FBI Investigates Cyberattack Against AboveNet

FRAMINGHAM (04/27/2000) - As investigators continue to search for attackers who temporarily shut down eight e-commerce sites in February, another company was hit by a different type of denial-of-service attack Tuesday.

The U.S. Federal Bureau of Investigation is investigating a denial-of-service attack launched against San Jose-based AboveNet Communications Inc. that blocked traffic to almost a thousand content and service providers.

Unlike the earlier distributed denial-of-service attacks that flooded e-commerce sites with false data traffic, this attack was directed against a switch in AboveNet's network. AboveNet's Internet Service Exchange (ISX) network provides co-location services and Internet connectivity to companies such as NetZero Inc., CNet Inc. and America Online Inc., which wasn't affected by the outage.

"This wasn't just a teen-ager with a $300 Linux machine. This was someone who had time to learn the trade," said Paul Vixie, senior vice president of Internet services at Metromedia Fiber Network Inc. in White Plains, N.Y., AboveNet's parent company. "It was certainly severe; most of our customers were impacted for a period of hours."

According to Vixie, the attack was directed at a network device called a customer aggregation switch. The switch bundles co-location customers at the company's ISX facilities and links them to an Internet backbone as one high-speed connection. Vixie said the attack hit three switches at the company's ISX facilities in New York, Vienna, Va., and San Jose.

The switch is made by Cisco Systems Inc., but Vixie said the exploit had nothing to do with a defect in the switch. He said the attacker exploited a flaw in the switch's configuration management process that the company has since changed.

"There are certainly good and bad ways to do that. We thought we were using a good way, and (this week) we found out that we weren't," said Vixie. "The hole closed was in the process, not in the product."

Vixie said he believes there is little opportunity for copycat attacks because of the unique methods AboveNet used to manage its network. The company suffered rolling outages from mid-morning Pacific time on Tuesday to mid-afternoon.

According to Vixie, many customers had alternative carriers that ensured their network traffic got through - a common fail-over strategy for high-end customers. Very large customers, such as AOL, whose traffic wasn't funneled through the aggregation switch, weren't impacted.

Vixie advised other information technology managers who may be concerned with the management of their switches to consult with their vendors on proper switch management and configuration. He said swift action is also needed to deflect such attacks. Close network monitoring revealed the connectivity loss to customers, and AboveNet launched an investigation immediately. "We used brute force," said Vixie. "We called everyone in on the shift and went through the network with a fine-tooth comb, not only to get everyone back up online, but to make sure there were no time bombs." He added that no backdoors or other delayed exploits were detected.

Vixie says the company has speculated widely as to the motive for the attack and concluded that it could have emerged from one of two "completely useless categories." One category includes competitors that the company took a customer away from, disgruntled former employees or customers who had been disconnected because they were spamming. The other category, said Vixie, includes "someone who has something to prove and wants to bring our network down and wants to brag about it."

The denial-of-service attacks launched in February have proved difficult to trace because of the sheer volume of the attacks and the fact that targeted sites weren't able to capture attack data during the incident. But Vixie said the FBI has a reasonable chance of catching his company's attacker, partly because AboveNet has put resources into filtering, logging and traffic analysis. "We did not come away from (Tuesday's) experience completely ignorant," said Vixie.

The February attacks against eight large e-commerce sites appeared to involve known attack tools such as Tribe Flood Network and Trinoo, which use co-opted machines to send a storm of packets against targeted sites. Vixie said that because of the ongoing investigation, he couldn't say whether known exploits were used in the AboveNet attack.

A 15-year-old Canadian, who allegedly calls himself Mafiaboy, was arrested April 15 by the Royal Canadian Mounted Police and charged in connection with a February denial-of-service attack against the CNN Web site. He was charged with two counts of mischief to data, but security analysts believe he likely wasn't responsible for the other attacks. An investigation is ongoing, but no other suspects have yet been named.
