The Toronto Sun
Monday, December 16, 1996

Attack on large Web service provider comes from Canada

by Elizabeth Weise

SAN FRANCISCO (AP) -- A computer attack against WebCom, one of the nation's larger World Wide Web service providers, knocked out more than 3,000 Web sites for 40 hours this weekend during the busiest shopping season of the year.

The attack began Saturday morning at 12:20 a.m., said Web Communications' chief operating officer Chris Schefler from the company's offices in Santa Cruz, Calif. Service resumed at 4 p.m. Sunday.

WebCom helps companies and individuals set up Web sites and provides storage space on its computer from which the sites run. The outage was particularly hard on retailers who promote and sell products on WebCom-based home pages.

The attack, launched by an unknown individual or party, blocked service by sending as many as 200 messages a second to the WebCom server, or host computer. This specific "denial of service" attack, known as a SYN-flood, leaves the computer unable to respond to the flood of messages, which queue up and eventually render it unable to function at all.

This is the same type of attack which took down a popular New York Internet service provider, Public Access Networks Corp., or Panix, for more than a week in September.

When WebCom first went down, it triggered a message to company technicians who were automatically paged by one of the company's computers monitoring the network.

The technicians immediately began searching for the origin of the problem.

WebCom engineers contacted PSINet, the Internet service provider that supplies WebCom's connection to the Internet. Ten hours later, PSINet traced the attack's route to Internet communications lines owned by MCI Communications Corp., the nation's second-largest telecommunications company.

MCI traced the offending messages to an Internet service provider based in Ontario called CANet. From there, they traced them to a small network provider in Vancouver, British Columbia called BC.Net.

WebCom believes the attack was launched from a BC.Net account that had been broken into by an unknown party. Engineers were unable to stop the flood of messages, so MCI blocked all traffic from CANet to WebCom, finally allowing WebCom customers' sites to come back online Sunday afternoon.

The outage was a huge blow to the customers who use WebCom as the site of their Web-based businesses.

"The timing was horrendous. In my situation, it's basically the largest mail order weekend for my business," said Tina Koenig of Hollywood, Fla., who runs Cybercalifragilistic, which sells computer-themed gift products and holiday greeting cards that can be sent via the Internet.

"It might be akin to placing a bomb in a retail store, preventing eople from making their purchases," she said.

WebCom had actually experienced a similar, though shorter, attack the weekend before, said Thomas Leavitt, WebCom's lead network engineer. That assault had left it somewhat prepared for the weekend's breakdown.

That's been the story throughout the Internet, said a Dale Drew, a senior security engineer with MCI who helped WebCom trace the attack.

SYN-flood attacks are very technically sophisticated and formerly only a few hackers had the necessary tchnical skills to attempt them. But a few months ago two hacker magazines published the source code for this type of attack and since then at least four networks have been hit, Drew said.

"As soon as the code was published, anyone, whether or not they had the talent, could basically take down a network. We're seeing lots of really young kids, 14- and 15-year-olds, who really don't have the ability to hack into the systems themselves, but they're using this code to do it," he said.

WebCom intends to find the person responsible, Leavitt said.

"This was a completely irresponsible act by whoever did it that inflicted major damage upon hundreds and thousands of individuals and businesses," he said.

"If we can find out who it was, we will seek legal redress."

Copyright © 1996 by Assocatied Press. All Rights Reserved. Reprinted with permission.