Cyxymu DDoS denies Twitter, Facebook, LiveJournal service

Twitter, Facebook, and LiveJournal are still suffering from yesterday's distributed denial of service (DDoS) attacks. In IT Blogwatch, bloggers look east for the culprit and wonder how to pronounce Cyxymu.

By Richi Jennings. August 7, 2009.

Your humble blogwatcher has selected these bloggy morsels for your enjoyment. Not to mention recursive translations...

Steven J. Vaughan-Nichols brings us up to speed:

The morning ritual: Get your cup of coffee, open up your e-mail, switch your Web browser to Twitter... ARGH!


How is this happening? Well, let me tell you. Today's DDoS attacks are made by Windows-powered botnets. They're not terribly sophisticated about these attacks. The last major one, which may or may not have come from North Korea, was driven by MyDoom, Windows malware from 2004. ... If you think that governments don't use the Internet to knock out their enemies, you haven't been paying attention. Russians already successfully attacked Estonia's Internet infrastructure in 2007.

Dan Goodin has another theory:

As Twitter struggled to return to normal Wednesday evening, a trickle of details suggested that the outage that left 30 million users unable to use the micro-blogging service for several hours - at least in part - may have been the result of a spam campaign that targeted a single user who vocally supports the Republic of Georgia.


The torrent of traffic that brought the site to its knees wasn't the result of a traditional DDoS, or distributed denial of service attack, but rather people who clicked on a link in spam messages that referenced a well-known blogger called Cyxymu. As spam goes, the emails looked benign enough. One of them carried the subject "Visit my blog" and contained the words "thanks for looking at my blog" in the body. They contained respective links to Cyxymu's accounts on Twitter, Facebook, LiveJournal and YouTube, all of which also reported receiving abnormal amounts of traffic on Thursday.

Graham Cluley disagrees and explains:

I don't think that's likely. Most people wouldn't have bothered clicking on the link. ... Imagine you received one of these emails. You would be pretty annoyed right? Most people's natural instinct is to get angry about whoever sent you the unsolicited email promoting his blog or YouTube channel. ... In other words, Cyxymu may have been set up as a scapegoat by the spammer - with the intention of having their anti-Russian webpages removed.


Today is ... the first anniversary of Georgian troops moving into South Ossetia, an incident which led to conflict between the Russian and Georgian armies last year. ... Cyxymu's YouTube channel is still available. It contains a number of videos, many related to skirmishes between Russians and Georgians.

Twitter's Biz Stone grumbles:

Over the last few hours, Twitter has been working closely with other companies and services affected by what appears to be a single, massively coordinated attack. As to the motivation behind this event, we prefer not to speculate.


We've worked hard to achieve technical stability and we're proud of our Engineering and Operations teams. Nevertheless, today's massive, globally distributed attack was a reminder that there's still lots of work ahead. ... Please note that no user data was compromised in this attack.

Pat Belcher also won't speculate:

I don’t want to speculate on who was behind the attack, whether it was a criminal organization, a nation-state or a combination of the two.

But it should be noted that criminal malware authors also picked today to launch an updated version of the Koobface Virus, which propagates by using Facebook and Twitter posts to trick people into downloading trojanized software. Any outage of Twitter during this attack would certainly be at odds with this criminal organization since it would impact their ability to distribute malware and thus make money.

Craig Labovitz has quantitative answers to questions:

From the data, Twitter traffic declined abruptly around 9am EDT this morning. ... 55 ISPs in the Internet Observatory were exchanging roughly 200 Mbps with Twitter before the DDoS. Then traffic dropped to a low of 60 Mbps. ... As of 1pm EDT, Twitter traffic was still down by 50% at 150 Mbps (normally we see close to 300 Mbps for this time of day).

From DNS, it looks like Twitter has moved some of their infrastructure to different address blocks as of 2pm EDT.

Stellaa is distraught:

I get my morning reading from people I follow on Twitter. Now I had to go back to my old ways, my bookmarks. Since 6:00 am PDT it's been down. Silence. No global voices coming into my phone and computer.


For the non-Twitter crowd this does not mean anything, but for me, it's a deafening silence. I follow people from all over the world. My own little news service, with links, commentary and just news. In the morning when I wake up, our other hemisphere friends were busy reading and linking. What a treasure chest I find in the morning. How to ruin a routine.


Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email:

Copyright © 2009 IDG Communications, Inc.
