Business - Written by on Monday, September 8, 2008 10:58 - 3 Comments

Jeff DeChambeau
Facebook: the silent botnet

Wired’s Threat Level has a story up about how researchers have created a Facebook application that is capable of delivering a Distributed Denial of Service (DDoS) attack using nothing more than the application and its users. The application, Photo of the Day, is installed by users who want a daily photograph. When a user loads the page with the photo of the day, the application sends a request to a third-party server (the one being attacked) for a large file, usually a high-resolution image. That image is silently downloaded to the user’s computer and never displayed. The effect is that simply by using the application, users drain bandwidth from the targeted server. If enough users run the application this way, the server can be overloaded with requests and rendered inaccessible to the people who are actually trying to visit it.

The researchers chose to point the hidden attack at their own server, of course — but were surprised that more than 1,000 Facebook users installed the application, even though they only mentioned it to friends.

That led to a peak of 300 requests per hour and on its peak day, the traffic went above 6 Mbits per second.

It’s a pretty clever attack. But 6 Mbit/s isn’t really that much; it’s roughly equivalent to the maximum speed of a typical DSL connection (or double the speed of a typical DSL connection if your building, like mine, has old copper wiring). Given enough users and sufficiently large target files, this attack could be pretty potent.
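For the mechanism described above (many browsers silently fetching one large file because a third-party page embeds it) and the bandwidth figures just quoted, here is an added example, not code from the original post or from the Wired story, of the check a server operator could run over ordinary access logs: it parses combined-format lines, groups large responses by path and by the foreign Referer host that triggered them, and reports groups fetched by many distinct clients along with the average outbound bandwidth they consumed. The log lines, `OUR_DOMAINS` and the `apps.socialnet.example` referer host are constructed placeholders.

```python
# Added example, not from the original post or the Wired article: flag a hotlink
# bandwidth drain in "combined"-format access logs (constructed sample lines below).
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"'
)
OUR_DOMAINS = {"example.org"}  # placeholder: referers from our own site are fine

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" = no body
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    host = re.match(r"https?://([^/]+)", rec["referer"])
    rec["ref_host"] = host.group(1).lower() if host else ""
    return rec

def find_hotlink_drains(lines, min_clients=3, min_bytes=500_000):
    """Report (path, foreign referer) groups pulled by >= min_clients distinct IPs."""
    groups = defaultdict(lambda: {"ips": set(), "bytes": 0, "times": []})
    for line in lines:
        rec = parse_line(line)
        if (not rec or not rec["ref_host"] or rec["ref_host"] in OUR_DOMAINS
                or rec["bytes"] < min_bytes):
            continue  # unparsable, no/own referer, or too small to matter
        g = groups[(rec["path"], rec["ref_host"])]
        g["ips"].add(rec["ip"])
        g["bytes"] += rec["bytes"]
        g["times"].append(rec["ts"])
    report = []
    for (path, ref_host), g in groups.items():
        if len(g["ips"]) < min_clients:
            continue
        span = max((max(g["times"]) - min(g["times"])).total_seconds(), 1.0)
        report.append({"path": path, "referer": ref_host, "clients": len(g["ips"]),
                       "mbps": round(g["bytes"] * 8 / span / 1e6, 2)})
    return report

SAMPLE_LOG = """\
203.0.113.10 - - [08/Sep/2008:10:00:00 +0000] "GET /img/hires.jpg HTTP/1.1" 200 2000000 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
203.0.113.11 - - [08/Sep/2008:10:00:30 +0000] "GET /img/hires.jpg HTTP/1.1" 200 2000000 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
203.0.113.12 - - [08/Sep/2008:10:01:00 +0000] "GET /img/hires.jpg HTTP/1.1" 200 2000000 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"
198.51.100.5 - - [08/Sep/2008:10:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
"""
```

On the sample, three distinct clients pull the same 2 MB image within a minute from one foreign referer, which the report shows as 0.8 Mbit/s; the same grouping over a real day's log is what would have surfaced the 6 Mbit/s peak the article mentions.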

Distributed attacks like these are not new, but using a social networking platform in this way, instead of unguarded IIS installs, is new. Arguably this is the next step from MySpace/MSN virus spam, where an account is breached and then messages all of its contacts, asking them to “install a picture” — which is actually the attack software. But this is the first time that I’ve seen an attack like this that actually delivers value to the nodes (in this case, the application users).

Nefarious hackers have already had users willingly (albeit unknowingly) participate in illegal online activity. In another very clever move, spammers got users to solve CAPTCHAs in exchange for free porn (the link is clean). They used those solutions to sign up for webmail accounts, likely to be used to sell pharmaceuticals back to those same users.

All of this leads, once again, to the conclusion that technology is not inherently good or evil, but that a) people will use it to do bad things (or to expose them, like the Facebook researchers), and b) users need to be protected, most often from themselves and their unsafe computing habits.

I think the problem with b) is that computer security education, while quickly growing in importance, simply isn’t sexy. So instead of safe habits, annoying security applications are phoned in. As computing power moves from the desktop to the cloud, people are going to have to port (or learn) their safe computing habits in a new venue; otherwise it’s really going to be the wild west, where no server or account is safe from harm. Facebook is just the latest example.

Also, and this isn’t exactly Wikinomics-related, but the BBC has a great piece on the history of the construction of the Large Hadron Collider. Check it out.



3 Comments


Facebook: the silent botnet
Sep 8, 2008 20:42

[...] Go to the author’s original blog: Facebook: the silent botnet [...]

Jeff DeChambeau
Sep 9, 2008 0:10

What a fantastic trackback.

Anne Wambui Muchoki
Feb 7, 2009 1:52

Wow, I really like your research.
