How Twitter was killed

The morning ritual: Get your cup of coffee, open up your e-mail, switch your Web browser to Twitter... ARGH!

That was how the morning went for many people when they turned to Twitter only to find that the wildly popular social-networking site was dead in the water. How dead was it? There wasn't even a fail-whale to be seen.


So what happened? Twitter is still working it out. But the site's official blog reported, "We are defending against a denial-of-service attack, and will update status again shortly." As of 12:46 PM Eastern, Twitter was up, still staggered, but working again.

Well, working for now anyway.

DDoS attacks are hard to beat. While some Twitter fans are claiming that this is the biggest DDoS attack ever, I'm inclined to doubt it. Twitter, even though its performance has gotten much better, has often teetered on the edge of collapse due to the enormous load its users put on its social network infrastructure. No, the DDoS attack on Google earlier this year was probably still the worst attack on record.

How is this happening? Well, let me tell you. Today's DDoS attacks are made by Windows-powered botnets. They're not terribly sophisticated about these attacks. The last major one, which may or may not have come from North Korea, was driven by MyDoom, Windows malware from 2004.

While we don't have the details yet on what exactly is happening to Twitter, DDoS attacks work in one of three broad ways. The first is to simply overrun a server or server farm's network bandwidth with so much traffic that the connection can't keep up. That's relatively easy to block, so that probably wasn't the means used against Twitter.

Another method is to make Web server requests that end up using up all of a server's resources. Usually, though, DDoS attacks are aimed straight at your network's TCP/IP infrastructure. These assaults come in three varieties: those that exploit weaknesses in a given TCP/IP stack implementation; those that target TCP/IP weaknesses; and the tried-and-true brute-force attack. These days, the last, thanks to armies of zombie Windows PCs, is easier to do than ever.

So one, or perhaps several, of these methods was used to kill Twitter. The next question is: why kill Twitter?

I don't know who did it, but I do have a theory. Twitter has become the way for Iranian protesters to keep in touch with each other and let the rest of the world know about how their election was stolen from them. The Iranian opposition had been planning protests against President Mahmoud Ahmadinejad's inauguration ceremony. A great deal of this planning has been over the Internet on blogs, and, of course, Twitter.

Funny timing, don't you think, that Twitter would be knocked completely off the air at just this time? And, if you think that governments don't use the Internet to knock out their enemies, you haven't been paying attention. Russians already successfully attacked Estonia's Internet infrastructure in 2007. With Windows botnets growing by leaps and bounds, it's easier than ever for governments or even just a handful of people to knock out major Web sites like Twitter.

I've said it before, I'll say it again. Thanks to Windows' security weaknesses, botnets are now commonplace and we can only expect to see more DDoS attacks in the future.

I'm not the only one who sees it this way. Patrick Peterson, Cisco Fellow and Chief Security Researcher, told me, "Ten years ago we saw the first DDoS attacks take down some of the world's largest web sites. Today attackers have tens of thousands of PCs in their botnets, each PC using sophisticated application-level techniques to overwhelm their victim sites. The irony here is that botnets, infected criminally-controlled consumer PCs, are the problem. Many of today's tweetless are part of the attack if their PC has been infected due to poor security."

Copyright © 2009 IDG Communications, Inc.
