Networking

Easy Entertainment Center WiFi

Recently, I entered into a truce with the pay-for-television industry, gave in to the demands of my family, and signed an “exclusive” 2-year deal with DirecTV.  I was perfectly happy the last couple of years not having a monthly bill, and besides, online entertainment has been coming into its own for a while (Hulu, ABC/NBC/Fox, Joost, etc.).  Well, one thing I was looking forward to was that the DirecTV receiver I ordered has the capability to connect to the Internet to download OnDemand programming, weather, etc.  There is only one problem:  running Ethernet cabling in my home would not be pretty.

So, I decided to go wireless.  I purchased a Linksys WRT54GL router, installed DD-WRT firmware, configured it as an access point, and voila – I now have a 4-port wireless AP to connect my DirecTV receiver and my hacked Xbox, with two ports left over for future expansion.  The whole setup took about 30 minutes.

Twitter/Facebook DDoS Attack!

Today, as of 11 a.m. (EST), the popular web service Twitter was down.  A recent status update from Twitter attributed the cause of the outage to the site experiencing a denial-of-service attack.  While the site previously suffered from numerous system-related outages last year, they have taken great steps to ensure the reliability of the service, given its increasing popularity.  To add insult to injury, other popular social networking sites, such as Facebook, have also been reported to be experiencing problems.

Denial-of-What?

Denial-of-service attacks attempt to bring down sites/services by overwhelming them with more traffic than they can handle.  They are hard to defend against, especially distributed denial-of-service attacks, due to their distributed nature and the difficulty in distinguishing valid requests from malevolent ones using automated methods.

Counter-measures

While there is no sure way to prevent DDoS attacks, the best counter-measure would be to increase the amount of available resources for the site/service, effectively providing the attackers with a harder target.  Provisioning increased bandwidth and backup server resources will not stop the attack, but may defeat its purpose by ensuring continuity of the site/service.

The BIG picture

What makes attacks like these possible are the numerous unprotected and unpatched vulnerabilities (published and unpublished) present on the millions of average user workstations around the world.  Unethical individuals and groups can take advantage of these vulnerabilities to assume control of an unsuspecting victim’s personal computer, creating a “zombie army” of computing.  They can then use this platform for launching attacks.  Keeping computers up to date with the latest security patches as well as monitoring your network traffic for any unusual traffic spikes is key to doing your part to help prevent these attacks.

UPDATE (2:30 pm EST)

Facebook confirmed that it also was suffering from a DDoS attack.  Facebook posted a message on its own service stating:

You may have had trouble accessing Facebook earlier today because of network issues related to an apparent distributed denial-of-service attack. We have restored full access for most people. We’ll keep monitoring the situation to make sure you have the reliable experience you expect from us.

Is My ISP Throttling My Bandwidth?

I had recently worked on a problem with a customer in which they had been experiencing issues with the phone quality of their Voice-over-IP (VOIP) phone system at one of their branch offices (VPN connection).  During my review, I was told the Internet connection was supposed to be 20×2 (20 Mbps down and 2 Mbps up), but my speed tests were showing 3 Mbps down/512 Kbps up.  What?!

I asked my customer to verify with their ISP what the contracted bandwidth was and they confirmed that they were paying for 20×2 service.  Many phone calls later, the customer determined “unofficially” from a friendly insider at the ISP that they may be throttling their bandwidth due to BitTorrent traffic.  A BitTorrent client was discovered in use by an employee at that location.  After the BitTorrent client was stopped, the bandwidth resumed to normal levels.

Well, this situation was resolved for this particular customer, but how do you determine if your traffic is being throttled if you don’t have an “inside” connection?

Glasnost

Glasnost is a tool that will test to see if your ISP is suspected of throttling bandwidth.  It performs a series of tests that download/upload normal traffic and BitTorrent traffic, then compares the results of the two types of tests.  If any significant difference is detected, you can assume that your ISP is throttling your bandwidth.

According to their site, “Our test runs BitTorrent and TCP downloads as well as uploads on a well-known BitTorrent port and a non-BitTorrent port.”

Bad ISPs

Another source of useful info is Bad ISPs.  This site maintains a list of ISPs known to throttle bandwidth for BitTorrent/P2P traffic, as well as other issues, such as high traffic volume.

Bottom Line

Of course, the main issue here is to restore your bandwidth levels.  You would think that ISPs would not throttle traffic on a “business” type account, but that’s not always the case.  Most likely any technician or higher up you speak with at the ISP will not be able to remove the throttling, so the best course of action is to find the offending workstation(s) on your network that may be causing the BitTorrent/P2P traffic and stop it or block the traffic directly on your firewall.  Tools such as Wireshark or Microsoft NetMon are useful for detecting, identifying, and analyzing network packets.
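To illustrate finding the offending workstation from captured traffic, here is an added example (not part of the original post) that flags hosts whose TCP payloads begin with the BitTorrent handshake, whatever port they use. The flow tuples, addresses, info hash and peer ID are constructed sample data, and the function names are hypothetical; protocol-encrypted BitTorrent sessions will not show this plaintext handshake.

```python
import re
from collections import defaultdict

PSTR = b"BitTorrent protocol"                 # fixed protocol string (19 bytes)
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # pstrlen, pstr, reserved, info_hash, peer_id

# Azureus-style peer_id: "-" + 2-char client code + 4-char version + "-"
PEER_ID = re.compile(rb"-([A-Za-z]{2})(\w{4})-")
CLIENTS = {b"UT": "uTorrent", b"TR": "Transmission", b"qB": "qBittorrent",
           b"DE": "Deluge", b"AZ": "Azureus/Vuze"}


def parse_handshake(payload):
    """Return handshake details if payload opens a BitTorrent session, else None."""
    if len(payload) < 20 or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    details = {"info_hash": None, "client": "unknown"}
    if len(payload) >= 48:
        details["info_hash"] = payload[28:48].hex()
    if len(payload) >= HANDSHAKE_LEN:
        m = PEER_ID.match(payload[48:68])
        if m:
            name = CLIENTS.get(m.group(1), m.group(1).decode())
            details["client"] = f"{name} {m.group(2).decode()}"
    return details


def hosts_with_bittorrent(flows):
    """flows: (src_ip, dst_port, first payload bytes) -> {src_ip: [(port, client)]}."""
    hits = defaultdict(list)
    for src, dport, payload in flows:
        hs = parse_handshake(payload)
        if hs:
            hits[src].append((dport, hs["client"]))
    return dict(hits)


# Constructed sample flows (documentation addresses, made-up hash and peer id).
_FULL = bytes([19]) + PSTR + bytes(8) + bytes(range(20)) + b"-TR2940-abcdefghijkl"
SAMPLE_FLOWS = [
    ("192.0.2.23", 51413, _FULL),                   # complete handshake
    ("192.0.2.23", 8080, _FULL[:20]),               # truncated capture, odd port
    ("192.0.2.40", 443, b"\x16\x03\x01\x02\x00"),   # start of a TLS record
    ("192.0.2.41", 80, b"GET / HTTP/1.1\r\n"),      # plain HTTP
]

if __name__ == "__main__":
    for host, seen in hosts_with_bittorrent(SAMPLE_FLOWS).items():
        print(host, seen)
```

Because the match is on payload content rather than port number, it also catches clients moved off the well-known BitTorrent ports, which a port-only firewall rule would miss.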

Domain-wide Time Synchronization: Part 2

OK, sorry for the delay, but I want to dive right in. Let’s break down the steps from part 1:

1 – Configure NTP time source for PDC domain controller

For this step, you want to configure the PDC to check in with a reliable Internet time server. A couple of ones that I prefer to use are hosted by the US Naval Observatory (tock.usno.navy.mil) and NIST (time.nist.gov). To configure the necessary settings, you’ll need to make a bunch of registry changes, which you can find here. But, since I’m always looking for an easier way, I found this handy utility that will make the necessary changes for you, after entering a few settings. The only gotcha that I found with this utility was that you need to enter a space before the name of your preferred NTP server; otherwise, the registry doesn’t get updated correctly. Check the event logs afterward to verify that everything worked ok.

2 – Configure poll interval on member servers (15 minutes; my preference)

On each domain controller and member server, I change the “poll interval” to 15 minutes (900 seconds).

Edit the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval = "900" (DWORD)

3 – Ensure that all member servers and workstations are configured for the NTP time source type of “NT5DS”

From command prompt:

w32tm /dumpreg /subkey:Parameters

4 – Test and verify time sync

Verify NTP servers:

Net time /querysntp

Compare time difference on PDC to other machines:

w32tm /stripchart /computer:[computer name] /samples:1
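For step 3 across many machines, the following added example (not from the original post) parses saved `w32tm /dumpreg /subkey:Parameters` output per host and reports any machine whose time source type deviates. The host names and dump text are constructed, the function names are hypothetical, and it assumes the PDC is set to Type=NTP while every other machine should be NT5DS.

```python
import re

# One row of `w32tm /dumpreg` output: value name, REG_* type, value data.
ROW = re.compile(r"^(\S+)\s+(REG_\w+)\s+(.*\S)$")


def parse_dumpreg(text):
    """Map value name -> value data, skipping header and separator lines."""
    values = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            values[m.group(1)] = m.group(3)
    return values


def audit_time_source(dumps, pdc):
    """Return (host, expected Type, found Type) for every host that deviates.

    Assumption: the PDC uses Type=NTP (manual peer list from step 1) and
    every other machine follows the domain hierarchy with Type=NT5DS.
    """
    findings = []
    for host in sorted(dumps):
        found = parse_dumpreg(dumps[host]).get("Type", "<missing>")
        expected = "NTP" if host == pdc else "NT5DS"
        if found.upper() != expected:
            findings.append((host, expected, found))
    return findings


def _dump(type_value, ntp_server):
    # Constructed text shaped like `w32tm /dumpreg /subkey:Parameters` output.
    return (
        "Value Name      Value Type      Value Data\n"
        "------------------------------------------\n"
        f"NtpServer       REG_SZ          {ntp_server}\n"
        f"Type            REG_SZ          {type_value}\n"
    )


# Constructed host names; the PDC's NTP servers are the ones named in step 1.
SAMPLE_DUMPS = {
    "DC01": _dump("NTP", "tock.usno.navy.mil time.nist.gov"),
    "FS01": _dump("NT5DS", "time.windows.com,0x9"),
    "WS07": _dump("NTP", "time.windows.com,0x9"),
    "WS09": _dump("NoSync", "time.windows.com,0x9"),
}

if __name__ == "__main__":
    for finding in audit_time_source(SAMPLE_DUMPS, pdc="DC01"):
        print("%s: expected Type=%s, found %s" % finding)
```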

For more info, check out the following:

Windows Time Service Tools and Settings
How to configure an authoritative time server in Windows Server 2003
Using and configuring Windows time service

