Downdetector: How the Popular Site Outage Tracker Helps Improve Web Security

“Minutes matter, and being able to get that extra feed can give infosec teams the edge”

When a company goes offline, its customers are inconvenienced and its operators lose money. The outage could also be evidence of a cyberattack.

Monitoring web services and identifying what failed and why is far from straightforward. Organizations may think all is well according to their own logs, while their customers see an entirely different picture.

Crowdsourcing outage data is a way to find out what’s really going on – and it’s this thinking that led to the creation of Downdetector, the outage monitoring service.

Go down

Downdetector was founded just under 10 years ago in the Netherlands by Tom Sanders, a former journalist, and Sander van der Graaf. The original idea was to gather information for journalists covering e-commerce and Internet services.

“It all started with a few people working together in a newsroom. They continued to see examples of outages or issues with internet-hosted businesses,” Luke Deryckx, CTO of Downdetector’s parent company, Ookla, told The Daily Sip.

“The journalists they were working with didn’t really have a lot of information or data on what was wrong.

“Their idea was to create a tool, website or app to help the community or user base track outages or issues with services hosted on the internet.”

Luke Deryckx (left) and Brennen Smith

By crowdsourcing data from the web services’ own users, Downdetector was able to build a faster and more accurate picture of outages.

The value of this for consumers is clear: losing access to the Internet or an online service is frustrating, and not all organizations are transparent about outages.

By looking at Downdetector or other crowdsourced data, users can at least begin to determine whether the problem lies with their local connection, with the service provider, or somewhere in between.

Over the years, however, Downdetector has also been adopted by online businesses themselves, feeding data into their network operations centers.

This is especially useful in a world where companies rely on complex networks of content delivery networks, mirrors, peering and ISPs to deliver their services to users.

In one example, a flaw in a bank’s peering agreements with a telecom operator meant that the telecom operator’s customers were unable to access services despite the bank’s own logs claiming that everything was fine.

“Users were able to report on Downdetector that there was clearly a problem,” Downdetector VP of Technology Brennen Smith said.

“It helps provide that early warning signal that will effectively help with those investigations and help companies understand that they need to do a root cause analysis that something is wrong.”

This is also of increasing interest to the cybersecurity industry. Sometimes the cause of a failure is clear – more often it is not.

Early warning signal

Using crowdsourced data can help determine if a problem is due to hackers, a technology failure, or some other cause. Aggregating this data across businesses and industries can help security operations centers and emergency response teams focus their response.

“At the end of the day, I will say that this product was not directly for security,” Smith says.

“However, there are many cases where it could be applicable. Ultimately, it is a form of threat intelligence. It’s a form of getting that early warning signal.”

He doesn’t see Downdetector as replacing conventional threat intelligence feeds, but rather as working alongside other data sources to quickly flag incidents.

“Minutes count, and being able to get that extra stream of users saying, ‘Hey, I see this weird certificate error or hey, I see this weird issue’ and it’s localized to a particular geographic area or country, it can give infosec teams the edge they need to catch something before it becomes a mainstream event.”

Even data from members of the public with little technical knowledge can provide valuable red flags to security teams, Deryckx says. He thinks Downdetector provides contextual information that is not easily discovered otherwise.

“One of the things the NOC [network operations center] teams are always looking for is any sort of signal around security incidents or security issues. Again, it’s not that Downdetector positions itself as an entirely security-focused tool.

“But we know that there are many, many content providers watching Downdetector dashboards in real time, around the clock.

“If there were to be a security-related incident that is highlighted as an issue on Downdetector, it would absolutely be something that this team would see and be able to investigate sooner than they otherwise would. context,” he explains.

Overcome obstacles

Downdetector has the potential to fill a void between consumer-facing security emails, which tend to be overwhelmed by spam, and “hyper-technical” vulnerability alerts from security researchers or bug bounty programs.

One obstacle could be opposition from the companies the service monitors. In the early years of Speedtest, owned by Downdetector parent company Ookla, some ISPs criticized a service that exposed their performance.

“We’ve had a lot of pushback from the industry about being measured by a third party,” admits Deryckx. “Not everyone was entirely comfortable with us being this objective, third-party measurement tool that empowers consumers.”

Similar reservations applied to Downdetector – at least in its early days.

Deryckx explained, “Some organizations feel like they have a complete picture of the performance and availability of their services. And they want to own the end-to-end client interface and messaging.

“Our view is that it does a disservice to the consumer, when the content provider owns that message and may or may not update the status page or even maintain a status page, for example.

“That doesn’t always answer the questions consumers have.” Mature organizations, on the other hand, appreciate the value of an “unfiltered” consumer perspective.

The company strives to make its service “two-way”, allowing organizations to upload messages about outages or other issues to the Downdetector site, rather than forcing users to wade through status pages.

Another area that Downdetector wants to develop is fault correlation. Again, although not specific to security, sharing information between service providers should give infosec teams more accurate information on whether it is their own service, a third party, or even a larger entity such as national infrastructure that is under attack.

“Many services are centrally hosted on a few cloud platforms or using a few CDNs,” says Deryckx. “And so, it’s a lot more common now that when there’s an incident, it affects a lot more departments than in the past.

“Downdetector is truly the only real-time voice [that is] able to communicate that to customers and, frankly, to the engineers responsible for the affected products so that we all know what’s going on.”
