Monday, Feb. 21, 2000
Behind The Hack Attack
By Chris Taylor
While the biggest hacker attack in Web history loomed like a tsunami on the virtual horizon last Monday, Alan Hannan was looking for nothing more dangerous than soda and cookies in a San Jose, Calif., hotel lobby. Like hundreds of techies who help keep the backbone of the Internet properly aligned, Hannan had spent the morning at the North American Network Operators' Group conference listening to a talk on something called denial-of-service (DOS) attacks. "I thought I knew about them well enough," says Hannan. "I didn't pay much attention. I wish I had."
Before he could finish his Coke, Hannan's cell phone buzzed. It was David Filo, co-founder of Yahoo and one of Hannan's clients. "It looks like we're having some problems with the site," Filo said. Could Hannan take a look?
Although neither man knew it yet, the Web's most popular portal was being bombarded with enough confusing information to cause the digital equivalent of a nervous breakdown. Normally, Yahoo absorbs a couple hundred million bits of data each second, meaning it can handle millions of Yahoo users asking simultaneously for, say, the lowdown on Ricky Martin without breaking much of a sweat. But now Yahoo's Internet service provider, Global Crossing--Hannan's company--was clogging up with as many as 1 billion bits a second.
But it was the type of information that did the most damage. This was no Ricky Martin request. It was millions of phantom users suddenly screaming "Yes, I heard you!"--which was very unusual since Yahoo hadn't said anything. Worse, the phantoms had all given Yahoo fake return addresses. Yahoo got so hung up trying to get back to them all, it couldn't get around to dishing up those Ricky links to regular users. Service, in other words, was denied. Visitors to Yahoo saw an empty screen.
Hannan and his team zipped back to Global Crossing's HQ. In an hour they figured out they were under a DOS attack. It took another couple hours of monitoring their $500,000 routing machines to figure out which one was being attacked and to install the kind of filters that would scare the phantoms away. It wasn't brain surgery. Kids make DOS attacks all the time. But when the engineers saw the size of the barrage--10 times as large as anything ever recorded--they gasped. "We all agreed," says Hannan, "that we had a very formidable opponent."
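The mechanism the article describes in the two paragraphs above, phantom replies to conversations the server never started, each carrying a forged return address, can be turned into a simple defensive check. The Python below is an added example written for this page, not code from the article or from Global Crossing or Yahoo; the packet records, addresses, server label, alert threshold and the simplified `direction`/`flags` fields are constructed sample values standing in for real capture data.

```python
"""Added example (not from the TIME article): flag inbound replies to
conversations our server never opened, and measure whether they come from
a flood of distinct, never-repeated source addresses (the forged return
addresses the article describes). All records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

SERVER = "192.0.2.10"  # constructed address for "our" server


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds, constructed
    src: str
    dst: str
    direction: str   # "out" = sent by our server, "in" = arriving at it
    flags: str       # simplified TCP flags: "SYN", "SYN-ACK", "ACK"


def find_unsolicited(packets):
    """Return inbound ACK / SYN-ACK packets from peers our server never
    sent anything to: the 'Yes, I heard you!' phantoms of the article."""
    spoken_to = set()
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out":
            spoken_to.add(p.dst)
        elif p.flags in ("ACK", "SYN-ACK") and p.src not in spoken_to:
            unsolicited.append(p)
    return unsolicited


def flood_score(unsolicited, window=1.0):
    """Per time window, count unsolicited replies and distinct sources.
    Many sources each seen once inside one window points at forged
    addresses rather than a few misbehaving real hosts."""
    buckets = defaultdict(list)
    for p in unsolicited:
        buckets[int(p.ts // window)].append(p.src)
    return {b: (len(srcs), len(set(srcs))) for b, srcs in buckets.items()}


def alert(packets, threshold=5, window=1.0):
    """Return the windows whose unsolicited-reply count and distinct-source
    count both reach the threshold (a constructed example value)."""
    scores = flood_score(find_unsolicited(packets), window)
    return sorted(b for b, (n, uniq) in scores.items()
                  if n >= threshold and uniq >= threshold)


# Constructed sample: one legitimate handshake, then eight phantom ACKs
# from eight different forged sources within a single one-second window.
SAMPLE = [
    Packet(0.05, "203.0.113.7", SERVER, "in", "SYN"),      # real client opens
    Packet(0.10, SERVER, "203.0.113.7", "out", "SYN-ACK"),  # we reply
    Packet(0.20, "203.0.113.7", SERVER, "in", "ACK"),      # handshake completes
] + [
    Packet(1.0 + i * 0.01, f"198.51.100.{i}", SERVER, "in", "ACK")
    for i in range(8)
]

if __name__ == "__main__":
    print("unsolicited replies:", len(find_unsolicited(SAMPLE)))
    print("alerting windows:", alert(SAMPLE))
```

A real deployment would read flow records from a capture or a router's export instead of the constructed list. The point the code makes is that a stateful question (did we send anything to this peer?) separates phantoms from real users, and that a large count of distinct sources that never recur is exactly what makes blocking individual addresses futile and pushes the response toward rate limits and upstream filters of the kind the article's engineers installed.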
The next three days were marked by serial slowdowns at some of the biggest sites on the Web: Amazon.com, eBay, CNN.com (owned by Time Warner, parent company of TIME), ZDNet, ETrade, Excite. Like so many virtual vandals before him, the phantom foe clearly craved attention. He got it in the shape of a front-page media frenzy, a full-scale FBI investigation and a hastily convened White House conference on Web hacking. And yet he stubbornly refused to show up at his own party, prompting PC paranoia and all manner of conspiracy theories.
So why do it if you're not going to brag about it? Some saw an economic motive or a Quixotic tilt at the commercialization of the Internet. After all, our phantom had managed to interrupt one of Wall Street's sacred rituals: the dotcom IPO of Buy.com, which was hit by a DOS attack on Tuesday afternoon, before the end of its first day as a publicly traded company. The stock had reached a peak of $30.25, then closed at an unspectacular $25.12. Just when Buy.com chief executive Gregory Hawkins should have been popping champagne corks, he was hunkering down in an emergency session with his techies. "I'm not going to kid you," says Hawkins. "My stomach did drop." That sinking-stock feeling spread the next day as the hack attack contributed to a market-wide sell-off.
Even more surprising than Wall Street's reaction was how much the hackers had done with so little. The kind of software used for the attack is practically public property. You can download it in the form of programs, or scripts, like Trin00, Tribal Flood Network or the nightmarish-sounding Stacheldraht (German for barbed wire). Each program can accept a kind of plug-in to make it even more adaptable, with names like Stream, Spank or Raped. "These tools have been out there for years," says Emmanuel Goldstein, editor of the hacker journal 2600. "Hackers have known about these for years. They haven't done anything about it. To me, that shows great respect and restraint."
It was hard to find a hacker last week who wasn't in full sneer about the so-called script kiddies--newcomers who would dare commit such ignoble attacks with prefab software. "A lot of us hackers feel insulted, because it's a no-brainer," says Val Koseroski, 32, a self-confessed "old-school" hacker with a wife, a child and a mortgage. "When I was growing up, hacking was about learning how a computer operates. You always tried to push it to the edge. Kids these days, they just want to do any damage they can."
But this was not mere vandalism either; too much planning had gone into it. Phase 1 took place as early as last year. The culprit first scanned the Internet for vulnerable networks to use as unwitting allies in the final attack. Small businesses and universities, where security is often more lax, are prime targets. Both Stanford and the University of California at Santa Barbara had been co-opted. A UCSB computer participated in the CNN website attack. Even the Navy's computers may have been enlisted as unwilling dupes.
Choosing the right networks took time. About 50 were used for the Yahoo attack; more were employed in later hits. But once they were selected, activation was simply a matter of uploading bits of code called daemons, similar to viruses, which bided their time in dark corners of these remote networks until the hacker decided it was DOS Day. The attacks appeared to come from them, not him (attacks from multiple sites are hard to pin down in any case). When the "master" activates his daemons, his hands remain unseen. Technically, "the Amazons and Yahoos were not hacked into," notes Simon Perry of security software firm Computer Associates. But there are "hundreds, thousands of machines out there whose security was compromised and remains compromised." Translation: it can happen again.
There were warning signs. Back in December the FBI and a number of private security firms began detecting countless dormant daemons cropping up on servers across the country. Scan yourselves with detection software, urged the hacker trackers. Evidently not enough sites did. That changed after the attack; downloads of the Feds' scanning tool shot up from 170 on Monday to 4,223 on Thursday.
Still, the FBI is trying to solve what it calls the biggest, most complex cybercrime it's encountered. Investigators in Santa Barbara and the Bay Area are zeroing in on how the UCSB computers were manipulated. On Saturday, federal sources confirmed that they had found some telling clues along the e-trail; one of the culprits "was a little sloppy." Following up on those clues may take some time, particularly since authorities have to figure out constitutional search-and-seizure issues before they begin grabbing electronic evidence. Meanwhile, agents trawled chat rooms looking for the slightest hint of a pseudonymous braggart. Old-fashioned detective work on the cyberbeat is "probably the best we're going to do in this case," says Shawn Hernan of Carnegie Mellon University's computer emergency response team.
So it's not surprising that the Feds are happy to have amateur sleuths help out, even if those sleuths happen to be hackers themselves. After all, plenty of old-school hackers are now high-salaried heads of security; others are employed as "white-hat" hackers who do their damnedest to crack a system in order to make it unbreakable. Why not turn them into cyber-Pinkertons? "They see themselves in this battle to protect the technology they love," says professor Philip Bobbitt, former National Security Council senior director for infrastructure protection. "No one will be as effective as someone who's fighting for what they love."
Case in point: John Vranesevich, founder of hacker-watch website AntiOnline.com, seen by many hackers as something of a Benedict Arnold. So loathed is he that AntiOnline is an almost constant target for DOS attacks (in one of its more entertaining features, the site lets you see who's attacking it, and how, in real time). While the Feds were still holding press conferences, AntiOnline had already compiled a perp-profile sheet. The attacks, it says, were committed by a cell of three to six hackers--most likely teenagers, most likely male. "All DOS attacks have been perpetrated by more than one individual," notes Vranesevich. "They're not looking for recognition from the national public but from a small peer group." And that peer group, he believes, always leaks in the end.
They'd better do so soon. Newsgroups are starting to buzz with conspiracy theories. Netizens are natural civil libertarians, and they sense a government crackdown waiting in the wings. The government is getting jittery too, fearful of some future electronic Pearl Harbor. "We're entering a period when a very small number of persons can do greater damage to our American infrastructure than all our previous wars combined," frets Bobbitt.
That may sound a little alarmist, on the basis of three days of DOS attacks on a handful of commercial websites. The danger is real. But as with many terrorist strikes, the fear caused by a faceless attacker has, so far, turned out to be more potent than the attack itself.
--With reporting by Massimo Calabresi/Washington, Michael Krantz/San Francisco, Aixa M. Pascual/New York and Jeffrey Ressner/Los Angeles