Thursday’s denial of service attacks on Twitter and Facebook, and the ones that flooded non-critical U.S. government sites several weeks ago, share a very interesting common denominator, according to a senior security researcher at Cisco.
They don’t make any sense. And that means trouble, according to Cisco’s Patrick Peterson.
“I’m afraid two outliers make a line and there is something going on,” Peterson said. “We have entered the third generation of denial of service attacks, and anyone that plans on rationality of criminals is at risk.”
What does that mean? It means that assuming the bad guys online are just a new breed of bank robbers can get you into trouble if there are a few sociopaths mixed in.
The ongoing attacks Thursday on Facebook and the micro-publishing site Twitter likely involve tens of thousands of compromised computers under the control of a single person. Likely the attack involves asking the sites to serve up a page of search results, or some other processor-intensive requests. That makes it hard to determine whether a request is a real query from a user or a malicious fake.
CNet, citing Max Kelly, chief security officer at Facebook, says this attack is personal, and political: it is reporting that the motive was to silence a single person — a Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube — as part of the continuing Russia/Georgia conflict.
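The passage above describes an application-layer flood: bots request pages that are cheap to ask for but expensive for the server to build, such as search results. One defender-side check is to look at access logs and flag any source that hits those expensive endpoints at a rate no human browsing session would produce. The script below is an added example, not code from the article or from Twitter, Facebook or Cisco; the `/search` path, the 10-second window, the threshold of five requests and the log lines are all constructed assumptions for illustration.

```python
"""Flag sources flooding processor-intensive endpoints in web access logs.

Added example (not from the article). Assumes combined-log-style lines and
that /search is the expensive endpoint; window, threshold and log data are
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Paths whose handling is expensive for the server (assumption for this example).
EXPENSIVE_PATHS = ("/search",)
WINDOW = timedelta(seconds=10)   # sliding window per source
THRESHOLD = 5                    # more expensive hits than this per window is flagged

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop the query string
    return m.group("ip"), ts, path


def flag_expensive_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Map source IP -> peak number of expensive requests seen inside one window.

    Only sources that exceed `threshold` within `window` appear in the result.
    Lines for a given source are expected in chronological order; lines for
    different sources may be interleaved.
    """
    recent = defaultdict(deque)   # per-source timestamps of expensive requests
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.startswith(EXPENSIVE_PATHS):
            continue                # cheap requests are not counted here
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # slide the window forward
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _line(ip, second, path):
    """Build one constructed log line at 10:00:<second> UTC on 6 Aug 2009."""
    return (f'{ip} - - [06/Aug/2009:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 4096')


# Constructed sample: one bot hammering /search twice a second for six seconds,
# one ordinary user running two searches half a minute apart, and one source
# fetching a static image repeatedly (cheap, so it is not counted).
SAMPLE_LOG = (
    [_line("203.0.113.5", s // 2, "/search?q=news") for s in range(12)]
    + [_line("198.51.100.7", 0, "/search?q=news"),
       _line("198.51.100.7", 3, "/home"),
       _line("198.51.100.7", 30, "/search?q=music")]
    + [_line("192.0.2.9", s, "/static/logo.png") for s in range(20)]
)

if __name__ == "__main__":
    for ip, peak in flag_expensive_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} expensive requests within {WINDOW.seconds}s")
```

A per-source threshold like this catches a single noisy client, but the article's point is that the traffic came from tens of thousands of compromised machines, each of which can stay under any reasonable per-IP limit. In that situation the useful signal is the aggregate rate on the expensive endpoint itself, which is why the same log parsing is usually paired with per-endpoint rate limits, request cost accounting or a caching layer in front of search rather than per-IP blocking alone.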
Little of the investigation has been revealed, but in a status update late Thursday Twitter founder Biz Stone seemed to agree that there was a single perpetrator at least on his site:
Over the last few hours, Twitter has been working closely with other companies and services affected by what appears to be a single, massively coordinated attack. As to the motivation behind this event, we prefer not to speculate. [...]
We’ve worked hard to achieve technical stability and we’re proud of our Engineering and Operations teams. Nevertheless, today’s massive, globally distributed attack was a reminder that there’s still lots of work ahead.
Denial of service attacks began about a decade ago when some of the net’s top sites — Amazon, Yahoo and eBay among them — got taken down by teens seeking to make a name for themselves by taking advantage of glaring errors in network protocols.
In the second wave of attacks, which ran roughly from 2004 to 2007, criminals extorted money from web sites with the threat of a denial of service attack — the online equivalent of having hundreds of people repeatedly call a business in order to shut out its usual customers. In particular, extortionists targeted online gambling sites, many of which were outside the U.S., on the edge of legality and certainly not favorites of the authorities. Other DDoSes included politically motivated attacks on web sites that advocated controversial opinions and attacks by cyber-criminals on security firms.
Those all have valid, rational explanations, which have given some comfort to security researchers who have watched as criminals have assembled botnets that include tens of thousands of compromised computers. These are used to send spam, host phishing web sites and attempt to steal credit card numbers.
That’s nasty, but the motive is understandable.
But criminals have turned away from using the botnets to extract ransom from denial of service attacks after the police started being able to follow the money in such cases, leading to arrests. Perhaps Twitter and Facebook got ransom notes, but choosing such visible and money-losing targets for extortion would not be particularly smart.
And when an unknown attacker brought down U.S. government sites like the Federal Trade Commission a few weeks ago, it turned out there was no understandable motive — once the hysterical notion that it was North Korean hackers was technically debunked.
But could either of the attacks be a way to test the strength of a new botnet? A cyberwar test-run?
Perhaps, Peterson admits, but why would the attack persist for so long on Twitter and Facebook if it were just a nation testing out its new botnet weapon?
The same holds for the attack on the U.S. government, according to Peterson, who points out the attack targeted non-essential government sites, which wouldn’t tell you much about how effective your botnet would be against a critical and protected target.
It all points to one thing, Peterson thinks. Botnets are too easy to assemble. There are too many unpatched Microsoft Windows machines on the internet that get repeatedly infected and taken over.
“The barrier to entry is too low,” Peterson said. “It may be that 998 of 1000 criminals out there are out to maximize profits and minimize risk, but it doesn’t take many of them to get their hands on a small botnet to create harm. Then you have a minority actor doing a disproportionate amount of harm.”
Paul Sop, the CTO for the anti-DDoS company Prolexic, agrees.
“High profile brands are often a target simply because they are there — sometimes as target practice for the attackers,” Sop said in an e-mail statement.
Peterson counseled that companies should identify what portions of their online operations are critical and talk to experts to make sure they are protected.
But he also recommended that companies not suddenly turn all of their security budget to preventing DDoS attacks — since most criminals would prefer to steal credit cards than keep people from posting 140 words about their daily life.
Fail Whale illustration by @yiyinglu
See Also:
- Twitter, Facebook Attacks No Surprise to Security Experts
- Denial-of-Service Attack Knocks Twitter Offline
- Facebook Confirms Denial-of-Service Attack
- Botnets Took Control of 12 Million New IPs this Year
- Activists Launch Hack Attacks on Tehran Regime
- DDoS Attack Strikes Campaigns Against Same-Sex Marriage Bans
- DDoS Attacker Pleads Guilty, Agrees to Two Years’ Prison
Source: Ryan Singel
