In Depth

A Health-Care Provider Solves a Denial-of-Service Mystery

After daring a security vendor to prove his product worked, one network engineer ends up with a global solution for a denial-of-service attack.

By Scott Berinato

October 01, 2006 | CSO

First, the firewalls just stopped responding. Then the network jammed up, and within hours, the network engineer, whom we'll call Cam Smith, had all IT hands on deck, engineers from vendor companies on the phone and frustrated execs on his back demanding updates. Maybe too regularly, Smith recalls. "I wanted to tell them, 'When we have an update we'll give it to you,' because a lot of times when they were asking, there was nothing new to tell them. We were trying to focus on the problem."

The problem would last three days, a virtual eternity for Smith's company, a midsize healthcare company with a network of hospitals (and one that forbids Smith from using his name or his company name in the press). Smith first characterizes the situation as "intermittent outages." When pressed, though, as if being forced to think about something he'd rather forget, he finally confesses, "We were down about 90 percent of the time. And we had poor quality of service when we were up. It was a terrible time." (Patient care systems were not affected, Smith says, in part due to backup systems. "But they very easily could have been," he adds.)

Smith's company is a "tweener," a midsize company, bordering on big, and probably big enough to consider forming a dedicated information security team. But so far, the company still folds security into the IT department. Smith is part of an ad hoc security committee made up of network engineers with enough security experience to handle incidents.

It was on the third day of the crisis that the team discovered the cause: a denial-of-service (DoS) attack, in which a high volume of legitimate-looking but useless traffic floods a network until it can no longer carry real work. "We could tell it was coming from somewhere inside our network, but we couldn't tell from where," he says. So Smith and company moved through the server room literally pulling plugs, one network zone at a time, to isolate the zone letting in all the DoS traffic.

This went on for about three hours, Smith says, until finally the team located the source of the attack: a single remote user on a dial-up connection, working from home on a company laptop, halfway across the country.
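The team in the story found the flooding host by unplugging one network zone at a time and watching whether the network recovered. As an added example (not from the article, and not Smith's company's tooling), the script below does the same triage from exported flow records instead of from the patch panel: it attributes each flow to a network zone, sums traffic per zone, and flags any internal source whose packet count dwarfs the rest. The zone names, address prefixes and flow lines are all constructed for the example; the same logic applies to NetFlow, IPFIX or sFlow exports once they are reduced to source, destination, packets and bytes.

```python
"""Locate the internal source of a traffic flood from flow records.

Added example: the zone map, prefixes and flow lines below are constructed
to mirror the incident in the article (one remote-access host generating
nearly all of the traffic). Nothing here is taken from a real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed zone map: a remote-access pool (dial-up/VPN), the server farm
# and the clinical network. Real deployments would load this from the IPAM.
ZONES = {
    "remote-access": ip_network("10.200.0.0/16"),
    "server-farm": ip_network("10.10.0.0/16"),
    "clinical": ip_network("10.20.0.0/16"),
}

# Constructed flow export, one record per line:
# src,dst,proto,dst_port,packets,bytes
SAMPLE_FLOWS = """\
10.10.1.5,10.20.4.8,6,443,120,98000
10.20.4.8,10.10.1.5,6,52011,95,12000
10.200.7.33,198.51.100.10,17,53,480000,31000000
10.200.7.33,198.51.100.11,17,53,455000,29500000
10.200.7.33,203.0.113.9,6,80,390000,25000000
10.10.1.9,10.20.4.8,6,443,200,150000
10.20.4.12,10.10.1.9,6,443,140,91000
10.200.7.40,10.10.1.5,6,443,60,40000
"""


def zone_of(addr):
    """Map an address to its zone name, or 'external' if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flows(text):
    """Parse the CSV flow export into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, byts = line.split(",")
        flows.append({
            "src": src, "dst": dst, "proto": int(proto), "dport": int(dport),
            "packets": int(pkts), "bytes": int(byts),
        })
    return flows


def packets_by_zone(flows):
    """Total packets sent from each zone: the data equivalent of pulling plugs
    zone by zone and seeing which one takes the flood with it."""
    totals = defaultdict(int)
    for f in flows:
        totals[zone_of(f["src"])] += f["packets"]
    return dict(totals)


def top_talkers(flows):
    """Packets per internal source as (src, zone, packets), busiest first."""
    per_src = defaultdict(int)
    for f in flows:
        if zone_of(f["src"]) != "external":
            per_src[f["src"]] += f["packets"]
    ranked = [(s, zone_of(s), p) for s, p in per_src.items()]
    return sorted(ranked, key=lambda t: t[2], reverse=True)


def flag_flooders(flows, ratio=50):
    """Sources sending more than `ratio` times the median internal host.

    A ratio against the median (not the mean) keeps one flooding host from
    inflating the baseline it is compared against.
    """
    ranked = top_talkers(flows)
    if len(ranked) < 2:
        return ranked
    baseline = median(p for _, _, p in ranked)
    return [t for t in ranked if t[2] > ratio * baseline]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for zone, pkts in sorted(packets_by_zone(flows).items(), key=lambda kv: -kv[1]):
        print(f"{zone:15s} {pkts:>10d} packets")
    for src, zone, pkts in flag_flooders(flows):
        print(f"flooder: {src} in zone {zone} ({pkts} packets)")
```

On the constructed data the remote-access zone carries almost all of the packets and a single host in it is flagged, which is the conclusion the team reached after three hours of unplugging cables. The threshold is deliberately relative rather than absolute, because a dial-up client should never be in the same order of magnitude as a server, but what counts as "normal" differs between zones; a production version would keep a per-zone baseline.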

Smith called the employee and told her to disconnect the machine, and the network came back. Crisis over. Forensics commence. With the laptop shipped back to headquarters, Smith and his team scrubbed it and found links to a malicious website that used ActiveX to take over the computer and launch the DoS attack. The employee had downloaded a toolbar she had used at her previous job. What
