Twitter Silenced: Denial Of Service Explained
by Jago Maniscalchi // August 7, 2009 // Exploits and Malware // No comments

Twitter suffered a well-publicised denial of service last night. The attack, which succeeded in bringing down the service for over an hour, also caused problems for Facebook, LiveJournal and other social networking sites.
CNET have discovered that the target of the attack was Georgian blogger ‘Cyxymu’.
A Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.
The blogger, who uses the account name “Cyxymu,” (the name of a town in the Republic of Georgia) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.
What is a Denial of Service (DoS) attack? Exactly what it says on the tin – an attack that denies a particular service to a target user or population. It could involve manipulating the computer of a single user to deny them access to the network or a particular website. Usually, though, it involves targeting a particular service at its source and denying it to the whole population.
Several methods exist for executing a denial of service. Resource exhaustion is usually the method of choice. The attacker attempts to exhaust some resource that is required to deliver the service. They could concentrate on consuming network bandwidth, sockets, CPU or disk space, for example.
Early DoS attacks were launched directly from a single attacker computer and would typically involve generating a lot of traffic or making multiple connections to a website. The Apache server still suffers from a vulnerability exploitable by a single attacker – weaponised by rsnake in the Slowloris tool in June this year.

As DoS defenders became more adept, attackers began utilising botnets – large networks of compromised machines under the control of an attacker – to generate even larger amounts of traffic. These attacks, from a distributed set of drones, typically consume all the network bandwidth available to the target service and are known as distributed denial of service attacks (DDoS). They are much harder to defend against because there is no discernible pattern in the incoming traffic. While traffic from a single computer can easily be blocked, it is much more difficult to block traffic from 100,000 machines.

What if you don’t have access to a botnet? A technique known as reflected amplified DDoS can be employed. This involves an attacker making many, very small, requests for service to many servers. The requests are designed such that the response goes to the target, not back to the attacker. In this way the attack is ‘reflected’ from the servers. The request is also designed such that the response will be much larger than the original request – it is ‘amplified’. Using this technique, the attacker can direct more traffic against the target than he was capable of generating himself.

Reflected amplified DDoS attacks are difficult to execute – not many services allow a user to make a request on behalf of another user – but are also difficult to defend against. Network impersonation (IP address spoofing) can be used in order to achieve reflection, but can also be defended against relatively easily.
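From the victim's side, the reflection pattern described above shows up in flow data as large service responses arriving from many distinct servers that the victim never queried. The following detector is an added example, not code from the original post; the flow records, the host addresses and the thresholds are constructed for illustration.

```python
"""Flag reflected/amplified traffic in flow records (added example).

A reflected attack is visible at the victim as responses (here DNS-style,
source port 53) from many distinct servers with no matching outbound
requests, so the inbound/outbound byte ratio is very high or unbounded.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    nbytes: int


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    # Victim 10.0.0.5 receives 3000-byte replies from four servers it never queried.
    *[Flow(f"198.51.100.{i}", "10.0.0.5", 53, 40000 + i, 3000) for i in range(1, 5)],
    # Legitimate client 10.0.0.9: one 60-byte query, one 120-byte reply, one resolver.
    Flow("10.0.0.9", "192.0.2.1", 51000, 53, 60),
    Flow("192.0.2.1", "10.0.0.9", 53, 51000, 120),
]


def detect_reflection(flows, service_port=53, min_reflectors=3, min_ratio=5.0):
    """Return {host: (reflector_count, bytes_in, amplification_ratio)} for hosts
    receiving service responses from at least min_reflectors distinct servers
    with an inbound/outbound byte ratio of at least min_ratio.  A host that sent
    no requests at all gets an infinite ratio (purely unsolicited traffic)."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.src_port == service_port:      # a response coming from a service
            bytes_in[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
        elif f.dst_port == service_port:    # a request sent to a service
            bytes_out[f.src] += f.nbytes
    findings = {}
    for host, servers in reflectors.items():
        ratio = bytes_in[host] / bytes_out[host] if bytes_out[host] else float("inf")
        if len(servers) >= min_reflectors and ratio >= min_ratio:
            findings[host] = (len(servers), bytes_in[host], ratio)
    return findings


if __name__ == "__main__":
    for host, (n, b, r) in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{host}: {n} reflectors, {b} bytes in, amplification ratio {r}")
```

The legitimate client is not flagged because it has one reflector and a ratio of 2; a real deployment would derive the ratio from the protocol's known amplification factor and tune the thresholds per service.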
There are many twists on these themes used in real world attacks. Those twists, and the imagination required to conceive them, are the prerequisite for success – the first attack to use a new technique will often be successful. It had better be good, though, because it’s unlikely to work a second time.