[ISN] Akamai Attack Reveals Increased Sophistication

From: InfoSec News (isn@private)
Date: Tue Jun 22 2004 - 03:58:07 PDT

    By Jaikumar Vijayan
    JUNE 21, 2004

    An attack last week against Akamai Technologies Inc. demonstrated the
    disruption of key Web site activity that a well-placed assault on the
    Internet's Domain Name System can cause.

    The incident also revealed a troubling capability on the part of
    hackers to target core Internet infrastructure technologies, security
    experts said.

    Several major customers of Akamai's DNS hosting services, including
    Microsoft Corp., Yahoo Inc. and Google Inc., suffered brief but severe
    Web performance slowdowns on June 15 as a result of a large-scale
    attack on Akamai's DNS servers. Keynote Systems Inc., a San Mateo,
    Calif.-based third-party Web site performance measurement firm, said
    that in some cases, availability of affected sites dropped to nearly
    zero for a brief period.

    Microsoft, Yahoo and Google confirmed that their Web sites suffered
    performance problems but deferred further comment to Akamai.

    Cambridge, Mass.-based Akamai initially blamed a widespread Internet
    attack. But Chief Scientist Tom Leighton subsequently said that the
    company appeared to have been the victim of a targeted distributed
    denial-of-service attack (DDoS) that affected about 50 of its roughly
    1,100 customers.

    "Our assumption was this was an attack against Akamai and it was
    perpetrated by attacking our customer name service infrastructure,"
    Leighton said, referring to the DNS.

    The question of what went wrong at Akamai is important because of the
    nature of the attack, security experts said. The DNS is a critical
    component of the Internet because it maps Web names to IP addresses.
    The fact that the attackers were successful in finding these systems
    and then compromising them at a company that specializes in protecting
    the DNS infrastructure is another key concern. Also important is that
    the attack simultaneously disrupted service - however briefly - at
    some of the largest Web sites in the world.

    Alternative Scenarios

    Some security experts, however, said a DDoS attack is unlikely to have
    been the cause of the problem simply because of the amount of
    bandwidth an attacker would have needed to overwhelm an operation such
    as Akamai's.

    "Akamai is not a two-bit operation. These guys are designed to stay
    up. They are huge and well distributed, so it doesn't add up," said
    Bruce Schneier, chief technology officer at Counterpane Internet
    Security Inc. in Mountain View, Calif. "My guess is that it [was] some
    kind of an internal failure within Akamai or maybe a targeted attack
    against them by someone with insider knowledge and access."

    Moreover, there was no suspicious Internet traffic or DNS patterns to
    suggest that such a massive and distributed attack had taken place,
    said Craig Labovitz, director of network architecture at Arbor
    Networks Inc., a Lexington, Mass., provider of DoS mitigation
    technologies. Arbor's network monitoring tools are installed on
    several carrier networks around the world.

    In any case, the event was marked by being a step beyond "simple
    bandwidth attacks" on individual Web sites to more sophisticated
    targeting of core upstream Internet routers, DNS servers and bandwidth
    bottlenecks, according to Labovitz.

    "It's a fairly scary escalation," Labovitz said. "What we are seeing
    is a shift away from completely brain-dead attackers to folks who know
    a little bit about the network topology, trace routes and about where
    the DNS might live" on a network, he said.

    "DNS is an attractive target because so many things rely on it, from
    the Web to e-mail to VoIP call routing," said Paul Mockapetris,
    inventor of the DNS and chairman of IP address management vendor
    Nominum Inc. in Redwood City, Calif.

    The growing load is taxing the infrastructure and making it more
    vulnerable to the type of DDoS attack that hit all 13 of the
    Internet's root DNS servers in October 2002, experts warned.

    "We are afraid that even if we make DNS servers run four times faster,
    we are on a treadmill," Mockapetris said. "Attackers will eventually
    just recruit five times as many zombies" to launch DoS attacks, he
