Facebook: DDoS attacks don't down the site, our screw-ups do

Facebook explains how it deals with its flaws
Facebook explains how it deals with its flaws

TechRadar met up with a number of Facebook engineers today, who explained the changes that were happening with the site in terms of implementing HTML 5 and how they work with the daily challenges of keeping the site upright.

One of the things mentioned was how the company works to curtail DDoS attacks, which according to Facebook happen very rarely.

"As far as I know, we have only had one or two DDoS attacks on the site," explained David Recordon, senior open programmes manager, at Facebook.

"You would need a pretty big botnet to attack us and I don't think they would want to put all their effort into downing the site and expose their ways.

"When we have site blips people think we are having an attack – it's not, it is usually us screwing up but it's fixed within an hour."

Facebook attack

To keep Facebook and its API free from attack, the site does have a number of teams in place that monitor the site for security flaws and try and fix them ad hoc.

Recordon explained that there is a "site integrity team" in place whose sole job it is to check the site for imperfections and there are other techniques being used.

"We use a combination of technology and the systems that we have built from scratch," said Recordon.

Simon Cross, the first UK-based Facebook platform engineer, told to TechRadar that there are other security measures in place, one of which is protecting its Like button functionality from click jackers.

"We have click-jacking prevention techniques that we don't talk about and we try and stop it within our code, but we also speak to browser vendors," said Cross.

LIke

"Click-jacking is a very clever hack that people are doing. There is an on-going dialogue across the whole industry to prevent this, though."

Security response

Jason Sobel, engineering manager at Facebook, explained to TechRadar that there were internal security procedures in place if the site is compromised, but there is also a reliance from external sources to let them know what is going on.

"We have a number of levels of security response," explained Sobel.

"We have a security incident team, and we get reports from white hat hackers who are trying to help us out which is great.

"We have other security glitches that aren't reported to us directly but we try and fix them within hours of them happening.

"We also have a team of internal white hats who find security holes before they are made public and this again is a massive help."

Code red

Interestingly, problems with Facebook that come from the site's code are ultimately down to the person who created it.

So an engineer, no matter how low down the chain he is, could expect a midnight call if things on the site go awry and it is their code that is causing the problems.

"There are 24/7 engineers who watch all the monitoring data we have and make sure that if there is something that crashes or there are unusual trends on the site, we can fix them," said Sobel.

"If they don't know how to fix it, then we have app operations who know how to solve a vast number of problems. But the last resort is that we phone the engineer who created the code in the middle of the night to sort it."

Cross, who recently came back from a Facebook boot camp where he created some code for the site's photo section, explained a bit more about the situation.

"The developer has ultimate responsibility for the code, from its inception up until it is superseded.

"So it is scary if you are that developer, but what that makes you do is write code in the right way.

"It is all about relationship and accountability."

Marc Chacksfield

Marc Chacksfield is the Editor In Chief, Shortlist.com at DC Thomson. He started out life as a movie writer for numerous (now defunct) magazines and soon found himself online - editing a gaggle of gadget sites, including TechRadar, Digital Camera World and Tom's Guide UK. At Shortlist you'll find him mostly writing about movies and tech, so no change there then.

Latest in Cyber Crime
A person scanning a QR code on a smartphone
Quishing is the new QR code scam you need to watch out for – here's how to stay safe
Ransomware on the rise: how small and medium-sized businesses can achieve cyber resilience during turbulent times
Ransomware on the rise: how small and medium-sized businesses can achieve cyber resilience during turbulent times
Text Phishing Scams
Do not fall for this dangerous Amazon shopping scam
Cyber-security
Safeguarding against next-gen cyber risks
The North Face jacket
Thousands of North Face customers accounts hacked, personal data stolen
Smartphone hacked with data flow in the background
9 signs your phone has been hacked
Latest in News
Vision Pro Metallica
Apple Vision Pro goes off to never never land with Metallica concert footage
Mufasa is joined by another lion, a monkey and a bird in this promotional image
Mufasa: The Lion King prowls onto Disney+ as it finally gets a streaming release date
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
An Nvidia GeForce RTX 4060 on a table with its retail packaging
Nvidia RTX 5060 GPU spotted in Acer gaming PC, suggesting rumors of imminent launch are correct – and that it’ll run with only 8GB of video RAM
Indiana Jones talking to a friend in a university setting with a jaunty smile on his face
New leak claims Indiana Jones and the Great Circle PS5 release will come in April
A close up of the limited edition vinyl turntable wrist watch from AndoAndoAndo
This limited-edition timepiece turns the iconic Technics SL-1200 turntable into a watch, and I want one