Distributed Denial of Service attacks, also known as DDoS attacks, are a fairly common way to block access to a site. A multitude of requests for a web page, usually generated by scripts or bots, overloads the servers and knocks out access. Sometimes, a DDoS is used to make a political point or for trolling. In Bitly’s case, it may have been a trial run for something bigger.
We are currently working to mitigate a DDoS attack. Some of our site may be unavailable, but we're working to restore full functionality.
— Bitly (@Bitly) February 26, 2014
Bitly is a URL shortening service that has been creating custom services for SMBs and larger corporations like Pepsi, The New York Times and Symantec for years. According to findings from Symantec security response manager Satnam Harang, spammers had somehow gotten their hands on Bitly’s corporate API keys.
SC Magazine quotes Harang saying, “spammers have found a way to create their own links using branded short domains in order to entice users into a false sense of security.”
Armed with this knowledge, it’s possible that Bitly decided to take proactive measures to protect its services. And according to Cesar Cerrudo, CTO of IOActive Labs, such action could have led spammers to seek revenge. “DDoS is the weapon of choice for cyber crime and criminals to attack sites that could or have interfered with their ‘business,’” Cerrudo told SC Magazine.
Lamar Bailey, director of security R&D at Tripwire, thinks the DDoS may be more worrying than simple revenge.
“A successful attack on Bitly is more than likely a practice run for a larger scale attack planned in the future. A DDoS of Bitly shows that the attack will work on pretty sophisticated sites without tipping off the intended target. Reports have been circulating from ARN and Prolexic about potential DDoS attacks on the financial sector so this could be a dry run.”
The good news is that Bitly had planned for this very contingency and was able to respond to the attack quickly. The outage lasted less than an hour and no data was compromised. Bitly, or any other online service, might not be so lucky next time.
Image credit: GirlieMac