Is a Psychopath Attacking Twitter, Facebook?






Thursday’s denial of service attacks on Twitter and Facebook, and the ones that flooded non-critical U.S. government sites several weeks ago, share a very interesting common denominator, according to a senior security researcher at Cisco.

They don’t make any sense. And that means trouble, according to Cisco’s Patrick Peterson.

“I’m afraid two outliers make a line and there is something going on,” Peterson said. “We have entered the third generation of denial of service attacks, and anyone that plans on rationality of criminals is at risk.”

What does that mean? It means that assuming the bad guys online are just a new breed of bank robbers can get you into trouble if there are a few psychopaths mixed in.

The ongoing attack Thursday on Facebook and the micro-publishing site Twitter likely involves tens of thousands of compromised computers under the control of a single person. The attack likely works by asking the site to serve up a page of search results, or to handle other processor-intensive requests that make it hard to determine if a request is real or a malicious fake.
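The paragraph above describes why this kind of flood is hard to tell apart from real traffic: each bot in a large botnet can request the expensive page at a rate that looks like a normal user, so per-client limits never fire. What survives is the aggregate signal, a sudden jump in the share of traffic hitting a costly endpoint, arriving from an unusually large number of distinct sources. The following script is an added example, not code from the article or from any company it quotes; the log line layout, the choice of `/search` as the expensive endpoint, and the sample traffic are all constructed for the example.

```python
"""Added example: spotting a distributed flood against an expensive endpoint
in a window of web access logs, using aggregate rather than per-client signals."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed log layout, constructed for this example (not any real server's format):
#   "<client ip> <epoch seconds> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<ts>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Endpoints that cost far more server CPU per request than a cached page.
# Which paths count as expensive is an assumption; a real deployment would measure it.
EXPENSIVE_PREFIXES = ("/search",)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    # Drop the query string so /search?q=a and /search?q=b are grouped as one route.
    rec["route"] = rec["path"].split("?", 1)[0]
    return rec


def build_sample_log() -> List[str]:
    """Constructed 60-second window: a little normal browsing plus a distributed search flood."""
    lines = []
    base = 1_249_600_000  # arbitrary epoch timestamp, constructed
    # Normal users: six clients viewing cheap pages, one of them running a single search.
    for i in range(6):
        ip = f"203.0.113.{i + 10}"  # TEST-NET-3 documentation addresses
        lines.append(f"{ip} {base + i * 7} GET / 200")
        lines.append(f"{ip} {base + i * 7 + 3} GET /user/{i} 200")
    lines.append(f"203.0.113.10 {base + 20} GET /search?q=lunch 200")
    # Flood: 40 distinct bots, each sending only two searches in the minute,
    # a per-client rate that no reasonable per-IP threshold would catch.
    for i in range(40):
        ip = f"198.51.100.{i + 1}"  # TEST-NET-2 documentation addresses
        lines.append(f"{ip} {base + i} GET /search?q=term{i} 200")
        lines.append(f"{ip} {base + i + 30} GET /search?q=term{i}x 200")
    return lines


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-route aggregate: hits, share of all traffic, distinct clients, busiest single client."""
    hits_by_route: Dict[str, int] = defaultdict(int)
    clients_by_route: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing on them
        total += 1
        hits_by_route[rec["route"]] += 1
        clients_by_route[rec["route"]][rec["ip"]] += 1
    summary = {}
    for route, hits in hits_by_route.items():
        clients = clients_by_route[route]
        summary[route] = {
            "hits": hits,
            "share": hits / total if total else 0.0,
            "distinct_clients": len(clients),
            "max_per_client": max(clients.values()),
        }
    return summary


def flag_floods(summary: Dict[str, dict], baseline_share: float,
                min_clients: int, share_factor: float = 3.0) -> List[str]:
    """Flag expensive routes whose traffic share is well above baseline AND comes from many clients.

    baseline_share is the route's normal fraction of requests, assumed known from historical logs.
    Requiring many distinct clients separates a distributed flood from one noisy user."""
    flagged = []
    for route, s in summary.items():
        if not route.startswith(EXPENSIVE_PREFIXES):
            continue
        if s["share"] >= baseline_share * share_factor and s["distinct_clients"] >= min_clients:
            flagged.append(route)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(build_sample_log())
    for route in ("/", "/search"):
        print(route, stats[route])
    print("flagged:", flag_floods(stats, baseline_share=0.05, min_clients=20))
```

In the constructed window the busiest bot sends only two requests, so `max_per_client` stays at a level any real user could produce, while `/search` jumps to well over 80 percent of all requests from more than 40 distinct addresses. That combination is the signal worth alerting on; the thresholds passed to `flag_floods` are assumptions that would be tuned from a site's own history.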

There’s no rational explanation for the attack other than that the sites are popular, according to Peterson, leaving only the conclusion that the botnet’s master is simply crazy.

Late Thursday, Twitter’s founder Biz Stone seemed to agree with that assessment in a status update:

Over the last few hours, Twitter has been working closely with other companies and services affected by what appears to be a single, massively coordinated attack. As to the motivation behind this event, we prefer not to speculate. [...]

We’ve worked hard to achieve technical stability and we’re proud of our Engineering and Operations teams. Nevertheless, today’s massive, globally distributed attack was a reminder that there’s still lots of work ahead.

Denial of service attacks began about a decade ago when some of the net’s top sites — Amazon, Yahoo and eBay among them — got taken down by kids seeking to make a name for themselves by taking advantage of glaring errors in network protocols with not much effort.

Then, in the second wave of attacks, which ran roughly from 2004 to 2007, criminals extorted money from web sites with the threat of a denial of service attack — the online equivalent of having hundreds of people repeatedly call a business in order to shut out its usual customers.

In particular, extortionists targeted online gambling sites, many of which were outside the U.S., on the edge of legality and certainly not favorites of the authorities. These were augmented by politically motivated attacks on web sites that advocated controversial opinions and attacks by cyber-criminals on security firms.

Those all have valid, rational explanations, which have given some comfort to security researchers who have watched as criminals have assembled botnets that include tens of thousands of compromised computers. These are used to send spam, host phishing websites and attempt to steal credit card numbers.

Nasty, but understandable.

As for using the botnets to extract ransom from denial of service attacks, the police have a well-known track record of being able to follow the money in such cases, making it an unwise decision for criminals.

Perhaps Twitter and Facebook got ransom notes, but choosing such visible and money-losing targets for extortion isn’t particularly smart.

And when an unknown attacker brought down U.S. government sites like the Federal Trade Commission’s a few weeks ago, it turned out there was no understandable motive — once the hysterical notion that it was North Korean hackers was technically debunked.

But could either of the attacks be a way to test the strength of a new botnet? A cyberwar test-run?

Perhaps, Peterson admits, but why would the attack persist for so long on Twitter and Facebook if it were just a nation state testing out its new botnet? The same holds for the attack on the U.S. government, according to Peterson, who points out that the attackers hit non-essential government sites, which wouldn’t tell you much about how effective your botnet would be against a critical and protected target.

It all points to one thing, Peterson thinks. Botnets are too easy to assemble. There are too many unpatched Microsoft Windows machines on the internet that get repeatedly infected and taken over.

“The barrier to entry is too low,” Peterson said.

“It may be that 998 of 1,000 criminals out there are out to maximize profits and minimize risk, but it doesn’t take many of them to get their hands on a small botnet to create harm. Then you have a minority actor doing a disproportionate amount of harm.”

Paul Sop, the CTO of the anti-DDoS company Prolexic, agrees.

“High profile brands are often a target simply because they are there – sometimes as target practice for the attackers,” Sop said in an email statement.

Peterson counseled that companies should identify what portions of their online operations are critical and talk to experts to make sure they are protected.

But he also recommended that companies should not suddenly turn all of their security budget to preventing DDoS attacks — since most criminals would prefer to steal credit cards than keep people from posting 140 words about their daily life.

Source: Ryan Singel
