Exclusive: Bitly hit by DDoS attack

News by Doug Drinkwater

The website of URL shortening service Bitly was down on Wednesday morning.The company has blamed a DDoS attack.

Visitors to the website were greeted with the messages ‘this webpage is not available' and ‘no data received' along with the respective error codes “ERR_TIMED_OUT” and “ERR_EMPTY_RESPONSE". The website was initially not accessible for approximately 20 minutes (between 10.10am and 10.30am GMT).

The service returned shortly afterwards, but the company then posted: "We are currently working to mitigate a DDoS attack. Some services will be unresponsive." The message, seemingly only visible to Bitly account holders, was later amended to say it was a "denial of service attack" and was removed from the website at 11.30am GMT. 

Bitly claims to shorten more than one billion links per month, and is most often used for social networking, SMS and email. A growing proportion of its users are enterprises and SMBs. Some larger groups even customise their own links via Bitly – The New York Times uses nyti.ms and soft drinks manufacturer Pepsi uses pep.si.

Symantec, which itself uses Bitly links, earlier this month detailed that spammers were targeting Bitly along with users of instant messaging services Snapchat and Kik Messenger. In particular, the spammers were apparently abusing custom Bitly domains as a result of an API configuration problem, which left the API key visible.

“Spammers have found a way to create their own links using branded short domains in order to entice users into a false sense of security,” wrote Symantec researcher Satnam Harang at the time.

The anti-virus firm found Bitly links generated using custom domains owned by brands and companies like USA Today, National Geographic, The New York Post and MIT News, among others.

"Bitly has confirmed that some spammers obtained Bitly API keys belonging to various brands," Narang wrote.

In response to the news, Cesar Cerrudo, CTO of IOActive Labs, told SCMagazineUK.com that the attack may have been in retaliation.

“DDoS is the weapon of choice for cyber crime and criminals to attack sites that could or have interfered with their ‘business'. I would not be surprised if Bitly has done anything along the lines of removing cybercrime-used accounts, filter/secure links that would make cyber criminal gangs angry. The end result is that they may have turned their weapons on Bitly in retaliation.”

Lamar Bailey, director of security R&D at Tripwire, added that the news is worrying, not least because Bitly is being used by many small and large corporations, but said that the attack may actually be a ‘practise run' for cyber criminals to carry out a bigger attack.

“Bitly has become critical infrastructure for many enterprises and SMB users,” Bailey told SCMagazineUK.com. “A successful attack on Bitly is more than likely a practice run for a larger scale attack planed in the future. A DDos of Bitly shows that the attack will work on pretty sophisticated sites without tipping off the intended target. Reports have been circulating from ARN and Prolexic about DDos potential attacks on the financial sector so this could be a dry run."

Update: Bitly emailed SCMagazineUK.com to issue the following statement:

“This morning, at 5:08 am EST (10:08 am GMT) Bitly was the target of a DDoS resulting in a service interruption," the company said. "We immediately instituted our planned response to this scenario to minimise impact. Bitly's services are up and running at 100 percent.  At no point was any of our data compromised.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews