'Zombie' PCs caused Web outage, Akamai says

The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a "botnet"--a large network of zombified home PCs--Internet infrastructure provider Akamai Technologies said Wednesday.

The attack, which blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo's Web sites for two hours on Tuesday, took aim at the key domain name system (DNS) servers run by Akamai. These servers translate word-based URLs, such as www.microsoft.com, into

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

the numerical addresses used by the Internet. Using compromised home computers, the attackers sent a flood of data to the DNS servers, preventing them from providing that translation and effectively shutting surfers out of the four companies' pages, according to Akamai.

The deluge of data that hit the infrastructure provider was "so large that it (couldn't have) come from a couple of servers," said Tom Leighton, chief scientist and co-founder of Akamai. "Working with our network partners, we were able to identify a bot network that appeared to be operating and managed to shut it down, which resulted in stopping the attack."

Bot networks are collections of computers that have been compromised by software specifically designed to create a network of systems for attack. A bot--also known as remote-access Trojan horse program, or RAT--seeks out and places itself on vulnerable PCs. It then runs silently in the background, letting an attacker send commands to the system while its owner works, oblivious. The computers are essentially turned into zombies, controllable from afar.

Are security companies ahead of hackers?

The latest versions of bot software enable attackers to control and steal information from compromised computers via chat servers and peer-to-peer networks. These PCs can then be commanded to infect or attack other computers. Security experts have identified bot networks as a critical threat to the Internet.

A common use of a bot network is to order a compromised PC to send seemingly legitimate network information to a single destination, resulting in a torrent of data that overloads the target servers. Such a distributed denial-of-service, or DDoS, attack can block access to a Web site for several hours or even days.

A security professional who participated in investigating the attack confirmed that the DDoS attack apparently came from an extremely large botnet.

"If it was (a) bot, it was very well written and it was very large," the security expert said on condition of anonymity. "As far as we could tell...it all looked like real and legitimate traffic."

While Tuesday's attack was aimed at bringing down the four major Web sites, Akamai's Leighton said his company was the true target.

"At the high level, it was clear that this attack was focused on a subset of our customers," he said. "We assumed they were attacked as a way to get at Akamai."

What remains unclear is how the DDoS attack could be so selective as to focus on the main Yahoo, Google, Microsoft and Apple sites. Distributed attacks are typically blunt instruments rather than scalpels, as evidenced by the mass outages caused by this method in 2000.

Keynote Systems and other Internet performance companies said Web traffic actually dipped during the attack, raising questions about the volume of data sent to Akamai's servers. Typically, a large-scale DDoS would be observed as an increase in network traffic.

Nonetheless, DDoS attacks are getting sophisticated, especially in the variants of computer viruses that have recently surfaced. The Netsky virus used such a technique to target Kazaa and other file-sharing networks, disrupting service at some. Earlier this year, the main Web site of the SCO Group was crippled after attacks from computers infected by the MyDoom virus.

Akamai refused to provide greater detail about Tuesday's attacks, citing a need to keep mum on the details of the company's architecture and to avoid giving more publicity to the attackers.

"There was an extraordinary amount of traffic," Akamai's Leighton said.

[johndoe445566]

The only way to solve the problem

This will continue until the lusers who allow their PC's to become zombies are held accountable for their poor security practices. Having an Internet connection isn't a right -- it's a privilege. Akamia should pick few hundred Zombie owners and sue them for negligence. That would make headlines, raise awareness, and maybe force something to finally be done about the DDoS problem.

[bjbrock]

After the users are sued...

they should turn around and sue Microsofrt for selling a dangerous product which has caused billions in damages for countless users. Microsoft has the largest part in all of the IT woes around today. Making a Microsoft product safe is way beyond the scope of what the average user should have to deal with. Make Microsoft financialy responsible for the carnage enabled by their dangerous software and then we will see a decrease in the massive trash out on the Internet.

