Security Experts Scramble to Decipher Social Media Attacks

August 7, 2009

Security analysts Thursday scrambled to find a motive behind the distributed denial-of-service attacks that brought down Twitter for several hours, and also hit Facebook, Google and LiveJournal.

With little information to go on, researchers ended up speculating on who launched the attacks and why, although several agreed that Twitter’s infrastructure needed immediate strengthening.

“If you monitor the hacking forums, it’s clear they’re pissed at Twitter,” said Richard Stiennon, founder of IT-Harvest, a security research firm. “Twitter came out of nowhere. Hackers hated that. They’d been using forums and IRC to communicate, and all of a sudden, the rest of the world has their own thing in Twitter.”

To Stiennon’s thinking, the rise of Twitter — and the backlash against it — resembles the situation in the 1990s, when AOL rose to prominence, but tech-savvy users denigrated it as little more than a glorified BBS (bulletin board system).

“It’s the same thing now,” Stiennon said. “They look at Twitter and think, ‘there goes the neighborhood.’ So they wanted to demonstrate that they could take it down and generate news at the same time.”

Roger Thompson, chief research officer at AVG Technologies, has a different idea.

“I think it was a vigilante,” he said, “who wants to call attention to the danger of botnets.”

Thompson’s theory posits that the vigilante — perhaps a security professional — assembled a small botnet, then aimed it at Twitter and Facebook, which was also attacked Thursday. He based his idea on several similarities to the distributed denial-of-service (DDoS) attacks that hammered U.S. government and South Korean commercial sites in early July.

Those attacks, at one point thought to originate from North Korea, were unfocused, had no noticeable political agenda and most important, ended with the botnet controller ordering the machines to self-destruct by wiping their hard drives.

“Who builds a botnet, then destroys it?” Thompson asked. “That’s just crazy.”

In fact, Thompson said he believed the Twitter hacker was the same person who ran the U.S./South Korea DDoS almost exactly a month ago. “No one profits from DDoS-ing Twitter,” he said. “The only possible explanation is that someone wanted to make people think about something, and I think that something is botnets.

“Botnets are a very big problem, but no one does anything about them,” he added.

Both Stiennon and Thompson used the word “easy” to describe the kind of DDoS attack required to successfully attack Twitter and other Web sites. “It wouldn’t take a real big botnet,” said Thompson. “One with 20,000 to 30,000 bots could have spoiled Twitter’s day.”

A different motivation surfaced late Thursday, when a Facebook executive told CNET News that his company believed the attacks were directed against one individual, a pro-Georgian blogger identified only as “Cyxymu,” who had accounts on Facebook, Twitter, LiveJournal and Google Inc.’s Blogger and YouTube.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Max Kelly, Facebook’s chief security officer, said.

One thing security researchers seemed to agree on was that Twitter needed to bolster its Web infrastructure, or it would invite further attacks. “If Twitter is following the usual commercial site approach to plan for a 100% traffic increase, it would be easy for a DDoS to take it down,” Stiennon said.

“Twitter has to [re-examine] their infrastructure,” Stiennon recommended. “It wouldn’t take much more than $10 million to double the transaction capacity from what they have had. I’d double that or even quadruple that right away.”

Barrett Lyon, the former chief technology officer and co-founder of BitGravity, and a noted expert on DDoS attacks, concurred. He and Stiennon collaborated yesterday in an attempt to dig up information about the Twitter attack; Lyon pegged the attack as a DDoS before Twitter acknowledged it later Thursday morning.

“It’s pretty clear [Twitter is] ready for a redesign,” Lyon said in an entry to his personal blog. “They need their own autonomous network, bring in bandwidth from many different providers, and have several layers of security. Building a strong ACL border and a nice mitigation layer would make a lot of sense for a company that is enabling communication.”

According to Lyon, Twitter relies on just one vendor to provide its link to the Internet backbone: NTT Communications, a subsidiary of Nippon Telegraph and Telephone, based in Tokyo.

“I would guess something in their load balancing farm was not configured to deal with the attack or this would have just been absorbed without much notice,” said Lyon, who noted that Facebook, which has a much more robust infrastructure, largely escaped harm.

Thompson, meanwhile, said if his premise is correct, Twitter may not have much time to get its act together. Noting the monthlong gap between the July DDoS attacks against U.S. and South Korean sites and Thursday’s assault on Twitter and others, he said the vigilante might strike again using the same timeline.

“If I was a betting man, I’d be betting on another one in early September,” Thompson said.

2 Comments
  1. emilysinsight
    August 7, 2009 1:53 PM

    Well, duh? No one has a motive? What about all the folks who could help Twitter defend itself from this sort of thing? If I break your window, you may call me to have it fixed.

  2. August 7, 2009 3:20 PM

    Excellent coverage, Chris! I have to say that I rather doubt it is the same person who perpetrated the July attack for one reason: they wiped out their own botnet. Unless the Twitter attack hacker follows suit I choose to believe they are different individuals or organizations. Firstly this is due to the break in the pattern; it is even more true of serial hackers than of serial killers that there tends to be a pattern advertising a link. In any case, if this hacker was doing it for publicity or awareness, he would want there to be a link. The message would be, according to some of these experts, “I am one hacker/organization. You don’t know who I am and you can’t find out, yet because the net is so vulnerable to DDOS attacks, I can take out one of the most popular web services in the world.” But I’m not seeing that right now.

    Secondly there is the fact that I’d rather not believe that one individual can conjure up botnets so easily and cheaply that he can destroy one and still have others at his disposal.
