August 6, 2009 4:50 PM PDT

Denial-of-service got Twitter. Is your network next?

by Dave Rosenberg

On Thursday, Twitter was taken down by a denial-of-service attack, while Facebook suffered related problems. Other social/media sites like Gawker and LiveJournal were hampered by attacks as well. These attacks illustrate just how crucial network security is in a world where organized cyberattacks can bring down even the most prominent sites.

While the news cycle is quickly headed to the point of diminishing returns (lots of ruminations on DDoS, where the attacks originated, and how it was done), I've yet to see posts on how such attacks can be prevented.

In light of Twitter's susceptibility, protecting networks from similar attacks must be on the minds of many organizations. How would you go about protecting your company?

I asked Joe Habib from WildPackets about it, and he provided three tips for preventing network attacks:

  1. Using a network analysis tool, capture all data in one place. All pertinent network traffic can be aggregated to a single location, rather than scattered across the network. Data is captured in a common data format and does not need to be transferred or translated in any way for analysis.
  2. Set up alerts to isolate questionable behavior and zero in on it. If you see requests for considerably more data than normal, look into the matter. Many network analysis tools today allow you to be notified when thresholds are exceeded. You know the typical or average level, so beware of extending beyond the "norm."
  3. Use network forensics data mining tools to reconstruct the sequence of events that occurred at the time of the attack. This will give you a complete picture. If you were not able to prevent a particular attack this time, you will at least gain crucial information to prevent a similar attack in the future.
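
The second and third tips can be sketched in a few lines, as an added example that is not from the article, WildPackets, or any particular analysis product: a rolling baseline flags minutes whose request volume far exceeds the norm, and the captured records are then mined for the heaviest sources in those minutes. The record layout, function names, thresholds, and sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter, deque
from statistics import mean, pstdev

def build_sample():
    """Constructed capture export: (minute, source_ip, requests) rows."""
    rows = []
    for minute in range(12):
        # Steady background from three clients (documentation addresses).
        for ip, n in (("192.0.2.10", 40), ("192.0.2.11", 35), ("192.0.2.12", 45)):
            rows.append((minute, ip, n + minute % 3))
    for minute in (9, 10):  # constructed flood from two extra sources
        rows.append((minute, "198.51.100.7", 900))
        rows.append((minute, "198.51.100.8", 700))
    return rows

def per_minute_totals(rows):
    totals = Counter()
    for minute, _ip, n in rows:
        totals[minute] += n
    return sorted(totals.items())

def find_alerts(totals, window=5, k=3.0, min_sigma=10.0):
    """Minutes whose total exceeds rolling mean + k * sigma."""
    # Alerted minutes stay out of the baseline so a flood never becomes
    # "normal"; min_sigma keeps a very flat baseline from alerting on jitter.
    baseline = deque(maxlen=window)
    alerts = []
    for minute, total in totals:
        if len(baseline) == window:
            sigma = max(pstdev(baseline), min_sigma)
            if total > mean(baseline) + k * sigma:
                alerts.append(minute)
                continue
        baseline.append(total)
    return alerts

def top_sources(rows, minutes, n=2):
    """Forensic drill-down: heaviest senders during the alerted minutes."""
    by_source = Counter()
    for minute, ip, count in rows:
        if minute in minutes:
            by_source[ip] += count
    return by_source.most_common(n)

if __name__ == "__main__":
    rows = build_sample()
    alerts = find_alerts(per_minute_totals(rows))
    print("alert minutes:", alerts)
    print("top sources:", top_sources(rows, set(alerts)))
```
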

The right tools help IT personnel get to the root of the problem. Having the appropriate tools in place and following the correct procedures helps eliminate or mitigate the effects of an attack. At least that's what John Pescatore, a security analyst at research firm Gartner, said was the hard lesson that Twitter has learned. "It basically just shows that Twitter wasn't spending the money to filter out DDoS attacks," he said, according to an article in the Los Angeles Times.

Follow me on Twitter @daveofdoom.

Dave Rosenberg dishes up "Software, Interrupted" with nearly 15 years of technology and marketing experience that spans from Bell Labs to multiple start-up IPOs to open-source enterprise software companies. He is co-founder of MuleSource and currently serves as the general manager of Hardy Way. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can contact Dave via e-mail at softwareinterrupted@gmail.com or follow him on Twitter @daveofdoom.
by baconstang August 6, 2009 5:58 PM PDT
Please don't attack my www.idonthavealife.com.
by ca5ter August 6, 2009 6:21 PM PDT
Now that's some funny stuff.
by baconstang August 6, 2009 7:02 PM PDT
Oooops.... turns out that is someone's term project or something.
by neebski August 6, 2009 7:20 PM PDT
Haha, I can't believe I spent the time to go to www.idonthavealife.com!
by Yellowbird77 August 6, 2009 7:33 PM PDT
I got slammed today. All my audio disappeared (drivers missing) and when I put a disk in to re-install my drivers for my sound board?

The reg keys began to disappear. I had to do a full recovery to get back up and running.
by yogihost August 6, 2009 7:46 PM PDT
A lot of companies take this for granted and suffer.
Surprised to see a company like Twitter doesn't have anything in place to avoid a DoS attack.

--
Yogi
www.makedotsimple.com
by johnbishop2 August 6, 2009 7:53 PM PDT
http://twitter.eatspoop.com/

HA HA HA. They had that one coming.
by cerebral_but_dull August 6, 2009 8:28 PM PDT
While it's nice to warn large networks like Twitter, small sites can really do nothing about DDoS attacks. I don't think this attack was about trying to muddle up Twitter, but simply practice for blackmail against government and corporate sites, utilities, etc.
The US government has a lot on their plate right now, but for years we have done nothing at all as we've watched botnets grow and grow. When we see bot activity we need a fast and efficient way to advise the network and the individual bot owner, and possibly immediately disable the bot's connection.
by dainathomas1 August 6, 2009 9:39 PM PDT
This is seriously pathetic... I can access my account but can't do anything there... I can neither check my direct messages nor go to my homepage...
by VoiceOfLogic August 7, 2009 5:22 AM PDT
That's what you get for relying on BS "social networking" fruity stuff. Use a telephone.
by The_happy_switcher August 6, 2009 10:33 PM PDT
Windows computers compromised AGAIN leads to bad s**t on the Internet. Microsoft just cost the world some more money-- again.
by VoiceOfLogic August 7, 2009 5:25 AM PDT
Yes. That's right. And every time a drunk driver gets behind the wheel of, let's say a Ford -- FORD murdered that innocent person driving along happily. Oh, and also, so did Dewars. *****. Use your brain. I can hack into any Linux or Mac OS system just as equally. If you have this drooling urge to BLAME someone, why not blame the idiots at Twitter for not keeping their system secure? Oh - that would be like blaming the drunk person for getting into the car when they shouldn't have OR maybe even blaming the bartender for serving him too much.
by Random_Walk August 7, 2009 6:39 AM PDT
"I can hack into any Linux or Mac OS system just as equally."

Unless your name is Charlie Miller, I suspect you may want to leave the l33t claims where they belong. ;)
by The_happy_switcher August 7, 2009 9:05 AM PDT
@voice: your analogy of the drunk driver is so poor it's hardly worth my time to tell why it's so dumb on so many levels. You're such a great hacker, then by all means hack ME, Sherlock. Or better yet entertain us with stories of fantasy about how you've infected Macs or Linux machines--without the victim letting you sit in front of their computers and knowledge of their passwords.
by Dalkorian August 10, 2009 10:19 AM PDT
@VoiceOfLies - can you really hack into any Linux or Mac OS just as equally? Wow, you're simply amazing. Go tell your mommy not to let you out to the interwebz anymore because you're such a dangerous haxor! ROFLMAO @U.
by MacSnob August 7, 2009 5:26 AM PDT
If Cuba now has thousands of low power Celeron PCs they can link them up to target anyone they choose. Don't dismiss them as a bunch of technologically challenged gubes.
by Random_Walk August 7, 2009 6:38 AM PDT
LOL! You kinda forget the whole bandwidth issue. There are only so many gigabits (megabits?) of pipe running in and out of the island, you know? So unless Cuba suddenly started laying in OC-192's across the Caribbean and didn't mention it to anyone...
by Random_Walk August 7, 2009 6:34 AM PDT
Dave - you kind of forget that most companies are small enough that they only have the following, and damned little else:

* a business DSL line with some ISP, and
* a hosted website somewhere that doesn't do much more than advertise the small business.

...which kinda makes the article useless for them. They can still get along just fine, because the former is often too frickin' big to easily soak for long, and the latter too small to damage the business with if it went down.

That said, one huge weak link involves inbound VPN lines... which weren't even mentioned in the article. Some are web-based (obviously), but unless it's a dedicated set VPN, any of them can be soaked by DDoS in a targeted attack. It's not just about the websites, yanno?
About Software, Interrupted

In "Software, Interrupted," Dave Rosenberg discusses disruption in the software market, as well as the products and services that keep business technology norms in perpetual flux.

With nearly 15 years of technology and marketing experience spanning from Bell Labs to multiple start-up IPOs, Dave co-founded open-source software company MuleSource and now serves as general manager of Hardy Way. He also happens to be a U.S. patent holder and a workaholic. Technology is his best friend and mortal enemy.
