Is There Rhyme or Reason to the Attacks on Twitter?
- By Ryan Singel
- August 6, 2009, 7:51 pm
- Categories: Social Media
Thursday’s denial of service attacks on Twitter and Facebook, and the ones that flooded non-critical U.S. government sites several weeks ago, share a very interesting common denominator, according to a senior security researcher at Cisco.
They don’t make any sense. And that means trouble, according to Cisco’s Patrick Peterson.
“I’m afraid two outliers make a line and there is something going on,” Peterson said. “We have entered the third generation of denial of service attacks, and anyone that plans on the rationality of criminals is at risk.”
What does that mean? It means that assuming the bad guys online are just a new breed of bank robbers can get you into trouble if there are a few sociopaths mixed in.
The ongoing attacks Thursday on Facebook and the micro-publishing site Twitter likely involve tens of thousands of compromised computers under the control of a single person. Likely the attack involves asking the sites to serve up a page of search results, or some other processor-intensive requests. That makes it hard to determine if the request is a real user action or a malicious fake.
CNET, citing Max Kelly, the chief security officer at Facebook, says this attack is personal and political: it is reporting that the motive was to silence a single person — a Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube — as part of the continuing Russia/Georgia conflict.
UPDATE Friday 8:55 Pacific: Facebook confirmed that the attack “appears to be directed at an individual who has a presence on a number of sites, rather than the sites themselves. Specifically, the person is an activist blogger and a botnet was directed to request his pages at such a rate that it impacted service for other users.”
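The article notes that each bot's request for a search page or a blogger's profile looks like an ordinary user action, while Facebook's statement says the damage came from the rate at which one person's pages were requested. The following added example (not code from Wired, Twitter, Facebook or Cisco) shows why per-client rate limits miss this pattern and why the concentration is only visible in aggregate; the log format and the `/blog/activist` path are constructed placeholders.

```python
"""Flag an expensive page drawing a disproportionate share of traffic from
many distinct sources: the application-layer DDoS pattern described above.
Added example; the "<client_ip> <path>" log format is a hypothetical one."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: 40 bots each request the target page once, mixed with
# a handful of ordinary visits to other pages.
SAMPLE_LOG: List[str] = [
    f"10.0.{i // 256}.{i % 256} /blog/activist" for i in range(40)
] + [
    "192.0.2.1 /search?q=news",
    "192.0.2.2 /home",
    "192.0.2.3 /search?q=news",
    "192.0.2.4 /home",
    "192.0.2.1 /profile/alice",
]


def _parse(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) pairs, skipping malformed lines."""
    pairs = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def max_requests_per_client(log_lines: List[str]) -> int:
    """Highest request count from any single client. When every bot sends
    only a few requests, this number stays low and per-IP limits never fire."""
    counts = Counter(ip for ip, _ in _parse(log_lines))
    return max(counts.values(), default=0)


def analyze(log_lines: List[str], share_threshold: float = 0.5,
            min_sources: int = 20) -> List[Tuple[str, int, int]]:
    """Return (path, requests, distinct_sources) for every path that takes at
    least share_threshold of all requests AND is hit by at least min_sources
    distinct clients. Legitimate popularity rarely shows both at once on a
    single expensive page; a botnet aimed at one target does."""
    pairs = _parse(log_lines)
    if not pairs:
        return []
    per_path: Counter = Counter(path for _, path in pairs)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for ip, path in pairs:
        sources[path].add(ip)
    return [(p, n, len(sources[p])) for p, n in per_path.most_common()
            if n / len(pairs) >= share_threshold and len(sources[p]) >= min_sources]
```

Raising `min_sources` above the number of bots, or lowering the target page's share by mixing in more normal traffic, lets you see where the aggregate signal fades.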
In an interview with the Guardian, a Georgian economics professor who blogs under the name Cyxymu says he was the intended target. He blamed the attack on the Russian government, which he says is trying to stifle his criticism of Russia’s conduct in its year-long war with Georgia.
Little of the investigation has been revealed but in a status update late Thursday, Twitter founder Biz Stone seemed to agree that there was a single perpetrator, at least on his site:
Over the last few hours, Twitter has been working closely with other companies and services affected by what appears to be a single, massively coordinated attack. As to the motivation behind this event, we prefer not to speculate. [...]
We’ve worked hard to achieve technical stability and we’re proud of our Engineering and Operations teams. Nevertheless, today’s massive, globally distributed attack was a reminder that there’s still lots of work ahead.
Denial of service attacks began about a decade ago when some of the net’s top sites — Amazon, Yahoo and eBay among them — got taken down by teens seeking to make names for themselves by taking advantage of glaring errors in network protocols.
In the second wave of attacks, which roughly ran from 2004 to 2007, criminals extorted money from websites with the threat of ongoing denial of service attack. In particular, extortionists targeted online gambling sites, many of which were outside the U.S., on the edge of legality, and certainly not favorites of the authorities. Other attacks were politically motivated, launched against websites that advocated controversial opinions, or made by cyber-criminals against security firms.
Those attacks all have rational explanations, which have given some comfort to security researchers who have watched as criminals have assembled botnets that include tens of thousands of compromised computers. These are used to send spam, host phishing websites and to steal credit card numbers.
That’s nasty, but the motive is understandable.
But criminals turned away from using botnets to extract ransom through denial of service attacks after the police became able to follow the money in such cases, leading to arrests. Perhaps Twitter and Facebook got ransom notes, but choosing such visible and money-losing targets for extortion would not be particularly smart.
And when unknown attackers brought down U.S. government sites like the Federal Trade Commission’s a few weeks ago, it turned out there was no understandable motive — once the hysterical notion that North Korean hackers were responsible was debunked.
But could either of the attacks be a way to test the strength of a new botnet? A cyberwar test-run?
Perhaps, Peterson said, but why would the attack persist for so long on Twitter and Facebook if it were just a nation testing out its new botnet weapon?
The same holds for the attack on the U.S. government, he said, pointing out that the attack targeted non-essential government sites, meaning it wouldn’t tell you much about how effective your botnet would be against a critical and protected target.
According to Peterson, it all points to one thing: Botnets are too easy to assemble. There are too many unpatched Microsoft Windows machines on the internet that repeatedly get infected and taken over.
“The barrier to entry is too low,” Peterson said. “It may be that 998 of 1,000 criminals out there are out to maximize profits and minimize risk, but it doesn’t take many of them to get their hands on a small botnet to create harm. Then you have a minority actor doing a disproportionate amount of harm.”
Paul Sop, the CTO for the anti-DDoS company Prolexic, agrees.
“High profile brands are often a target simply because they are there — sometimes as target practice for the attackers,” Sop said in an e-mail statement.
Peterson counseled that companies should identify what portions of their online operations are critical and talk to experts to make sure they are protected.
But he also recommended that companies not suddenly devote all of their security budget to preventing DDoS attacks — since most criminals would prefer to steal credit cards than keep people from posting 140 characters about their daily life.
Fail Whale illustration by @yiyinglu
See Also:
- Twitter, Facebook Attacks No Surprise to Security Experts
- Denial-of-Service Attack Knocks Twitter Offline
- Facebook Confirms Denial-of-Service Attack
- Botnets Took Control of 12 Million New IPs this Year
- Activists Launch Hack Attacks on Tehran Regime
- DDoS Attack Strikes Campaigns Against Same-Sex Marriage Bans
- DDoS Attacker Pleads Guilty, Agrees to Two Years’ Prison
via wired.com