DoS Attacks Cripple Yahoo, CNN, Amazon and Buy.com
0730 Hrs 09 February 2000
A series of Denial of Service (DoS) attacks that commenced on Monday with the crippling of portal site www.yahoo.com has extended to www.amazon.com, www.cnn.com and www.buy.com. These sites were performing poorly, with the amazon.com site completely timing out at various stages through the night.
Monday's attack on Yahoo led to traffic levels of 1GB a second through the routers serving the portal site. The attack on Yahoo is believed to have been a distributed one involving a number of compromised computers.
In the last few weeks, there was a significant rise in the number of scans that internet hosts were receiving, and many of these scans appeared to originate from hosts in the Pacific region. IPs that traced back to Korea, Indonesia, Taiwan and Australia were seen stepping methodically through hosts in the Irish (.ie) domains, requesting domain record zone transfers (AXFRs). Once the zone files for the Irish sites were received, these hosts would sequentially scan through each domain looking for computers with potential weaknesses. The program used for this was Sscan, a common cracker tool. This program would be used to generate a log of scanned boxes, which the cracker would later return to collect.
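A defender-side check for the reconnaissance pattern described above, as an added example that is not part of the original article: it reads name server transfer logs and reports hosts outside the authorised secondaries that request AXFRs across several zones or are actually served one. The simplified BIND-style log format, the addresses, the zone names and the function `audit_axfr` are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, BIND-style format (an assumption;
# adapt AXFR_RE to the transfer messages your own name server writes).
SAMPLE_LOG = """\
09-Feb-2000 01:10:02 client 192.0.2.10#1042: transfer of 'example-a.ie/IN': AXFR started
09-Feb-2000 01:14:11 client 203.0.113.7#3310: zone transfer 'example-a.ie/AXFR/IN' denied
09-Feb-2000 01:14:13 client 203.0.113.7#3311: zone transfer 'example-b.ie/AXFR/IN' denied
09-Feb-2000 01:14:15 client 203.0.113.7#3312: transfer of 'example-c.ie/IN': AXFR started
09-Feb-2000 02:40:51 client 198.51.100.23#2200: zone transfer 'example-a.ie/AXFR/IN' denied
"""

AXFR_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: .*?'(?P<zone>[^'/]+)/(?:AXFR/)?IN'"
    r".*?(?P<result>started|denied)"
)

def audit_axfr(log_text, allowed_secondaries, sweep_threshold=3):
    """Report non-allowlisted hosts that sweep zones or were served a transfer."""
    seen = defaultdict(lambda: {"zones": set(), "served": set()})
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if not m or m["ip"] in allowed_secondaries:
            continue  # not a transfer message, or a legitimate secondary
        rec = seen[m["ip"]]
        rec["zones"].add(m["zone"])
        if m["result"] == "started":
            rec["served"].add(m["zone"])  # zone data left the server
    findings = {}
    for ip, rec in seen.items():
        sweep = len(rec["zones"]) >= sweep_threshold
        if sweep or rec["served"]:
            findings[ip] = {
                "sweep": sweep,                    # stepping through many zones
                "zones": sorted(rec["zones"]),     # every zone it asked for
                "served": sorted(rec["served"]),   # zones missing a transfer ACL
            }
    return findings

if __name__ == "__main__":
    for ip, info in audit_axfr(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(ip, info)
```

Any zone listed under `served` was handed to a host that is not a configured secondary, so its transfer restriction should be reviewed first.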
The DoS has two phases: the acquisition and the attack itself. In the acquisition phase, the crackers set about acquiring control over the computers to be used in the attack. This normally involves scanning large numbers of computers attached to the internet. Once a vulnerable computer is identified, the crackers will attack it and try to compromise it. Once compromised, the computer will be used to scan others.
After a sufficient number of computers have been compromised, the programs to be used in the denial of service attacks will be loaded on to them. Four popular programs for this have been identified: Tribal Flood Network, Trinoo, TFN2K, and Stacheldraht. These programs can be set to activate at a specified time, with the results seen on the Yahoo, Amazon, Buy and CNN sites.
The FBI is currently investigating the outages. However, it is expected that other sites will be hit in the coming days.