Operation “Silence Cyxymu” Crushes Twitter, Facebook, LiveJournal

Twitter went offline today due to a Distributed Denial of Service attack. There were reports that other sites were impacted too, but their service was only mildly affected. Here is a snapshot of the drop-off in traffic to Twitter according to Arbor Networks:

The below graph shows Observatory data from 55 providers around the world to Twitter’s two NTT-hosted address blocks: 168.143.0.0/16, 128.121.0.0/16.

From the data, Twitter traffic declined abruptly around 9am EDT this morning.

We generally don’t see a lot of data (i.e. it takes thousands of tweets to match the bandwidth of a single video), but 55 ISPs in the Internet Observatory were exchanging roughly 200 Mbps with Twitter before the DDoS. Then traffic dropped to a low of 60 Mbps around 10:40am and began climbing after that. As of 1pm EDT, Twitter traffic was still down by 50% at 150 Mbps (normally we see close to 300 Mbps for this time of day).

According to Facebook’s Chief Security Officer Max Kelly, the denial of service attacks that took Twitter offline and impacted the performance of Facebook, LiveJournal and Google’s Blogger sites happened because someone had set out to silence the voice of a single person: a Georgian blogger by the name of Cyxymu, who had an account on each of the affected web services.

If this is true, it represents an amazing operation by some organization to squelch his speech. From CNET:

A Russian activist blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The pro-Georgian blogger, who uses the account name “Cyxymu,” had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Kelly said. “We’re actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can.”

Kelly declined to speculate on whether Russian nationalists were behind the attack, but said: “You have to ask who would benefit the most from doing this and think about what those people are doing and the disregard for the rest of the users and the Internet.”

Twitter was down for several hours beginning early Thursday morning, and suffered periodic slowness and time-outs throughout the day.

I don’t want to speculate on who was behind the attack, whether it was a criminal organization, a nation-state or a combination of the two. But it should be noted that criminal malware authors also picked today to launch an updated version of the Koobface virus, which propagates by using Facebook and Twitter posts to trick people into downloading trojanized software. Any outage of Twitter during this attack would certainly be at odds with this criminal organization since it would impact their ability to distribute malware and thus make money.

Thanks to Poppy for the tip!