[liberationtech] Social site sieges -- collateral damage in cyberwar?

Fri Aug 7 16:11:42 PDT 2009

Social site sieges -- collateral damage in cyberwar?

By JOHN MURRELL <jmurrell at bayareanewsgroup.com>

*Early this morning,* Twitter was still trying to regain steady footing
after being pummeled to its knees by a denial of service attack that began
24 hour earlier<http://click1.newsletters.siliconvalley.com/mykvskmml_rqgkwkggvws_dbbgcjgb.html>.
Availability remained spotty in places, as did responsiveness to third-party
apps. Meanwhile, speculation swirled over the who, why and how of the
simultaneous assaults that also hit Facebook, LiveJournal and Google's
Blogger and YouTube, all of which held up better than the microblogging
service.

The selection of targets and the nature of the attacks posed a puzzle.
Malware authors, spammers and other online evildoers certainly have an
interest in social sites, but mainly as vehicles to reach victims, so taking
the sites down by flooding them with data requests would be
counterproductive. Denial of service attacks have sometimes figured in
extortion plots, but there was no indication of that in this case.
Perhaps, some
posited<http://click1.newsletters.siliconvalley.com/hgdwbdkky_rqgkwkggvws_gbkjqtjk.html>,
it was the work of a maladjusted griefer who simply enjoys creating random
chaos.

But the latest information indicates there was nothing random about it.
According to several security experts, the attacks were a carpet-bombing
offensive aimed at a single individual — an outspoken Georgian blogger who
uses the name "Cyxymu" and has accounts on each of the targeted services.
"It was a simultaneous attack across a number of properties targeting him to
keep his voice from being heard," Facebook security chief Max Kelly told
CNet<http://click1.newsletters.siliconvalley.com/hgdwbdkkk_rqgkwkggvws_yhmvjpvm.html>.
"We're actively investigating the source of the attacks and we hope to be
able to find out the individuals involved in the back end and to take action
against them if we can."

Given Cyxymu's history of controversial
commentary<http://click1.newsletters.siliconvalley.com/yhfjvfmmp_rqgkwkggvws_tdvhkzhv.html>
and
today being the first anniversary of the war between Russia and
Georgia<http://click1.newsletters.siliconvalley.com/fwjmqjggq_rqgkwkggvws_ihgdktdg.html>over
the South Ossetia region, a credible case emerged for pro-Russian hackers or
sympathizers as the
who<http://click1.newsletters.siliconvalley.com/czgtbgddn_rqgkwkggvws_ohtgvmgt.html>
and
political conflict as the why behind the assault.

The how remains in question. Bill Woodcock, research director at the
non-profit Packet Clearing House, told the
Register<http://click1.newsletters.siliconvalley.com/gbzqjzkkz_rqgkwkggvws_bnhmkrmh.html>
that
the social sites weren't directly besieged by a botnet generating
overwhelming data requests, but rather by excessive traffic generated
through spam — a technique known as a
"joejob."<http://click1.newsletters.siliconvalley.com/czgtbgddh_rqgkwkggvws_wscfgpfc.html>
"This
was not like a botnet-style DDoS," Woodcock said. "This was a joejob where
people were just clicking on links in e-mail, and the people clicking on the
links were not malefactors. They were just the sort of idiots that click on
links in e-mail without knowing what they are." But Facebook's Kelly said
the tidal wave of traffic was too great to have been driven by spam. "The
people who are coordinating this attack, the criminals, are definitely
determined and using a lot of resources," he said. "If they're asking our
infrastructure to generate hundreds of pages a second, that's a lot of pages
our users can't see."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20090807/265a2dba/attachment.html>