FAQ: The ins and outs of DoS attacks

August 7, 2009

Thursday's denial-of-service attack that knocked Twitter offline for a few hours and affected Facebook, LiveJournal, and Google Sites and Blogger wasn't your average attack.

Typically, someone who has a bone to pick with a specific Web site will round up some hijacked PCs and use them to try to shut the site down. In this case, whoever was responsible was trying to block access to a specific user's accounts and not the sites themselves.

Denial-of-service attacks aren't always straightforward, and this one has its own unique twist. Let's take a look at what happened and why.

What's a denial-of-service attack?
A denial-of-service (DoS) attack is any effort designed to interfere with access to a Web site or Internet service. A common method of attack involves flooding a target server with so many communications requests that legitimate traffic cannot get through. This can shut down or slow down the site temporarily.

Web sites aren't the only things that can be targeted in DoS attacks. Unplugging someone's computer is a very basic type of DoS attack.

What's a distributed-denial-of-service (DDoS) attack?
Because Web sites are built to handle a lot of traffic, it can take millions of simultaneous communications requests to have enough effect on the server's performance for an attack to work. In a DDoS attack, tens of thousands or even millions of computers are used to send traffic to the target site all at the same time and repeatedly. As Sophos' Graham Cluley wrote on his blog: "It's a bit like 15 fat men trying to get through a revolving door at the same time--nothing can move."

What's a botnet?
The hijacked PCs that are used in a DDoS attack comprise a botnet. The individual computers are called "bots," "zombies" or "slaves" and are controlled remotely by the "master" attacker. The attacker relays instructions to the bots via a command-and-control server, typically using IRC (Internet Relay Chat). Botnets are also used to distribute spam. Some newer botnets, like one created by a version of Conficker, relay instructions via peer-to-peer networking instead.

How does an innocent PC become a bot?
There are different ways a criminal can get programs onto computers in order to turn them into bots that they can control. Often, criminals send spam with attachments containing malware or links to Web sites hosting malware. The malware--typically a worm, Trojan horse, or backdoor--is installed on the computer when the attachment is opened or the URL link is clicked. Many computers are compromised by drive-by downloads, in which hidden malware on Web sites exploits Web browser vulnerabilities and is downloaded onto the visitor's computer without their knowledge.

Computer users usually have no idea that their computer has been compromised, and botnet operators like it that way so they can keep using the bots indefinitely. Now, criminals who don't want to bother doing the grunt work necessary to compromise an army of machines can just lease one. A recent study by Finjan found that an underground network was offering to let criminals rent a botnet for as little as 5 cents to 10 cents per bot.

What happened in the DDoS that caused the Twitter outage this week?
While most DoS attacks are designed to take down a specific Web site, Thursday's DDoS attack targeted someone who has accounts on the different sites--a Georgian blogger, who uses the account name "Cyxymu" and who has accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube. The affected companies worked together to investigate the attacks and discovered that Cyxymu was the common thread linking the sites. An investigation is pending into who launched the attack and why.

In a clear and simple way, this Cisco graphic shows the relationship of the parties in a DDoS attack. (Credit: Cisco)

How many bots are needed to take down a Web site?
The number depends on how many resources, in servers and bandwidth, the target site has. It can take 25,000 to 50,000 bots to cripple a typical site, and as few as 10,000 or fewer for a small Web site, according to Kevin Stevens, a security researcher for SecureWorks' Counter Threat Unit.

It's difficult to know exactly how big any particular botnet is and guesses vary widely. For example, estimates of the Conficker botnet ranged from 500,000 PCs to 10 million.

Who launches a DoS and why?
Unless someone takes credit, it's nearly impossible to find out who is responsible for a DoS attack. Often attackers will send traffic through proxies so there is no direct link to the source, even if investigators can get hold of a bot used in an attack to dissect the code. Bots also may be located in another country.

The first big DDoS attack, in February 2000, took down some of the Web's most popular sites for hours, including Yahoo, CNN, eBay, Amazon.com, Buy.com, and E*Trade. The U.S. Federal Bureau of Investigation promptly held a news conference to discuss the disruption to the Internet and eventually tracked down the perpetrator, 15-year-old "Mafiaboy," after he bragged about it to friends online.

Mafiaboy was most likely trying to get attention, like script kiddie hackers do when they deface Web sites. Other attackers have different agendas. For instance, there are politically motivated DDoS attacks, such as those involving Russian and Georgian sites last year. Estonian sites were attacked in 2007. Meanwhile, the origin of recent DDoS attacks targeting U.S. government sites and sites in South Korea remains a mystery.

What kind of damage can a DoS attack do?
A DoS can make a Web site completely inaccessible to anyone for a period of time, like the most recent attack did with Twitter. Or it can be equivalent to a hiccup, slowing down page loads or affecting only part of the site.

Sites that aren't in the direct line of fire can also be affected. For example, if a company that is attacked is hosting images or content that is fed to other sites, those other sites may have trouble. So many sites feature Twitter updates that it's likely some of those associated sites were impacted when Twitter was down and the ancillary sites' requests to get updates were ignored.

How can a DDoS be prevented or stopped?
There is no surefire way to prevent a DDoS attack. However, a company can reduce its risk by buying plenty of servers and bandwidth, and hosting content on backup servers. Companies can also limit the number of connections that the Web server allows at any one time and set the firewall to block certain types of data that are used in DDoS attacks, said SecureWorks' Stevens.

In addition, companies can ask the ISP to impose bandwidth limits and to block the IP addresses serving up the attack. Some companies offer DoS detection software, and sites can configure their Web server to monitor traffic patterns and automatically ban IP addresses that could be associated with an attack.
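The "monitor traffic patterns and automatically ban IP addresses" idea above, as an added example that is not from the article or any vendor it names: a sliding-window per-address rate check over Web server access-log lines, run on a constructed sample in which one address floods the server and one browses normally. The addresses, thresholds and log lines are all invented for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the client address and timestamp of a Common Log Format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def flag_flooders(lines, max_requests=20, window_seconds=10):
    """Sliding-window rate check over log lines in arrival order.
    An address making more than max_requests within any window_seconds span
    is flagged; returns ip -> timestamp of the request that tripped the limit,
    the data a block or null-route rule would be built from."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines rather than crash the monitor
        ip, ts = parsed
        if ip in flagged:
            continue  # decision already made for this address
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = ts
    return flagged

def build_sample_log():
    """Constructed sample traffic (not from the article): one visitor making
    3 requests a minute, one bot making 30 requests in 5 seconds, one junk line."""
    base = datetime(2009, 8, 7, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [fmt.format(ip="198.51.100.5", ts=stamp(20 * i)) for i in range(3)]
    lines += [fmt.format(ip="203.0.113.7", ts=stamp(i // 6)) for i in range(30)]
    lines.append("this line is not in log format")
    return lines
```

A real deployment would feed the flagged addresses to a firewall rule or the ISP, and would need a whitelist and an expiry for the bans, since shared proxies and NAT gateways put many legitimate users behind one address.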

In 2001, the White House was able to thwart a DDoS attack that was programmed into the code of the Code Red virus by moving the site away from the targeted IP address. And in 2005, Microsoft sidestepped a DDoS that was going to be triggered by PCs infected with the Blaster virus by killing the targeted IP address.

Once an attack has been launched a company can try to redirect the attack traffic to a null IP address, or a black hole, according to Trend Micro's David Perry.

More information on prevention and mitigation can be found on the SANS Web site and on the US-CERT site.

What can individuals do to prevent their computers from being used in a DDoS attack?
To keep malware off a computer, people should install the latest operating system and application patches, update their antivirus and other security software, consider using auto-updates for browsers and be careful about opening up attachments and visiting Web sites.

 

Symantec Phishing Report - Attacks rose 52 percent

August 6, 2009

Phishing attacks rose 52 percent in July while spam as a percentage of all e-mail stayed about the same compared with the previous month, according to the latest reports from Symantec that tracked spam and phishing activity for the month.

The State of Spam (PDF) and State of Phishing (PDF) reports were released Thursday.

With some fluctuations, spam averaged around 89 percent of all e-mail in July, noted Symantec. That compares with about 90 percent for the month of June. There are distinct trends in certain types of junk mail. Image spam, which sneaks past filters by embedding spam in an image, accounted for 17 percent of all spam at one point in July. Health-related spam declined 17 percent, while 419 spam (often better known as Nigerian hoax spam) rose 3 percent.

Spam as a percentage of all e-mail (Credit: Symantec)

Spammers continued to tap into people and events in the news to spread their junk, noted Symantec. Popular subject lines for spam in July included references to Michael Jackson's death ("Who killed Michael Jackson" and "Jackson is still alive: Proof") and to President Obama and health care ("Obama isn't helping; Let us give you cheap pills.")

With the release of the latest Harry Potter flick, Potter-related subject lines were hot among spammers. Symantec pointed to one health-related spam that talked about a Harry Potter e-book but included a URL to an online pharmacy.

Desperate to get past junk mail filters, spammers often use seemingly innocuous subject lines typically found in a legitimate message, such as "Hi," or "Aloha," or "You have a new message."

Popular subject lines for spammers (Credit: Symantec)

Nigerian hoax, or 419, spam is as popular as ever, found Symantec. Symantec found that these spammers are now using Voice over Internet Protocol (VoIP) to create phony accounts on sites that offer VoIP services. They then send "friend" invitations to their victims hoping to lure them in with the promise of vast riches.

Among countries where spam originates, the U.S. is still top dog, accounting for 25 percent of global spam. Brazil, South Korea, and Turkey were also popular regions for spam production.

Countries where spam originates (Credit: Symantec)

A spam report from McAfee released on July 29 found similar results to the Symantec report.

For July, around 63 percent of phishing URLs were created using phishing toolkits, a jump of 150 percent over June, said Symantec. These software toolkits automate the process of setting up a fake Web site so that even a novice criminal can pull off effective phishing attacks.

How are phony phishing sites created? (Credit: Symantec)

More phishers are also abusing legitimate SSL (Secure Sockets Layer) certificates on their phony sites, noted Symantec. Since the site displays the familiar SSL padlock icon, it provides the user with a false sense of security.

Free Web hosts have been an easy base of operations for phishers since they cost nothing and require little in technical skills to build a site. A total of 130 different Web-hosting companies served 2,402 phishing sites in July, reported Symantec. However, that level is down 14 percent month to month, due to more preventive measures on the part of Web hosts and the rise in the popularity of toolkits.

Among countries hosting phishing sites, again the U.S. took the lead with 29 percent of all phishing sites worldwide. China came in No. 2 with 9 percent.

 

New Chrome beta reflects bigger Google challenge

August 6, 2009

Features that Google brought to its developer preview version of Chrome--themes, a revamped new-tab page, a tweaked Omnibox for searching and entering Web addresses, and support for HTML 5 video--have now arrived on the browser's better tested beta version intended for broader use.

Individually, these features in Chrome 3.0.195.4 are niceties. Collectively, they show Google is steadily moving ahead with its browser project, which was ambitious even before Chrome OS arrived on the scene. Fighting for a piece of the browser market is tough, but offering an operating system solely for Web-based applications is a lot tougher.

After some on-again, off-again wavering, I've gone back to Chrome as my default browser. I like its interface and a handful of features, but the main advantage is its priority on speed. Google's Chrome ambition is to improve the Web as a foundation for applications and more generally to get people to do more online, and speed is of the essence.

That's why the shiny new features such as Chrome themes actually are less interesting to me than some of the fine print in Google's announcement of the new beta:

Beyond the improvements in JavaScript execution in this latest beta, there are a host of other improvements that should help Google Chrome make the most of your network connection. For example, when you open a new Web page while other Web pages are still loading, Google Chrome is now smarter about prioritizing the requests for the new page--for instance, fetching text, images, and video for your new page--ahead of the requests from the older pages. Loading pages on this beta release should also be faster than ever with DNS caching, more efficient DOM bindings, and using V8 for proxy auto-config.

OK, so that gets deep in the weeds at the end there, but suffice it to say that Google is tackling browser speed in a number of areas, not just its V8 engine for executing Web programs written in JavaScript.

Google gets dinged with some justification for moving sluggishly with Chrome. The Mac OS X and Linux versions are only now beginning to come into their own, for example. But there's a subtext to that criticism that bears mentioning.

Specifically, it looks to me as if some perceptions are shifting from "Why should I bother with Chrome?" to "Google isn't moving fast enough with Chrome." That shows expectations are shifting in Google's favor. It positions the company better to win over converts through the gradual delivery of extensions and other high-demand features.

Of course, a lot of my feedback is from change-embracing early adopters who care, sometimes passionately, about browsers. Getting Chrome to appeal to mainstream folks will be another, harder challenge for Google.

 


