Yahoo Site Works Out of Traffic Jam; Sabotage Suspected

A technological attack on Yahoo, and possibly sabotage, caused the Web’s most popular destination to suffer its worst-ever outage on Monday.

Users were intermittently blocked from most areas of Yahoo for about three hours, beginning around 10:45 a.m. Company spokeswoman Diane Hunt described it as a onslaught of “fake requests for information” that tied up Yahoo’s Web server computers.

A few areas operated by Yahoo, such as the Yahoo online store, some elements of the company’s e-mail service, and the GeoCities.com Web-site hosting service, were unaffected, said Hunt.

Once the problem was identified, Yahoo was able to block the unwanted traffic, but has not been able to identify the source of the attack--or even determine whether the massive influx of traffic was malicious or accidental, although it was probably caused by a network vandal, the company said.

The event was particularly notable given that Yahoo, unlike many other prominent Web sites, had previously avoided major outages.

Such episodes, known as “denial of service attacks,” are typical on the Web, but rarely on the scale experienced by Yahoo, according to experts.

Unlike computer hacking--which typically involves an intruder gaining access to internal elements of a Web site’s data or management controls--Monday’s episode did not compromise user information or data on the site, said Hunt.

But the attack had substantial nuisance effects on Yahoo’s massive user base. The company draws some 42 million users every month, according to Media Metrix, a New York-based audience rating service.

Yahoo’s case involved a “distributed” attack, in which the bogus demands on Yahoo’s services were apparently routed to come from multiple computer servers at once, making them hard to thwart and even more difficult to trace.

“You’re bombarding, burying the site in an avalanche of [requests],” said Richard Power, editorial director of the Computer Security Institute in San Francisco.

“There is no way to prevent denial of service,” Power added. With Yahoo’s solution, “you’re only screening yourself off from a particular place of origin,” and remain open to future attacks, he added.

Another expert said Yahoo’s prolonged failure suggested the company was unprepared for such an attack on its systems.

“It’s kind of silly it took so long,” said James M. Atkinson, president and senior engineer at Granite Island Group, an Internet security consultant in Massachusetts. “The fact it went on for hours indicates a management and infrastructure problem that does not involve technology. This should have taken them off the map for 15 to 20 minutes, 30 at the most.”

Monday’s attack apparently didn’t affect the company’s stock. It gained 50 cents, closing at $354 on Nasdaq. Yahoo’s market capitalization--the value of all its outstanding shares--is roughly $93 billion.

The Associated Press was used in compiling this report.