The denial-of-service attacks that shut down Twitter globally for a few hours and disrupted Facebook and LiveJournal last week were intended to be surgical strikes against a small-time blogger espousing anti-Russian sentiments, tech security researchers say.
But the widespread collateral damage highlighted the fragility of social networks that aggregate large blocks of user accounts in systems built for speed. Social networks expose patrons to "more vulnerabilities than in traditional networks," says Suzanne Magee, CEO of security firm TechGuard. "We share our vulnerabilities because we are sharing resources with others."
As of late Friday, Twitter was generally accessible to most of its more than 30 million users, but some features remained glitchy.
Twitter co-founder Biz Stone said in a blog post that the network was "working to restore access" to external applications "affected by defensive measures."
Last Thursday morning, an attacker set out to bombard the Twitter, Facebook and LiveJournal accounts of a blogger who calls himself Cyxymu, from Tbilisi, Georgia. At the time, he had 46 followers on Twitter, and frequently expressed objections to the Russian invasion of Georgia, says Nick Bilogorskiy, anti-virus researcher at security firm SonicWall.
Traditionally, such attacks involve flooding a specific Web page with tens of millions of requests from thousands of infected PCs, called bots. Flood attacks are easy to spot and block.
This attacker directed a comparatively small number of bots to disrupt the computer servers routing traffic to the blogger from Georgia — and to millions of other Twitterers.
Bilogorskiy estimates that it took at least 100,000 bots to shut down Twitter's servers. It would cost about $5,000 to rent bots for such an attack, he says.
Patrick Peterson, Cisco security researcher, says it was like "throwing a hand grenade to kill a fly." The big beneficiary: the blogger Cyxymu, who now "has gained exactly the visibility the attackers presumably were trying to smother," he says.
By late Friday, the blogger had more than 1,000 followers on Twitter.
Shortly after Twitter restored the servers, Cyxymu began sending out tweets blaming the Russian secret police for shutting him down on the eve of the anniversary of the Russian-Georgian war, an unsubstantiated claim.
Security experts say the attacker used slightly different methods to cut off the blogger's accounts on Facebook and LiveJournal, but those networks weren't as badly stalled as Twitter.
"Twitter did a remarkable job defending against the attack," says Beth Jones, security analyst for Sophos. "They are still somewhat fledgling in this arena and are still beefing up their network."