attackers sent a flood of data to the DNS servers, preventing them from providing that translation and effectively shutting surfers out of the four companies' pages, according to Akamai.

The deluge of data that hit the infrastructure provider was "so large that it [couldn't have] come from a couple of servers," said Tom Leighton, chief scientist and co-founder of Akamai. "Working with our network partners, we were able to identify a bot network that appeared to be operating and managed to shut it down, which resulted in stopping the attack."

Bot networks are collections of computers that have been compromised by software specifically designed to create a network of systems for attack. A bot -- also known as a remote-access Trojan program (RAT) -- seeks out and places itself on vulnerable PCs. It then runs silently in the background, letting an attacker send commands to the system while its owner works, oblivious. The computers are essentially turned into zombies, controllable from afar.

The latest versions of bot software enable attackers to control and steal information from compromised computers via chat servers and peer-to-peer networks. These PCs can then be commanded to infect or attack other computers. Security experts have identified bot networks as a critical threat to the Internet.

A common use of a bot network is to order each compromised PC to send seemingly legitimate network traffic to a single destination, resulting in a torrent of data that overloads the target servers. Such a distributed denial-of-service, or DDoS, attack can block access to a Web site for several hours or even days.

A security professional who participated in investigating the attack confirmed that the DDoS attack apparently came from an extremely large bot net.

"If it was [a] bot, it was very well written and it was very large," the security expert said on condition of anonymity. "As far as we could tell...it all looked like real and legitimate traffic."

While Tuesday's attack was aimed at bringing down the four major Web sites, Akamai's Leighton said his company was the true target.

"At the high level, it was clear that this attack was focused on a subset of our customers," he said. "We assumed they were attacked as a way to get at Akamai."

What remains unclear is how the DDoS attack could be so selective as to focus on the main Yahoo, Google, Microsoft and Apple sites. Distributed attacks are typically blunt instruments rather than scalpels, as evidenced by the mass outages caused by this method in 2000.

Keynote Systems and other Internet performance companies said Web traffic actually dipped during the attack, raising questions about the volume of data sent to Akamai's servers. Typically, a large-scale DDoS would be observed as an increase in network traffic.
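Taken together, the two observations above (the flood looked like legitimate traffic, and overall volume did not rise) mean a DNS operator cannot rely on raw query volume to spot this kind of attack. The following added example, which is not from the article or from Akamai, runs over a constructed DNS query log and flags a time window whose distinct-source count or failed-answer ratio jumps even though its query count stays flat; the log format, the IP addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log lines: "<epoch-second> <client-ip> <qname> <rcode>".
# Not from the article or from Akamai. Shaped to mirror the story: the second
# window carries no more queries than the first, but they arrive from many
# more sources and the server starts failing to answer.
def build_sample_log():
    lines = []
    # Baseline window (seconds 0-9): 50 queries from 5 repeat clients, all answered.
    for i in range(50):
        lines.append(f"{i // 5} 198.51.100.{i % 5 + 1} www.example.com NOERROR")
    # Flood window (seconds 10-19): 50 queries from 50 distinct clients,
    # 20 of which the overloaded server cannot answer.
    for i in range(50):
        rcode = "SERVFAIL" if i < 20 else "NOERROR"
        lines.append(f"{10 + i // 5} 203.0.113.{i + 1} www.example.com {rcode}")
    return lines

def parse_line(line):
    ts, src, qname, rcode = line.split()
    return int(ts), src, qname, rcode

def window_stats(lines, window=10):
    """Per-window query count, distinct client count and unanswered ratio."""
    buckets = defaultdict(lambda: {"queries": 0, "sources": set(), "failed": 0})
    for line in lines:
        ts, src, _qname, rcode = parse_line(line)
        b = buckets[ts // window]
        b["queries"] += 1
        b["sources"].add(src)
        if rcode != "NOERROR":
            b["failed"] += 1
    return {w: {"queries": b["queries"],
                "distinct_sources": len(b["sources"]),
                "fail_ratio": b["failed"] / b["queries"]}
            for w, b in sorted(buckets.items())}

def flag_windows(stats, baseline, source_ratio=5.0, max_fail_ratio=0.1):
    """Flag windows whose distinct-source count jumps relative to the baseline
    window or whose failure ratio exceeds the threshold; raw volume is ignored."""
    base_sources = max(stats[baseline]["distinct_sources"], 1)
    return [w for w, s in stats.items() if w != baseline and
            (s["distinct_sources"] >= source_ratio * base_sources
             or s["fail_ratio"] > max_fail_ratio)]

if __name__ == "__main__":
    stats = window_stats(build_sample_log())
    print(stats, flag_windows(stats, baseline=0))
```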

Nonetheless, DDoS attacks are getting sophisticated, especially in the variants of computer viruses that have recently surfaced. The Netsky virus used such a technique to target Kazaa and other file-sharing networks, disrupting service at some. Earlier this year, the main Web site of the SCO Group was crippled after attacks from computers infected by the MyDoom virus.

Akamai refused to provide greater detail about Tuesday's attacks, citing a need to keep mum on the details of the company's architecture and to avoid giving more publicity to the attackers.

"There was an extraordinary amount of traffic," Akamai's Leighton said.
