Yahoo Outage Raises Web Concerns

SAN MATEO (02/09/2000) - If an Internet giant like Yahoo can be crippled for a few hours from a denial of service attack, is any Web site or Web service truly safe from a similar type of directed assault?

That's the question IT managers were faced with on Tuesday, with the knowledge that Yahoo's Web site,,. was rendered completely inaccessible from approximately 10:15 a.m. to 1:15 p.m. PST on Monday. The site lay frozen because of a successful denial of service launch that overwhelmed a router on the path to the company's Web site with a bogus traffic jam.

While Yahoo officials maintain that it "appears" that content on the Yahoo site was not breached, vulnerability issues and concerns about the effectiveness of a company's contingency plan to recover in lieu of such an attack have become a focal point of interest.

Patrick McBride, executive vice president of security consultant, Meta Security Group, in Reston, Va., said the fallout from Monday's news will be hardest felt by small to midsize businesses that lack or cannot afford the technological resources and expertise to conduct efficient redundancy building.

"Yahoo has the wares to weather all this. Their reliability is so high," McBride said. "But a lot of smaller companies haven't built up that brand name and confidence in their clients. You don't want a yellow marker next to your name to make people ask, 'Are they really secure?' Lesser brands have a hard time fighting something like that."

Yahoo was able to minimize its downtime Monday by narrowing off and isolating the flooded area of its enterprise on the West Coast, and "switching", or taking advantage of its tremendous resource base in the East Coast to get back online, McBride said.

McBride said he believed the larger message hitting home about now could be a lack of attention being paid to contingency plan security measures addressed well before the launching of Web business applications.

The denial of service attack employs a relatively simple concept: sending bogus packets from a remote location to IP routers where they collect and eventually plug up a pipe and bandwidth to the point of an Internet gridlock.

Chris Klaus, founder and chief technology officer at Internet Security Systems, said denial of service attacks are not all that difficult to carry out due to the sheer numbers of desktops and computers linked to the Internet that lack standard security protocols in place.

Klaus said an issue that may evolve from these types of attacks in the coming year could be the liability of responsibility for lost dollars or Web site downtime through the remote machines being used to implement the flood.

"These attacks are not incredibly sophisticated, so who's responsible for the security? Is it the ISP that hosts the network? Is it the e-commerce solution that built the application? Is it the network administrator or systems administrator? It's a pretty complex question," Klaus said.

Ken Van Wick, chief technology officer at Para-Protect, in Alexandria, Va., said the explosion of e-commerce is putting pressure on companies to launch their site in place without what he calls "having a fire drill and not knowing where the exit signs are."

"If an attack happens, [companies] are blindly figuring out what to do," Van Wick said. "E-commerce sites are under such pressure to get their site up and get their products out there, something always gets put aside and never gets tended to. The first thing to go is usually security."

Van Wick said tools to carry out these types of attacks are easily found on the Internet, and as common IT technology grows, so does the expertise and firepower behind these pipe-disabling tools.

Rick Forno, security officer at Domain Name Registration provider Network Solutions, in Herndon, Va., said the first thing that came to mind after he heard about what had happened to Yahoo was an immediate "spot check" and run- through of his own company's security features.

"It's a big concern. Not just for us but any Internet company," Forno said. "If it happened to them, it could happen to you. This is a real threat. I don't know if I'd call it a clear and present danger, but it's darn close."

Brian Fonseca is an InfoWorld reporter.