Summary
I want a full summary of this article; it's due in 24 hours from now.
It's typed in a Word document; the length is one and a half pages.
The iPremier Company (A): Denial of Service Attack
January 12, 2007, 4:31 AM
Somewhere a telephone was chirping. Bob Turley, CIO of the iPremier Company, turned beneath the bed sheets, wishing the sound would go away. Lifting his head, he tried to make sense of his surroundings. Where was he?
The Westin in Times Square. New York City. That’s right. He was there to meet with Wall Street analysts. He’d gotten in late. By the time his head had hit the pillow it was nearly 1:30 AM. Now the digital display on the nearby clock made no sense. Who would be calling at this hour? Why would the hotel operator put a call through?
He reached for the phone at his bedside and held it to his ear. Dial tone. Huh? The chirping was coming from his cell phone. Hanging up the hotel phone, he staggered out of bed, located the cell phone and flipped it open.
“This is Bob Turley.”
“Mr. Turley?” There was panic in the voice at the other end of the line. “I’m sorry to wake you, Joanne told me to call you.”
“Who is this?”
“It’s Leon. Leon Ledbetter. I’m in Ops. We met last week. I’m new. I mean, I was new, last month.”
“Why are you calling me at 4:30 in the morning, Leon?”
“I’m really sorry about that Mr. Turley, but Joanne said—”
“No, I mean what’s wrong? Why are you calling?”
9-601-114
601-114 The iPremier Company (A): Denial of Service Attack
“It’s our website, sir. It’s locked up. I’ve tried accessing it from three different computers and nothing’s happening. Our customers can’t access it either; the help desk is getting calls.”
“What’s causing it?”
“Joanne thinks—if we could only—well, someone might have hacked us. Someone else might be controlling our site. Support has been getting these e-mails—we thought it was just the web server, but I can’t access anything over there. Joanne is on her way to the colo.1 She said to call you. These weird e-mails, they’re coming in about one per second.”
“What do the e-mails say?”
“They say ‘ha.’”
“Ha?”
“Yes, sir. Each one of them has one word in the subject line, ‘ha.’ It’s like ‘ha, ha, ha, ha.’ Coming from an anonymous source. That’s why we’re thinking—.”
“When you say they might have hacked us—could they be stealing customer information? Credit cards?”
“Well, I guess no firewall2—Joanne says—actually we’re using a firewall service we purchase from the colo, so—.”
“Can you call someone at the colo? We pay for monitoring 24/7, don’t we?”
“Joanne is calling them. I’m pretty sure. Is there anything you want me to do?”
“Have we set our emergency procedures in motion?”
“Joanne says we have a binder, but I can’t find it. I don’t think I’ve ever seen it. I’m new—”
“Yes, I got that. Does Joanne have her cell?”
“Yes sir, she’s on her way to the colo. I just talked to her.”
“Call me back if anything else happens.”
“Yes sir.”
Turley stood up, realizing only then that he had been sitting on the floor. His eyes were bleary but adrenaline was now cranking in his bloodstream. Steadying himself against a chair, he felt a wave of nausea. This was no way to wake up.
He made his way to the bathroom and splashed water on his face. This trip to New York was an important assignment for someone who had been with the company such a short time. It demonstrated the confidence CEO Jack Samuelson had in him as the new CIO. For a moment Turley savored the memory of the meeting in which Samuelson had told him he would be the one to go to
1 “Colo” is short for “colocation facility,” where Internet companies often house their vital computing hardware. Colocation facilities are sometimes called “Internet Data Centers” or simply “hosting facilities.” They provide floor space, redundant power supplies, high-speed connectivity to the Internet, and a variety of other services to their customers.
2 A “firewall” is a combination hardware/software platform that is designed to protect a local network and the computers that reside on it against unauthorized access.
New York. As that memory passed another emerged, this one from an earlier session with the CEO. Samuelson was worried that the company might eventually suffer from “a deficit in operating procedures.” “Make it one of your top priorities,” he had said. “We need to run things professionally. I’ve hired you to take us to the next level.”
Looking himself over in the mirror, seeing his hair tousled and face wet, Turley lodged a protest with no one in particular: “I’ve barely been here three months.”
The iPremier Company
Founded in 1996 by two students at Swarthmore College, the iPremier Company had evolved into one of the few success stories of web-based commerce. From its humble beginnings, it had risen to become one of the top two retail businesses selling luxury, rare, and vintage goods on the web. Based in Seattle, Washington, the firm had grown and held off incursions into its space from a number of well-funded challengers. For the fiscal year 2006, profits were $2.1 million on sales of $32 million. Sales had grown at more than 20% annually for the last three years, and profits, though thin and somewhat variable, had an overall favorable trend.
Immediately following its Initial Public Offering in late 1998, the company’s stock price had nearly tripled. It had continued up from there amid the euphoria of the 1999 markets, eventually tripling again. A follow-on offering had left the company in a strong cash position. During the NASDAQ bloodbath of 2000, the stock had fallen dramatically but had eventually stabilized and even climbed again, although not to pre-2000 levels. Since then, the company had held its own, recovering from a difficult period by streamlining and focusing its business to achieve profitability when others couldn’t. Eventually the company began to grow again, though more slowly than before. In the treacherous business-to-consumer (B2C) segment, iPremier was one of a very few survivors.
Most of the company’s products were priced between fifty and a few hundred dollars, but there were a small number of items priced in the thousands of dollars. Customers paid for items online using their credit cards. The company had flexible return policies, which were intended to allow customers to thoroughly examine products before deciding whether to keep them. The iPremier customer base was high-end—so much so that credit limits on charge cards were rarely an issue, even for the highest-priced products.
Management and Culture
The management team at iPremier was a mix of talented young people who had been with the company for a long time and more experienced managers who had been gradually hired as the firm grew. Recruitment had focused on well-educated technical and business professionals with reputations for high performance. Getting hired into a senior management position required excelling in an intense series of three-on-one interviews. The CEO interviewed every prospective manager at the director level and above. The reward, for those who made the grade, was base compensation above the average of managers at similar firms, and variable compensation that could be a significant multiple of the base. All employees were subject to quarterly performance reviews that were tied directly to their compensation. Unsuccessful managers did not last long.
Most managers at iPremier described the environment as “intense.” The company stated its governing values in terms of “discipline, professionalism, commitment to delivering results, and partnership for achieving profits.” Unlike many Internet companies, iPremier had taken a balanced approach to growth and profitability, although growth had tended to rule the day. Throughout the
company, there was a strong orientation toward doing “whatever it takes” to get projects done on schedule, especially when it came to system features that would benefit customers. The software development team was proud of its record of consistently launching new features and programs a few months ahead of a major competitor, MarketTop. Value statements aside, it was well understood by senior managers that their compensation and future prospects with the company depended on executing to plan. Managers pursued “the numbers” with obsessive zeal.
Technical Architecture
The company had historically tended to outsource management of its technical architecture and had a long-standing relationship with Qdata, a company that hosted most of iPremier’s computer equipment and provided connectivity to the Internet. Qdata was an early entrant into the Internet hosting and “colocation” business, but it had been battered by the contraction of the Internet bubble and lost any prospect of market leadership. The facility was close to the corporate offices of iPremier; some felt there was little else to recommend it. Qdata was a steady provider of basic floor space, power, connectivity, environmental control, and physical security, and it offered some higher-level “management services,” such as monitoring of websites for customers at its Network Operations Center (NOC) and some Internet security services (such as the firewall service used by iPremier). But Qdata had not been quick to invest in advanced technology and had experienced difficulty in retaining staff.
The iPremier Company had a long-standing initiative aimed at eventually moving its computing to another facility, but several factors had conspired to keep this from happening. First, and most significant, iPremier had been very busy growing, protecting its profits, and delivering new features to benefit customers; hence the move to a better facility had never quite made it to the top of the priority list. Second, the cost of more modern facilities was considerably higher—two to three times as expensive on a per-square-foot basis. The computers at iPremier occupied a great deal of space, so a move to another facility would have increased costs enough to affect the slender but increasing profit trend the company was eager to maintain. Third, there was a perception—not necessarily supported by fact, according to the operations staff—that a move might risk service interruption to customers. The operations staff maintained that with appropriate modernization of the computing infrastructure, growth could be accomplished by adding installations in other facilities, rather than by expanding floor space in the existing facility. The work of planning how this might be carried out had never been done, however. Finally, one of the founders of iPremier felt a personal commitment to the owners of Qdata because the latter company had been willing to renegotiate their contract at a particularly difficult time in iPremier’s early days.
Exhibit 1 provides a diagram of iPremier’s technical architecture.
4:39 AM
Turley situated himself at the desk in his hotel room and began paging through the digital phonebook on his cell phone. Before he could find the number for Joanne Ripley—his technical operations team leader—the phone began to chirp. The incoming call was from Ripley.
“Hello, Joanne. How are you this morning?”
A cautious laugh came from the other end of the circuit. “About the same as you, I’m guessing. I assume Leon reached you.”
“He did, but he doesn’t know anything. What’s going on?”
“I don’t know much either, yet. I’m in the car, on my way to the colo.”
“Can’t you do something from home?”
“Well—no. Leon can’t access any of the boxes behind the firewall via the line at the office,3 so something is screwy with our connectivity to the colo. Sounds like a problem outside the perimeter of our architecture. I called Qdata, but they assured me there’s no problem with connectivity into or out of the building. They’re looking into it further, but their night shift is on duty. I don’t know where they get those bozos. I haven’t talked to anyone yet who knows what he’s doing.”
“How long till you get there?”
“I’m driving fast and running red lights. I ought to be there in five minutes.”
“How long after that until we are back up and running?”
“That depends on what’s wrong. I’ll try restarting the web server as soon as I get there, but if someone has hacked us, or if there’s some kind of attack going on, that might not do it. Did Leon tell you about the e-mails?”
“The ‘ha, ha’ e-mails? Yeah. Makes it sound like something deliberate.”
“I’d have to agree with that.”
“No chance it’s a simple DoS attack?”
“I doubt it’s a simple DoS attack; we’ve got software that deals with those.”
“Can we track the e-mails?”
“Not soon enough. They’re coming through an anonymizer that’s probably in Europe or Asia. If we’re lucky we’ll find out sometime in the next 18 months who sent them. Then we’ll discover they’re originating from some DSL-connected PC in Podunk, Idaho, and that the Joe Schmo who owns it has no idea that it’s been compromised by hackers.”
“Any chance they’re stealing credit cards?”
“There’s really no way of knowing without more info.”
“Should we pull the plug? Physically disconnect the communications lines?”
“We could. But if we start pulling cables out of the wall it may take us a while to put things back together. Right now most of our customers are asleep.”
“Joanne, don’t we have emergency procedures for times like this, a binder or something at least? I don’t think I’ve seen it but it comes up when people mention our business continuity plan. When I mentioned it to Leon, he seemed to have no idea what I was talking about.”
3 The hosting facility where the production computer equipment was housed was connected to the iPremier Company’s offices via a leased communication line. This line would ordinarily permit people at the office to connect to production computers without traversing the public Internet.
“We’ve got a binder,” said Ripley. “I’ve got a copy with me. Keep it in my car. There’s one at the office too, even if Leon can’t find it. But to be honest, well—it’s out of date. Lots of people on the call lists don’t work here anymore. I don’t think we can trust the cell phone numbers and I know some of the technology has changed since it was written. We’ve talked about practicing incident response but we’ve never made time for it.”
“Hmm. So what’s the plan when you reach the colo?”
“Whoops.” There was a pause while Ripley negotiated a traffic obstacle. “Sorry. Let me restart the web server and see what happens. Maybe we can get out of this without too much customer impact.”
Turley thought about it for a moment. “Okay. But if you see something that makes you think credit cards are being stolen, I want to know that immediately. We may have to take drastic action.”
“Understood. I’ll call you back as soon as I know anything.”
“Good. One more thing: Who else knows this is going on?”
“I haven’t called anyone else. Leon might have. I’ll call him and call you right back.”
“Thanks.”
Turley flipped his cell closed then picked up the hotel phone. After a series of transfers, he found someone who would bring coffee to his room, despite the odd hour. Never before had he so desperately wanted coffee.
Just as he replaced the hotel phone his cell rang again.
“Damn.” It was Warren Spangler, VP of business development. Turley remembered vaguely that Leon Ledbetter had come into the organization via a recommendation by Spangler. They were old high school buddies or something. Ledbetter had almost certainly called Spangler.
“Hi, Warren,” said Turley, flipping the phone open.
“Hi, Bob. I hear we’ve got some kind of incident going on. What’s the story?”
“Something’s definitely going on, but we’re not sure what yet. We’re trying to minimize customer impact. Fortunately for us it’s the middle of the night.”
“Wow. So is it just a technical problem or is somebody actually doing it to us?”
Turley was eager to call the chief technology officer (CTO), so he didn’t really have time for this discussion. But he didn’t want to be abrupt. He was still getting to know his colleagues.
“We don’t know. Look, I’ve got to—”
“Leon said something about e-mails—”
“Yes, there are suspicious e-mails coming in so it could be someone doing it.”
“Oh, man. I bet the stock takes a hit tomorrow. Just when I was going to exercise some options. Shouldn’t we call the police?”
“Sure, why don’t you see what you can do there, that’d be a big help. Look, I’ve got to—”
“Seattle police? Do we know where the e-mails are coming from? Maybe we should call the FBI? No. Wait. If we call the police, the press might hear about this from them. Whoa. Then our stock would really take a hit.”
“I’ve really got to go, Warren.”
“Sure thing. I’ll start thinking about PR. And I’ll work with Leon on this end. We got you covered here, bro. Keep the faith.”
“Will do, Warren. Thanks.”
Turley ended that call and began searching through his cell phone’s memory to find the number for Tim Mandel, the company’s CTO. He and Mandel had already cemented a great working relationship. Turley wanted his opinion. Just as Turley was about to initiate the call, though, another call came in from Ripley.
Turley flipped the phone open and said: “Leon called Spangler, I know. Anything else?”
“Ah, no. That’s it for now. Bye.”
Turley dialed Mandel. At first the call switched over to voicemail, but he retried immediately. This time Mandel answered sleepily. It took five full minutes to wake Mandel and tell him what was happening.
“So what do you think, should we just pull the plug?” Turley asked.
“I wouldn’t. You might lose some logging data that would help us figure out what happened. Whatever we do, we want to preserve evidence of what has happened or else we may never know exactly.”
“I’m not sure that’s the most important thing to me right now, knowing exactly what is happening.”
“I suggest you change your mind about that. If you don’t know what happened this time, it can happen again. Worse than that, if you don’t know what happened, you won’t know what, if anything, you need to disclose publicly.”
Turley thought about that for a moment. What if they halted the attack but he could not be sure of the danger, if any, to customer information? What would the company need to say publicly? It was too much to sort out on the fly. Mandel was saying something else.
“Come to think of it, Bob, preserving the logs is irrelevant because I’m pretty sure detailed logging is not enabled. Detailed logging takes up a lot of disk space on the server. To run at higher logging levels we would have to add significantly to our storage arrays and I’ve never been able to convince the finance guys that the expenditure was necessary. Plus detailed logging adds a performance penalty of about 20%, which impacts the customer experience; nobody’s been game for that.”
“So we aren’t going to have evidence of what happened anyway.”
“There’ll be some, but not as much as we’ll want.”
Another call was coming in.
“Hold on, Tim.” Turley kicked the phone over to the waiting call. It was Peter Stewart, the company’s legal counsel. What was he doing awake?
“This is Turley.”
“Hey, Bob, it’s Pete. Pull the plug, Bob. Shut off the power, pull the cords out of their sockets, everything. We can’t risk having credit cards stolen.”
“Spangler call you?”
“Huh? No, Jack. Samuelson. He called me three minutes ago, said hackers had control of our web site. Told me in no uncertain terms to call you and ‘provide a legal perspective.’ That’s just what he said: ‘provide a legal perspective.’”
So the CEO was awake. The result, no doubt, of Spangler’s “helping” from that end. Stewart continued to speak legalese at him for what seemed like an eternity. By this time, Turley was incapable of paying attention to him.
“Thanks for your thoughts, Pete. I’ve got to go, I’ve got Tim on the other line.”
“Okay. For the record, though, I say pull the plug. I’ll let Jack know you and I spoke.”
“Thanks, Pete.”
Turley switched back over to the call with Mandel.
“Spangler’s got bloody everybody awake, including Jack. I recommend you get dressed and head into the office, my friend.”
“Is Joanne on this?”
“Yes, she’s at the colo by now.” Turley’s phone rang. “Got a call coming in from her now.” He switched the phone. “What’s up Joanne?”
“Well I’m at Qdata,” she said in an angry voice, “and they won’t let me into the NOC. There’s no one here who knows anything about the network monitoring software and that’s what I need to use to see the traffic coming into our site. The Qdata guy who can do it is vacationing in Aruba. I tried rebooting the web server, but we’ve still got a problem. My current theory is an attack directed at our firewall, but to be sure I’ve got to see the packets coming in, and the firewall is their equipment. You got an escalation contact to get these dudes off their butts?”
“I’m in New York, Joanne. I’ve got no Qdata contact information with me. But let me see what I can do.”
“Okay. I’ll keep working it from this end. The security guard doesn’t look too fierce. I think I could take him.”
“Do what you can.”
Turley hung up. He noticed that Mandel had disconnected also. For a moment Turley sat back in the chair, not sure what to do next. There was a knock at the door. Coffee. Good news, for a change.
5:27 AM
He had just taken his first sip of hot coffee when he got the call he’d been dreading. It was from Jack Samuelson, the CEO.
“Hi Jack.”
“Bob. Exciting morning?”
“More than I like it.”
“Are we working a plan?”
“Yes, sir. Not everything is going according to plan, but we are working a plan.”
“Is there anything I can do?”
“Actually, Jack, there is. Call someone senior at Qdata and tell them we need their full and immediate support. They’re giving Joanne the runaround about access to their NOC.”
“I’ll do that right now, Bob.”
“Thanks, Jack.”
“Bob, the stock is probably going to be impacted and we’ll have to put a solid PR face on this, but that’s not your concern right now. You focus on getting us back up and running. Understand?”
“I do.”
The call ended. It had gone better than Turley had feared. He avoided the temptation to analyze Samuelson’s every word for clues to his innermost thoughts. Instead, he dialed Joanne.
“Hi, Bob,” she said, sounding mildly cheerful. “They let me in. I’m sitting in front of the console right now. It looks like a SYN flood4 from multiple sites directed at the router5 that runs our firewall service. So it is a DoS attack, just not a simple one. By the way, this is not a proper firewall, Bob; we need to work on something better.”
“Fine, but what can we do right now?”
“Well, looks like the attack is coming from about 30 sites. If the guys here will let me, I’m going to start shutting down traffic from those IP addresses.”6
“Samuelson is waking up the senior guys at Qdata. If the night shift gives you any trouble, tell them it’s going to be raining executives really soon.”
4 Each “conversation” with a web server begins with a sequence of “handshake” interactions. The initiating computer first sends a “SYNCHRONIZE” or “SYN.” The contacted web server responds with a “SYNCHRONIZE-ACKNOWLEDGE” or “SYN-ACK.” The initiating computer then completes the handshake with an “ACKNOWLEDGE” or “ACK.” A “SYN flood” is an attack on a web server intended to make it think a very large number of “conversations” are being initiated in rapid succession. Because each interaction looks like real traffic to the website, the web server expends resources dealing with each one. By flooding the site, an attacker can effectively paralyze the web server by trying to start too many conversations with it.
5 As the name suggests, a “router” is a hardware platform that routes traffic across internal networks and the Internet.
6 An “IP address” corresponds to a particular machine located somewhere on the Internet.
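The handshake described in footnote 4 is what the following check looks for. It is an added example, not part of the case: it parses a constructed connection-tracking export, flags a time window in which half-open (SYN_RECV) connections dominate, and tracks how the set of attacking sources keeps changing between windows, which is why shutting off addresses one at a time did not help Ripley. The record format, thresholds and addresses are assumptions.

```python
from collections import Counter, defaultdict

# Record format (assumed): "epoch_seconds src_ip dst_ip:port state".
# SYN_RECV: the server answered SYN-ACK and is still waiting for the final
# ACK (half-open, the state a SYN flood piles up). ESTABLISHED: handshake done.
TARGET = "203.0.113.10:443"


def build_sample():
    """Constructed conntrack export: a few real sessions, then a flood in which
    one attacking source disappears and two new ones appear in the next window."""
    lines, t = [], 1168600000
    for src in ("10.20.30.40", "10.20.30.41", "10.20.30.42"):
        lines.append(f"{t} {src} {TARGET} ESTABLISHED")
    flood = [
        (0, ["198.51.100.11", "198.51.100.12", "198.51.100.13"]),
        (60, ["198.51.100.12", "198.51.100.13", "192.0.2.50", "192.0.2.51"]),
    ]
    for offset, sources in flood:
        for src in sources:
            for i in range(8):  # eight half-open connections per source
                lines.append(f"{t + offset + i} {src} {TARGET} SYN_RECV")
    return "\n".join(lines)


def parse_records(text):
    """Turn the export into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, state = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "state": state})
    return records


def summarize(records):
    """Half-open count, the set of sources holding half-open connections, and
    the share of all connections that are half-open."""
    half_open = Counter(r["src"] for r in records if r["state"] == "SYN_RECV")
    n_half = sum(half_open.values())
    ratio = n_half / len(records) if records else 0.0
    return {"half_open": n_half, "sources": set(half_open), "ratio": ratio}


def detect_syn_flood(records, min_half_open=20, ratio_threshold=0.8):
    """Flag a flood when half-open connections are both numerous and dominant.
    Both thresholds are assumptions; tune them to a site's normal traffic."""
    s = summarize(records)
    return s["half_open"] >= min_half_open and s["ratio"] >= ratio_threshold


def source_churn(records, window_seconds=60):
    """Per window: is it a flood, how many sources, how many not seen before.
    Steady arrival of new sources is the signal that a per-IP block list
    is not going to converge and a rate-based control is needed instead."""
    by_window = defaultdict(list)
    for r in records:
        by_window[r["ts"] // window_seconds * window_seconds].append(r)
    seen, out = set(), []
    for start in sorted(by_window):
        srcs = summarize(by_window[start])["sources"]
        out.append({"window": start, "flooding": detect_syn_flood(by_window[start]),
                    "sources": len(srcs), "new_sources": len(srcs - seen)})
        seen |= srcs
    return out


if __name__ == "__main__":
    recs = parse_records(build_sample())
    print("flood overall:", detect_syn_flood(recs))
    for w in source_churn(recs):
        print(w)
```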
“Samuelson, huh? So everybody’s up for our little party. Okay, I’m going to try shutting off traffic from the attacking IP addresses. I’ll have to set the phone down for a minute.”
There was a pause of a couple of minutes. Turley heard some muffled conversation in the background, then several exclamations. Ripley came back on the line.
“Damn it, Bob, they’re spawning zombies. It’s Dawn of the Dead out there.”
“You’re going to have to translate that one for me, Ripley.”
“Every time we shut down traffic from an IP address, the zombie we’ve shut off automatically triggers attacks from two other sites. I’ll try it a few more times, but right now it looks like that’s just going to make things worse.”
“If it’s a denial of service attack, they haven’t hacked us, right? It means it’s not an intrusion. They haven’t gained entry to our system. So credit cards and customer data are safe. Can we say that?”
“There’s nothing that makes a DoS attack and an intrusion mutually exclusive. And targeting the firewall strikes me as a fairly sophisticated tactic. I’m not so sure these are script kiddies7, Bob.”
It was not the comforting answer he had hoped for, but it would have to do for the time being. “I’ll let you get back to it. Call me with an update when there is something to tell.”
Turley hung up and thought about whether to call Samuelson and what to tell him. He could say that it was a DoS attack. He could say that the attack, by itself, was not evidence that customer information was at risk. But Turley wanted to think some more before he went on record. He’d talk to Tim, see what he thought.
For a moment, everything was quiet. He put the cell phone down and poured another cup of coffee. Pacing across the room, he picked up the TV remote and hit the “on” button. A movie appeared, an old Hitchcock film. An airplane was strafing Cary Grant. He muted the sound then walked to the window and pulled the curtain aside. There was a red glow in the sky to the east.
His cell phone rang. He went and picked it up. It was Ripley. “It stopped,” she said excitedly. “The attack is over.”
“What did you do?”
“Nothing. It just stopped. The attack just stopped at 5:46 AM.”
“So—what do we do now?”
“The website is running. A customer who visits our site now wouldn’t know anything had ever been wrong. We can resume business as usual.”
“Business as usual?”
“Actually, I’d recommend that we give everything a proper going-over after an attack like this. We really ought to do a thorough audit. I’ve been thinking about how they targeted the firewall, and I don’t think it sounds like script kiddies.”
7 “Script kiddies” are relatively unsophisticated hackers who use automated routines—“scripts”—written by other more sophisticated hackers. These scripts are available to anyone willing to spend a little time searching for them on the Internet.
“Sit down when you get a chance and write me an e-mail that summarizes what you think we should do. Tell me how whatever you recommend will impact on customers, if at all. I’ve got to figure out what to tell Samuelson.”