Twitter DDoS Attack Takes Twists and Turns

The fallout from the distributed denial-of-service attack that hit several Web 2.0 sites Aug. 6 has taken a couple of twists and turns. 

Besides knocking out Twitter for a time on the Aug. 6, the attack triggered a response from the company that a day later disrupted service for some users. According to Twitter, its defensive measures blocked some Twitter clients from communicating with Twitter's API, leaving them unable to tweet via SMS. 

If that wasn't enough, researchers at McAfee found attackers have begun leveraging interest in the situation to spread malware by using search engine optimization techniques to lure users into clicking on search results leading to malicious sites.

All this because of an apparent act hacktivism targeting a pro-Georgian blogger named "Cyxymu." 

"It's not surprising that political motivation is mentioned where major DDoS attacks are concerned, as many services now play key roles in politically charged events," said Chris Boyd, director of research at FaceTime Security Labs. "However, it's important not to get carried away with 'the Reds under the bed' way of thinking-recent attacks on key U.S. Websites were blamed on everyone from China to North Korea, with no smoking bullet evidence that these attacks were ever officially sanctioned."

What is known is that the attack hit Facebook, Twitter, YouTube, Fotki and LiveJournal. Researchers are still on the trail of whoever was behind it, but have determined the attack packets sent to the Websites were requests to fetch pages hosted for the blogger, who reportedly had just recently blogged about the upcoming anniversary of the war between Russia and Georgia. 

Between this incident and the recent DDoS attacks targeting both public and commercial Websites in the United States and South Korea, Web administrators are advised to take precautions to secure their own sites, said John Harrison, group product manager at Symantec Security Response. For starters, admins should have spare IP addresses registered as well as the ability to swap them in for attacked IPs via DNS. They should also familiarize themselves with the capabilities of their ISP and have a monitoring system to provide an early warning. 

"When under attack, there are a variety of mitigation techniques; most are specific to the type of DDoS attack," he said. "Use technologies, including firewalls and routers, to block or redirect IP addresses and types of traffic. Involve others, the ISP and perhaps the ISPs of attacking clients. Web admins can add the additional IP addresses they have in reserve and move services off the attacked servers." 

There isn't too much end users can do, but they should steer clear of any sites affected by a DDoS while it's going on.

"Computer users are also encouraged not to visit sites that are rumored to be under a DDoS attack for the sole purpose of seeing what happens," he said. "This -rubbernecking' type of activity, similar to that which happens when there is an accident on the freeway, only causes an increase in traffic to the site, which will only delay access to the Website even longer and prolong the attack."