Twitter denial-of-service reveals fragile infrastructure, morphing motives
Posted on August 7, 2009 | 1 comment
The denial-of-service attacks that shut down Twitter and disrupted Facebook and LiveJournal this week were intended to be surgical strikes to obliterate a small-time, anti-Russian blogger.
But the attacks turned out to be not so surgical after all.
That’s the consensus of top security researchers and analysts interviewed by LastWatchdog.
There are two important revelations associated with this attack. First, the success of social networks revolves around aggregating huge blocks of user accounts in systems built for speed, and such systems are intrinsically fragile. And second, many things can motivate malicious cyber attacks.
Full range of emotions
There has not been a high-visibility disruption of major web sites on this scale since February 2000, when a 15-year-old Montreal school boy, using the handle Mafiaboy, installed bots on computers at Yale and Harvard universities, then instructed his botnet to crash CNN’s Web site for four hours and create chaos at the Web sites of Yahoo, eBay, Amazon, Dell, Excite, and E-Trade.
Michael Calce bragged in chat rooms that the FBI would never catch him. They did. Calce paid his debt to society and wrote a book about his experiences as the quintessential bragging-rights hacker.
But in the decade since then, the Internet has been commercialized at breakneck speed, and social networks are just the latest digital gathering place where participants can express the full range of human emotion and endeavor — good and evil.
“As more and more people depend on social networks, they expose themselves and their information to more vulnerabilities than in traditional networks with good security architecture in place,” observes Suzanne Magee, CEO of security firm TechGuard. “It’s like an arsonist attacking an office space in a building — all of the building occupants may be affected. We share our vulnerabilities because we are sharing resources with others.”
Twitter outsources datacenter, becomes media darling
Yesterday — Thursday morning, 06 Aug. ‘09 — an attacker set out to bombard the Twitter, Facebook and LiveJournal accounts of a blogger who calls himself Cyxymu, from Tbilisi, Georgia. Cyxymu at the time had fewer than 50 followers on Twitter, and frequently expressed objections to the Russian invasion of Georgia, says Nick Bilogorskiy, antivirus researcher at security firm SonicWall.
The attacker pointedly did not resort to a brute-force flood like the SYN flood Mafiaboy used, which ties up a server with half-open TCP connections; swamping Cyxymu’s Twitter profile page with hundreds of millions of nuisance requests would have needed tens of thousands of bots sending them continually.
Instead, Cyxymu’s nemesis used a “DNS attack,” directed at the domain name servers responsible for resolving the domain name “twitter.com” to the IP addresses of Twitter’s servers, the lookup that the browsers and apps of its millions of members must complete before they can connect at all, says Craig Labovitz, chief scientist at Arbor Networks.
A bit of context: In order to scale as quickly as it has, Twitter eschewed building and maintaining an in-house datacenter, says Labovitz. It also opened up its APIs to encourage third-party developers to create cool new applications spinning off the core Twitter service. The tactics were extremely successful. Twitter has skyrocketed from obscurity to media darling with 35 million users in a little over one year.
DNS server attack exposes chinks
On Thursday, the attacker exposed the chink in Twitter’s armor. He or she took aim at certain DNS servers at NTT Communications, the Tier 1 Internet backbone provider that supplies datacenter services to Twitter. “This was a targeted attack,” says Labovitz. “Brute force attacks have gotten easier to detect and mitigate, so we’re seeing an evolution to attacks that are harder to detect and mitigate, and much more crafted to the individual service or application.”
The DNS attack was extremely effective, says SonicWall’s Bilogorskiy. “The (Twitter) web site could not serve pages, because its domain was not getting resolved to IP addresses. In essence, DNS is a more sophisticated type of attack, finding the weakest point in the network’s infrastructure. Sometimes a target site can be brought down with less effort this way.”
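To make concrete what Bilogorskiy means by the domain “not getting resolved,” here is an added example in Python, written for this page and not taken from Twitter, NTT or any of the researchers quoted. It builds a non-recursive A query, parses a reply the way a resolver does, classifies what one authoritative server returned (an answer, SERVFAIL, or a timeout, which is what a flooded name server looks like from the outside), and then reports whether a zone is still resolvable at all and whether every name server sits in a single network prefix. The packets and addresses are constructed (RFC 5737 documentation space, a made-up TTL of 60 seconds); `probe_authoritative` is the only function that touches the network and is not run by default.

```python
import ipaddress
import random
import socket
import struct

# Added example for this article (not Twitter's, NTT's or any vendor's code).
# Minimal DNS wire-format client: ask one authoritative server directly
# (RD=0, no recursion) for the A records of a name and classify the reply.
# Sample packets below are constructed; addresses are RFC 5737 documentation space.

RCODES = {0: "ok", 1: "formerr", 2: "servfail", 3: "nxdomain", 5: "refused"}


def build_query(name, qtype=1, txid=None):
    """Encode a DNS query for `name` (type A by default) with recursion disabled."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_txid=None):
    """Return {'rcode': int, 'answers': [(name, type, ttl, rdata), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0x0F, "answers": answers}


def outcome(msg):
    """What a resolver learns from one reply: 'ok' only if a usable A record came back."""
    r = parse_response(msg)
    if r["rcode"] == 0 and not any(t == 1 for _, t, _, _ in r["answers"]):
        return "empty"  # NOERROR but nothing to connect to
    return RCODES.get(r["rcode"], "rcode%d" % r["rcode"])


def probe_authoritative(server_ip, name, timeout=2.0):
    """Query one authoritative server over UDP; 'timeout' is how a flooded server looks."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid=txid), (server_ip, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    parse_response(data, expected_txid=txid)  # raises on a mismatched id
    return outcome(data)


def zone_status(outcomes):
    """outcomes: {ns_ip: result}. Clients reach the site only while at least one
    authoritative server still answers; otherwise recursive resolvers hand back
    SERVFAIL and the health of the web tier no longer matters."""
    answering = sorted(ip for ip, o in outcomes.items() if o == "ok")
    return ("resolvable" if answering else "unresolvable"), answering


def shared_prefix(ns_ips, bits=24):
    """Crude single-provider check: do all name servers sit in one /bits network?"""
    nets = {ipaddress.ip_network("%s/%d" % (ip, bits), strict=False) for ip in ns_ips}
    return len(nets) == 1


# Constructed replies (not captured traffic): AA answer twitter.com A 192.0.2.10, TTL 60; and SERVFAIL.
QUESTION = b"\x07twitter\x03com\x00\x00\x01\x00\x01"
SAMPLE_OK = (b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
             + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a")
SAMPLE_SERVFAIL = b"\x12\x34\x84\x02\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION

if __name__ == "__main__":
    # Constructed scenario: four name servers in one provider prefix, all flooded.
    flooded = {ip: "timeout" for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4")}
    print(outcome(SAMPLE_OK), outcome(SAMPLE_SERVFAIL))  # ok servfail
    print(zone_status(flooded), shared_prefix(flooded))  # ('unresolvable', []) True
    # Live check (needs network): probe_authoritative("<ns ip>", "twitter.com")
```

Two things the code makes visible that the quotes only imply: a flooded authoritative server does not return an error, it simply never answers, so the failure surfaces as timeouts and then SERVFAIL from resolvers; and because resolvers keep a cached A record until its TTL expires, an attack on the name servers shows up progressively and unevenly across regions as caches drain, rather than as one instantaneous outage.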
This chart from PandaLabs’ Sean-Paul Correll shows how Twitter.com availability cratered multiple times on Thursday morning (times shown are Bilbao, Spain):
Bilogorskiy estimates that it took at least 100,000 bots to disrupt Twitter’s DNS servers on this scale. In today’s cyber underground, it would cost $5,000 to $10,000 to rent a botnet to conduct such an attack, he says.
Twitter managed to restore stable PC access in North America in about three hours. However, access in certain geographic regions outside the USA, and functions of third-party applications, including iPhone access and direct messages, remained spotty.
Tossing a grenade at a fly
In a Friday afternoon blog post titled, “The Adventure Continues,” Twitter co-founder Biz Stone conceded that “we’ve been contending with a variety of attacks that continue to change in nature and intensity. We’re working to restore access to apps built on the Twitter platform that were affected by defensive measures — there was some overcompensation on our part as we tune our system to deal with this scale of attack.”
While Twitter scrambled, Cyxymu used restored access to his Twitter account to jump on a soapbox. He began tweeting that the Russian secret police were behind the attack, bent on silencing him on the anniversary of the Russia-Georgia war, a claim that prompted scoffs of incredulity.
“I’m sure that governments or intelligence agencies have more direct and efficient methods for silencing somebody,” says Stefan Tanase, senior researcher at Kaspersky Labs. “DDoS-ing social networks doesn’t make sense, it is like using a tank to kill a mosquito.”
Pick your analogy. Cisco security researcher Patrick Peterson says it’s like “throwing a hand grenade to kill a fly.” The big beneficiary: Cyxymu, who now “has gained exactly the visibility the attackers presumably were trying to smother.”
Morphing motivations
Keep in mind Cyxymu began the week with about 46 followers on Twitter, and ended it with 1,429 and climbing. One might construct a scenario whereby Cyxymu launched the attack against himself to achieve global recognition. A $5,000 expenditure for botnet DDoS services might seem reasonable enough, in that light.
“The only way such an attack could conceivably be profitable would be if it was done as part of an extortion plan, and that seems unlikely against such a large target,” observes Trend Micro analyst David Perry. “It is too likely to draw the kind of international press attention that demands retribution and law enforcement engagement.”
Another surprising beneficiary of the attack: Twitter. “The only thing that I’m sure is going to happen after these incidents is that Twitter will gain even more popularity as a result,” says Tanase. “Everybody’s talking about it, the story is all over the news, all over the world – so the only thing that will happen is that Twitter will be even more popular after this.”
This all speaks to morphing motivations for cyber attacks. We’ve come a long way from Mafiaboy. Bragging rights and quick profits aren’t the only drivers for making use of readily available cybercrime tools and services.
Whoever set out to shut down Cyxymu, and for whatever reasons, the attack exposed the fragile infrastructure of social networks in general and Twitter in particular.
“There is no sure-fire way to prevent a denial of service attack,” says Beth Jones, Security Analyst for Sophos. “Twitter did a remarkable job defending against the attack. They are still a relatively small company, and are still somewhat fledgling in this arena and are still beefing up their network. Facebook and LiveJournal have been around for much longer and have been able to ramp up their systems and bandwidth.”
–Byron Acohido
Comments
It’s interesting to watch as the facts begin to get publicized in the Twitter case. At first it was speculated to be a DNS attack, then later it wasn’t. Now it is again.
In any event, attacks against authoritative DNS servers can be mitigated, at least until the network pipes get saturated. DNS servers can be designed to reject amplified DNS floods as well as other types of DDoS attacks, and are being built to respond to huge amounts of DNS queries that modern networks are imposing on DNS systems.
Nevertheless, I am surprised that other sites being served by the same DNS server at NTT didn’t suffer. A DNS attack should affect ALL sites listed on the DNS server, not just Twitter. It seems there is some more explanation needed on just what really happened.
Comment by Joe Gersch — 8/10/2009 @ 2:00 pm