Another Day, Another DDoS Blitz for Twitter

For the second time in less than a week, Twitter has been hit by a distributed denial of service (DDoS) attack.

Unlike the first attack last week, the latest cyberassault, which started on Tuesday, has been confined to Twitter so far — Facebook has apparently not been affected.

That has led Roger Thompson, chief of research at security vendor AVG Technologies, to speculate the second attack could be linked to the attacks on U.S. and South Korean government Web sites last month.

The attacker could be a vigilante who wants to draw attention to the security problems plaguing the Internet, Thompson has speculated.

Twitter’s Latest Outage Outrage

This time, the attacks on Twitter were much less severe than the first attack, which took the microblogging service down for more than two hours last week, leaving its 45 million or so users tweetless.

The latest attack hit the site in waves.

“We’re currently experiencing another wave of Distributed Denial of Service (DDoS) attacks against our system,” Alex Payne, platform lead at Twitter, wrote on the service’s Web dev blog on Tuesday at 12:23 p.m.

About one hour later, he blogged that the attacks had ceased and things would be back to normal soon. Following complaints by users Andrew Badera and Dewald Pretorius, who were responding to his post, he wrote at 1:57 p.m. that the attack had resumed.

“Our service provider is putting network hardware in place to counter the attack,” Payne wrote. “We’re trying to work with them to ensure minimal impact to the API, but in the near term there may be issues with OAuth and the Streaming API.”

The hardware fix did not go well. “Just found out that our hosting provider put some hardware in place that may cause disruptions,” Payne wrote at 2:22 p.m. on Tuesday. “Our operations team just spoke to them and they should be taking it down in 15-30 minutes.”

At 7 a.m. PST Wednesday, Pretorius wrote that the problem had resumed and that he was getting between two and five rejections per second.

Come Back, Lt. Calley

Last week’s DDoS attacks were suspected to be the work of Russian hackers, who apparently undertook the attack to silence a single Georgian blogger. The blogger goes by the name “Cyxymu” and was posting articles about the anniversary of Russia’s invasion of Georgia.

However, this latest DDoS attack is more likely related to the attacks last month on U.S. and South Korean government Web sites, AVG’s Thompson said. Over the July 4 weekend, massive DDoS attacks hit at least 14 U.S. government Web sites, including that of the Department of Homeland Security, as well as several South Korean government sites.

While some blamed North Korea, Thompson was skeptical. “What have they got, three Commodore 64s over there?” he said. “It’s more likely the work of a vigilante who wanted to draw attention to the botnet problem.

The targeted sites had very little in common apart from being government Web sites, Thompson explained. “There was not a lot of point to the attack except to make people think,” he said.

The latest DDoS attack, he believes, could be the work of that same vigilante or group of vigilantes. “It could be him again, now that he’s got everyone’s attention.”

Bashing the Botnets Now

The vigilante, Thompson suspects, wants to draw attention to the growing problem with botnets because the botnets that launched the attacks on July 4 self-destructed after a few days.

“Anybody who’s got or can rent a botnet can launch a DDoS attack, and the chances of catching them are pretty slim,” he said.

Botnets are informal networks of computers set up and controlled remotely by hackers, usually without the knowledge of the computers’ owners. They are used to launch attacks that can overwhelm Web servers and knock sites offline. The computers used in botnet attacks can be woken up and put to sleep remotely through commands over the Internet. Some cybercriminal gangs set up large botnets by surreptitiously installing malware on thousands of unsuspecting Web surfers’ computers. The botnet masters then rent or sell parts of these to criminals who use them for various purposes.

Cybercriminals are becoming increasingly sophisticated, and it’s getting more and more difficult to trace the botnet operators. This has led to a surge in malware — McAfee Avert Labs cataloged more than 1.2 million samples of malware in the first half of the year. In all of last year, which itself set a record in malware creation, McAfee saw only 1.5 million unique pieces of malware.

Preventing DDoS Attacks

It’s almost impossible to prevent a DDoS attack, Thompson said. “They’re absurdly easy to launch, but almost no one bothers because there’s no money in it.”

The DDoS attacks were probably caused by flooding the Twitter infrastructure with TCP or UDP packets, said Charlie Miller, principal analyst, software security at Independent Security Evaluators.

UDP, or User Datagram Protocol, lets computer applications send messages to other hosts on an Internet Protocol (IP) network without having to do an electronic handshake.

In light of the repeated attacks against its infrastructure, Twitter needs to take action to improve security. “They could distribute their infrastructure better and use an approach like Akamai to further reduce risk,” Miller told TechNewsWorld.

Akamai provides a distributed computing platform for global Internet content and application delivery.

1 Comment

  • You may be absolutely right, when you suggest someone ‘in control, currently’ of a major botnet is trying to simply make everyone look and pay attention…

    For years botnets main purpose is to send SPAM for crime and phishing for account log ins…

    But, it is harder and harder to get SPAM and PHISHING to be profitable, after a lot of technologies and user education has been made to stop SPAM and Phishing.

    Rendering the botnets, ‘traditional role’ more and more obsolete.

    Attacking twitter, a MASSIVELY social and high profile ( and sadly ‘easy soft target, as twitter already has infrustruture problems ) is the PERFECT target to down, with a botnet.

    The botnet master may simply be trying to ‘send a message that botnet is here’, get rid of me please!

    In either case… whether intentional or not… attacking Twitter will certainly give spotlight to the attackers… especially facebook that have lawyers and money … twitter, mostly makes news of the downtimes, which makes light of the botnets.


Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels