Hunting The Hackers

Hell week for e-commerce began at just about latte time last Monday morning. At around 10:20 a.m. Pacific, the brisk pace of the Yahoo portal--a Gladstone bag of digital services including e-mail, news, fantasy sports leagues and a renowned Web directory--slowed precipitously. Net surfers accustomed to an average page-loading time of 1.7 seconds were confronted by an annoying six-second World Wide Wait. Then it got really bad. By 10:30 almost half of those attempting to jack into the Web's second most-popular site were finding nothing but error messages.

Yahoo's operations team, four engineers led by cofounder David Filo (with an $8 billion stake in the company, surely the richest repairman in the world), got on the horn with GlobalCenter, the Sunnyvale, Calif.-based service that hosts Yahoo's machines. At first the nerd squad figured that a router had failed. But analyzing the flow of bits, they discovered what Global's exec VP Laurie Priddy called "a huge tidal wave of data." Millions of meaningless digital packets--short, anonymous "pings" that ranged from simple diagnostic messages to requests for page views--were descending on the once pastoral setting of the Yahoo server farm like a plague of bit-locusts. "The volume was massive," says Priddy. "It was coming, seemingly, from everywhere." By 11 a.m. less than 10 percent of Yahoo's customers could access a page, according to Keynote Systems, which monitors Web traffic, and even for them it took more than 20 seconds to load it up, no matter how fast the connection.

Yahoo was under attack, the first of several last week that would dramatically expose cyberspace's dirty secret: though the Internet is an amazing creation that has boosted our economy and provided lots of cheeky Super Bowl ads, it is still a work in progress that can be knocked silly with surprising ease. Even the e-commerce giants are no sturdier than the respective houses of Little Pigs No. 1 and 2. Instead of a stiff huff from a wolf's lungs, all it takes is a well-directed "denial of service" attack to blow away the edifices, at least on a temporary basis. And when you try to track the culprit, it turns out that all you can find is sheep's clothing--the dummy computers through which the cybervandal laundered his poisonous computer code.

So by 10:30, when Yahoo president Jeff Mallett was alerted, the engineers had concluded they were indeed victims of a denial of service. This is a deliberate attempt to shut down a network operation by overloading it--like shooting a fire hose of bits into a virtual glass of water. What's more, as the team began tracing the traffic, they discovered that the attack was launched through at least 50 locations, a sure sign that their nemesis was using someone else's machines to launch a distributed attack. This is done by first planting software "slaves" in innocent third-party computers, or "zombies." At a given time, those rogue slave programs use the processing power of their hosts to send a flood of destructive messages to the actual target servers.
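The tell that the Yahoo team relied on, a spike in traffic that arrives from many addresses at once rather than from one loud host, can be checked mechanically against flow records. The script below is an added example, not anything from the article or from Yahoo or GlobalCenter: the flow records, the target address 192.0.2.10 and the thresholds (ten times the median per-second rate, at least 20 distinct sources) are all constructed assumptions. It labels each noisy second as "distributed" or "single-source", which is the distinction that told the engineers they were facing borrowed machines rather than one attacker.

```python
"""Spot a distributed flood in flow records by rate and source spread.

Added example; the flow records below are constructed for illustration and
the detection thresholds are assumptions, not figures from the article.
"""
from collections import defaultdict
from statistics import median

TARGET = "192.0.2.10"  # assumed address of the server being watched


def build_sample_flows():
    """Constructed flow records: '<epoch-second> <src-ip> <dst-ip> <proto>'."""
    lines = []
    # Five quiet seconds: two ordinary clients, one packet each per second.
    for ts in range(1000, 1005):
        lines.append(f"{ts} 10.1.1.5 {TARGET} tcp")
        lines.append(f"{ts} 10.1.1.6 {TARGET} tcp")
    # Two seconds of traffic from 60 different hosts, three packets each:
    # the "coming from everywhere" pattern of a distributed flood.
    for ts in (1005, 1006):
        for i in range(1, 61):
            lines.extend(f"{ts} 10.2.0.{i} {TARGET} icmp" for _ in range(3))
    # One second of 50 packets from a single host: loud, but not distributed.
    lines.extend(f"1007 10.3.3.3 {TARGET} tcp" for _ in range(50))
    # Traffic to some other host, which the detector must ignore.
    lines.append("1005 10.9.9.9 192.0.2.99 tcp")
    return lines


def parse_flow(line):
    ts, src, dst, proto = line.split()
    return int(ts), src, dst, proto


def per_second_stats(lines, target):
    """Packets per second and distinct source addresses aimed at `target`."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        ts, src, dst, _proto = parse_flow(line)
        if dst != target:
            continue
        stats[ts]["packets"] += 1
        stats[ts]["sources"].add(src)
    return stats


def detect_flood(lines, target, multiplier=10, min_sources=20):
    """Return (second, packets, distinct_sources, kind) for each noisy second.

    A second is noisy when its packet count exceeds `multiplier` times the
    median per-second rate (the median is robust to the spike itself). A
    noisy second fed by at least `min_sources` addresses is labelled
    'distributed'; otherwise 'single-source'.
    """
    stats = per_second_stats(lines, target)
    if not stats:
        return []
    baseline = median(s["packets"] for s in stats.values())
    alerts = []
    for ts in sorted(stats):
        pkts = stats[ts]["packets"]
        srcs = len(stats[ts]["sources"])
        if pkts > multiplier * baseline:
            kind = "distributed" if srcs >= min_sources else "single-source"
            alerts.append((ts, pkts, srcs, kind))
    return alerts


if __name__ == "__main__":
    for ts, pkts, srcs, kind in detect_flood(build_sample_flows(), TARGET):
        print(f"t={ts}: {pkts} packets from {srcs} sources -> {kind}")
```

On the constructed data this flags seconds 1005 and 1006 as distributed (180 packets from 60 addresses) and second 1007 as single-source (50 packets from one address). Real flow exports carry more fields and the baseline should come from a longer history than a few seconds, but the rate-times-spread test is the same.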

Filo and the team started redirecting Yahoo's traffic to an unaffected server on the (ugh) East Coast. By 1:15 in the afternoon, at least half of its customers could answer positively to the "Do you Yahoo?" question, and by 3 p.m. the service was running normally. Just around then, the bad data stopped flowing. "Pretty much once we blocked it, it appeared they figured it out and stopped," says Priddy.

Actually, they just moved. On Tuesday, the Yahoo folks got a panic call from the popular auction site eBay, asking for advice. They're baa-aack. Not only eBay, but CNN.com and the flagship of e-commerce, Amazon.com, got DOSed on Tuesday. Perhaps the cruelest twist was the attack on the cyberstore Buy.com. When CEO Gregory Hawkins heard that his site was buried in bits, he was standing on the Nasdaq trading floor, celebrating his IPO and waiting to tape a cable-television segment. (Despite the attack, Buy.com stock rose from an opening $13 to $25. Love that bubble.) On Wednesday, the hit list spread to computer-journalism site ZDNet and stock brokerages E*Trade and Datek.

By the time Attorney General Janet Reno held a press conference vowing an all-out FBI dragnet to stop the technoperps, the message had sunk in: Toto, we're not in Wal-Mart anymore. An hour after Reno pounded the lectern, the portal Excite At Home became the ninth DOS victim of the week. "Massive amounts of data overloaded our connections," says Excite's Joe Minarik. "It's as if you've got a phone line that can handle 100 calls, and they drive 1,000 to it."

The shame of it is that more than two years ago, the Computer Emergency Response Team began warning the Net community about DOS incursions--obviously rarely heeded warnings. To be fair, it's devilishly difficult to prevent such an attack. On the day of the Yahoo blitz, Steve Bellovin, an AT&T security guru, was coincidentally giving a speech at an Internet service provider. One of his PowerPoint slides read, What are the strong defenses? The next slide: There aren't any. Indeed, eBay spokesperson Kevin Pursglove admits that there's no assurance that tomorrow's bidding wars on Pokemon holofoils won't be muddied by pinging tsunamis. "We can't promise our users that this will go away in the short term," he says. The key appears to be protecting all of cyberspace from predatory programs that recruit dozens, even hundreds, of unsuspecting machines in a DOS attack. Internet service providers could install filters on the data they ship, to sift out evil pings. Several security firms hope to introduce "zombie agents" that sniff out unwanted scripts. Another company, RSA Security, claims it has created a method that, when an attack is sensed, requires visiting computers to solve cryptographic "puzzles"--a task that will overwhelm the attacking machines.
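The "cryptographic puzzle" idea is simple enough to show in a few dozen lines. What follows is an added example written for this page; it is not RSA Security's method and not code from any company named in the article. It uses one common construction, assumed here: the server hands a visitor a nonce and a difficulty, the visitor must find a counter whose SHA-256 hash with the nonce begins with that many zero bits, and the server checks the answer with a single hash. The nonce carries an HMAC under a server secret (a constructed value) so the server keeps no per-visitor state, and the difficulty scales with how far observed load sits above baseline, so honest visitors pay nothing when the site is quiet.

```python
"""Hash-based client puzzle: cheap for the server to check, moderately costly
for each visitor to solve, with the cost raised only while load is abnormal.

Added example illustrating the 'cryptographic puzzle' defence; it is not RSA
Security's scheme. The leading-zero-bits construction, the server secret and
the difficulty schedule are assumptions made for this illustration.
"""
import hashlib
import hmac
import math
import secrets

SERVER_SECRET = b"constructed-server-secret"  # constructed; would be random per deployment


def choose_difficulty(load_ratio: float, max_bits: int = 20) -> int:
    """Zero cost while load is at or below baseline; grows with log2 of the excess."""
    if load_ratio <= 1.0:
        return 0
    return min(max_bits, 8 + int(math.log2(load_ratio)))


def issue_puzzle(client_id: bytes, difficulty: int):
    """Server side: return (nonce, difficulty).

    The nonce is a random salt plus an HMAC tag binding it to this client, so
    the server can recognise its own puzzles later without storing them.
    """
    salt = secrets.token_bytes(8)
    tag = hmac.new(SERVER_SECRET, salt + client_id, hashlib.sha256).digest()[:8]
    return salt + tag, difficulty


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: search for x so that SHA-256(nonce || x) starts with
    `difficulty` zero bits. Expected work is about 2**difficulty hashes."""
    x = 0
    while True:
        digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return x
        x += 1


def verify_solution(client_id: bytes, nonce: bytes, difficulty: int, x: int) -> bool:
    """Server side: one HMAC to confirm the nonce is ours and for this client,
    then one hash to check the proposed solution."""
    if len(nonce) != 16:
        return False
    salt, tag = nonce[:8], nonce[8:]
    expected = hmac.new(SERVER_SECRET, salt + client_id, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return False
    digest = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    # Constructed scenario: load is 64 times baseline, so puzzles cost 14 bits.
    bits = choose_difficulty(64.0)
    nonce, bits = issue_puzzle(b"visitor-1", bits)
    answer = solve_puzzle(nonce, bits)
    print(f"difficulty={bits} answer={answer} ok={verify_solution(b'visitor-1', nonce, bits, answer)}")
```

The asymmetry is the point: the server spends one HMAC and one hash per visitor regardless of difficulty, while each machine sending requests has to spend roughly 2**difficulty hashes per request. A flood of machines that never solve the puzzle can be dropped before any expensive work is done on their behalf.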

While the Net tries to get its act together--and waits for the zombies to rise again--the action is shifting to the FBI geek hunt. The first clue: part of the attack on CNN was funneled through a computer at the University of California, Santa Barbara. Stanford and UCLA also confirmed that their computers were used in the attacks. By the end of the week the FBI was seeking subpoenas to search computers in California and Oregon. But that probably won't get the authorities significantly closer to the real culprits, who certainly didn't leave valid return addresses. The best hope is that by painstakingly examining the logs of the routers that direct Internet traffic, investigators might discover clues to the actual origin of the attack. Another approach is to examine the "magic packets" directed toward the target computers, in hopes that they contain snippets of text or code that will implicate the perpetrators. "It's a snowball rolling down a hill," says a law-enforcement official. "These investigations are time-consuming, tedious and immense." The FBI isn't exactly overloaded with Internet infrastructure gurus (a situation made worse by defections to the lucrative private sector), so it is relying heavily on outside consultants, some of whom have moved operations to the bureau's Pennsylvania Avenue headquarters for the investigation. The consultants have written specialized software to speed the excruciating high-tech search.

If the attackers were extremely careful, that "digital forensics" approach won't work. Then the FBI would have to rely on more traditional detective work to nab the service deniers. "They are probably using their numerous informants through the computer underground to try to gain intelligence on who might be behind these attacks," guesses former hacker Kevin Mitnick, who was recently released from prison. "If their motive is bragging rights, eventually their tale will be told to an informant--that's the FBI's best chance at finding out who's behind this."

Who will be found at the end of the digital trail? (If caught and convicted, the perps face up to 10 years in the pokey, with fines that could reach a quarter-million bucks each.) Janet Reno admitted that the FBI not only doesn't know who they are, but is unsure of their motives. Some investigators, techies and digital rubberneckers, though, have ventured several theories on who might be behind it:

Malicious hackers. Launching an assault on someone's computer or Web site without an apparent financial gain is a hallmark of "black hat" hackers, who get their chips off by using a crummy laptop machine to ruin the days of e-commerce moguls like Jeff Bezos. (These are not to be confused with the "white hat" hackers, who cross over to work for security firms--for the money.) These could be garden-variety teenage geeks ("Aaron, come to dinner!" "Not now, Mom, I'm bringing E*Trade to its knees!") or a more exotic form of technovandal, the noirish Euro-thug who fires digital missiles from a cybercafe in Sofia or Amsterdam. Since the software programs, or scripts, necessary to launch a denial-of-service attack are readily available for download, even a relatively dim "packet monkey" or "script bunny" could be behind one or more of last week's Web meltdowns. "Sometimes kids walk down the street snapping car antennas and tires," says AT&T's Bellovin, "and sometimes they take out Yahoo and CNN."

Profiteers. On the other hand, maybe there is a financial component to all this. NEWSWEEK has learned that the FBI has been alerted to the possibility that the attacks might have been an effort to goose the price of computer-security stocks--which leapt skyward this week in the wake of a near panic about the future of e-commerce. "You don't do this without money involved," says one source involved in the investigation. "One attack is cute, but seven times?" But so far there's no evidence that the security companies are the 21st-century equivalent of hook-and-ladder arsonists. In fact, they're paranoid about getting hit themselves. "We were worried all week and we're still worried," says Zach Nelson of the Network Associates division MyCIO.com.

Net purists. Not too long ago, the Internet was the last, best hope for an altruistic renaissance of personal expression and political speech, embracing the extremes of the human experience. Now it's largely viewed as a mega shopping mall, with virtual Bal Harbours, Brimfields and banks--all to the benefit of instant billionaires. "This was in some ways comparable to what happened in Seattle at the WTO [anti-globalism protests]," says Kalle Lasn, editor of the Vancouver-based magazine Adbusters. Could it be that the DOS was launched as a culture jam to rouse the credit-card crowd from what Lasn calls "a consumer trance"? Ray Thomas, who has helped organize DOS attacks with the Web-activist group RTmark, doubts it. "These DOS attacks could fit in with some of our tactics, but we always attach a clear message," he says. Still, it's interesting to note that while Yahoo's commercial ventures were snuffed, the company's Geocities sites, which host just-plain-folks home pages, were left alone.

In a strange way, whoever was behind last week's invasion was doing us all a favor. The damage was relatively minor. "What's the economic impact here?" asks terrorism expert Gary Richter of Sandia National Labs. "For an hour or two people couldn't do their day trades, or buy some books. Well, five years ago, you couldn't do those things anyway." (As for the revenues lost by the e-commerce sites, figure it this way: since dot-coms typically lose money on every sale they make, they might have come out ahead.) But of course the day is approaching when Net access will be a lifeblood, and denial of service will be less like having a lollipop confiscated and more like having the lights doused and the pantry cleaned out. If the lessons learned last week result in a collective effort to seriously address the wimpy security of the Internet infrastructure--with everyone from government to Web sites to service providers to institutions and plain-vanilla users with cable modems working together--then the minor setbacks will be the best investment since Yahoo stock on the day it went public.

What doesn't kill the Net will make it stronger.