07th August 2009, bits.blogs.nytimes.com
The meltdown that left 45 million Twitter users unable to access the service on Thursday came in two waves and was directed at a single blogger who has voiced his support for the Republic of Georgia in that country’s continuing conflict with Russia.
Facebook’s chief security officer, Max Kelly, told CNet that the attack was aimed at a user known as Cyxymu, who had accounts on Facebook, Twitter, LiveJournal and other sites affected by Thursday’s cyberassault.
In an interview with The Guardian, the blogger said he believed the strike was an attempt to silence his criticism of the behavior of Russia in the conflict over the South Ossetia region in Georgia, which began a year ago on Friday.
How did a targeted attack against a single user manage to cripple Twitter for almost an entire day?
The assault was two-pronged, said Beth Jones, a security analyst with Internet security firm Sophos.
Early Thursday, the attackers sent out a wave of spam in the name of Cyxymu. The technique, known as a “joe job,” is intended to discredit a Web user by making him appear to be the source of a large number of junk e-mails.
“They’re literally designed to smear someone’s online reputation,” said Ms. Jones. “These hackers wanted to make him look responsible for millions of spam e-mails that went out yesterday morning.”
The messages contained links to Cyxymu’s accounts on several social networks and Web sites, including LiveJournal, Twitter and Facebook.
The next leg of the attack, Ms. Jones said, was a distributed denial of service (DDOS) attack designed to knock Cyxymu off the Web.
The hackers used a botnet, a network of thousands of malware-infected personal computers, to direct massive amounts of junk traffic to Cyxymu’s pages on Twitter, LiveJournal, YouTube and Facebook in an attempt to disable them, Ms. Jones said. The impact on everyone else was “collateral damage.”
Twitter was overwhelmed by the attack and its site was paralyzed for hours. Facebook, certain Google Web sites and LiveJournal had better defenses, but still faced temporary problems.
It’s possible that Cyxymu was targeted because the user was so active online, Ms. Jones said. “They knew where to find him,” she said. “Some of the others might not have been so overt.”
The attacks coincided with the one-year anniversary of the Russian-Georgian conflict. “When the conflict started a year ago, there were various denial-of-service attacks coming from both sides, attacking Web sites.”