Low-Grade Hacker Briefly Halts E-Mail
By Brett Altschul
Some MIT computer systems came under attack last week, briefly halting e-mail delivery. However, programmers from Information Systems rapidly restored the systems' integrity.
The attack was probably perpetrated by less-than-top-grade hackers, said Thomas J. Coppeto '89, a programmer for IS who worked on the problem. "The people doing this just aren't that smart."
IS heard about this sort of attack occurring other places recently, Coppeto said. "There has been source code published on the Internet that sends packets to a machine and causes it to stop accepting connections," he said.
"In this case with the mail servers, they stopped accepting mail connections," Coppeto said. "The mail servers were unable to process requests to deliver mail. Mail wasn't moving."
The attack went on for about a week before being noticed, Coppeto said. "There was a little performance degradation here and there. It got bad enough [last] Wednesday or Thursday for us to notice."
"One thing that confused us was that they didn't attack the more famous machines, like mit.edu," he said. "The attacks were aimed against the more back-end machines."
Attacks of the same type are still occurring but without any further effect and on a smaller scale, Coppeto said. "After a while, the people get bored and go pick on somebody who isn't as protected as we are."
Attack difficult to trace, easy to fix
The attack requires a slow but constant stream of packets, about one each second, he said. "With tens of thousands of packets floating around, you can't just look at the big volume users when you're trying to find the source of the attacks."
Although it is not impossible, it is extremely difficult to trace this kind of attack, Coppeto said. The difficulty stems partly from the fact that the source address on each packet is forged. Moreover, the bogus address is different on each individual packet, making it almost impossible to tell which packets are involved in the attack.
IS had heard about other institutions suffering attacks of this nature, but MIT has never been targeted by a serious attack of this type before, Coppeto said.
"It took us a little while to realize that this was the kind of thing we'd been hearing about," Coppeto said. "When we noticed the problem and looked at the servers, there wasn't anything wrong with them, so people were wondering why they weren't working properly. Eventually, we figured out that this was the kind of attack that people had been talking about lately."
Coppeto said that the problem was solved easily once programmers identified it. "We basically had to recompile the kernel operating system," Coppeto said. "From down time to up time, it was only about four hours."
The system is fortified very well now, Coppeto said. "The way it's set up now, the normal traffic has more effect than one of these attacks, and there are various kernel patches out there that provide even better protection."
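The article never names the mechanism, only its symptoms: a trickle of packets with forged, never-repeating source addresses, servers that look healthy but stop accepting connections, and a fix that amounts to rebuilding the kernel. The following model is an added example, not code from the article or from MIT Information Systems. It assumes the symptoms come from a fixed-size queue of half-open (not yet completed) connection requests in the kernel, where each spoofed request holds a slot until it times out; the queue size, timeout and traffic rates are constructed values chosen to make the effect visible, not figures from the article. It shows why one packet per second is enough to block legitimate mail connections when the queue is small, and why enlarging the queue or shortening the timeout, as a kernel rebuild could, makes the same stream harmless.

```python
"""Simulation of a slow, spoofed connection-request stream against a
fixed-size pending-connection queue (constructed example)."""

from dataclasses import dataclass, field
import random


@dataclass
class ListenQueue:
    capacity: int            # maximum number of half-open entries (assumed kernel backlog)
    timeout: float           # seconds before an unanswered half-open entry is dropped
    pending: dict = field(default_factory=dict)   # source address -> arrival time
    refused: int = 0
    completed: int = 0

    def expire(self, now):
        """Drop half-open entries whose client never finished the handshake."""
        self.pending = {s: t for s, t in self.pending.items() if now - t < self.timeout}

    def request(self, src, now):
        """A connection request from src arrives at time now. Returns False if refused."""
        self.expire(now)
        if src in self.pending:          # retransmit from a client already queued
            return True
        if len(self.pending) >= self.capacity:
            self.refused += 1            # queue full: the server stops accepting connections
            return False
        self.pending[src] = now
        return True

    def complete(self, src, now):
        """Client finishes the handshake and leaves the queue.
        Legitimate clients do this; a spoofed address never does."""
        if self.pending.pop(src, None) is not None:
            self.completed += 1
            return True
        return False


def spoofed_address(rng, seen):
    """A fresh forged source address for every packet, as the article describes."""
    while True:
        addr = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        if addr not in seen:
            seen.add(addr)
            return addr


def run(capacity, timeout, duration, legit_every=10, seed=1):
    """Simulate `duration` seconds: one spoofed request per second from a
    new bogus address, plus a legitimate mail connection every `legit_every`
    seconds from a small pool of real relays (192.0.2.0/24 is documentation
    space). Returns (legitimate attempts, legitimate attempts refused)."""
    rng = random.Random(seed)
    seen = set()
    queue = ListenQueue(capacity, timeout)
    attempts = refused = 0
    for sec in range(duration):
        queue.request(spoofed_address(rng, seen), sec)   # the attacker's one packet per second
        if sec % legit_every == 0:
            attempts += 1
            relay = f"192.0.2.{sec % 7}"                  # constructed relay address
            if queue.request(relay, sec):
                queue.complete(relay, sec + 0.1)           # real client answers right away
            else:
                refused += 1
    return attempts, refused


def saturates(capacity, timeout, rate=1.0):
    """Steady-state check: the attacker holds roughly rate*timeout slots at once,
    so the queue is exhausted whenever that is at least the capacity."""
    return rate * timeout >= capacity


if __name__ == "__main__":
    # Small queue, long timeout: every legitimate connection after the first is refused.
    print("small queue:", run(capacity=8, timeout=75, duration=120))
    # Same attack against a larger queue, or a shorter timeout: no refusals.
    print("larger queue:", run(capacity=1024, timeout=75, duration=120))
    print("shorter timeout:", run(capacity=8, timeout=5, duration=120))
```

The attack's volume never rises: at one packet per second it is invisible next to normal traffic, which is the point Coppeto makes about not being able to find it by looking at heavy users. What matters is the product of arrival rate and queue hold time against the queue size, and a kernel rebuilt with a larger backlog or a shorter hold time changes that product without touching the mail software.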
There will not be any further problems with mail if we are subjected to more attacks like this one, he said.
MIT is very fortunate to have kernel source code on hand and programmers capable of implementing the necessary repairs on duty, Coppeto said. "I really do feel sorry for the sites that don't have access to the sources for their operating systems and can't install the patches on the fly because they might be down for days."