Friday, August 07, 2009


On denial-of-service attacks

If you’re a Twit... [um, no...] if you like Tweety... [still no...] if you’re a Twitter user [there, that works] you might have been frustrated yesterday when Twitter had service problems. So, apparently, did Facebook and LiveJournal, all three hit with denial-of-service attacks on Thursday morning. Here’s Twitter’s status message from around 7 A.M. PDT:

Site is down

We are determining the cause and will provide an update shortly.

Update: we are defending against a denial-of-service attack.

...followed by this one about an hour later:

Ongoing denial-of-service attack

We are defending against a denial-of-service attack, and will update status again shortly.

Update: the site is back up, but we are continuing to defend against and recover from this attack.

Update (9:46a): As we recover, users will experience some longer load times and slowness. This includes timeouts to API clients. We’re working to get back to 100% as quickly as we can.

The media, including the New York Times attribute the attacks to “hackers”:

In a denial-of-service attack, hackers typically direct a “botnet,” often made up of thousands of malware-infected home PCs, toward a target site in an effort to flood it with junk traffic. With the site overwhelmed, legitimate visitors cannot access the service.
Fox News, through the inane babbling of Courtney Friel, invokes hackers and claims that DoS attacks “steal your information”:
[...] Twitter is blaming the attack on hackers, and they said they’re defending against a denial-of-service attack and will update their status again shortly. Denial-of-service attack, that’s what hackers use to crash your computer and steal your information. So, hopefully, they’ll get that fixed, ’cause a lot of twitterers are going crazy, talking to themselves, they’ve nowhere to broadcast their information.
(To be fair to Ms Friel, she’s been put out of her depth; Fox preferred to give this item to their “entertainment reporter”, rather than to consider it a tech story.)

Now, Twitter, itself, isn’t using the term “hackers”. Here’s what Twitter’s Biz Stone said at 8 A.M. PDT:

Denial of Service Attack

On this otherwise happy Thursday morning, Twitter is the target of a denial of service attack. Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways, and in this case, Twitter for intended customers or users. We are defending against this attack now and will continue to update our status blog as we continue to defend and later investigate.
Mr Stone correctly attributes the attack to “malicious efforts”, but avoids the overused and inconsistently used term for the people controlling it.

I’m being picky about this because there are a lot of misconceptions about DoS attacks, and I don’t want to confuse things as I talk about it. “Hackers” was originally not a particularly negative term, once used to refer to the top echelon of computer adepts, brilliant folks, if often quirky ones. It has since gone to the dark side, referring to those who break into other people’s computer systems. Some do use it to talk about this sort of attack; I prefer not to.

Because, you see, last month’s Twitter attack was hacking, in the break-in sense. The attacker in that case did break into computer accounts — and did steal information. It was confidential company information, not personal information belonging to its customers, but it could have been either.

This is not that.

This is more related to the attacks a week or so earlier than that, in which web sites in the U.S. and South Korea were affected. That, too, was a set of denial-of-service attacks.

And keep in mind that the botnets used in these sorts of attacks are big business. Get rid of the image of a post-adolescent with more time than sense, and no social life. Whether or not that profile is accurate, there’s nothing rudimentary, nothing ad hoc, nothing cute and precocious about this stuff. Zombie networks are cultivated carefully, are traded and leased for a lot of money, and run sophisticated software that’s hard for professionals to crack into.

So, what’s the difference between a hacker break-in and denial of service?

Computers and computer networks have limited capacities. You install so many computers, of whatever speeds. You set up your network with so many routers. You plan for a particular load on your system. If the load exceeds what you’ve planned for, your systems don’t run as well as you’d like — response is slower as requests come in faster than you can service them, and people have to wait in queues. The same is true of power systems, as when we have “brown-outs” during periods of peak demand. The same is true of telephone systems, when everyone phones mom for Mother’s Day, and sometimes we can’t get through. The same is true of face-to-face systems, when you show up at a store at a busy time and have to wait for service.

In the cases we’re used to, though, there are two aspects that keep them under control:

  1. The people we’re waiting behind are also looking for legitimate service.
  2. There’s a limit to the number of people who will come for service, so even if the lines get long and slow, we’ll get to the front eventually.

