At the height of its game last year, a loose-knit hacking group calling itself Fluffy Bunny appeared able to break into websites at will.
For a six-month period starting in mid-2001, Fluffy Bunny penetrated the networks of several top Internet firms, including Exodus, VA Software and Akamai. In effort to expose what it saw as frauds and poseurs, the cracking group also vandalized websites operated by leading computer security outfits, including the SANS Institute.
Fluffy Bunny’s unique brand of security mischief – along with its pink toy-rabbit mascot – created Fluffy admirers even among computer system administrators and security professionals.
But Fluffy Bunny dropped the ball on its most outrageous plan – an operation that members referred to as “The day the Internet stood still.”
Using their undetected toehold in Akamai’s network, last year some of the group’s members contemplated a massive, distributed denial-of-service (DDoS) attack on the Internet’s 13 domain-name root servers, according to a source close to Fluffy Bunny.
The attack would have marshaled the global network of 12,000 high-bandwidth systems operated by Akamai. These systems are designed to speed up Web surfers’ access to content at high-traffic sites, including Yahoo, MSNBC, Microsoft and Whitehouse.gov.
If successful, such a bludgeoning of the Internet’s nerve center could have paralyzed the Net far beyond the brief, localized outages experienced by big sites during the historic DDoS attacks of early 2000, according to experts.
To commandeer the attack, hinted at in the text of one of the group’s defacements, Fluffy Bunny would rely heavily on a set of proprietary files members stole from an internal Akamai server in April 2001.
Copies of the archived files – which included around 100 MB of Akamai source code, private encryption keys, and internal company documentation – were provided to Wired News last week by the anonymous source.
According to Akamai, the purloined files currently pose no threat to the company’s content delivery network or to customers. Spokesman Jeff Young said this week that Akamai took “appropriate action” when it learned of the intrusion on its network last year.
“While no systems are completely invulnerable, we do not believe the information alone could enable attackers to devise programs to exploit our network,” said Young, who declined to detail the steps Akamai took to mitigate the risk created by the file theft.
Contained in the stolen Akamai archives are two chapters of a document titled “Akamai Secure Communications Infrastructure” that is labeled internal-use only. Also included are programs for deploying software over the network to Akamai’s servers.
The archives additionally contain a collection of public and private encryption keys, which may have been used as part of a scheme for authenticating Akamai customers when site content is updated. Also included is source code to what are apparently programs for communicating with Akamai routers. Binary copies of the proprietary build of Linux operating system software used on Akamai’s servers are also part of the package.
Although the files do not appear to be in wide circulation, Akamai requested that Wired News not publish the file names of the stolen archives.
Aside from offering a potent army of potential DDoS attack agents, Akamai’s network also poses as a tantalizing target for website defacers, according to a senior security analyst for a major consulting firm.
“The idea of attacking Akamai has been floating around in various hacker circles – black, gray and white – for over a year. How else could you get a controversial message to a ton of people very quickly and all at the same time?” said the analyst, who asked not to be named.
But even with knowledge of the inner workings of Akamai’s security infrastructure, attackers would be unable to easily seize control of its network, according to Steve Gibson, a software developer who operates the security information site Grc.com.
“If all of the Akamai servers were turned into attack agents, that obviously would be really bad, but I don’t think Fluffy got the keys to the kingdom,” Gibson said.
The complexity of Akamai’s infrastructure, as well as its strong authentication technology, would likely frustrate the hackers despite their possession of key internal documents and programs, according to Gibson.
“That’s probably why Fluffy never used it. ‘The day the Internet stood still,’ never happened, and it’s been over a year that they’ve had this information,” Gibson said.
Indeed, Fluffy Bunny has been stymied in the past. Unable to hack directly through the defenses of SecurityFocus.com, in November 2001 the group instead compromised a small, online advertising company, so that banner ads with its trademark pink bunny rotated onto the SecurityFocus site for several hours before being detected.
But it may ultimately have been law enforcement – not insurmountable technical obstacles – that reined in Fluffy Bunny’s hacking hubris. Two key Fluffy members, a European and an American, were arrested last year according to sources familiar with the investigation.
The defacement archive at Alldas.org shows no website attacks attributed to Fluffy Bunny since early this year.
The FBI and federal prosecutors would not provide specifics on their pursuit of the group, citing the ongoing nature of the investigation.
Its brief tenure in the limelight as the Internet’s savviest hacking crew seemingly over, Fluffy Bunny appears to have gone underground for good.