May 4, 2001 5:40 PM PDT
Hackers cripple White House site
Two Internet service providers told CNET News.com midday Friday that they found evidence of a coordinated strike on government information servers that support the site. Several hours later, a White House spokesman acknowledged that the site had indeed been attacked.
Between 5 a.m. and 8 a.m. PDT, page requests to the Whitehouse.gov address went unanswered, said Dan Todd, chief technologist for public services for Internet performance service Keynote Systems.
"The type of errors we were seeing was indicative of extremely heavy traffic to the Web site or a denial of service," he said. The attack continued, but with less success, until about 10 a.m.
The attack continued, however, later in the day, with page requests to the site failing half the time between 1 p.m. and 2 p.m. PDT. After 2 p.m., the site was occasionally inaccessible, said Todd.
So-called denial-of-service attacks overload a site's servers with a flood of data, effectively blocking surfers from accessing any files on the targeted computer. Distributed versions of such attacks--where the online vandals use tens, hundreds or even thousands of compromised servers to automate the flood of data--are harder to stop.
In February 2000, such distributed denial-of-service, or DDoS, attacks downed Yahoo, CNN.com, ZDNet and five other major sites for several hours at a time. In January, Microsoft fell prey to such attacks after the software giant's sites were taken offline by several technical glitches.
The White House confirmed that the outage was a denial-of-service attack late Friday afternoon.
"The connection between the Whitehouse.gov servers and our ISP was clogged due to an enormous amount of data," White House spokesman Jimmy Orr said. He added that officials are looking into the incident, but he would not speculate who had targeted the Web site.
According to Orr, the attack lasted a little over two hours and ended by 8:15 a.m. PDT. He could not explain the outage that Keynote Systems noted later in the day.
The FBI declined to comment.
Michael Cheek, the director of intelligence production at security firm iDefense, noted that pro-China hackers on Friday had been planning an attack on Whitehouse.gov, according to information gathered by the company.
Federal authorities warned last week of a planned "Labor Day Strike" from Chinese hackers upset over the recent U.S. spy plane incident.
According to the National Infrastructure Protection Center, a unit of the FBI, "Chinese hackers have publicly discussed increasing their activity" between two major holidays this week in China. May 1 is International Workers Day, and May 4 is Youth Day. Also coming up May 7 is the two-year anniversary of the accidental U.S. bombing of the Chinese embassy in Belgrade.
While the number of defaced Web pages has risen during the week, little real damage has been done.
"There's no way of knowing for sure, but that was the attack plan," Cheek said.
But an Internet service provider based in Albuquerque, N.M., did find six compromised servers that appeared to be used to hit the site.
Mark Costlow, co-owner of ISP Southwest Cyberport, said the company's technicians identified six customers' servers that were loaded with tools that could be used for such a DDoS attack. The servers were sending data to Whitehouse.gov early Friday morning.
"From these servers--and some of them have already been shut off--we were seeing 3 megabits per second of traffic," he said. "Not that much for a denial-of-service attack, but enough for us to notice and to saturate certain links."
The attack began around 6 a.m., Costlow said. He said that the data sent to the Whitehouse.gov servers, known as ICMP (Internet Control Message Protocol) data, is generally used to report errors and test connections.
"All six servers were aimed at the same White House IP address," Costlow said. The IP address corresponds to one of the Whitehouse.gov Web servers, CNET News.com confirmed.
Costlow added that the data flood could easily be traced back to the company's site, because the attack tools did not camouflage the source of the attack. However, Costlow could not immediately identify who was controlling the compromised servers.
Within two hours, the company had identified the hacked servers and shut them down, Costlow added.
The attack matched another that hit the CIA on May 1, said Keynote's Todd. Between 10 a.m. and 11 a.m. on that day, 92 percent of requests to the CIA.gov Web site were unfulfilled.
"The symptoms are the same, so we can assume the disease is as well," he said.
News.com's John Borland and Jim Hu, and CNET Radio's Chuck Fishman contributed to this report.