Testimony of:

Dan Rosensweig, President and CEO, ZDNet

before the

Subcommittee on Crime of the House Committee on the Judiciary

and the

Subcommittee on Criminal Justice Oversight

of the Senate Committee on the Judiciary

February 29, 2000

ZDNet is the leading Web destination for people who want to buy, use and learn about technology. In January, it ranked 15th among all Web properties, with 10.7 million unique monthly visitors.

In February 2000, ZDNet experienced two Denial of Service (DoS) attacks, both lasting between two and three hours. The first one occurred on February 9, from 7:11 a.m. to 9:43 a.m. EST. The second one occurred on February 20, from 7:05 a.m. to 9:12 a.m. EST. Both the symptoms of the two attacks, and the measures taken by ZDNet and GTEI/BBN, the hosting company that manages its systems and connectivity, were identical. Following is an overview of the first attack:

7:11 a.m. ZDNet's Web servers became inaccessible, affecting approximately 75 percent of its Web sites.

7:20 a.m. ZDNet's engineering team assembled and DoS was established as the most likely cause.

7:40 a.m. GTEI/BBN's engineering team began working in concert with ZDNet to find a solution, and the FBI was contacted.

8:00 a.m. SYN FLOOD, a type of DoS attack characterized by an overwhelming flood of Web traffic coming from nonexistent computers, was identified as the DoS method.

8:30 a.m. Some of the spoofed computer traffic was identified and blocked from accessing the site, slightly diminishing the load on ZDNet's servers, but not effectively squelching the attack.

8:00 - 9:43 a.m. Until the DoS situation subsided, apparently on its own, the teams worked to identify the location of traffic, while altering parameters that manage the illegal traffic.

Denial of Service attacks are designed to deny the use of a particular Web service to a group of users, in ZDNet's case its more than 1 million daily visitors. DoS attacks do not fit the traditional definition of a "hacker" attack, in that computers and servers are not broken into, data assets are not corrupted, and privacy is not compromised.

ZDNet was affected by the most common kind of DoS attack, the SYN FLOOD. During a SYN FLOOD attack, people attempting to visit Web sites are unable to retrieve pages, as the Web provider's servers are overwhelmed with an enormous influx of page requests from bogus sources, which cannot be processed. During the two attacks on ZDNet, affected sites received 50 to 100 times the amount of Web traffic that its servers could sustain under peak load. The servers ran out of resources and were incapable of responding to normal requests.

Because advertising is ZDNet's primary revenue stream, it does not expect these attacks to have a financial impact, unlike some of the other affected sites, which derive a significant portion of their revenues from online transactions. ZDNet's advertising clients have been supportive. In addition, the two attacks have not had significant impact on ZDNet's daily traffic, perhaps because of the national DoS news coverage during the first attack, for which ZDNet's audience typically turns to its sites for information, and because the second attack occurred during a holiday weekend.

ZDNet regrets the loss of service to its visitor base, and joins other Web businesses in its concern for the protection of the Internet's integrity. After its first attack, ZDNet joined a grassroots coalition including other top Web sites affected, for the purpose of sharing information with hosting companies like GTEI/BBN, and the FBI.

The success of the Internet is critical to the nation's economy. Internet businesses recognize the importance of working together to nurture the Web's development, and to build infrastructure security solutions that will protect against infractions like DoS attacks. The Internet is a unique industry, in that competing Web businesses are cooperating to raise the bar for the Web's performance, development, security and protection.

The private sector has the expertise to help address computer crime and thus should be primarily responsible for Internet protection at this early stage of the industry's development.

While the government should not be responsible for protecting the Internet's infrastructure, it should continue to prosecute the parties responsible for Internet-related crimes like DoS attacks. We appreciate the government's active role in collecting and sharing information to help identify the perpetrators and in providing that information, when appropriate, to Web businesses as they work to protect themselves.

# # #