Security

August 18, 2009 5:45 PM PDT

Spam offers to let people use their PC to attack Obama site

by Elinor Mills
  • 28 comments

Spammers are hoping to rouse Obama critics to launch a cyber protest and to download malware onto their PCs in the process.

New spam is circulating that supposedly offers a way for people to use their computers to launch a denial-of-service attack on the Web site of President Obama, researchers said on Tuesday.

The e-mail message says: "If You dont like Obama come here, you can help to ddos his site with your installs."

The e-mail then provides a link to a Web site where visitors are offered money for installing the supposed denial-of-service (DoS) software, according to a blog posting on the site of e-mail security provider Proofpoint.

The spam site also tells visitors to come back and get updated versions of the purported denial of service software if their antivirus program is detecting it as malware and disabling it.

It's not clear whether the software does turn the computer into a DoS attacking zombie, or what it does, if anything. But it would be crazy to expose your computer like that, regardless of your political leanings.

Originally posted at InSecurity Complex
August 7, 2009 1:28 PM PDT

Targeted Twitter user blames Russia

by Elinor Mills
  • 19 comments

The blogger behind the Cyxymu accounts is blaming Russia for the attacks.

(Credit: Twitter)

The Georgian blogger whose Twitter, Facebook, and YouTube accounts were targeted in denial-of-service attacks on Thursday says he thinks Russia's federal security service is behind it.

"This hackers was from Russian KGB," the blogger, who uses "Cyxymu" on his accounts, wrote in a tweet early on Friday, adding later: "My twitter is online! Thank you all for support after ciber attack from Russia!"

Because of the difficulty in tracing distributed denial-of-service (DDoS) attacks back to the source, unless someone takes credit for the attack or brags about it to online associates, it's nearly impossible to determine exactly who was responsible.

Cyxymu is identified as a 34-year-old economics lecturer named Georgy from Tbilisi, Georgia, by The Guardian. His blog postings are critical of Russia's dealings with the Caucasus region, and his screen name is a Latinized version of the spelling of Sukhumi, the capital of Abkhazia, a breakaway Georgian republic.

"Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," he is quoted as saying. His LiveJournal account was attacked last year, as well, according to the report.

The DDoS attacks came on the eve of the one-year anniversary of a significant military clash between Russia and Georgia, which have had an ongoing conflict. In the 2008 South Ossetia war that began on August 7, 2008, Georgia attempted to retake control of South Ossetia and Russia launched air strikes against Georgia.

"When the war started in South Ossetia last year I couldn't avoid being drawn into politics," the blogger said.

The Georgian government is investigating potential links between its citizen and the attacks, and there are suspicions that the attack came from Russia, Shota Utiashvili, head of the Department of Information and Analysis at the Ministry of the Interior, told CNN.

Twitter was down for hours on Thursday during the attack, and LiveJournal suffered an outage. Facebook and Google--whose Blogger, Google Sites, and YouTube were also affected--were able to fend it off.

Whoever was behind the attack may also be responsible for a spam e-mail campaign launched before the DDoS attack and targeting the blogger's accounts. In that attack e-mails were sent out that looked like they came from the blogger and included hyperlinks to his accounts on the targeted sites. A Facebook spokesman and others said that a spam attack would not have been effective enough to cause a DoS outage.

On his Blogger account the Georgian posted a copy of a Russian language news article in which he himself says the spam attack did not cause the DDoS attacks.

The Cyxymu accounts were back up on Friday on Twitter and Facebook (where he's a fan of John McCain), but his LiveJournal account appeared to still be inaccessible though a cached version was available on Google. His YouTube account, meanwhile, never went down.

The targeted Cyxymu account was back up on Twitter on Friday.

(Credit: Twitter)

Originally posted at InSecurity Complex
August 6, 2009 11:00 PM PDT

FAQ: The ins and outs of DoS attacks

by Elinor Mills
  • 10 comments

Thursday's denial-of-service attack that knocked Twitter offline for a few hours and affected Facebook, LiveJournal, and Google Sites and Blogger wasn't your average attack.

Typically, someone who has a bone to pick with a specific Web site will round up some hijacked PCs and use them to try to shut the site down. In this case, whoever was responsible was trying to block access to a specific user's accounts and not the sites themselves.

Denial-of-service attacks aren't always straightforward, and this one has its own unique twist. Let's take a look at what happened and why.

What's a denial-of-service attack?
A denial-of-service (DoS) attack is any effort designed to interfere with access to a Web site or Internet service. A common method of attack involves flooding a target server with so many communications requests that legitimate traffic cannot get through. This can shut down or slow down the site temporarily.

Web sites aren't the only things that can be targeted in DoS attacks. Unplugging someone's computer is a very basic type of DoS attack.

What's a distributed-denial-of-service (DDoS) attack?
Because Web sites are built to handle a lot of traffic, it can take millions of simultaneous communications requests to affect the server's performance enough for an attack to succeed. In a DDoS attack, tens of thousands or even millions of computers send traffic to the target site at the same time, and repeatedly. As Sophos' Graham Cluley wrote on his blog: "It's a bit like 15 fat men trying to get through a revolving door at the same time--nothing can move."

What's a botnet?
The hijacked PCs used in a DDoS attack make up a botnet. The individual computers are called "bots," "zombies" or "slaves" and are controlled remotely by the "master" attacker. The attacker relays instructions to the bots via a command-and-control server, typically over IRC (Internet Relay Chat). Botnets are also used to distribute spam. Some newer botnets, like the one created by a version of Conficker, relay instructions peer-to-peer.

How does an innocent PC become a bot?
There are different ways a criminal can get programs onto computers in order to turn them into bots that they can control. Often, criminals send spam with attachments containing malware or links to Web sites hosting malware. The malware--typically a worm, Trojan horse, or backdoor--is installed on the computer when the attachment is opened or the URL link is clicked. Many computers are compromised by drive-by downloads, in which hidden malware on Web sites exploits Web browser vulnerabilities and is downloaded onto the visitor's computer without their knowledge.

Computer users usually have no idea that their computer has been compromised, and botnet operators like it that way so they can keep using the bots indefinitely. Now, criminals who don't want to do the grunt work of compromising an army of machines can simply lease one. A recent study by Finjan found an underground network offering to rent out a botnet for as little as 5 cents to 10 cents per bot.

What happened in the DDoS that caused the Twitter outage this week?
While most DoS attacks are designed to take down a specific Web site, Thursday's DDoS attack targeted someone who has accounts on the different sites--a Georgian blogger, who uses the account name "Cyxymu" and who has accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube. The affected companies worked together to investigate the attacks and discovered that Cyxymu was the common thread linking the sites. An investigation is pending into who launched the attack and why.

In a clear and simple way, this Cisco graphic shows the relationship of the parties in a DDOS attack.

(Credit: Cisco)

How many bots are needed to take down a Web site?
The number depends on how many resources (servers and bandwidth) the target site has. It can take 25,000 to 50,000 bots to cripple a typical site, and 10,000 or fewer for a small Web site, according to Kevin Stevens, a security researcher for SecureWorks' Counter Threat Unit.

It's difficult to know exactly how big any particular botnet is and guesses vary widely. For example, estimates of the Conficker botnet ranged from 500,000 PCs to 10 million.

Who launches a DoS and why?
Unless someone takes credit, it's nearly impossible to find out who is responsible for a DoS attack. Often attackers will send traffic through proxies so there is no direct link to the source, even if investigators can get a hold of a bot used in an attack to dissect the code. Bots also may be located in another country.

The first big DDoS attack, in February 2000, took down some of the Web's most popular sites for hours, including Yahoo, CNN, eBay, Amazon.com, Buy.com, and E*Trade. The U.S. Federal Bureau of Investigation promptly held a news conference to discuss the disruption to the Internet and eventually tracked down the perpetrator, 15-year-old "Mafiaboy," after he bragged about it to friends online.

Mafiaboy was most likely trying to get attention, like script kiddie hackers do when they deface Web sites. Other attackers have different agendas. For instance, there are politically motivated DDoS attacks, such as those involving Russian and Georgian sites last year and the attacks on Estonian sites in 2007. Meanwhile, the origin of the recent DDoS attacks targeting U.S. government sites and sites in South Korea remains a mystery.

What kind of damage can a DoS attack do?
A DoS can make a Web site completely inaccessible to anyone for a period of time, like the most recent attack did with Twitter. Or it can be equivalent to a hiccup, slowing down page loads or affecting only part of the site.

Sites that aren't in the direct line of fire can also be affected. For example, if a company that is attacked is hosting images or content that is fed to other sites, those other sites may have trouble. So many sites feature Twitter updates that it's likely some of those associated sites were impacted when Twitter was down and the ancillary site's requests to get updates were ignored.

How can a DDoS be prevented or stopped?
There is no surefire way to prevent a DDoS attack. However, a company can reduce its risk by buying plenty of servers and bandwidth, and hosting content on backup servers. Companies can also limit the number of connections that the Web server allows at any one time and set the firewall to block certain types of data that are used in DDoS attacks, said SecureWorks' Stevens.

In addition, companies can ask the ISP to impose bandwidth limits and to block the IP addresses serving up the attack. Some companies offer DoS detection software, and sites can configure their Web server to monitor traffic patterns and automatically ban IP addresses that could be associated with an attack.
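The "monitor traffic patterns and automatically ban IP addresses" step above, as an added example that is not part of the original article: a Python script that counts requests per source IP in a sliding window over Web server access-log lines and renders a firewall rule for each offender. The log lines are constructed for the demo, the addresses come from documentation ranges, and the threshold of 20 requests per 10 seconds is an assumption each site would tune to its own traffic.

```python
"""Added example (not from the article): rate-based detection of DDoS
sources over access-log lines, producing firewall ban rules for offenders.
The log lines are constructed for the demo; the 203.0.113.x and
198.51.100.x addresses are documentation ranges, and the thresholds are
assumptions a site would tune to its own traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Sliding-window request count per source IP over time-ordered log lines.

    Returns {ip: peak_count} for every IP that exceeded max_requests inside
    any window_seconds interval. Ordinary readers stay far below the
    threshold; a bot hammering one URL trips it within seconds.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the analysis
        ip, ts, _req = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def ban_rules(flooders):
    """Render one iptables DROP rule per flagged IP (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flooders)]


def make_sample_log():
    """Constructed sample: three readers at one page every 20 s, one bot at 10 req/s."""
    base = datetime(2009, 8, 6, 13, 0, 0, tzinfo=timezone.utc)
    events = []
    for n, ip in enumerate(("198.51.100.20", "198.51.100.21", "198.51.100.22")):
        for k in range(3):
            events.append((base + timedelta(seconds=20 * k + n), ip, "GET /cyxymu HTTP/1.1"))
    for i in range(60):  # 60 requests spread over 6 seconds from one source
        events.append((base + timedelta(seconds=i // 10), "203.0.113.7", "GET /cyxymu HTTP/1.1"))
    events.sort()  # the detector assumes log lines arrive in time order
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512' for ts, ip, req in events]


if __name__ == "__main__":
    hits = find_flooders(make_sample_log())
    print(hits)  # {'203.0.113.7': 60}
    print("\n".join(ban_rules(hits)))
```

A per-source count like this catches floods that come from a manageable number of addresses, not a botnet spreading a few requests over tens of thousands of PCs, and bans should expire (for example through an ipset with a timeout) because dynamic addresses get reassigned to innocent users.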

In 2001, the White House thwarted a DDoS attack that was hard-coded into the Code Red worm by moving its site away from the targeted IP address. And in 2003, Microsoft sidestepped a DDoS that was to be triggered by PCs infected with the Blaster worm by retiring the targeted host name.

Once an attack has been launched a company can try to redirect the attack traffic to a null IP address, or a black hole, according to Trend Micro's David Perry.

More information on prevention and mitigation can be found on the SANS Web site and on the US-CERT site.

What can individuals do to prevent their computers from being used in a DDoS attack?
To keep malware off a computer, people should install the latest operating system and application patches, update their antivirus and other security software, consider using auto-updates for browsers and be careful about opening up attachments and visiting Web sites.

Larry Magid of CBSNews.com has more information for consumers on his Safe and Secure blog.

Originally posted at InSecurity Complex
August 4, 2009 7:17 AM PDT

Denial-of-service attack downed Gawker Media

by Caroline McCarthy
  • 4 comments

Hackers launched a distributed denial-of-service (DDOS) attack that sporadically downed popular blog network Gawker Media over the weekend and on Monday, the company confirmed in a blog post early Tuesday morning.

When CNET News spoke to Gawker Media representatives on Monday, they were not yet sure what was causing the outages but had not ruled out malicious behavior.

The attacks appear to have been launched at Consumerist, a blog that Gawker sold to Consumer Reports last year but which is still hosted on the same servers. The motivation behind them is not yet clear.

The New York-based Gawker Media has sold or merged a number of its blog titles over the past few years, but it remains the parent company of several extremely high-profile blogs--often with an edgy gossip angle--like Gizmodo, Jezebel, and the eponymous Gawker.com.

DDOS attacks occur when attackers swamp a site with traffic from many sources at once to bring it down; they can knock out entire hosting companies.

Originally posted at The Social
July 14, 2009 8:22 AM PDT

Researchers: Attacks on U.S., Korea sites came from U.K.

by Elinor Mills
  • 5 comments

The denial-of-service attacks launched on Web sites in South Korea and the United States earlier this month appear to have come from a master server in the United Kingdom, according to security researchers in Vietnam.

The master server controls all of the eight command and control servers involved in the series of distributed denial-of-service attacks that started on the July 4 weekend, security firm Bkis said in a blog posting on its Web site on Monday. Bkis said it gained control of two of the servers.

The Vietnamese firm estimated the number of compromised PCs involved in the attacks to be around 167,000 in 74 countries.

Botnet expert Joe Stewart of SecureWorks told CNET News that that number sounded high. Security experts had been estimating that there were 50,000 infected PCs in the botnet.

The attacks targeted dozens of government and commercial sites in the U.S. and South Korea, causing temporary outages at many of them.

Code on the compromised PCs was set to erase or overwrite data late last week but researchers in the U.S. were not aware of any reports of that happening.

July 10, 2009 2:08 PM PDT

Botnet worm in DOS attacks could wipe data out on infected PCs

by Elinor Mills
  • 85 comments

The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.

There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.

There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.

The attacks started over the July 4 weekend launching distributed DOS attacks on dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.

One of the files dropped on infected PCs is programmed to wipe out files on the PC, including the master boot record, which renders the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.

Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that that function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.

Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.

A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.

The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear if the DOS attacks will happen again because the infected PCs can receive new instructions at any time, Egan said.

"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked it's likely the attackers are just trying to get attention, he added.

South Korean officials told reporters on Friday that the DOS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.

For more information listen to CNET blogger Larry Magid's podcast on the subject.

This graphic shows how the different malware components on the denial of service botnets interact.

(Credit: Symantec)

March 31, 2009 4:06 PM PDT

DDoS attack affects half of GoGrid's customers

by Dawn Kawamoto
  • 1 comment

Hosting company GoGrid suffered a distributed denial-of-service attack Monday afternoon that affected approximately half of its thousands of customers, co-founder David Hecht said on Tuesday.

The DDoS attack hit Monday afternoon, slowing customers' Web sites, creating latency issues, and making clients' Web sites inaccessible, Hecht said.

Although GoGrid was able to stabilize the situation by late Monday afternoon, getting most of its customers' sites back online, the company faced a decision whether to stay on course with a scheduled maintenance later that night or reschedule for another date.

The maintenance, which required GoGrid to take its portal down and troubleshoot support queries over the phone, was designed to expand its capacity, deploy minor bug fixes, and add additional improvements to the service.

In its notice to customers, GoGrid stated:

In the end, the decision was made to proceed with the maintenance because this capacity expansion had been planned for several months and would give us more flexibility in ensuring low utilization across our infrastructure. In hindsight, this may have been a poor decision because the maintenance took longer to complete, and the maintenance window had to be expanded by several hours.

On Monday night, GoGrid spent hours rebooting its servers and developing a long-term game plan to solve the ongoing issue, but by morning, the company continued to be inundated with customer calls that their Web sites were not reachable from certain parts of the Internet.

GoGrid determined that the problem apparently was centered on a routing issue, with some of its networks failing to properly announce GoGrid routes. The routing issue was resolved late Tuesday morning.

The company is continuing to investigate the issue and asks its customers to run a traceroute to their servers' IP address and report it to GoGrid's support staff, should they encounter connectivity problems.

November 17, 2008 12:54 PM PST

British site focusing on online scams targeted in DDoS attack

by Elinor Mills
  • 1 comment

A British Web site that warns consumers about online financial scams was taken down by a distributed denial-of-service attack on Monday.

Bobbear was being overwhelmed by a "huge" botnet with "over half a million recorded zombie hits from midnight to 8 a.m. today (GMT)," Bob Harrison, administrator of Bobbear, told security firm Sophos.

The site remained down as late as midday Pacific time.

Bobbear has been targeted before. In October 2007, hackers attempted to damage the company's reputation by sending e-mails that solicited donations to the company via an online payment service.

"An attack like this is unfortunate news for the Internet community, as it disrupts the dissemination of hundreds of pages of warnings about e-mail frauds archived by Bob over the years," Sophos senior technology consultant Graham Cluley writes in his blog. "The only consolation that Bobbear can take is that they must be having an impact on the fraudsters if they are prepared to launch an attack like this."

November 11, 2008 10:20 AM PST

Study: DDoS attacks threaten ISP infrastructure

by Robert Vamosi
  • 5 comments

Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year.

(Credit: Arbor Networks)

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.

Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit-per-second barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."

In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--SYN flood, UDP flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."
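SYN cookies, the standard server-side defense against the SYN flood named above, as an added example that is not part of the Arbor report: instead of keeping a half-open connection in memory for every SYN, the server encodes what it needs into the sequence number of its SYN-ACK and allocates state only when a client returns a valid ACK, so a flood of spoofed SYNs costs it nothing but CPU. The cookie layout follows the Linux scheme (5 bits of a 64-second counter, 3 bits of MSS index, 24 bits of keyed hash); the secret key, addresses, ports and clock values are assumptions for the demo.

```python
"""Added example (not from the report): SYN cookies against a SYN flood.
Layout follows the Linux scheme; the secret, addresses and clock values
are assumptions for the demo."""
import hashlib
import hmac
import ipaddress
import secrets
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # encodable MSS values; index fits in 3 bits
SECRET = secrets.token_bytes(32)      # per-server secret, rotated on restart (assumed)


def _tag(conn, t):
    """24-bit keyed hash over the 4-tuple and the coarse time counter."""
    saddr, daddr, sport, dport = conn
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(conn, mss, now):
    """Initial sequence number for the SYN-ACK; no per-connection state is kept."""
    t = int(now) // 64
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _tag(conn, t)


def check_cookie(conn, cookie, now):
    """Validate the cookie echoed in the client's ACK; return its MSS or None."""
    t_now = int(now) // 64
    for age in (0, 1):  # accept the current and the previous 64-second slot
        t = t_now - age
        if (t & 0x1F) != (cookie >> 27):
            continue
        if _tag(conn, t) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 7]
    return None


class StatelessListener:
    """Listener that survives a SYN flood: memory grows only with completed
    handshakes, never with SYNs."""

    def __init__(self):
        self.established = {}

    def on_syn(self, conn, mss, now):
        return make_cookie(conn, mss, now)  # sent as the SYN-ACK sequence number

    def on_ack(self, conn, ack_number, now):
        mss = check_cookie(conn, (ack_number - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False                    # forged, stale or replayed ACK: drop it
        self.established[conn] = mss
        return True


def addr(ip):
    return ipaddress.IPv4Address(ip).packed


def flood_demo(n_spoofed=10_000):
    """n_spoofed spoofed SYNs that never complete, then one honest client."""
    lis = StatelessListener()
    server = addr("198.51.100.1")
    for i in range(n_spoofed):
        # spoofed sources never answer the SYN-ACK, so nothing is allocated
        lis.on_syn((addr(f"203.0.{i >> 8}.{i & 255}"), server, 1024 + i, 80), 1460, 1000.0)
    honest = (addr("192.0.2.10"), server, 40000, 80)
    seq = lis.on_syn(honest, 1460, 1000.0)
    lis.on_ack(honest, (seq + 1) & 0xFFFFFFFF, 1000.5)
    return len(lis.established)


if __name__ == "__main__":
    print(flood_demo())  # 1
```

The price of statelessness is that the server forgets every TCP option except the MSS it squeezed into the cookie, which is why Linux (net.ipv4.tcp_syncookies=1) only falls back to cookies once the SYN backlog overflows rather than using them for every connection.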

One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, in which queries are sent to third-party DNS servers with the source address forged to be the target's, so that the servers' larger replies are delivered to the target instead of the attacker.

While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.

Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
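The point Malan makes above, as an added example that is not from the report: a per-request count limit never fires on a bot that issues one valid but expensive query per second, while a budget that charges each request its back-end cost does. The relative query costs, bucket size, refill rate and traffic patterns are assumptions chosen for the demo.

```python
"""Added example (not from the report): count-based limits miss an
application-layer attack made of individually valid, expensive requests;
a cost-weighted token bucket catches it.  Costs, bucket parameters and
traffic patterns are assumptions for the demo."""
from collections import deque

# Assumed relative back-end cost of each endpoint (for example, DB time units)
COST = {"/": 1, "/post": 2, "/search": 50}


class CostBudget:
    """Token bucket per client where each request is charged its back-end cost,
    so 30 cheap page views and 30 expensive searches are not treated alike."""

    def __init__(self, capacity=100, refill_per_sec=5.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.state = {}  # client -> (tokens, last_seen)

    def allow(self, client, path, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = COST.get(path, 1)
        if cost <= tokens:
            self.state[client] = (tokens - cost, now)
            return True
        self.state[client] = (tokens, now)   # reject, but keep the refill clock running
        return False


def peak_per_window(times, window=10):
    """Largest number of requests inside any `window`-second interval."""
    q, peak = deque(), 0
    for t in sorted(times):
        q.append(t)
        while t - q[0] >= window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def simulate():
    """One reader browsing normally vs. one bot issuing a search every second."""
    budget = CostBudget()
    reader = [(t, "/" if i % 2 == 0 else "/post") for i, t in enumerate(range(0, 25, 6))]
    reader[-1] = (24, "/search")               # a real user also searches sometimes
    bot = [(t, "/search") for t in range(30)]  # one valid search per second for 30 s

    def run(client, reqs):
        allowed = sum(budget.allow(client, path, float(t)) for t, path in reqs)
        return allowed, len(reqs) - allowed

    r_ok, r_no = run("reader", reader)
    b_ok, b_no = run("bot", bot)
    return {
        "reader_allowed": r_ok, "reader_denied": r_no,
        "bot_allowed": b_ok, "bot_denied": b_no,
        # a count threshold of 20 requests per 10 s would never fire on the bot
        "bot_peak_per_10s": peak_per_window([t for t, _ in bot]),
    }


if __name__ == "__main__":
    print(simulate())
```

The budget has to be keyed on something the attacker cannot multiply for free; per-IP buckets still fall to a botnet that spreads the same query across thousands of zombies, so a global budget for the expensive endpoint, or a cheaper code path for it, is the companion measure.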

The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.

But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."

(Credit: Arbor Networks)

October 6, 2008 8:01 AM PDT

Two Europeans indicted over U.S. cyberattacks

by Matthew Broersma
  • 4 comments

Two Europeans, one of whom is English, have been indicted by a U.S. federal grand jury in connection with a 2003 distributed denial-of-service attack that is the focus of a major FBI investigation.

The two men, who are not in custody, were indicted as part of the FBI's Operation Cyberslam, initiated in 2003 following a series of crippling distributed denial-of-service, or DDoS, attacks on a large Los Angeles vendor of digital recorders. The attacks effectively knocked that business offline, along with other private and government bodies, for two weeks, resulting in losses ranging from $200,000 to more than $1 million, according to the FBI.

Operation Cyberslam is the first successful investigation of a large-scale DDoS used for a commercial purpose in the United States, the FBI said.

In 2004, two U.S. residents were charged with masterminding the attacks. The two Europeans indicted last week are accused of carrying out the attacks, and they face up to 15 years in prison, if convicted on charges of conspiracy and intentionally damaging a computer system, according to the U.S. Department of Justice.

Lee Graham Walker, 24, of Bleys Bolton, England, was indicted on Thursday, along with a German 25-year-old named Axel Gembe. Gembe is believed to be the programmer behind Agobot, a well-known worm used to create botnets that can be used in DDoS attacks or for other purposes, such as relaying junk e-mail.

The attacks were allegedly ordered by Saad Echouafni, a native of Morocco who was the owner of Orbit Communications. Paul Ashley, a business associate of Echouafni, was then responsible for contacting Walker and Gembe to carry out the attack, the Justice Department said. Ashley pleaded guilty in 2004 and has already served two years in an Ohio prison for his part in the conspiracy.

Echouafni, also indicted in 2004, is being sought by the FBI, which said he should be considered armed and dangerous.

Walker and Gembe allegedly used a botnet they had created together to carry out the attacks. According to the indictment, the two arranged the attacks over Internet Relay Chat (IRC), also using IRC to discuss ways of making their botnet code more damaging to Web sites.

The technique allegedly used in the attack was a flood of synchronization (SYN) packets directed at the target Web sites. The botnet was also capable of generating large amounts of malicious HTTP traffic, according to the Justice Department.

Matthew Broersma of ZDNet UK reported from London.
