Forensic Analysis Reveals Details of Twitter Attack
New evidence shows the assault resembled a conventional denial-of-service attack.
There has been speculation that the attack on Twitter consisted of a
widely distributed e-mail containing links to the Twitter page of a blogger
from Georgia (the former Soviet state).
Yet, based on available data, that theory doesn't seem to hold up. The attack may have been designed to silence the blogger, but it is unlikely that the spam traffic amounted to much of a denial-of-service attack, according to network-traffic patterns seen by Arbor Networks, a networking services vendor. According to the company, the attack resulted not from users clicking through a link in an e-mail, but from two common types of packet floods used in conventional denial-of-service attacks.
“The attack
traffic is not an e-mail click but SYN floods and UDP floods going to Twitter’s
space,” says Craig Labovitz, chief scientist for Arbor. “It’s stuff
that does not look like it was directly tied to a click-through or e-mail
attacks.”
Early on Thursday,
Arbor’s network of Internet sensors could tell that traffic to Twitter had dropped
by half. While the company collected a dozen or so examples of attack traffic,
the company cannot tell from which sources the traffic came, Labovitz says.
Moreover, if the
attack’s origin had been widespread, such as when millions of people click on
links in e-mail messages, then the firm should have seen an increase in traffic to Twitter, not a
decrease. The drop in traffic witnessed by Arbor and other network monitoring
services indicates that the attack came from a smaller number of computers that
were, in general, not visible to the vendors.
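The distinction Arbor draws above, half-open SYN and UDP floods from a small set of sources versus a click-driven surge of completed HTTP flows from a great many sources, can be checked mechanically against flow records. The following is an added illustration, not Arbor's tooling or any data from the incident: the flow records are constructed, the `Flow` fields and the ratio thresholds are this example's own assumptions, and the addresses are private-range placeholders.

```python
"""Classify a window of flow records as a packet flood, a click-driven surge, or normal.

Added example built on the article's reasoning; the records below are constructed,
the field layout and thresholds are assumptions, and nothing here is a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source address (constructed, private range)
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flags seen over the flow; "" for UDP
    nbytes: int  # bytes carried by the flow


def addr(i: int) -> str:
    """Deterministic placeholder address for source number i (assumed, 10.0.0.0/8)."""
    return f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}"


def make_window(n_sources: int, per_source: int, proto: str, flags: str, nbytes: int) -> list:
    """Build a constructed observation window: n_sources hosts each send per_source flows."""
    return [Flow(addr(i), proto, flags, nbytes)
            for i in range(n_sources) for _ in range(per_source)]


# Constructed windows. "SAPF" stands for a completed handshake with payload and teardown,
# i.e. what a real click-through to a web page looks like; "S" alone is a half-open SYN.
BASELINE = make_window(200, 3, "tcp", "SAPF", 12_000)
FLOOD = make_window(40, 500, "tcp", "S", 60) + make_window(40, 500, "udp", "", 1_400)
CLICK_SURGE = make_window(2_000, 1, "tcp", "SAPF", 12_000)


def summarize(flows: list) -> dict:
    """Reduce a window to the features the article's argument turns on."""
    total = len(flows)
    syn_only = sum(1 for f in flows if f.proto == "tcp" and f.flags == "S")
    udp = sum(1 for f in flows if f.proto == "udp")
    return {
        "flows": total,
        "sources": len({f.src for f in flows}),
        "syn_only_ratio": syn_only / total if total else 0.0,
        "udp_ratio": udp / total if total else 0.0,
        "bytes": sum(f.nbytes for f in flows),
    }


def classify(window: dict, baseline: dict) -> str:
    """Apply the reasoning from the article.

    Floods dominate the window with half-open SYNs or UDP and need few sources.
    A click-driven surge instead multiplies the number of distinct sources and
    carries completed flows, so byte volume rises rather than falls.
    Thresholds (0.5 share, 2x sources) are assumptions for the illustration.
    """
    if window["syn_only_ratio"] + window["udp_ratio"] > 0.5:
        return "packet_flood"
    if window["sources"] > 2 * baseline["sources"] and window["bytes"] > baseline["bytes"]:
        return "click_surge"
    return "normal"


if __name__ == "__main__":
    base = summarize(BASELINE)
    for name, window in (("baseline", BASELINE), ("flood", FLOOD), ("click surge", CLICK_SURGE)):
        s = summarize(window)
        print(f"{name:12s} sources={s['sources']:5d} syn_only={s['syn_only_ratio']:.2f} "
              f"udp={s['udp_ratio']:.2f} -> {classify(s, base)}")
```

Run stand-alone it prints one line per window; the flood window is flagged by its SYN/UDP share even though it comes from only forty sources, while the click-surge window is recognised by its source count and completed flows. A real deployment would feed exported flow records into `summarize` per time slice and compare each slice against a trailing baseline.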
Of course, there are caveats. The link in the e-mail could have exploited an application issue in Twitter's site to consume an inordinate amount of resources per click-through. Alternatively, Arbor and other vendors could have failed to monitor the specific paths to Twitter through which the attacks were routed.
“Without
more details, it is possible that it went along paths that we were not
monitoring,” acknowledges Labovitz.
Why wasn’t
Facebook as affected by the attacks as Twitter? The company has a much more
robust infrastructure consisting of an Akamai-like distributed hosting service
and crunches a lot more bandwidth than Twitter, says Labovitz. While Twitter
typically maxes out at 300 gigabits per second, Facebook accounts for 0.5
percent of the bandwidth of the entire Internet, he says.