Europe South Asia Asia Pacific Americas Middle East Africa BBC Homepage World Service Education
BBC Homepagelow graphics version | feedback | help
BBC News Online
 You are in: Business
Front Page 
UK Politics 
Market Data 
Your Money 
Business Basics 
Talking Point 
In Depth 

Internet Security Systems' Mark Sokol
"It's hard to implement adequate securities and controls"
 real 28k

Thursday, 10 February, 2000, 05:38 GMT
How the web was wounded

Yahoo: Hit with a year's worth of data per second

The spate of electronic assaults on high-profile websites has illustrated just how vulnerable to attack even the internet's biggest names are.

In each case the online saboteurs have bombarded their victims' sites with vast amounts of data making it impossible for legitimate users to get through.

Yahoo's site ground to a halt after it was pounded with one gigabit - or one billion bits of information - per second.

"Most sites don't get that in a year," said the company's spokeswoman Diane Hunt. "That's an incredible amount." Targeted for attack
This technique, known as a "denial of service attack", could be likened to repeatedly auto-dialling a phone number so that all that other callers get is an engaged tone.

In the past few days it has been successfully used to temporarily cripple several of the world's most popular commercial websites.

As well as Yahoo the victims have included - the company that has probably done more than any other to overcome public mistrust of online transactions, paving the way for the explosion in e-commerce.

All of the targeted firms have been keen to stress that none of their customers' details, such as credit card numbers, have been accessed by their faceless foes.

But downloading such information does not appear to have been the plan.

By making it impossible for online transactions to take place, a successful attack deprives a company of revenue.

A site's credibility with the public and investors is also likely to be damaged if it is so easily brought to its knees by an unseen assailant.

Zombies beware

Perpetrators of such attacks usually force unsuspecting third parties to be their accomplices in this, the very 21st Century version of industrial sabotage.

The junk data is sent through "zombie" machines, innocent computer systems which have been "cracked" by a single person or group of people from a remote location.

mouse The attackers can tap into dozens of innocent computer systems to launch an attack
In the case of the attack on Yahoo it is believed that about 50 powerful computers were hacked across the United States.

These "zombies" were then simultaneously instructed to send falsified data to "routers" on the internet that, in turn, were fooled into flooding the Yahoo site.

The saboteurs can avoid detection by jumping from one computer network to another to cover their tracks, and by immediately erasing any data that might identify them.

Christopher Klaus, chief technology officer of Internet Security Systems Inc a company which tries to combat such online thuggery says this makes it difficult to identify who is really behind a denial of service attack.

"The problem is to find the command centre that's controlling all of the machines," he said.

"This is a non-trivial problem."

Best defence?

So what can websites do to defend themselves against such tactics.

In the extreme short term the answer may be not very much.

The whole industry is moving so fast it's hard to implement adequate securities and controls.
Internet Security Systems' Mark Sokol
It can take several hours for technicians to identify an attack and put filters into action to block the junk messages.

By then damage has already been done

Mark Sokol of Internet Security Systems says that to an extent such problems go with the territory.

"The whole industry is moving so fast it's hard to implement adequate securities and controls.

"Which is one of the reasons in order to circumvent these type of risks it is essential for an organisation to implement best practices and controls as well as a have a process in place, of preparedness, for an incident."

Search BBC News Online

Advanced search options
Launch console

See also:
09 Feb 00 |  Business
FBI targets net saboteurs
08 Feb 00 |  Sci/Tech
Yahoo brought to standstill
08 Feb 00 |  Sci/Tech
Yahoo attack exposes web weakness

Internet links:

The BBC is not responsible for the content of external internet sites
Links to other Business stories are at the foot of the page.

E-mail this story to a friend

Links to more Business stories