When Facebook Is Down, Don't Blame Hackers

Facebook and its related properties spent several hours offline in many parts of the world today. Just don't call it a DDoS attack.

It happened again. Facebook went down in pockets around the world for several hours Wednesday, as did Facebook-owned Instagram and WhatsApp. The outage inspired the usual existential jokes—and rush to news sites to fill the void—but it also gave rise to conspiracy theories that hackers were the cause. As is almost always the case, those theories are wrong.

Facebook confirmed as much in a tweet, saying that while it was still investigating the root cause of its woes, it had ruled out a distributed denial of service attack. On the surface, DDoS makes for a reasonable enough suspect; as a class of attack, its whole purpose is to bring sites down. But assumptions that hackers would hobble not just Facebook but also Instagram and WhatsApp with a DDoS attack rely on a shaky grasp of what that would entail and how prepared companies are to stop them.

For its part, Facebook has provided vague guidance as to what actually did happen. “We are currently experiencing issues that may cause some API requests to take longer or fail unexpectedly,” the company wrote on a developer status page. “We are investigating the issue and working on a resolution.” That could indicate a wide range of culprits, from routine maintenance gone awry to a Domain Name System issue. [Update: Facebook confirmed Thursday that the problem stemmed from a "server configuration change that triggered a cascading series of issues." It has since resolved the issue.]

Even before that disclosure, it was apparent that the downtime was unrelated to any sort of cyberattack. "I can confirm that it has nothing to do with outside hacking efforts," wrote Facebook spokesperson Tom Parnell in an email to WIRED Wednesday. But you don’t even have to take Facebook’s word for it.

“There’s no collaborating evidence of any kind to indicate a malicious attack,” says Troy Mursch, a security researcher who runs Bad Packets Report, which keeps close tabs on the activity of botnets and network attacks that cause actual harm. “In regards to an actual attack or any widespread attack, we can confirm that is not the case there.”

Which is not to say that hackers don’t try to compromise Facebook every day. They do! They’ve even succeeded at least once, compromising account data of a whopping 30 million users. But Facebook’s value for criminals rests in its data. Taking it offline doesn’t serve any obvious ends. And even if it did, it’s unclear who might be able to pull it off.


At its most basic level, a DDoS works by throwing more traffic at a site or service than it can handle. By overwhelming servers, a successful DDoS will make it impossible for anyone to pull up a page or refresh their app. They’ve also gotten huge; in 2018, network security firm NetScout spotted a DDoS that funneled 1.7 terabits per second of data at a single target. Around that same time, GitHub got slammed with a 1.35 Tbps attack. What those assaults have in common, aside from their girth? Neither of them succeeded.

DDoS itself isn’t a solved problem, especially as perpetrators have found clever ways to incorporate so-called memcached servers and ransomware into the mix—Netflix even DDoS’d itself once, to demonstrate a novel technique. “It’s always an arms race between the attackers and the defenders,” says Roland Dobbins, a principal engineer at NetScout. “That’s the nature of the beast. It’s what we’ve seen over the last 25 years or so of DDoS attacks on the public internet.”

But while roughly 20,000 DDoS attacks take place every single day on the public internet, Facebook makes for an exceedingly unlikely target. “If you’re a DDoS attacker and you’re trying for a big target, and you want to have a big impact, you would probably look for an organization or a brand that doesn’t have as much connectivity to begin with,” says Alex Henthorn-Iwane, vice president at network security firm ThousandEyes. “A Facebook, a Google—those kinds of companies—are so massive, and their bandwidth and interconnectivity is so huge, that they can effectively absorb large-scale attacks on their own. And they undoubtedly have architected their internet connectivity to do just that.”

Think of DDoS targets as wells and data as water. The smaller the well, the less water you need to overflow it. To flood Facebook, you’d need to drain Lake Erie.

That’s why truly disruptive DDoS attacks have focused on boring infrastructural corners of the internet. A 2016 blast that shut down the internet for much of the East Coast didn’t hit individual sites but, rather, a company called Dyn, which handles the relatively data-light chore of DNS services. (It was also part of a Minecraft-related scheme. No, really.)

None of the network security experts WIRED spoke with had seen any evidence of DDoS activity related to Wednesday’s outage, or to similar issues Google services faced yesterday. Dobbins suggests that the real problem could be any number of things, including a "nontrivial" disruption of internet routing that occurred Wednesday afternoon, of which Facebook may have been collateral damage. ThousandEyes suggests it was likely an internal issue. Either way, as with every other time Facebook has gone down, it wasn’t hackers.

The knee-jerk assumption that it is, though, has potentially corrosive effects. “When stuff like this happens, affecting large infrastructure organizations like Facebook, it’s going to be prone to conspiracy theories,” Mursch says. “That kind of stuff is frustrating when we’re trying to establish or present something that’s factual, when you see social media spread that disinformation.”

The idea of nation-state hackers taking down the world’s biggest social network has plenty of appeal, both for its easy explanation of a prolonged inconvenience and for the touch of schadenfreude. But jumping to that conclusion only muddles an already confusing issue. Hackers will continue to target Facebook. DDoS attacks will continue to take down sites. But those two truths are much further from intersecting than the more paranoid corners of the internet would have you believe.

