Twitter attacks
Posted: Sun Aug 09, 2009 11:33 am
by matthijs
So it seems Twitter has been down for a couple of days now. What can be done in such situations? With massive botnets attacking from thousands of PCs and many different locations all over the world, is it even possible for the Twitter devs to do anything against these things?
Re: Twitter attacks
Posted: Sun Aug 09, 2009 11:47 am
by jackpf
Twitter is down?
I personally think it's a turn for the best. I've never actually used it, but people just talking about it annoys me.
I hate the way all these social networking websites clone each other, like, EXACTLY, and then suddenly it's "the new thing", when it's in fact exactly the same as the last "new thing", just with a new and stupider name.
/rant.
Re: Twitter attacks
Posted: Sun Aug 09, 2009 12:32 pm
by matthijs
I don't use Twitter either, but that's not the question here. I actually am interested in the general technical issues behind an attack like this and what people think about possible solutions, problems, etc.
It's an interesting example, because so many third-party apps relying on Twitter are down as well. Facebook has also been under attack, but if I believe the news they have been able to handle the attack a bit better.
Re: Twitter attacks
Posted: Sun Aug 09, 2009 1:17 pm
by jackpf
Sorry, I just felt like getting that off my chest
But yeah, this article seems to provide some decent information about what happened.
I don't think there is a solution to DoS. Twitter say they now use software to filter out fake requests, but this slows down requests for everyone, since all requests must be checked.
And yeah, apparently Facebook wasn't hit quite so hard. Since they're larger, they host their site with multiple service providers, so attacking one server cluster would allow them to switch over to another without too much ill effect.
Good on "Cyxymu" or whatever his name is though

He must own a lot of computers...
Re: Twitter attacks
Posted: Sun Aug 09, 2009 1:37 pm
by josh
I think there are multiple techniques. It used to be they sent the ping of death, which kinda caused recursion in a way; that, I believe, is what they can filter. But if the seemingly legit IPs are just requesting the index I don't see how it can be blocked. You would think you could just block an IP after it requests the same page 50x in an hour period though or something, and employ judicious caching, but I haven't had the "privilege" to encounter this type of issue first hand (crosses fingers). In reality it probably depends on the bot software: if it is so good at mimicking real traffic, how do you even begin to delineate a valid request from a DDoS? One way would be via JavaScript, but then again the bot could easily just run a real browser, just not visible to the host user.
This was also interesting:
http://en.wikipedia.org/wiki/Denial-of- ... _of_attack
It seems if they know one of your pages is expensive to generate CPU-wise they could aim to max out that one page. It seems more likely when huge sites go down they're doing it at the network level.
Re: Twitter attacks
Posted: Sun Aug 09, 2009 1:56 pm
by matthijs
The central problem is, I think, that a DDoS attack can come from thousands or millions of individual computers, while a website/app is always a single address (even if it load balances on different servers).
The only way this can be really prevented is to have the website be distributed as well. Not sure if or how that would be possible. Something like what's done with torrents. Nobody is the single source for a file, but everybody has little snippets of that file. So if one person closes his computer, it doesn't matter for the distribution of the file.
Re: Twitter attacks
Posted: Sun Aug 09, 2009 1:59 pm
by josh
Which could raise security issues (obviously). I don't think there's any immediate answer, maybe more secure operating systems that don't allow botnets.
Re: Twitter attacks
Posted: Sun Aug 09, 2009 2:45 pm
by matthijs
Or maybe if everybody would ditch Windows and switch to Linux/mac/other secure system you wouldn't have those botnets in the first place
Re: Twitter attacks
Posted: Sun Aug 09, 2009 3:18 pm
by Weirdan
matthijs wrote: Or maybe if everybody would ditch Windows and switch to Linux/mac/other secure system you wouldn't have those botnets in the first place
You would have those botnets on Linux then.
Re: Twitter attacks
Posted: Mon Aug 10, 2009 12:42 am
by matthijs
Ok, I should have phrased that differently (don't want to kill the thread). What I should have said is something like: if it's not possible to defend against an attack like this on the server level, is there something which can be done on a local level to prevent computers from being hijacked? (I'm not talking about running a virus scanner or something, that's like mopping while the tap is running.) What about mobile phones? Soon there will be more mobile phones accessing the internet than PCs. Phones are almost always switched on and connected, so I can imagine they are a nice target to create a botnet from.
Re: Twitter attacks
Posted: Mon Aug 10, 2009 11:26 am
by josh
Personally, it is a sign we have a lot to pioneer. It is a problem with usability / the user: if the user isn't going to question why a screen saver is requesting access to the internet and why they're getting 10+ browser toolbars, well, something isn't right there. I've been using computers more than half my life. When I was a little kid my dad used to lecture me on viruses and such, god forbid we had to format the family computer, but I think most people's upbringing they think computers are like in the movies (where every movie has some ridiculous fake OS). If people were a little more educated / observant they'd stop it, but they lack the common sense or the current paradigm is too confusing for them, which allows the botnets to exist in the first place.
Re: Twitter attacks
Posted: Mon Aug 10, 2009 12:45 pm
by matthijs
True, (lack of) education is an important part of the problem.
However, I also think it's the way the operating systems are built. They are built by developers, for developers. For the general public, a very thin fancy UI is put on top of that. But inside, it's still a developer's system, with the possibilities and responsibilities that go with that.
I mean, it's ridiculous that it is possible for a regular PC user that executable programs are installed with one click of a mouse button (or even without knowing it happened!). And that those programs are able to wreck the whole system or do what they like. Furthermore, imagine I am a regular, not so technical user. If I turn on my computer, I should see a task bar with all programs running. If a virus was installed somehow, I should see it running in that task bar. That way, I'd know something was wrong.
Now I remember from Windows that you could check the activity monitor. But there you see like 50 processes running, and it's absolutely not possible to know which are good and which are bad. Or take a regular firewall. Again, dozens of processes running, packages going back and forth. Even for me as an "experienced" computer user, those things are meaningless.
Next you know, the firewall is asking "Process XGT564.core.something is requesting access to internet. Do you want to allow that?". If you click yes, you might have just allowed a virus internet access. If you click no, next you know your mail program isn't working anymore because you blocked something legitimate.
Re: Twitter attacks
Posted: Mon Aug 10, 2009 7:28 pm
by josh
Yeah, but at the same time I don't want my OS preventing me from installing a program like ultramon (replaces your task bar and adds shell features). There would have to be a way to communicate to the user exactly what installing a program entails, and for e.g. my mom asks me the other week what it means you need a plugin to open a Word 2007 file in Office 2003. She's called me and the computer hasn't even been plugged in. If a dialog even pops up it throws these kinda people off, let alone them trying to comprehend what a shell is; they'll think you're talking about mermaids or something lol.
Perhaps one method though could be an on-site captcha: if the user fails too much, their IP gets null routed? It could be activated only when the load is above a certain level. You'd have to do rDNS lookups on the IPs and then cross check the hostname maps back to the correct IP as well, which would incur some more overhead as well as block out legit users I'm sure, but that would be better than the site going down for everyone.
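An added example, not part of josh's post: the two pieces the post describes, a reverse-DNS lookup cross-checked against the forward lookup, and a captcha gate that only activates above a load level and blocks an IP after repeated failures. All names, the thresholds (0.8 load, 3 failures) and the lookup tables are assumptions made for illustration; the actual null routing is left to whatever consumes `blocked`.

```python
import socket

def forward_confirmed_rdns(ip, reverse=None, forward=None):
    """Return the PTR hostname of `ip` only if that hostname resolves back to `ip`."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)})
    try:
        host = reverse(ip)
        return host if ip in forward(host) else None
    except OSError:  # no PTR record, or the hostname does not resolve
        return None

class ChallengeGate:
    """Challenge clients only while load is high; block an IP after repeated failures."""

    def __init__(self, load_threshold=0.8, max_failures=3):
        self.load_threshold = load_threshold
        self.max_failures = max_failures
        self.failures = {}    # ip -> failed challenges so far
        self.blocked = set()  # a deployment would feed these to the null route

    def decide(self, ip, load, passed=None):
        """`passed` is None for a fresh request, else the result of the captcha."""
        if ip in self.blocked:
            return "block"
        if load < self.load_threshold:
            return "serve"      # normal load: nobody is challenged
        if passed is None:
            return "challenge"  # under load, no answer submitted yet
        if passed:
            self.failures.pop(ip, None)
            return "serve"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.blocked.add(ip)
            return "block"
        return "challenge"

# Constructed tables standing in for DNS so the example runs offline.
PTR = {"203.0.113.7": "dsl-7.example.net", "198.51.100.4": "mail.example.org"}
A = {"dsl-7.example.net": {"203.0.113.7"}, "mail.example.org": {"192.0.2.1"}}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(host):
    return A.get(host, set())
```

Called without the two resolver arguments, `forward_confirmed_rdns` performs live lookups through the standard `socket` module, which is the per-request overhead the post mentions.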
Re: Twitter attacks
Posted: Sun Aug 30, 2009 8:34 pm
by josh
php.net does this.
"Server too busy, please try again later, or use a mirror" (mirror links me to http://php.net/mirrors.php which times out tho lol), must be getting DDoSed? I need the manual, specifically a comment from one of the pages heh
Re: Twitter attacks
Posted: Mon Aug 31, 2009 9:44 am
by jackpf
You should download the manual
