Subject: Re: Hacker Attack??? From: Rex Ballard Date: Tue, 5 Nov 1996 00:57:41 -0500 (EST)
How the Web Was Won

	Rex Ballard - Director of Electronic Distribution
	http://cnj.digex.net/~rballard

On Thu, 24 Oct 1996, Jeff Perlman wrote:

> Alert:  Hacker attack?
> 
> Caution: the foregoing is unconfirmed and should be treated as speculation
> at this point.
> 
> This morning (PDT) the www.latimes.com discovered that people were not
> able to access the site or were experiencing a severe degradation in
> service. Investigation by our technical staff seems to point to some sort of
> hacker attack on our host, BBN. Evidence seems to point to a bunch of TCP/IP
> connections to our server there being left open and multiplying
> simultaneously, never timing out, according to one of our systems people. I
> don't understand the technical side of this, so please don't bombard me with
> systems-oriented questions. I repeat that this is not yet confirmed
> officially, and I'm only posting this information to put others on guard.
> BBN is rebooting our server to try to clear the problem.

This is a rather interesting type of attack.  It resembles one where a
host was simulating different hosts in the return address and delivering
the impression that several hosts were involved.  It was ultimately traced
back to a Sprintlink connection.  No word on who the customer was, but
they had sufficient resources to have a Sprint Frame-relay connection, to
generate a substantial amount of traffic, and to override protections
normally enabled in routers such as Cisco and Wellfleet.

> Has this happened to you?
> --Jeff
> 
> 
>  We do know that somehow our server up at BBN needed to be rebooted this
> morning, apparently because of this incident.  

The nature of the attack is to create so many processes that the process
table fills up completely.  Ironically, the BBN host would have had to
return the TCP/IP handshake directly back to where it came from.
Otherwise the TCP/Connect would time out in a few seconds.  If the IP
address were faked, and the response was sent back to the faked address,
the host at the faked address would choke on the unsolicited response.

There is a possibility that someone posted a trojan horse as a Microsoft
Word web page.  It is possible to embed an EXE file within a Word
document.  This document, when viewed by Explorer, will load the Word
document, execute the EXE file, and display the "result" to the user.

If the result is no message, or a nonsense message, the EXE file can sleep
until an opportune time and then start spontaneously attacking the
selected site.

This attack is effective with Microsoft Mail as well.

> >> Story at http://www.news.com/News/Item/0,4,4748,00.html
> 

+---------------------------------------------------------------------------+
Posted to ONLINE-NEWS. Made possible by Nando.net - http://www.nando.net

------------------------------
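
Added example (not part of the original posts or of either author's tooling): a small Python check for the symptom described in the thread, many TCP connections to the web port left open and never completing, spread across many apparent source addresses. The sample lines are constructed, the Linux `netstat -an` column layout and the SYN_RECV state name are assumptions, and the function names and thresholds are hypothetical.

```python
from collections import Counter

# Constructed sample in `netstat -an` column layout (not data from the incident).
SAMPLE = """\
tcp        0      0 192.0.2.10:80      198.51.100.7:1042    SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.93:2311   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.5:4410     SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.77:1999    SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.200:3120  SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.140:1207   SYN_RECV
tcp        0      0 192.0.2.10:80      192.0.2.55:1500      ESTABLISHED
tcp        0      0 192.0.2.10:80      192.0.2.56:1501      TIME_WAIT
tcp        0      0 0.0.0.0:80         0.0.0.0:*            LISTEN
udp        0      0 0.0.0.0:53         0.0.0.0:*
"""

def parse_connections(text):
    """Yield (local_port, remote_ip, state) for each TCP line that has a state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # skips UDP and malformed lines
        local, remote, state = f[3], f[4], f[5]
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def half_open_report(text, port=80, min_half_open=5, max_ratio=0.5):
    """Summarise half-open (SYN_RECV) connections to one listening port."""
    states = Counter()
    sources = Counter()
    for lport, rip, state in parse_connections(text):
        if lport != port or state == "LISTEN":
            continue
        states[state] += 1
        if state == "SYN_RECV":
            sources[rip] += 1  # with forged return addresses these rarely repeat
    total = sum(states.values())
    half_open = states["SYN_RECV"]
    ratio = half_open / total if total else 0.0
    return {
        "total": total, "half_open": half_open, "ratio": round(ratio, 2),
        "distinct_sources": len(sources),
        # Alert only when half-open connections are both numerous and dominant.
        "alert": half_open >= min_half_open and ratio > max_ratio,
    }

if __name__ == "__main__":
    print(half_open_report(SAMPLE))
```

A high half-open count spread over many distinct sources that never complete the handshake points to forged return addresses rather than a busy day of real visitors.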