FRAMINGHAM (08/07/2009) - Security analysts Thursday scrambled to find a motive behind the distributed denial-of-service attacks that brought down Twitter for several hours, and also hit Facebook, Google and LiveJournal.
With little information to go on, researchers ended up speculating on who launched the attacks and why, although several agreed that Twitter's infrastructure needed immediate strengthening.
"If you monitor the hacking forums, it's clear they're pissed at Twitter," said Richard Stiennon, founder of IT-Harvest, a security research firm. "Twitter came out of nowhere. Hackers hated that. They'd been using forums and IRC to communicate, and all of a sudden, the rest of the world has their own thing in Twitter."
To Stiennon's thinking, the rise of Twitter -- and the backlash against it -- resembles the situation in the 1990s, when AOL rose to prominence, but tech-savvy users denigrated it as little more than a glorified BBS (bulletin board system).
"It's the same thing now," Stiennon said. "They look at Twitter and think, 'there goes the neighborhood.' So they wanted to demonstrate that they could take it down and generate news at the same time."
Roger Thompson, chief research officer at AVG Technologies, has a different idea.
"I think it was a vigilante," he said, "who wants to call attention to the danger of botnets."
Thompson's theory posits that the vigilante -- perhaps a security professional -- assembled a small botnet, then aimed it at Twitter and Facebook, which was also attacked Thursday. He based his idea on several similarities to the distributed denial-of-service (DDoS) attacks that hammered U.S. government and South Korean commercial sites in early July.
Those attacks, at one point thought to originate from North Korea, were unfocused, had no noticeable political agenda and most important, ended with the botnet controller ordering the machines to self-destruct by wiping their hard drives.
"Who builds a botnet, then destroys it?" Thompson asked. "That's just crazy."
In fact, Thompson said he believed the Twitter hacker was the same person who ran the U.S./South Korea DDoS almost exactly a month ago. "No one profits from DDoS-ing Twitter," he said. "The only possible explanation is that someone wanted to make people think about something, and I think that something is botnets.
"Botnets are a very big problem, but no one does anything about them," he added.
Both Stiennon and Thompson used the word "easy" to describe the kind of DDoS attack required to successfully attack Twitter and other Web sites. "It wouldn't take a real big botnet," said Thompson. One with 20,000 to 30,000 bots could have spoiled Twitter's day."
A different motivation surfaced late Thursday, when a Facebook executive told CNET News that his company believed the attacks were directed against one individual, a pro-Georgian blogger identified only as "Cyxymu," who had accounts on Facebook, Twitter, LiveJournal and Google Inc.'s Blogger and YouTube.
"It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," Max Kelly, Facebook's chief security officer, said.
One thing security researchers seemed to agree on was that Twitter needed to bolster its Web infrastructure, or it will invite further attacks. "If Twitter is following the usual commercial site approach to plan for a 100% traffic increase, it would be easy for a DDoS to take it down," Stiennon said.
"Twitter has to [re-examine] their infrastructure," Stiennon recommended. "It wouldn't take much more than $10 million to double the transaction capacity from what they have had. I'd double that or even quadruple that right away."
Barrett Lyon, the former chief technology officer and co-founder of BitGravity, and a noted expert on DDoS attacks, concurred. [Also read about Lyon's battle with online extortionists.] He and Stiennon collaborated yesterday in an attempt to dig up information about the Twitter attack; Lyon pegged the attack a DDoS before Twitter acknowledged it later Thursday morning.
"It's pretty clear [Twitter is] ready for a redesign," Lyon said in an entry to his personal blog [caution: NSF]. "They need their own autonomous network, bring in bandwidth from many different providers, and have several layers of security. Building a strong ACL border and a nice mitigation layer would make a lot of sense for a company that is enabling communication."
According to Lyon, Twitter relies on just one vendor to provide its link to the Internet backbone: NTT Communications, a subsidiary of Nippon Telegraph and Telephone, based in Tokyo.
"I would guess something in their load balancing farm was not configured to deal with the attack or this would have just been absorbed without much notice," said Lyon, who noted that Facebook, which has a much more robust infrastructure, largely escaped harm.
Thompson, meanwhile, said if his premise is correct, Twitter may not have much time to get its act together. Noting the monthlong gap between the July DDoS attacks against U.S. and South Korean sites and Thursday's assault on Twitter and others, he said the vigilante might strike again using the same timeline.
"If I was a betting man, I'd be betting on another one in early September," Thompson said.