Blogger targeted in Twitter, Facebook DoS

A Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google's Blogger and YouTube was targeted in a denial-of-service attack that led to a site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The blogger, who uses the account name 'Cyxymu' (the name of a town in the Republic of Georgia), had accounts on all the sites, which were attacked at the same time, said Max Kelly, chief security officer at Facebook.

"It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," Kelly said. "We're actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back-end and to take action against them if we can."

Kelly declined to speculate on who was behind the attack, but said: "You have to ask who would benefit the most from doing this and think about what those people are doing and the disregard for the rest of the users and the internet."

Twitter was down for several hours on Thursday, and also suffered periodic slowness and time-outs.

Cyxymu's LiveJournal page was not accessible, but a cached version showed it was updated on Thursday with a message about the DoS attacks on his accounts on the US-based sites. "Now it's obvious it's a special attack against me and Georgians," the message said in Russian.

The site also apologised for a spam email attack in which the sender was spoofed and made to look like the emails were sent by him. It is unclear whether or how the spam attack is related to the DoS attacks.

In the distributed denial of service (DDoS) attack on the sites, computers that have been compromised by viruses or other malware are instructed by the attacker's computer to visit the specific websites all at the same time, and repeatedly. The barrage of connection requests overwhelms the target sites, so legitimate web traffic cannot get through.

Such co-ordinated attacks require the efforts of tens of thousands or more hijacked computers, which together form a botnet. Spammers send emails with malicious attachments or URLs to millions of people to create botnets. Criminals also can lease existing botnets for specific campaigns for as little as $0.05 (3p) to $0.10 per bot.

A Facebook spokesman dismissed a theory that the attack was triggered by a spam campaign in which emails had links to the sites. It is unlikely that there would be enough recipients — all clicking on the URLs at the same time — to bring a site down, he said. There was a spam campaign that directed people to Cyxymu's accounts, but it was not the cause of the DoS, he said.

"The people who are coordinating this attack — the criminals — are definitely determined and using a lot of resources," Kelly said. "If they're asking our infrastructure to generate hundreds of pages a second, that's a lot of pages our users can't see."

Facebook and Google were able to minimise the impact to their sites, including Blogger, YouTube and Google Sites, a free website service. Facebook even managed to keep the Cyxymu account accessible to surfers from that region, Kelly said, although it was inaccessible to those in other geographic areas, including San Francisco.

This was the first co-ordinated attack on the sites and all the companies involved were working closely on the investigation, he said. "My team and the teams that are working together at all these companies are doing a really good job very quickly and I'm proud and happy," he said.

Twitter and LiveJournal did not immediately return emails and calls seeking comment.

A Google spokesman said: "We are aware that a handful of non-Google sites were impacted by a DoS attack this morning and are in contact with some affected companies to help investigate this attack. Google's systems prevented substantive impact to our services."

Political conflicts between Russia and its former republic spilled online last year with DoS attacks and website defacements from both sides.