Social Network Denial of Service (SDoS)?
Posted by Gunter Ollmann on January 26, 2009 at 10:15 AM EST.
Over recent weeks I’ve had a number of people come to me and ask how social networks fit into the evolving threat landscape – following comments I made in the WoSP relating to Dark Reading’s 2009 security prediction of “radical extremist hackers.”
The security concerns I have revolve around the increasing use of popular social networking sites to deliver and coordinate mass appeals, and how the next chapter is likely to see these very same forums being used to coordinate actual attacks. For example, most recently, with the Israel and Hamas war in Gaza, we observed the creation of Groups within Facebook such as “Let's collect 500000 signatures to support the Palestinians in Gaza” (with 655k members) and “Support Israel fighting against Hamas at Gaza - operation 'Solid Lead'” – and there was (and still is) a lot of Web defacement activity going on between the involved parties.

Clustering of like-minded common-cause individuals isn’t exactly a new phenomenon. Popular bulletin boards back in the 1980s probably started the electronic trend, and it’s carried through to the Internet with popular messaging forums. However, the explosion of social networking site participation is entirely new and opens the door to a new generation of coordinated mass attacks.
DDoS Tools
Over the last couple of years we've observed the development of specialist denial of service tools designed for use by the average home user so they can participate in common-cause attacks. The tools themselves are fairly simple (from an attack perspective) – usually focusing on flooding a particular port (e.g. TCP 80) and bandwidth consumption (e.g. multiple Web page requests).
Some of the most newsworthy have been those falling under the theme "Electronic Jihad", which seek to solicit like-minded community members to download the DDoS tool to their computer and “donate” bandwidth to the subsequent attack.

Perhaps the most recent noteworthy implementation of the attack strategy was employed in the run-up to the Olympic Games, as Chinese activists used a custom flavor of DDoS tool to target CNN because of their coverage of the protests surrounding the Olympic torch and Tibet.

The attack itself appeared to have largely failed against www.cnn.com – probably because of a mix of preparation by the CNN network security teams and the relatively low number of Chinese willing to participate in the attack.
Of course, with the recent Israel/Hamas war, similar tools were made available.
Social Networks
Having taken note of how this type of common-cause attack has evolved and the increased growth of major social networking sites with tens-of-millions of members, I believe it is increasingly likely that we’ll see more coordinated and larger attacks in the future.
Given how easy it is to create and join a social network group, and progress a common-cause, it is inevitable that we’ll see the creation of a new mass attack phenomenon – let’s label it the “Social Networking Denial of Service” or SDoS for short – with the potential of hundreds-of-thousands of group members “taking up arms” and donating the use of their computer for future cyber-attacks.
A fear I have is that the major social networking sites will be too busy being “independent” or “Neutral” or simply competing against each other to gain/retain members/customers, that they will do little to prevent this natural progression of attack (disagreeable content -> flame wars -> hate forums -> Boycott -> SDoS coordination).
Smaller Targets
While a lot of the emphasis thus far has been on the bigger stuff – borderline cyber-warfare – I actually see more day-to-day damage being wreaked against the smaller (and softer) targets.
There are a lot of political and social causes that attract sizable groups of activists which will likely benefit from reaching deeper into the social networking sites and attracting more patrons. Using unintimidating electronic vehicles such as “download this software to donate spare bandwidth on your computer…” it'll become increasingly easy for members of common cause groups to target a particular adversary.
For example, future “victims” of SDoS attacks could include:
- Nuclear Power Boards – A lot of people have grave concerns about nuclear power, and there are well established protest movements targeting public and government meetings discussing the future of nuclear power plants.
- Pharmaceutical Research – The targeting of corporations that conduct animal research has been popular and well coordinated for quite some time.
- Family Planning Advice Sites – Family planning advice has often fallen afoul of religious groups around the world.
- Online retailers – Online-only retailers trying to sell items seen as a threat to another’s beliefs (e.g. Nazi memorabilia, cruciform adult sex-toys, Yoga manuals, etc.).
Even if a particular social networking cause only manages to gather a couple of thousand active members willing to donate their bandwidth, that can still be thousands of malicious requests and gigabits of traffic per second targeting an organization’s online infrastructure – and more than capable of online disruption.
The Mobile Threat
Putting on an “evil genius” hat, it doesn’t actually take much effort to migrate these SDoS tools over to the mobile platform. Imagine that, as part of a social network movement, you download and install a piece of software that will donate some of your phone capabilities (e.g. SMS text messaging or voice calls), and that your cellphone now participates in the attacks (probably limited to “free local calls” or a donation of $20 of calls/SMS’s).
Even with only a few thousand members, it would be easy to DoS the incoming phone lines of the targeted organization or cellphones of company executives.
Going one step further, imagine if some of the Facebook groups that appeared during the Israel/Hamas war were to also use mobile SDoS tools? Armed with a few thousand “active members”, how hard would it be to conduct a distributed DoS against the emergency services telephone lines? How damaging would that be?
The growth of social networking sites as a coordination point for “common causes” and factions is something that needs to be carefully monitored going forward.

Note: I'd recommend anyone interested in learning more about the specific tools used for the DDoS attacks to visit Dancho Danchev's blog. Credit to Dancho for the screenshots of the tools in operation.

