DDoS on X was avoidable, but inevitable

The DDoS attack on X.com this week provided a certain amount of schadenfreude for people less than enamored with Elon Musk. It also rang alarm bells in the cybersecurity community, as that style of attack seems to be making a comeback, and not for financial gain. All indications are that corporations, and government institutions in particular, are not ready to repel attacks motivated by political revenge.

Security intelligence company Fletch this week identified multiple ongoing attacks around the world targeting corporations for a variety of political positions, depending on which side the entities supported. Issues include the Ukraine/Russia war, Palestine/Israel, immigration, tariffs and just plain political leanings.

Musk blamed Ukrainian hackers for the attack on X (aka Xitter) but because DDoS attacks use multiple servers around the globe it is difficult to identify a particular source. However, Fletch and other analysts identify pro-Russian and pro-Chinese hacktivist groups behind most of the attacks using tried-and-true botnets.

Cheap and easy

Mithilesh Ramaswamy, a senior security engineer at Microsoft, said compute and cloud infrastructure are cheap now, creating a low barrier to entry. “Even renting a botnet or using a DDoS-for-hire service is relatively simple and inexpensive.”

Dependency on cloud services also makes organizations vulnerable when they rely heavily on third-party services or microservices architectures, he explained, allowing attackers to exploit integration weak points and unleash large-scale disruptions with targeted floods of traffic.

Cloudflare reported blocking a record-breaking 5.6 Tbps DDoS attack carried out by a Mirai-variant botnet. The significant increase in DDoS attacks in 2024, with a 53% rise from the previous year, underscores the growing threat. Fletch reported that the BadBox botnet infected over one million Android devices in 2024. “Despite efforts to disrupt it, the botnet continued to grow, indicating the persistent and evolving nature of DDoS threats.”

A pro-Palestinian hacktivist group known as Dark Storm claimed responsibility for the attack on X.com, which caused major outages on the platform over the course of 48 hours. But that claim has not been verified.

Lax security

Ian Thornton-Trump, a well-respected security expert and current CISO for Inversion6, blamed lax security standards at X.com for the breach. He pointed out that the section of the X.com servers that was hit was not covered by their Cloudflare subscription. Cloudflare is primarily a third-party service that provides robust protection against DDoS attacks. The rise of these services helped drive the popularity of the attacks down over the past few years, but an organization still has to turn on the protection as it implements new data services. X apparently did not do that.

“This attack was completely foreseeable,” he stated. “All the cuts and the craziness of back-to-work probably demoralized a lot of the folks that were working at X, quite possibly in IT. Some infrastructure for X was not, in fact, behind Cloudflare… and that’s what got hammered.”

Layers upon layers

Akash Mahajan, founder & CEO at Kloudle, largely agreed with Thornton-Trump but went a bit further.

“DDoS protection isn’t the existence of a firewall—it’s multi-layered, adaptive security. If it’s true that X is not taking full advantage of Cloudflare configurations, it could mean falling short on real-time protection, broken rate limiting, or ineffective filtering of bot traffic. Other organizations need to learn from this—the biggest mistake organizations make is believing one security vendor can solve everything. Instead, defenses against DDoS attacks need to include a combination of network-layer filtering, behavioral analysis, and AI-managed traffic control.

“Why X would not use these defenses to full effect? There are a few possible explanations,” he continued. “One is cost and control because Cloudflare and the like are expensive on the scale at which X operates, and Musk’s insistence on in-house solutions might have meant cutting back on third-party ones. Regardless, it illustrates an important lesson for every business: good security is proactive, not reactive.”

“But let’s give some context,” Thornton-Trump added. “This all happened before Elon hitched his bus to the Trump machine and no one, I think, did a new risk assessment for X.com. Because it is so close, essentially associated with the Trump presidency, Twitter became a political target. There are any number of groups that would want, at this point, to pick a fight. And I would say, from an activist perspective, you can certainly count those groups.”


He listed pro-Ukrainian hacktivists protesting the new US position on Ukraine, African supporters who relied on USAID to deliver critical programs, and US citizens who believe the right to protest is being taken away.

More to come

X could also be setting itself up for additional attacks because of its intentional use of bots to boost user numbers and the sheer number of bots already posing as real users from third parties. Some experts think that as much as 20 percent of the traffic is generated by bots, which leads to an interesting cybersecurity question about potential bot exploitation. Here’s how it could potentially work:

An attacker compromises existing bots on the platform through security vulnerabilities, credential theft, or by infiltrating the organizations controlling these bots. The bots are repurposed to make multiple requests to a target website or service, overwhelming it with traffic. The requests come from seemingly legitimate accounts that X approved rather than obviously malicious sources, making them harder to detect and filter.

Social media security weaknesses

This would be facilitated if basic security measures were not in place. Social media bots are often distributed across different IP addresses and infrastructure, making them harder to block as a group compared to traditional botnets.
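The scenario above, and Mahajan's point about rate limiting and behavioral analysis, both come down to the same detection problem: a flood made of requests from many approved accounts on many different IPs looks clean to an IP-based filter. The following is an added example, not code from the article or from any platform it mentions; it runs two checks over constructed request log lines (the log format, field names, paths and thresholds are all assumptions): a per-account rate check, and a coordinated-burst check that flags a path hit by many distinct accounts in one time bucket when no single IP carries a meaningful share of the traffic.

```python
"""Flag request floods that come from many approved accounts rather than a few hot IPs.

Constructed log line format: "<epoch_seconds> <account_id> <src_ip> <path>"
Signal 1: one account exceeding MAX_PER_ACCOUNT requests inside a WINDOW bucket.
Signal 2: a coordinated burst: MIN_ACCOUNTS distinct accounts hitting one path in a
bucket while no single IP carries more than MAX_IP_SHARE of it (IP blocking is useless).
"""
from collections import defaultdict

WINDOW = 10            # bucket size in seconds
MAX_PER_ACCOUNT = 20   # per-account requests per bucket before flagging
MIN_ACCOUNTS = 50      # distinct accounts on one path per bucket to call it a burst
MAX_IP_SHARE = 0.05    # top IP's share below this => traffic too spread out to block by IP

def parse_line(line):
    ts, account, ip, path = line.split()
    return int(ts), account, ip, path

def detect_account_abuse(lines):
    """Return {account: peak requests in any single bucket} for accounts over the limit."""
    counts = defaultdict(int)
    for ts, account, _ip, _path in map(parse_line, lines):
        counts[(account, ts // WINDOW)] += 1
    peak = defaultdict(int)
    for (account, _bucket), n in counts.items():
        peak[account] = max(peak[account], n)
    return {a: n for a, n in peak.items() if n > MAX_PER_ACCOUNT}

def detect_coordinated_bursts(lines):
    """Return [(bucket, path, distinct_accounts, top_ip_share)] for distributed bursts."""
    accounts = defaultdict(set)
    ip_hits = defaultdict(lambda: defaultdict(int))
    for ts, account, ip, path in map(parse_line, lines):
        key = (ts // WINDOW, path)
        accounts[key].add(account)
        ip_hits[key][ip] += 1
    bursts = []
    for key, accts in accounts.items():
        total = sum(ip_hits[key].values())
        top_share = max(ip_hits[key].values()) / total
        if len(accts) >= MIN_ACCOUNTS and top_share <= MAX_IP_SHARE:
            bursts.append((key[0], key[1], len(accts), round(top_share, 3)))
    return bursts

# Constructed sample: 200 distinct accounts, each on its own IP, hit /api/timeline in one
# 10-second bucket (the account-driven flood); one account hammers /api/search from a
# single IP (classic per-account abuse); two lines of normal traffic later on.
BASE = 1_700_000_000
SAMPLE = [f"{BASE + i % 10} acct{i:03d} 10.0.{i}.1 /api/timeline" for i in range(200)]
SAMPLE += [f"{BASE + 20 + i % 10} acct999 192.0.2.9 /api/search" for i in range(30)]
SAMPLE += [f"{BASE + 300} acct001 10.0.1.1 /api/timeline", f"{BASE + 301} acct002 10.0.2.1 /api/profile"]
```

On the sample, the per-account check catches only acct999, while the burst check is what surfaces the 200-account flood on /api/timeline, where the busiest IP contributes half a percent of the traffic.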

In Foreign Policy in February, security expert Bruce Schneier predicted that changes to the federal databases initiated by Musk’s DOGE team have left the US government open to the same kind of attack that X.com has experienced this week.

DOGE’s actions have introduced significant vulnerabilities into federal databases, potentially making the US government susceptible to various cyber threats, including DDoS attacks, Schneier wrote. “What makes this situation unprecedented isn’t just the scope, but also the method of attack. Foreign adversaries typically spend years attempting to penetrate government systems such as these, using stealth to avoid being seen and carefully hiding any tells or tracks.” But Musk and his team have done it in a few weeks.

Decentralization

While lapses at other social media sites make them just as vulnerable to attacks, decentralized social networks like Bluesky and Mastodon have inherent advantages that could potentially help blunt DDoS attacks compared to centralized platforms like X.com.

Distributed architecture — Since Mastodon consists of many independent servers (instances) and Bluesky uses the AT Protocol with multiple Personal Data Servers (PDS), an attacker would need to target multiple systems rather than a single point of failure.
Traffic distribution — User traffic is naturally spread across different servers, making it harder to overwhelm the entire network at once.
Instance isolation — If one instance/server is attacked, others can continue functioning. The attack’s impact is contained rather than affecting the entire platform.
Geographic diversity — Servers in decentralized networks are often hosted in different locations globally, making coordinated attacks more difficult.

However, there are also limitations. Individual Mastodon instances or Bluesky PDS providers with fewer resources might be more susceptible to attacks than a well-resourced centralized platform. The connections between instances could become bottlenecks if targeted. Security quality varies across independently operated servers, potentially creating weak points. Responding to attacks might be slower without centralized security teams and infrastructure.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
