Facebook flakiness: reliability problems, or an attack?

Facebook once again is in the middle of major flakiness right now: links to nowhere, spontaneous logouts. The best thing to do when something like this happens is to treat it as a sign that it’s a good time to take a break from Facebook for a little while. So I decided to write this blog post.

Given the high tensions on all sides, the ongoing troll infestation in the group, and examples in the election campaign of what certainly seem to be some Republican dirty tricks being played, it’s natural to wonder whether this is some kind of attack like those described in “How to Rig an Election”. Speaking as somebody who’s had a lot of software engineering and computer security experience, my initial answer is probably not.

Stuff like this happens all the time on the web; Hotmail and a bunch of other Microsoft sites were down for a day just last month. It happened on Facebook right before Super Tuesday, and briefly to my.barackobama.com on March 4th (I was a good boy and reported it to their ‘info’ account: “I’m sure you know this already but just in case”). My ISP has 99% uptime, which is another way of saying my blog and email are down, briefly, multiple times a month. Usually it’s just a traffic overload, hardware or network problems, or some flaky software.

And really, why would anybody choose now for an attack? The One Million Strong group and Facebook presence generally is a huge advantage for the Obama campaign, and so overly-zealous supporters of either the Clintons or John McCain might want to disrupt it — and anybody who wanted to disrupt the US election process might well want to make it look like one of those groups was responsible. For that matter high school kids have done stuff like this in the past just for bragging rights (a very bad idea, by the way, as mafiaboy can tell you). So there’s no shortage of potential suspects. But why wait until a Saturday morning where things are low-key in general and the most urgent business is hanging out and watching the Wyoming results?

Which doesn’t mean it’s impossible. So to continue my transition back to my real life as a strategy/security consultant that I started with The Day After, let’s look at this as a possible attack from a security perspective. Maybe they decided to do a small test now thinking nobody would notice, in preparation for a major attack in time for Pennsylvania, North Carolina, Puerto Rico, or Denver.

What we’re seeing affected more than just the group (I was losing random email messages), and links I couldn’t follow took me elsewhere on the site, so it doesn’t match a DNS attack or URL hijacking. Also, while I got logged out a few times, I could log back in, so it wasn’t malicious reporting. And at first blush, unless they have a configuration setting that says “be flaky for users of this group”, it’s hard for me to see how a rogue employee or contractor could have accomplished it.

It could however be a “Denial of Service” attack where the attackers generate so much load on the group, or Facebook as a whole, that it starts to suffer intermittent failures under load — exactly what’s happening to us.

There are a couple of obvious ways that an attacker could accomplish this. One is to unleash the spambots that are already on Facebook. We’ve all seen the auto-generated spam for a site that will actually “pay users to post spam” — and if you’re not on Facebook, you’ve probably seen them or similar ones on MySpace and elsewhere. One of them hit the One Million Strong for Barack group on March 3 or 4, bringing up a lot of old threads before getting blocked. And these are just the ones that get through the automated spam filters.

So if an attacker suddenly cranked a whole bunch of them up … that could cause a lot of load on Facebook, as the automated filters have to process jillions of messages. Yeah, that’d probably work. [Once or twice, anyhow; once Facebook realizes this possible attack, it’s probably pretty simple to introduce some tweaks for this case.]

Another more straightforward possibility is to do some kind of distributed denial of service (DDoS) attack, pointing a whole bunch of machines in a botnet at Facebook. One of those aforementioned high-school kids confessed to doing something like this to Yahoo! and a bunch of other high-profile sites a few years ago; botnets have gotten a lot bigger since then, and a DDoS attack took out the entire country of Estonia recently. Not sure how expensive this would be, but once again, it could work.

Hmm. Now that I’ve gone through all this, I find myself wondering about Facebook’s and my.barackobama.com’s and other social networks’ ability to deal with these kinds of threats moving forward. The Obama campaign makes great use of these; it also leaves them potentially vulnerable to an attack at a key time (a political battle on the floor in Denver, the week before the election). There are people out there who have gone to jail for playing this kind of dirty trick for political gain; and there are people and organizations in the US and abroad who would benefit greatly from disrupting the US political process.

So it seems like, no matter what did or didn’t happen in this case, this is a good thing to think about in the next few months.

Not right now, though, at least for me. When something like this happens, I take it as a sign not just to spend less time on Facebook for a while, but to spend less time online.

So as soon as I cross-post this, I’m going for a walk.

I suggest everybody else do the same.