DDoS Zombie Attack Plagues Social Networks

For social network junkies, and for companies that rely on sites such as Twitter and Facebook to interact with clients, Aug. 6 was a bleak day. A massive distributed denial-of-service (DDoS) attack targeting a single pro-Georgian blogger drastically slowed or stopped five major sites: Facebook, Twitter, YouTube, LiveJournal, and Fotki. Security teams worked around the clock to limit the damage as users grew more and more impatient, uncertain, and frustrated.

DDoS attacks are nothing new. Nor are they an uncommon way to target political enemies: in July, similar attacks hit 27 government agencies and commercial websites in the U.S. and South Korea, slowing them for hours. In fact, any crafty hacker with a grudge could target any single user of any globally connected site. However, by cutting people off from some of the most trafficked digital social hubs in the U.S., the August attackers certainly knew how to get people talking.

Biz Stone, co-founder of Twitter, said in an interview with PBS interviewer Tavis Smiley that Twitter and other targets were the victims of DDoS attacks flooding hundreds of pages with rapid-fire requests from "millions of zombie computers that have been infected with some virus." Twitter said in a statement that the attacks were "geopolitical" in nature; Facebook chief security officer Max Kelly told CNET News the effort aimed to silence accounts belonging to a blogger known as "Cyxymu" who had, a few days before, blogged about an upcoming anniversary in the Russia-Georgia conflict.

Security researchers at McAfee Avert Labs also detected a spam campaign that spoofed the blogger's Gmail address to flood recipients with spam messages. They said it was part of an intimidation tactic directing even more traffic to targeted sites, although Kelly doubted the spam campaign had the same crippling effect as web-launched attacks.

Facebook, Twitter, Google, and other sites teamed up to fend off the attackers. Within 24 hours, the DDoS damage was contained, and the sites went back up.

"What we learned is that you have to tune your systems to handle this scale of assault," Stone told PBS. Twitter had spent so long catching up with its own skyrocketing popularity that it hadn't fully contemplated a wide-scale disaster plan for massive attacks, Stone said.

The Aug. 6 attacks made headlines because their victims are global hubs. Twitter warned during the outage that API clients would experience time-outs, and Sawhorse Media, which operates multiple sites aggregating niche Twitter content, told PaidContent that its sites had been affected. However, Twitter, Facebook, and the other attacked sites assured users that no private data had been breached.

What happened to Twitter and Facebook could happen to any company hosting a website plugged into the global internet, says Adam Rothschild, vice president of network architecture and operations at Voxel dot Net, Inc., a managed server and high-bandwidth hosting company that has fielded its fair share of DDoS attacks.

Attacks launched from a sole well-connected source or from spoofed IP addresses are becoming less common, Rothschild says. Many attacks he's seen lately come from botnets similar to the "zombie computers" Stone implicated in the Twitter attacks.
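The shift Rothschild describes matters for detection: a per-client rate limit catches one well-connected attacker, but a botnet of zombies that each send only a few requests slips under it, and only the aggregate rate gives the flood away. The following Python sketch is an added example, not code from the article, Voxel dot Net, or Twitter; its log format, thresholds, and traffic figures are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Thresholds are assumptions for this example, not figures from the article.
WINDOW_S = 10          # size of each time bucket in seconds
PER_IP_LIMIT = 20      # requests per window above which one client is suspect
AGGREGATE_LIMIT = 100  # requests per window above which the window is a flood
MIN_SOURCES = 30       # distinct clients needed before a flood counts as distributed


def parse_log(text):
    """Parse constructed lines of the form '<epoch_seconds> <client_ip> <path>'."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, path = line.split()
        events.append((int(ts), ip, path))
    return events


def classify_windows(events):
    """Bucket events by WINDOW_S and label each bucket.

    One client over PER_IP_LIMIT is a single-source flood that per-IP limiting
    handles. Many distinct clients each under the limit, but over AGGREGATE_LIMIT
    in total, is the botnet case: every zombie looks like a normal reader.
    """
    buckets = defaultdict(Counter)
    for ts, ip, _path in events:
        buckets[ts - ts % WINDOW_S][ip] += 1
    verdicts = {}
    for start, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if max(per_ip.values()) > PER_IP_LIMIT:
            verdicts[start] = "single-source flood"
        elif total > AGGREGATE_LIMIT and len(per_ip) >= MIN_SOURCES:
            verdicts[start] = "distributed flood"
        else:
            verdicts[start] = "normal"
    return verdicts


def constructed_log():
    """Build three windows of synthetic traffic: baseline, one noisy client, a botnet."""
    lines = []
    for i in range(8):                       # window 0: a handful of readers
        lines.append(f"{i} 198.51.100.{i % 4} /blog")
    for i in range(60):                      # window 10: one client hammering the page
        lines.append(f"{10 + i % 10} 203.0.113.9 /blog")
    for i in range(150):                     # window 20: 75 zombies, 2 requests each
        lines.append(f"{20 + i % 10} 192.0.2.{i % 75} /blog")
    return "\n".join(lines)
```

Running `classify_windows(parse_log(constructed_log()))` labels the three windows normal, single-source flood, and distributed flood; the last one is invisible to the per-IP check alone.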

"As an industry, end-user broadband access providers need to clean up their game and more actively monitor their networks for potentially compromised subscribers," Rothschild says. "The same can be said of hosting providers leasing a server with a fat pipe to the net; many of these smaller and mid-sized shops do not maintain responsive security and abuse departments, or even have an inkling anything is going on until we pick up the phone and get in touch with them."

Simply being able to detect an attack isn't sufficient, Rothschild says. He advised companies to seek more details from their host administrators about contingency plans for handling the DDoS storm. A provider with multiple data centers could also help keep operations flowing relatively smoothly during an influx of malicious requests, he said.

Rothschild says companies should look for hosts that allow sites to scale up and down quickly in the event of an attack, and that are operated by administrators with experience making quick security fixes and providing connectivity and failover between sites.

With age comes wisdom. Social networks have learned firsthand how crippling the new wave of DDoS attacks can be, and with millions of users who have millions of opinions, there are sure to be more. While they won't ever eliminate the cyberthreat, hopefully social networks and the sites that rely on them will put those lessons into action.

(http://cyxymu.livejournal.com; http://twitter.com/cyxymu; www.voxel.net)