Who is guilty?

I understand the frustration, but attempting to make co-victims into co-conspirators is insane. That's like saying the victim in identity theft is guilty of not protecting themselves from identity theft. Personally, I'd rather see the real culprits caught, at any price, and as many as can be found and convicted sentenced to life without parole in the most inhumane prison known to man, followed by a reality show about what that really means, 24/7/365. That puts the blame squarely where it belongs, and might even make these cockroaches change their behavior. Actually, what I really like to do with them can't be published, but this would do for starters.

Reason why traffic dropped

My theory for why traffic dropped is because although the big 4 sites listed were targeted, I think that people sort of got off the Internet for a little bit until things worked again. Where I work, Google was most people's main concern, although we did see the DNS issue effect some e-mail servers and some websites (including a few public government databases) seemed much slower because of the DNS outage.

[mbula]

How can we find/remove the RAT?

Does anyone know if this RAT can be removed by Spy-Bot, Norton's, etc.? When these articles are written, it is rare that the author discusses what remedy or web-site we can go to to remove the RAT. Maybe they don't know enough about it. I think the govt should sponsor a web site to help detecting these problems.

[bjbrock]

If the world would quit using MS's...

software, this and other malicious activity would all but cease. Microsoft id the basis for these attacks. It is the Winows OS which has allowed this to proliferate.

My thoughts

This problem isn?t going to go away by a previous suggestion ?sue them for negligence?. That?s not going to help anyone. If we want this to stop then we must educate people, tossing them in jail or making them pay a fine isn?t helping anyone. I can see the headlines ?grandma receives fine for pc virus?. How about teaching grandma how to scan her pc instead? How about some understanding that not everyone is a pc expert, some might not know how to clean their machine.

Most RAT?s can be detected by virus scanners, you have to make sure the scanner checks to Trojan?s, backdoors, etc and not just viruses and e-mail. Some versions of Norton don?t.

If we want this to be fixed then things need to change, we need the ISP?s to take some of the responsibility in that when things are reported don?t take a week to check on it. A week of an infected pc running is WAY to long. We need people to be understanding, not stubborn.

If everyone worked at the problem then it would be easier to battle, I don?t think we will win outright, but we can make a difference, if we try.

[johndoe445566]

Yes, sue Grandma

"Education" alone isn't the answer. The information is already out there, yet people don't choose to be educated. Sue a few grandmas and people will start taking the time to learn about security, or decide that the Internet isn't for them. As I'm fond of saying, using the Internet is a privilege, not a right. If Grandma can't use it without being a danger to others, she should shouldn't be using it. If grandma had an incontinence problem, they'd make her get out of the public swimming pool too. It doesn't matter that it isn't her fault -- what matters is that she's polluting a common resource.

[johndoe445566]

And sue the broadband ISP's too

And while assigning responsibility, let's not forget the broadband ISP's. Any ISP who doesn't have anti-spoofing filters on their border routers is grossly negligent. I think they could even be held criminally responsible under the "attractive nuisance" laws. If all ISP's had filters in place, DDoS victims could trace packets back to their origin and get them stopped.

[Raife]

The REAL Issues...

Here's my response to this discussion...

First...

1. Using currently available 'communications-mediums', ...IS A RIGHT. This HAS been ruled to be true by the Supreme Court of the United States (yes, they mentioned the 'Internet' specifically). If you don't like this fact, too bad...

Second...

2a. The REAL responsibility for such an incident falls FIRST upon the Virus-Writers themselves, ...if they even exist.

2b. The responsibility then falls squarely on "Microsoft", for producing a SERIOUSLY-FLAWED, and DANGEROUS, product which they sold to an unsuspecting public.

2c. "Granny" can no more be held accountable for the actions of criminals, or criminally-negligent companies, than "John Doe" could be if, for example, someone broke into his house, stole a flashlight, and then used the 'stolen' flashlight during the commission of another crime.

Such an assertion of culpability is simply ASININE.

Furthermore...

3. "Akamai's" claims are themselves currently quite suspect, since the actual evidence makes their assertions look like little more than a pathetic excuse from a company which has, in fact, had a string of embarrassing technical-problems.

4. The actual impact of this, "astonishing" event, was nothing more than yet another, all too common, 'website-access slowdown' (hardly the end of the Internet as we know it, or, a major threat to business).

And frankly...

5. The "threat" of, so-called, "Zombie-PCs" (along with the scourge of SPAM) currently seems to be a couple of the most popular "Cyber Boogie-men".

Of late, these "threats" are being used, mercilessly, as an excuse to limit all sorts of 'Freedoms' (by creating the technical-ability to monitor and control virtually all 'Internet access' and 'computer end-use').

[johndoe445566]

Liability

Lets say I had a gun collection, but "locks are just too complicated for me". So I didn't keep the guns secure, and every [script] kiddie in the neighborhood knew about it. I would indeed be liable if some criminal walked into my house, took one of my guns, and then went off and held up a liquor store with it.

Lets say I'm doing construction on my house. During the process, a pile of scap lumber has accumulated in my front yard. Under the legal doctrine of "attractive nuisance", I am responsible if a kid tresspasses onto my property, steals a 2x4, and then goes and whacks another kid upside the head.

[johndoe445566]

The right to use the Internet

Please cite the case where the Supreme Court held that using the Internet was a right. Having free speech rights ON the Internet is quite different from having a right to Internet access.

You think net access is a right? Try not paying your ISP bill and see how long it takes for them turn off your connection. Have your rights been violated? How about sending spam? Is that a right too?

Freedom of the press is a right, but it only extends to those who own a printing press. You have no right to walk into your local newspaper and demand they print something for you. Newspaper have broad immunity from liability for what they print, but that immunity is not absolute. Papers are successfully sued to libel and slander.

[chish]

Watch the RAT come back

If this attack was thru remote controlled pers. computers and Akamai won't tell what it is, then how can home users remove the threat and the person controlling their computers?

It seems awfully selfish for a big corp. co. to w/hold info that helps the little man and I wouldn't be surprised if/when the starter of this DDoS see's the paragrapgh where they won't tell what it was (to not give them notariety) that the creators don't slam them once again.

And I have to say, as one of the little guys who just helped 3 friends computers go down after Tues attack, it would serve them right.

In order to protect all - you must share the info!

[cpudrewfl]

ITS outsourced programming

Simple english if we didnt outsource and had programming done her by the smartest people in the world maybe this wouldn't happen.

It's a crime to stop the crime

Say what, you ask?

Yes, MS, Linux and other major OS's have security holes. Naive users are a major part of the problem, but the whole point of much of the modern internet is to make it available to naive users. Unfortunately we all will have a long wait for those security holes to be plugged, if they ever are completely plugged.

Yes, in many cases taking advantage of those security holes to form RAT packs is illegal. It should be illegal in all cases... but wait a minute! How do you bring the RAT commanders to justice?

The problem is, the internet is international! There will ALWAYS be places where this behavior is either legal or not prosecuted. So the RAT commanders send their commands to their zombies through other zombies in those jurisdictions.
The only way I can think of to get around the jurisdiction problems is to reverse RAT the RAT's, so that I could trace them back to their source.

But wait, that's illegal too!! So even if I penetrate all their layers of zombies commanding other zombies to find out who they are, I can't use any of that evidence against them because it was illegally obtained! At the very least, the law has to wink at those who do the very same thing to computers as the RAT commanders in order to find them.

So as long as the RAT commanders can send their commands through jurisdictions that can't, won't or don't care to persue them, they keep on happily messing up the internet for the rest of us. I and I imagine others like me won't persue them, even though we might know how, because it's illegal.

Thus my subject line: It's a crime to stop the crime.