Web outage blamed on zombies

The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "bot net" -- a large network of zombified home PCs -- Internet infrastructure provider Akamai Technologies said Wednesday.

The attack, which blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo's Web sites for two hours on Tuesday, took aim at the key domain name system (DNS) servers run by Akamai. These servers translate word-based URLs, such as www.microsoft.com, into the numerical addresses used by the Internet. Using compromised home computers, the attackers sent a flood of data to the DNS servers, preventing them from providing that translation and effectively shutting surfers out of the four companies' pages, according to Akamai.

The deluge of data that hit the infrastructure provider was "so large that it [couldn't have] come from a couple of servers," said Tom Leighton, chief scientist and co-founder of Akamai. "Working with our network partners, we were able to identify a bot network that appeared to be operating and managed to shut it down, which resulted in stopping the attack."

Bot networks are collections of computers that have been compromised by software specifically designed to create a network of systems for attack. A bot -- also known as a remote-access Trojan program (RAT) -- seeks out and places itself on vulnerable PCs. It then runs silently in the background, letting an attacker send commands to the system while its owner works, oblivious. The computers are essentially turned into zombies, controllable from afar.

The latest versions of bot software enable attackers to control and steal information from compromised computers via chat servers and peer-to-peer networks. These PCs can then be commanded to infect or attack other computers. Security experts have identified bot networks as a critical threat to the Internet.

A common use of a bot network is to order a compromised PC to send seemingly legitimate network information to a single destination, resulting in a torrent of data that overloads the target servers. Such a distributed denial-of-service, or DDoS, attack can block access to a Web site for several hours or even days.

A security professional who participated in investigating the attack confirmed that the DDoS attack apparently came from an extremely large bot net.

"If it was [a] bot, it was very well written and it was very large," the security expert said on condition of anonymity. "As far as we could tell...it all looked like real and legitimate traffic."

While Tuesday's attack was aimed at bringing down the four major Web sites, Akamai's Leighton said his company was the true target.

"At the high level, it was clear that this attack was focused on a subset of our customers," he said. "We assumed they were attacked as a way to get at Akamai."

What remains unclear is how the DDoS attack could be so selective as to focus on the main Yahoo, Google, Microsoft and Apple sites. Distributed attacks are typically blunt instruments rather than scalpels, as evidenced by the mass outages caused by this method in 2000.

Keynote Systems and other Internet performance companies said Web traffic actually dipped during the attack, raising questions about the volume of data sent to Akamai's servers. Typically, a large-scale DDoS would be observed as an increase in network traffic.

Nonetheless, DDoS attacks are getting sophisticated, especially in the variants of computer viruses that have recently surfaced. The Netsky virus used such a technique to target Kazaa and other file-sharing networks, disrupting service at some. Earlier this year, the main Web site of the SCO Group was crippled after attacks from computers infected by the MyDoom virus.

Akamai refused to provide greater detail about Tuesday's attacks, citing a need to keep mum on the details of the company's architecture and to avoid giving more publicity to the attackers.

"There was an extraordinary amount of traffic," Akamai's Leighton said.

Talkback

On Monday I had a major influx of e-mails resulting in my mail server overloading and crashing due to the excessive reporting of the attack of the zombies. Two attacks, one from email inet@microsoft.com and another from mgrant@caveshepherd.com. It took four days for the attack to end despite measures to keep it at bay and not cause further problems. I suspect having looked at my data we were an intended victim of this zombie attack, although my ISP (Easynet email team, not the ADSL team) treated it as if it was a normal situation. More vigilance by support and lateral thinking is needed, esp for us small business users; oh yes and me organising an effective system so that the reporting of viruses doesn't cause a system overload - (doh!).

via Facebook 18 June, 2004 10:44

Clearly if users are unable to access a root domain server, then the amount of traffic on the internet will drop. The amount of DNS bandwidth is very small compared with the amount of domain-name specified data bandwidth (HTTP(S), SMTP, FTP for a start).

via Facebook 22 June, 2004 14:30

Currently under vicious attack from inet@microsoft.com some of which contain virus Erkez.B@mm.

Efforts to prevent them arriving on the server have failed and even by utilising the Outlook Express blockers the onslaught still arrives in the thousands preventing normal use of system.

Can someone please advise how I can keep them out of the system and yet still receive my proper e-mails to my desktop.

via Facebook 15 September, 2004 14:13

Please let me know if you get an answer to this. I am blocking these thousands of emails but they still keep coming. The email address is inet@microsoft.com

via Facebook 23 September, 2004 15:45

I have had this problem now three times, the most recent occurrence is October 26th and still continues today.

Can anyone tell me how I can prevent this from happening??

Help,
Karen

via Facebook 29 October, 2004 17:04
