NATO web site holds off cyberattacks

An online assault against the primary NATO Web site (www.nato.int) last week signaled a cyberwar that, in some ways, mirrored the alliance's air assault against the Serbs.

A group of international crackers deployed conventional weapons against an enemy from a variety of locations, managing to impede access to the site but not shut it down.

NATO webmaster Chris Scheurweghs stressed that the online assault hadn't compromised classified NATO networks, which are kept separate from those supporting the public Web site.

"This is [the] first time I have seen [a] cyberwar since the operation started," Scheurweghs said. "There has been a systematic effort to attack us, and whether it is part of military planning from potential enemies or individuals by themselves, I don't know."

Dozens of computer viruses, sent by crackers in Yugoslavia and other worldwide locations, have targeted NATO networks. Some are Microsoft Word macro viruses such as the Melissa virus that hit corporate networks this week. So far, NATO has successfully repelled the viruses with help from commercial antivirus tools.

Scheurweghs heads the alliance's Integrated Data Service in Brussels and is one of the webmasters responsible for posting NATO's latest press releases, maps, video clips and transcripts of press conferences on NATO operations. The site is heavily used by journalists and others seeking information on the military campaign against Yugoslavia.

"By offering information from our sources and from the enemy side, they can compare sources and make their own judgments," Scheurweghs said. "By blocking our sources, you really come into a propaganda war."

After NATO's daily afternoon press conferences, traffic to the Web site is particularly heavy. Last Thursday, about 74 Gigabytes of data were downloaded from the site over three hours after that day's press conference.

The unsophisticated crackers are using tried-and-true tactics. They have saturated the site's 1.6 Megabyte line with pings, which are requests for the machine to identify itself and confirm its status. Each ping contains only 32 bits of information, and Scheurweghs said he was astonished that massive pinging could eat up so much bandwidth.

The webmaster said the ping attack significantly slowed access to the NATO site for a few hours on March 30. Network administrators finally blocked all commands to the servers except those that send mail and download Web pages.

Other amateur attackers are spamming the site with thousands of e-mail messages, Scheurweghs said.

Richard Power, editorial director of the Computer Security Institute in San Francisco, said these are unsophisticated nuisance attacks that are difficult to prevent. Whereas stealthy crackers typically target classified networks, he said, this is more like the cyberspace equivalent of a protest march.

But he noted that 400 people in cyberspace can do much more than 400 people with placards in front of NATO headquarters. "All they have to do is stay on their keyboards and send the same message," Power said.

In fact, Scheurweghs said last week's announcement about the attack on the site may have made the NATO webmaster's job more difficult by giving other crackers ideas.

NATO authorities are trying to trace the spammers through their domain name server (DNS) numbers, some of which appear to be coming from universities.

"If we can trace the DNS back to a university or NATO country, we will certainly try to take legal steps," Scheurweghs said. But there may not be international laws in place to prosecute, he added.
