History: Guam .gu Servers battered by Millennium Y2K mail relay Attacks

The email storms that characterized the downing of the e-trade sites in Feb 2000 had their precursors in the Millennium attacks which ComputerWorld and Network World had forecast were coming. Guam sits geographically in the timezone 'where America's Day begins', from which the millennium starts for the rest of the nation. While the y2k compliance scare (which did not materialize) occupied the attention of the public, the eve of y2k was marked by a different attack. Bandwidth spikes (see chart below) in Nov and Dec 1999 steadily culminated in paralyzed machines once the y2k compliance scare proved to be only a diversion. Govtguam data managers blamed the protocol of choice: SMTP on port 25 to sendmail, which many firewalls at the time allowed straight through to the mail servers. It was an early era in which mail was not filtered by greylisting services, and mail servers generally did not use reverse DNS lookups to block mail and had no mechanism to refuse mail relaying.

[Image: site of y2k attack]

Further, the source of the unsolicited broadcast email was concealed by spoofing the originating IP addresses so that it appeared to come from sources within the network (localhost) and local subnets. Ostensibly, streams of millions of emails at first appeared to intrude from compromised systems in Korea, Germany, Sweden, UK, Italy, Austria, Finland, Spain, Virginia, Salt Lake, Washington, Virginia, DC, Florida, and Texas.

Then it became obvious, from Oct to Dec 1999, that many govtguam AIX and AlphaServer mail servers without anti-spamming defenses were being used as relays to forward millions of mail messages. The govtguam systems managers, a voluntary consortium, used their small window of time to address the problem before their mail servers were effectively blacklisted by many internet sites. Three months of fundraising purchased new servers (needed for y2k compliance) while UOG network admins recoded the sendmail.cf files to repel the storm, which had overwhelmed the email servers through the sheer number of attacking machines.

[Chart: Annual traffic pattern for Govtguam, read right to left.]

At that time, hijacking unsuspecting mail servers at business, government and educational sites was a new and unprecedented method of denial of service assault. The identities of the compromised mail servers had been harvested by web spiders visiting Guam websites which publicized the mail addresses of webmasters and institutional staff. Other govtguam mail servers were found by querying the DNS servers for 'mail exchanger' (MX) records. Once the identities of local mail servers were revealed, they were further tested via email messages probing for the absence of anti-relay filters.

On the eve of y2k, the denial of service attackers exploited the govt mail servers to relay spam messages to large web commerce sites such as Yahoo, Hotmail, AOL, eBay.com and other major public e-commerce services. As many as 400,000 email messages on each govtguam mail server went undelivered daily while many thousands more found their target.

Surviving the Attack

The cyber terrorist is an opportunistic but ingenious individual versed in attack methods which expensive firewalls cannot defend against -- as evidenced later in Feb 2000 by the downing of 8 E-Trade sites. The attacker thrives by stealthily engaging a high-profile site, is excited by the 'hunt', motivated by curiosity, and seeks anonymity for his conquests through the use of an alias moniker. Though the resource-poor .gu government network does not hold informational assets that would make it a tempting target, its mail servers can launder the trail of an attacker by being employed as a relay agent or launch point for a massive email flood.

[Image: UOG site of y2k attack]

The assessment from the outset was that govtguam DP managers did not have the resources to engage the attacker and were wary of his vast repertoire of tools for launching denial of service (DoS) attacks. On Jan 1st 2000, in the midst of the storm, the managers made a momentous decision to jettison the old servers from the UOG gateway and fire up the next generation servers, with anti-relay mail defenses, deep within the Dept of Administration in Hagatna behind the firewall. The Justice, UOG and DOE managers also relocated their new servers deep inside their networks. As a precaution, all email addresses within the Government of Guam were changed to disengage the attacker. The network routers were further configured to resist spoofing of internal IP addresses.
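As an added example (not from the original page or the Guam admins' own sendmail.cf), the two controls described above written out in plain Python: an anti-relay policy that refuses to forward mail for non-local domains unless the client is on a trusted subnet, and a router-style ingress filter that drops packets arriving on the outside interface with a source address claiming to be loopback or an internal subnet. The domains and subnets are constructed placeholders.

```python
# Added example: anti-relay policy plus router-style ingress filtering.
# Domains and subnets below are constructed placeholders, not Guam's.
import ipaddress

LOCAL_DOMAINS = {"example.gu", "mail.example.gu"}           # mail we accept for delivery
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),       # loopback
                 ipaddress.ip_network("10.1.0.0/16")]       # constructed internal subnet
TRUSTED_NETS = INTERNAL_NETS                                # clients allowed to relay outbound


def ingress_filter(iface, src_ip):
    """Return True if the packet must be dropped: it arrived on the outside
    interface yet claims an internal or loopback source, so it is spoofed."""
    src = ipaddress.ip_address(src_ip)
    return iface == "outside" and any(src in net for net in INTERNAL_NETS)


def relay_decision(client_ip, rcpt):
    """Anti-relay rule: 'accept' mail addressed to a local domain from anyone,
    'relay' mail for other domains only from trusted clients, else 'reject'."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return "relay"
    return "reject"


def process(iface, client_ip, rcpt):
    """Apply the router check first, then the mail server's relay policy."""
    if ingress_filter(iface, client_ip):
        return "dropped-spoofed"
    return relay_decision(client_ip, rcpt)


if __name__ == "__main__":
    # Constructed RCPT TO attempts; an open relay would have forwarded all of them.
    for case in [("outside", "10.1.2.3", "victim@example.com"),     # spoofed internal source
                 ("outside", "127.0.0.1", "victim@example.com"),    # spoofed loopback
                 ("outside", "203.0.113.5", "alice@example.gu"),    # legitimate inbound mail
                 ("outside", "203.0.113.5", "victim@example.com"),  # relay attempt
                 ("inside", "10.1.2.3", "victim@example.com")]:     # real internal client
        print(case, "->", process(*case))
```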

In retrospect, these prudent decisions ensured that govtguam no longer participated in further attacks on other sites. The full-fledged zombie-based DoS attacks later blossomed in the first week of February 2000, marked by international media coverage of a series of denial of service attacks on the pre-eminent mail servers at Yahoo, eBay, Amazon, Buy.com and GTE. The White House convened a Net Security Summit after Attorney General Janet Reno, assisted by the FBI, pursued leads focusing on benign networks which were unwittingly used as launch pads to send out millions of messages which overloaded the targeted e-trade web sites.

The FBI's National Infrastructure Protection Center related that technophiles had secretly embedded tools [using an exploit in the Washington Univ. File Transfer Protocol daemon (WUFT) to plant Trojans] such as Trinoo and Tribe Flood Network (TFN and tfn2k) into hundreds of computers, which were triggered by an encrypted command to flood a high-capacity website and thereby knock it out. To be successful, Solaris (SPARC or Intel) and Linux on Intel platforms were compromised within high-bandwidth internet sites. The cumulative load originating from high-bandwidth sites (some on the next generation Internet II network) would then flood the target website with email messages. CNN reported that a copy-cat amateur, a 15-year-old Montreal boy known as Mafiaboy, was arrested on April 15 2000 for bringing down 1,200 CNN-hosted sites on Feb 7-14. The other, more sophisticated attackers responsible for bringing down the other e-trade sites a week earlier were reportedly not found.

On Jul 20 2000, the Internet Engineering Task Force resolved to develop ICMP Traceback Messages, which would let network managers discover the path that packets take from an attacker. The FBI asks that any suspected network criminal activity be reported to the NIPC Watch and Warning Unit at (202)-323-3204/3205/3206 or nipc.watch@fbi.gov.