A denial-of-service attack is an insidious variation. In the general case, item 1 breaks down: the requests for service that are jamming things up are not legitimate, and are not really looking for service. The attackers are making requests and are not waiting for the responses (or are throwing them away when they get them). The purpose is to keep the servers too busy to provide service to those who really want it. It would be like going to a store and asking the clerk to find something for you in the back... and then walking away while they went back to look.

And when the attack comes from a botnet, as a distributed denial-of-service attack, item 2 breaks down as well: there is essentially no limit to the number of requests that can be queued in front of you. The servers may be entirely unable to service legitimate customers. On top of that, software often fails under such unexpected conditions, so the service systems might fail completely (imagine the fed-up clerk who just walks out and goes home, tired of wild goose chases in the stockroom).

These days, pretty much every denial-of-service attack is a distributed one.

Because they’re based on overloading service providers, denial-of-service attacks have varying success, depending upon how prepared the providers are for heavy loads. Hence, some computer systems held off the attacks in early July, while others caved in. Those with more excess capacity, or with techniques to reduce the damage done by bogus requests, were able to keep going.

But what techniques are there for reducing the damage?

There are many, but the basic point of all of them is the same: identify the bogus ones as early as possible, doing as little work as possible before throwing them away. Some examples:

  • Keep track of known “bad actors” and refuse to service them (blacklisting).
  • Limit the number of requests you’ll accept from a given requester in a given time (rate limiting).
  • Check back with the requester periodically, and stop work if the requester goes away (keep-alive).
  • Give priority to trusted requests, and delay untrusted ones.
  • Challenge the requester in some way, assuming that bogus requesters will go away in the face of a challenge (or will be unable to correctly respond to it).

The other thing to note is that the only thing a denial-of-service attack does is block service for legitimate users. It does not “steal your information.” It does not steal anyone’s information. No Twitter user’s account will have been compromised by yesterday’s shenanigans. All that will have happened, in the end, is that they will have spent the morning talking to themselves.


Thomas J. Brown said...

Can you please clarify what you mean by "bad actors?" How does one identify them in a DoS situation while ensuring legitimate users don't get blacklisted?

Barry Leiba said...

Ever the problem with these sorts of things. With email spam it’s problematic enough — many blacklists are blocking IP addresses that are “known to send spam”, and it’s too easy to get onto such a blacklist, and sometimes too hard to get off. But in that case, at least, it’s our service provider that’s affected.

In the case of a DoS attack against a web site, you and I are directly affected, because it’s our IP addresses that the web service sees. If your computer (not mine, heavens!) should become part of a botnet, and be used for a DoS attack, it might get blacklisted. And then when you legitimately try to access that web site later, yes, your legitimate use might be blocked.

Mitigating that, though is the knowledge that email spam is a long-term thing, whereas a DoS attack is fairly short-lived. So these kinds of blacklists usually turn over relatively quickly. Your IP address isn’t likely to be blocked for more than a day, perhaps a few days at most (depending upon how conservative they want to be). That means that, if Twitter should use blacklisting for this, a Twitter user who’s also part of the attacking botnet might be blocked from using Twitter for some while after the attack is over... but he’ll be let back in before too long.

Thomas J. Brown said...

You're right about IPs usually being let back in fairly quickly. When I was working at the T.V. station a few years back, I wrote a function in PHP that, if a user was suspected of flooding, banned their IP for 24 hours.

Sue VanHattum said...

I couldn't get onto my gmail account on Sunday and then again (next time I tried as I'm at camp) on Tuesday. (I was shocked.) Do you know if that could have been caused by this sort of attack?

Barry Leiba said...

I didn't notice anything on Sunday, but, then, I was touring Gripsholm Castle then. But Gmail seemed to be having problems once or twice last week, while I was in IETF meetings.

It could have been due to a DoS attack, or it could have been some other issue that Google was having. I don't know that Gmail has any "status" pages, where they might share such things.

The Ridger, FCD said...

Yeah. I was kind of surprised to hear that a DoS attack was about "stealing information". Made me wonder who wasn't telling us what was really happening, but since I'm not on Twitter I had no experience of it.