Hackers [sic] Force Yahoo Shutdown
Group action suspected in attack
that closed Web site for 3 hours
Carrie Kirby, Chronicle Staff Writer
Tuesday, February 8, 2000
Yahoo.com was the victim of a hacker [sic] attack
yesterday that shut down the world's busiest Web
site for three hours.
``This is one of the most significant outages we've
seen,'' said Cormac Foster, an analyst with
e-commerce research firm Jupiter Communications.
``It doesn't get any higher profile than Yahoo.''
The company's main portal, Yahoo.com, and
several related services were unavailable worldwide
from 10:20 a.m. until about 1:20 p.m.
It appears that several people may have worked
together in a ``denial-of-service attack'' to shut
down Yahoo, which was accessed by more than 42
million unique users in December.
Such an attack uses several different computers to
simulate a huge increase in traffic -- in this case,
millions of phantom users -- that essentially freezes
a Web site. Picture a 20-car pileup on Highway
101 at rush hour.
``Our routers were overwhelmed by this mock traffic
that hit us,'' Mallett said. ``Up to 1 gigabyte of
requests per second were coming in. Some Web
sites don't get 1 gig in a year.''
The attack was focused on one of Yahoo's server
centers in Northern California, said Jeff Mallett,
Yahoo president and chief operating officer.
Steven Bellovin, an Internet security researcher for
AT&T Labs, said the attack on Yahoo could
undermine consumer confidence in the Internet if the
overall problem of denial-of-service hackers ``is not
dealt with.''
``It's a form of vandalism, and it's growing,''
Bellovin said.
No one immediately took credit for the attack, and
Mallett would not speculate on who or how many
people might be responsible. ``Someone thought
through this; it wasn't just on a whim,'' he said.
Yahoo stopped the problem by 1:20 and access to
its sites was soon up to 97 percent, according to
Keynote Systems, a firm that measures Web site
performance. Criminal authorities were not
investigating the attack last night, but Mallett didn't
rule out that possibility.
The attack was limited to the routers that connect
Yahoo's servers to the Internet. Yahoo's servers,
where its Web pages are stored, were not invaded,
and the attackers did not change any material on
Yahoo's pages.
Mallett said that some of Yahoo's services, such as
its calendar, e-mail and shopping sites, remained
available throughout the outage, and users who had
Yahoo.com open before the attack began were
able to perform Web searches and use the directory
intermittently. However, access to some of these
services might have been so slow that some users
were ``timed out'' and disconnected from the site
before successfully loading them, Mallett said.
In the past two years, denial-of-service attacks
crashed a number of well-known targets, including
the Web sites of the FBI, NASA, the Navy, and a
number of colleges, including MIT, Northwestern
University and University of California campuses in
Berkeley, Irvine and Los Angeles.
Ironically, Bellovin, of AT&T Labs, was in San
Jose yesterday to deliver a speech on
denial-of-service problems at a conference of North
American Internet service providers. The Yahoo
attack, which became the talk of the North
American Network Operators Group meeting,
occurred shortly after he finished his speech.
Bellovin expects more distributed denial-of-service
attacks now that Yahoo has been hit.
``This is the first time a very prominent site has been
hit,'' Bellovin said. ``The problem is, we don't have many
good defenses for this at the moment.''
``They are all too common in our experience,'' said
Stephen Hansen, security officer at Stanford
University. ``At present, there is no foolproof way
to stop them.''
Hansen said Stanford itself was hit with a similar
attack Sunday afternoon. Apparently, a hacker
broke into one of Stanford's computers, logged
onto a chat room and did something to irritate some
of the other chatters. In retaliation, someone tried to
flood several Stanford computers, from which the hacker
appeared to be operating, and shut the
machines down. The attack lasted about an hour.
In this case, Hansen said it didn't create a serious
problem because Sundays are slow, and Stanford's
network can handle a large amount of traffic. But
had the attack occurred during business hours, it
could have cut off other users. He said other attacks
have occurred during busier times in the past.
``Why Yahoo today? I don't know,'' Hansen said.
``Why someone might do this to the FBI? That's
fairly obvious.''
One problem with these attacks, he said, is that
hackers often disguise their location by forging fake
Internet addresses to make it appear as though the
attack is coming from everywhere. That makes it
hard to spot a denial-of-service attack, and even
harder to track the hacker down.
Jim Magdych, director of Network Associates'
security research division, feared that Yahoo's
attack probably was a new type known as a
``distributed denial-of-service attack,'' in which a
single person can use several different computers
simultaneously to launch an attack. The hacker can
even use people's computers without their
knowledge.
If this was the case, it's conceivable that Yahoo was
brought down yesterday by a single hacker,
Magdych said.
``Before, there would have been a person on each
machine launching the attack. . . . Now one hacker,
if he had enough time and energy, can launch huge
attacks,'' he said.