By Jessica Sidman
The Daily Pennsylvanian
Although the University improved computer security after a Penn student
allegedly caused a server crash in February 2006, a similar type of
attack could still cause problems for even the largest Web servers.
Engineering junior Ryan Goldstein was indicted last month for
computer-fraud conspiracy after he allegedly helped a New Zealand hacker
nicknamed "AKILL" carry out the attack using a botnet - a virtual
network of virus-infected computers controlled from a central, remote
Hackers can use a botnet for sending spam, identity theft or
Goldstein's alleged hacking caused an inundation of traffic on the
Engineering School's server, leading to a server crash.
The Engineering staff overlooked the increase in traffic because of
recent modifications to the Engineering School's network at the time,
according to an affidavit filed by FBI agent and computer-crimes
specialist Jason Stroud.
University technicians made several changes at the time and continue to
make security improvements as they learn of new threats, IT Senior
Director Helen Anderson wrote in an e-mail.
In addition, Engineering students must now register for permission to
run CGI scripts, a technology used on Web servers.
But a large attack could still potentially cripple the server.
"Web servers are sized for their normal usage rate plus extra capacity
for busy times," Anderson said. "A botnet of more than a million
computers is enough to cause trouble for even the largest Web servers."
Goldstein used a fellow student's username and password to gain access
to a University server, Stroud reported.
The user logged in 57,958 times in four days, with 13,289 failed
attempts, from computers in North America, Europe, Africa, Asia and
Latin America and then downloaded unusual files onto the Penn server.
The inundation of traffic caused the server to crash.
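The login pattern described above (one account, tens of thousands of attempts from several continents, with many failures) is the kind of signal a defender can check for in authentication logs. The following is an added example, not code from the article or from Penn; the log format, the region codes and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (not from the article): one line per login attempt,
# tagged with the source region. A real log would carry source IPs instead.
SAMPLE_LOG = """\
2006-02-10T01:00:03 auth user=alice result=success region=NA
2006-02-10T01:00:09 auth user=alice result=failure region=EU
2006-02-10T01:00:11 auth user=alice result=success region=AF
2006-02-10T01:00:15 auth user=alice result=success region=AS
2006-02-10T01:00:20 auth user=alice result=failure region=LATAM
2006-02-10T01:05:00 auth user=bob result=success region=NA
2006-02-10T02:05:00 auth user=bob result=success region=NA
"""
LINE_RE = re.compile(r"auth user=(\S+) result=(success|failure) region=(\S+)")

@dataclass
class AccountStats:
    attempts: int = 0
    failures: int = 0
    regions: set = field(default_factory=set)

def summarize(log_text):
    # Aggregate attempts, failures and distinct source regions per account.
    stats = defaultdict(AccountStats)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth event; ignore
        user, result, region = m.groups()
        s = stats[user]
        s.attempts += 1
        if result == "failure":
            s.failures += 1
        s.regions.add(region)
    return stats

def flag_accounts(log_text, max_attempts=4, max_regions=3):
    # Thresholds are hypothetical; in practice they come from the site's
    # normal usage baseline (as Anderson notes, servers are sized for it).
    flagged = {}
    for user, s in summarize(log_text).items():
        reasons = []
        if s.attempts > max_attempts:
            reasons.append(f"{s.attempts} attempts, {s.failures} failed")
        if len(s.regions) > max_regions:
            reasons.append(f"logins from {len(s.regions)} regions")
        if reasons:
            flagged[user] = reasons
    return flagged
```

With the sample above, `flag_accounts(SAMPLE_LOG)` reports only `alice`, for both the attempt volume and the geographic spread.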
"It's been likened to trying to drink from a fire hose," FBI special
agent JJ Klaver said. "You can shut down an entire computer network by
flooding it with input."
The Penn server attack denied service to 4,000 students, faculty and
staff members. However, an attack on a corporate server, such as
Amazon.com, could cause a company enormous economic losses, said Fred
Cate, the director of the Center for Applied Cybersecurity Research at
Indiana University School of Law.
Similar attacks can also be used for online vandalism or political
protest, or to hinder corporate competitors.
Goldstein pleaded not guilty to the computer-fraud conspiracy charges,
and he is still attending classes.
He faces a maximum sentence of five years in prison or a $250,000 fine.
Copyright 2007 The Daily Pennsylvanian