The FBI has launched a probe into the string of attacks on the Internet's top Web sites.
Attorney General Janet Reno announced the investigation Wednesday as E*Trade and ZDNet joined the growing hit list of high-profile Web sites to suffer denial-of-service attacks in the past three days.
Reno said the government is "committed in every way possible to tracking those who are responsible."
Other Net targets have included eBay, Buy.com, Amazon.com, CNN.com and Yahoo!
As the incidents mounted, security experts declared that the outages were almost certainly the result of a coordinated effort.
"I don't see how they couldn't be," said Stuart McClure, the president and chief technology officer at Ramparts Security Group LLC in Irvine, Calif. "The symptoms are all the same, the effects are all the same -- every time I talk to people [at the afflicted sites] they all say the same things."
Coordinated effort suspected
Elias Levy, chief technology officer of Securityfocus.com, a computer security information service, concurred, noting that the rapid succession of disruptions suggests a connection among the attacks.
"It would be very difficult to assemble this level of attack so quickly if it were a copycat," Levy said.
On Wednesday morning, online brokerage E*Trade (Nasdaq: EGRP) told CNBC that it was the subject of an attack, but only a small percentage of customers were affected. The company said it had successfully redirected the attack.
Brokerage Datek denied reports that a 30-minute outage Wednesday morning was caused by an attack.
ZDNet (NYSE: ZDZ) was offline for two hours starting at 4:30 a.m. PST. The company said it appeared to have been the target of a denial-of-service attack.
Users have reported sporadic problems accessing America Online on Wednesday, but a spokeswoman said she did not believe they were attacked.
Service to some Microsoft sites was also spotty Tuesday, some users reported. Microsoft did not return telephone calls for comment.
Web traffic to both eBay (Nasdaq: EBAY), the Web's largest online auctioneer, and Buy.com (Nasdaq: BUYX), an online retailer in the midst of its IPO, was blocked by the cyber attacks Tuesday. Yahoo! (Nasdaq: YHOO), one of the world's biggest and most reliable sites, was knocked offline for three hours Monday.
FBI-Yahoo! meeting
The FBI met with Yahoo! executives Tuesday to discuss opening an investigation into its denial-of-service attack.
Meanwhile, Internet monitoring firm Keynote Systems Inc. reported late Tuesday that Amazon.com Inc.'s Web site was virtually shut down at about 5 p.m. PST Tuesday.
According to Keynote, it was able to enter Amazon (Nasdaq: AMZN) about 1.5 percent of the times it tried, and the online store's "inaccessibility looks very similar to what we saw with Yahoo and eBay and Buy.com." Amazon was not available for comment Tuesday night.
CNN.com was hit later Tuesday.
"At 7 p.m. EST we were attacked by hackers. A denial-of-service attack occurred until 8:45 p.m. We were seriously affected. We were serving content, but it was very inconsistent and very little," said PR director Edna Johnson, in a statement.
"By 8:45 p.m. our upstream providers had put blocks in place that are shielding us, and we are now serving content."
eBay, Buy.com and Yahoo! all were targeted by coordinated, distributed denial-of-service attacks -- a technique in which attackers use a great number of compromised servers to flood a target with data. This type of attack takes only limited technical expertise and can be difficult to stop.
"Denial of service is becoming more sophisticated," according to a "white-hat hacker" working for security firm @Stake Inc. who identifies himself as Weld Pond. "The problem is not going away."
Target No. 1: Yahoo!
The spate of Web attacks began at 10:30 a.m. PST Monday, when traffic to Yahoo! -- the second most popular site on the Web after America Online (NYSE: AOL) -- took a nosedive. Engineers at GlobalCenter Inc., the hosting service for Yahoo!, initially thought a critical piece of network equipment had failed. However, GlobalCenter soon realized that malicious attackers were responsible for blocking the key transfer points, known as routers, between Yahoo! and the Internet.
"About half of the entry points in our network were affected," said Laurie Priddy, executive vice president for GlobalCenter, a subsidiary of telecommunications giant Global Crossing Ltd.
A flood of data sent by the attackers, seemingly coming from 50 different IP addresses, overwhelmed the routers managed by GlobalCenter. The flood peaked at 1Gbps, but for the most part the hosting service's other customers were not affected.
"We have a very large network that carries a huge amount of traffic," said Priddy, adding that the capacity allowed its other customers to remain up and running. "We had a small number of customers that called, but no more than any other day."
Yahoo! didn't get back up until 1:30 p.m. PST Monday.
Target No. 2: Buy.com
The next target, Buy.com, was hit just over 24 hours later. Mitch Hill, chief financial officer for Buy.com, said the denial-of-service attack originated from such disparate points as Chicago, Boston and New York -- overwhelming Buy.com's servers.
Buy.com said 800 megabits of data per second hit the site -- about eight times the site's capacity. According to Hill, Buy.com normally runs at only 30 percent of its capacity.
Although the timing of the attack with the company's IPO (initial public offering) appears to be suspect, Hill said there is no evidence it was timed to hurt the company's stock offering. "It is unfortunate that whoever did this chose to attack us on this day," he said.
Prior to the outage Buy.com was experiencing higher than normal traffic because of publicity related to its IPO.
Target No. 3: eBay
The third target, eBay, was hit five-and-a-half hours after Buy.com. The attack occurred just before 3:20 p.m. PST and lasted throughout Tuesday afternoon and into the evening while eBay worked to filter out the unwanted traffic.
In a statement eBay said: "We are taking multiple measures to fight this, including working with local and federal authorities, ISPs including Sprint, UUNet and AboveNet, our vendors, including Cisco, our partners, and other Internet sites that have recently been attacked in the same way."
Members of the eBay community have been notified that they are eligible to receive a credit if they believe their auctions have been "materially affected" because of the outage. eBay said no internal data related to auction listings or bidding were compromised during the attack.
Can the Web's biggest sites protect themselves from these attacks? In the Yahoo! case, GlobalCenter's engineers put restrictions on the type of data -- known as Internet Control Message Protocol (ICMP) packets -- that had flooded it for those few hours. Instead of letting an unlimited amount of data through, GlobalCenter scaled back.
That tactic is something the company should have done before the attack, said @Stake's Weld Pond. "We installed (such) filters a long time ago because of such attacks," he said.
While in Yahoo!'s case the attack seemed to come from 50 different Internet addresses, more likely hundreds or thousands of servers were used and the data forged to make it look like it came from only 50 addresses, Weld Pond said.
SecurityFocus.com's Levy described a case where 10,000 servers had apparently been used to conduct a similar attack. "In essence, these attacks are harnessing the power of hundreds of computers on the Internet to amplify and focus an attack," Levy said. "The only way to stop this misuse of the Internet is for everyone to check their own network and fix any misconfigured systems."
That's only a stopgap solution, said Steve Bellovin, network and security research fellow at AT&T Labs. "The best we can do today is put in anti-spoof filters that make the attacks harder and the attackers easier to track down."
Coincidence or not, a half-hour after Bellovin gave a talk on denial-of-service attacks at a conference for the North American Network Operator's Group, the attack on Yahoo! began.
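As an added illustration (not part of the original report), the sketch below models the two defenses described above: a cap on inbound ICMP like the restriction GlobalCenter applied, and the anti-spoof filter Bellovin mentions, applied to traffic leaving a network. The prefix, addresses, rate and burst values are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress

# Constructed assumption: the network's own address space (documentation range).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


class IcmpBucket:
    """Token bucket: about `rate` ICMP packets per second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def egress_ok(src):
    """Anti-spoof check: a packet leaving us must carry one of our own addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_PREFIXES)


def filter_packets(packets, direction, bucket):
    """packets: (time_s, source_ip, protocol) tuples. Returns one verdict each."""
    verdicts = []
    for t, src, proto in packets:
        if direction == "out" and not egress_ok(src):
            verdicts.append("drop-spoofed")
        elif direction == "in" and proto == "icmp" and not bucket.allow(t):
            verdicts.append("drop-ratelimit")
        else:
            verdicts.append("pass")
    return verdicts


def demo():
    # Constructed sample: 20 inbound ICMP packets in 0.1 s, then one TCP packet.
    flood = [(i * 0.005, "198.51.100.%d" % (i % 50 + 1), "icmp") for i in range(20)]
    inbound = filter_packets(flood + [(0.1, "198.51.100.9", "tcp")], "in",
                             IcmpBucket(rate=5, burst=5))
    # Constructed sample: one honest and one forged source leaving the network.
    outbound = filter_packets([(0.0, "192.0.2.10", "icmp"),
                               (0.0, "203.0.113.7", "icmp")], "out",
                              IcmpBucket(rate=5, burst=5))
    return inbound, outbound


if __name__ == "__main__":
    print(demo())
```

The rate limit keys on protocol, not source address, so it holds no matter how many forged addresses the flood uses; the egress check only helps when it is deployed on the networks the traffic originates from.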
Future looks dark
The future looks a whole lot darker, however.
While filtering packets can be a defense against most of today's tools designed to conduct a distributed denial-of-service attack, new techniques could bypass such defenses.
One such tool for attackers, known as Stream.c, sends forged TCP/IP packets, which a typical router will pass to the destination server. The packets can be designed to take up precious computing cycles before the data is determined to be bad.
The bad news is that such packets are hard to detect and filter out. The good news, perhaps, is that -- so far -- only vandals seem interested in using the attacks.
"These sorts of attacks make (the attacker) feel powerful," said AT&T's Bellovin. "It's the equivalent of kids snapping antennas on the street."
ZDNet's Patrick Houston and Reuters contributed to this report.