Web Communications LLC, one of America's largest Web hosting services, was blacked out for more than 40 hours this weekend when it became the latest victim of a so-called "denial of service" hacker attack.
The attack was traced back through a string of networks and Internet service providers to a college in British Columbia, although officials are unsure now if the attack originated even there.
Denial of service attacks of this kind, known as SYN floods, occur when a network server is bombarded with connection-request packets that carry bogus return addresses. When the server tries to reply to the packets, it finds no legitimate address and stacks them up in its pending connection queue, eventually causing the server to crash or malfunction, says Chris Schefler, president of Web Communications (WebCom).
All servers that use the Internet's TCP/IP protocol are susceptible to such attacks.
The incident cost WebCom and the online storefronts it supports "tens of thousands of dollars," Schefler says. "The SYN flood attack exposes a gaping hole in Internet security which must be fixed rapidly."
The sabotage technique is not new, but has become more prevalent since two online hacker magazines published the code that initiates the attack last summer. Prominent victims have included Panix (Public Access Networks Inc.), a New York Internet access provider, and The New York Times.
The issue is being examined by, among others, the U.S. Department of Energy's Computer Incident Advisory Capability team (CIAC), and the U.S. Computer Emergency Response Team (CERT). The FBI also is investigating at least three cases of SYN flooding, and is determining if the WebCom case falls under its jurisdiction, says George Gotz, a special agent at the bureau's San Francisco division.
The present attack, which knocked out all 3,000 Web sites hosted by WebCom, began shortly after midnight Saturday. Fourteen hours later, the company's service provider, PSI, traced the attack to the MCI network, which traced it in turn through a Canadian ISP, CA-Net, to a college in British Columbia.
From there the trail ends - for the moment at least.
"The college says someone hacked into their system, probably from the outside, and has deleted the accounting files to cover their footsteps. We're working with them to explain how to undelete those files," Schefler says.
CIAC and CERT officials have found no way to prevent the attacks, but recommend that ISPs reconfigure their routers so they will not forward outbound packets whose source IP addresses do not belong to their own network.
"It won't prevent the attack, but it will prevent it from originating in that network," a CIAC spokeswoman said. "If enough ISPs take those steps, the hacker will have trouble finding a place to start from."
Servers can be reconfigured to have larger connection queues, and to discard pending connections more quickly. That, too, is only a stopgap measure, but may enable the server to survive an attack.
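The trade-off in the two paragraphs above, as an added simulation that is not part of the original article: a pending-connection queue is modelled under a stream of spoofed SYNs that never complete, and three settings are compared. All parameters (backlog sizes, timeouts, packet rates) are constructed assumptions, not WebCom's or Netscape's actual values.

```python
"""Discrete-time model of a server's pending-connection (SYN) queue under a
spoofed-SYN flood. One tick = 1 ms. All parameters are constructed."""


def simulate(backlog, timeout_ms, spoofed_per_ms=1, legit_every_ms=10,
             rtt_ms=50, duration_ms=2000):
    """Return (accepted, dropped) counts for legitimate connection attempts.

    backlog    -- maximum number of half-open entries the server keeps
    timeout_ms -- how long a half-open entry waits before it is discarded
    Spoofed SYNs never finish the handshake (the bogus source never answers),
    so each holds a slot for the full timeout. Legitimate SYNs complete after
    one round trip and release their slot.
    """
    queue = []          # entries are (release_time, is_spoofed)
    accepted = dropped = 0
    for t in range(duration_ms):
        # Drop entries that timed out or completed before this tick.
        queue = [e for e in queue if e[0] > t]
        # Flood packets arrive first: they outnumber and outrun real clients.
        for _ in range(spoofed_per_ms):
            if len(queue) < backlog:
                queue.append((t + timeout_ms, True))
        if t % legit_every_ms == 0:
            if len(queue) < backlog:
                queue.append((t + rtt_ms, False))
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped


def compare_settings():
    """Run the three server configurations the article contrasts."""
    return {
        # Small queue, long wait (assumed values): fills within a second.
        "backlog 128, 75 s timeout": simulate(128, 75_000),
        # Larger queue alone: survives longer but still fills up.
        "backlog 1024, 75 s timeout": simulate(1024, 75_000),
        # Larger queue plus faster discard: the stopgap the article describes.
        "backlog 1024, 0.5 s timeout": simulate(1024, 500),
    }


if __name__ == "__main__":
    for name, (ok, lost) in compare_settings().items():
        print(f"{name}: {ok} accepted, {lost} dropped")
```

Once the queue is full of spoofed entries, every slot freed by a completing legitimate connection is immediately taken by the flood, which is why only the combination of a larger queue and a timeout shorter than the time the flood needs to fill it keeps accepting clients.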
WebCom's current server software, from Netscape Communications Corp., does not have such capabilities, but an upgrade version does, Schefler says.
"We're accelerating our upgrade, hopefully to the end of the week," he said. "Meantime, we'll keep our fingers crossed."
WebCom, in Santa Cruz, California, can be contacted at http://www.webcom.com/.