Next: Initial Countermeasures Up: E-Mail Bombs and Countermeasures: Previous: Exploiting Mail Exploders and

The Langley Cyber Attack

In January 1997, a commander within Air Combat Command (ACC) received an inflammatory e-mail message, apparently from President Clinton. The commander immediately understood that someone was using SMTP mail to impersonate the President. The chief of the information protection branch was directed to investigate the situation.

The first reaction to the forged e-mail at Langley was to examine the log files of the sendmail-based MTA. However, like most systems administered with limited resources, the level of auditing and logging of the MTA had been configured to the minimum possible setting to "save disk space." The investigators increased the sendmail audit configuration to provide the maximum amount of logging information possible.

The investigation into the Langley SMTP infrastructure uncovered a larger systemic problem. SMTP MTAs, accessible from the public Internet, were being used covertly to distribute large volumes of pornography, bigoted hate-mail, and other unacceptable and criminal messaging [10]. This discovery initiated a concentrated effort to stop all malicious use of the SMTP infrastructure while simultaneously ensuring that all legitimate SMTP mail traffic was delivered. To accomplish this objective, Langley AFB installed a simple rules-based filter, which pre-processed all incoming and queued SMTP mail [10]. These countermeasures were successful in preventing illicit use of the MTAs. The rules-based filter is discussed in more detail in section III.C.

The results of this investigation into the Langley Cyber Attack have gained national media attention. The results were discussed extensively in the United States Air Force (USAF). In addition, the chairman of the President's Commission on Critical Infrastructure Protection referenced the Langley Cyber Attack as a critical example of an actual international cyber attack [11] via the Internet. Commercial organizations have since reported millions of dollars in damages resulting from forged SMTP mail originating from the Internet [12].

Figure 6: Daily Volume of Mail Bombs (bold) vs. Total E-mail

Interviews with the system administrators (SAs) of the SMTP MTAs also uncovered very interesting information. The MTA often "locked up," according to inexperienced SAs, but they never investigated the cause of the service disruptions nor examined log files to determine the cause of the system failures. Routinely, the SAs casually rebooted the platforms and continued performing other duties that had been assigned a higher priority.

Examining the log files in real time showed a much larger problem on the enterprise than isolated e-mail spoofing. Large volumes of e-mail originating in the Internet (Figure 6) were being delivered to other Internet sites via the SMTP MTAs. Further examination of the e-mail being relayed covertly led to the discovery that incredible volumes of pornographic material were being distributed via the Langley MTA to users at commercial Internet Service Providers. The largest number of targeted users were AOL subscribers.
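The log review described above can be reduced to a simple check: a message whose envelope sender and every recipient are both outside the local domain was relayed for third parties. The following is an added example, not code from the paper or from Langley's filter; it assumes a placeholder local domain (base.example) and parses constructed sample lines written in sendmail's syslog style, joining the from= and to= records by queue id and producing the per-day relayed-versus-total counts that Figure 6 plots.

```python
import re

# Placeholder for the site's own mail domain; hypothetical, not taken from the paper.
LOCAL_DOMAINS = {"base.example"}

# Constructed sample lines in sendmail's syslog style (not real log data).
SAMPLE_LOG = """\
Jan 14 03:12:05 mx1 sendmail[2101]: DAA02101: from=<promo@spam.example>, size=48210, class=0, nrcpts=2, proto=SMTP, relay=dialup17.isp.example [192.0.2.17]
Jan 14 03:12:06 mx1 sendmail[2102]: DAA02101: to=<u1@aol.example>,<u2@aol.example>, delay=00:00:01, mailer=esmtp, relay=mail.aol.example. [198.51.100.5], stat=Sent
Jan 14 08:40:11 mx1 sendmail[2150]: IAA02150: from=<alice@partner.example>, size=1200, class=0, nrcpts=1, proto=SMTP, relay=mail.partner.example [203.0.113.9]
Jan 14 08:40:12 mx1 sendmail[2151]: IAA02150: to=<bob@base.example>, delay=00:00:01, mailer=local, stat=Sent
Jan 15 09:01:00 mx1 sendmail[2160]: JAA02160: from=<bob@base.example>, size=800, class=0, nrcpts=1, proto=SMTP, relay=ws12.base.example [10.0.0.12]
Jan 15 09:01:01 mx1 sendmail[2161]: JAA02160: to=<carol@partner.example>, delay=00:00:01, mailer=esmtp, relay=mx.partner.example. [203.0.113.20], stat=Sent
Jan 15 23:55:40 mx1 sendmail[2300]: XAA02300: from=<promo@spam.example>, size=51000, class=0, nrcpts=1, proto=SMTP, relay=dialup17.isp.example [192.0.2.17]
Jan 15 23:55:41 mx1 sendmail[2301]: XAA02300: to=<u3@aol.example>, delay=00:00:01, mailer=esmtp, relay=mail.aol.example. [198.51.100.5], stat=Sent
"""

# Captures: day, queue id, record kind (from/to), and the rest of the record.
LINE_RE = re.compile(r"^(\w{3} +\d+) [\d:]+ \S+ sendmail\[\d+\]: (\w+): (from|to)=(.*)$", re.M)
ADDR_RE = re.compile(r"<([^>]*)>")

def is_local(addr, local_domains=LOCAL_DOMAINS):
    return addr.rsplit("@", 1)[-1].lower() in local_domains

def parse_messages(log_text):
    """Join sendmail 'from=' and 'to=' records by queue id into one entry per message."""
    msgs = {}
    for m in LINE_RE.finditer(log_text):
        day, qid, kind, rest = m.groups()
        entry = msgs.setdefault(qid, {"qid": qid, "day": day, "sender": None, "rcpts": []})
        addrs = ADDR_RE.findall(rest.split(", ")[0])  # addresses precede the first ', '
        if kind == "from":
            entry["sender"] = addrs[0] if addrs else ""
        else:
            entry["rcpts"] += addrs
    return list(msgs.values())

def is_third_party_relay(msg, local_domains=LOCAL_DOMAINS):
    """True when neither the envelope sender nor any recipient belongs to the local domain."""
    return bool(msg["sender"] is not None and msg["rcpts"]
                and not is_local(msg["sender"], local_domains)
                and not any(is_local(r, local_domains) for r in msg["rcpts"]))

def daily_counts(log_text, local_domains=LOCAL_DOMAINS):
    """Per-day (relayed, total) message counts: the two series plotted in Figure 6."""
    counts = {}
    for m in parse_messages(log_text):
        relayed, total = counts.get(m["day"], (0, 0))
        counts[m["day"]] = (relayed + is_third_party_relay(m, local_domains), total + 1)
    return counts
```

Inbound mail to a local user and outbound mail from a local user pass the check; only messages that merely transit the MTA are counted as relayed.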
