
Deflect Labs report #3

Botnet attack analysis of Deflect protected website blacklivesmatter.com

Seamus Tuohy and eQualit.ie

View the report with 3D rendering (5mb)

This report covers attacks between April 29th and October 15th, 2016. Over this seven-month period, we recorded more than a hundred separate denial-of-service incidents against the official Black Lives Matter website. Our analysis shows a variety of technical methods used in attempts to bring down this website and the characterization of these attacks point to a “mob” mentality of malicious actors jumping on board in response to callouts made on social media and covert channels. Our reporting highlights the usage of no-questions-asked-hosting and booter services used by malicious actors to carry out these attacks. We describe the ever growing trend of Internet vandals who, searching for a little bit of infamy, launch denial-of-service attacks against the Black Lives Matter (BLM) website. Our analysis documented attacks that could be accomplished for as little as $1 and, with access to public documentation and malicious software within easy reach, only required basic technical skill. Some of the larger attacks against BLM generated millions of connections without relying on huge infrastructure. Instead, traffic was “reflected” from legitimate WordPress and Joomla sites. We compare public attribution for some of the attacks with the data coming through our networks, and present the involvement of purported members of the Ghost Squad Hackers crew in these events.


Introduction

“Black Lives Matter, a May First/People Link member that is supported by the Design Action Collective, is a central organization in the response movement against police abuse, brutality and misconduct.” The BLM website has been protected by Deflect since April 15th, 2016, following a spate of DDoS and hacking attacks.

In early July we published a prima facie bulletin expecting to write a comprehensive report of the attacks soon after. Since then the BLM website faced an increasing number of sizable attacks that we decided to include in our analysis and delayed publication. This report will explore these attacks, correlating open source research and publicly stated attribution with what we saw in the data.

The Deflect Labs infrastructure allows us to capture, process and profile each attack, analyzing unique incidents and intersecting findings with a database of profiled botnets. We define the parameters for anomalous behavior on the network and then group (“cluster”) malicious IPs into botnets using unsupervised machine learning algorithms.


Attacks & attribution

As a DDoS mitigation solution for blacklivesmatter.com, Deflect has access to all legitimate and malicious requests made to this website. However in almost all cases, attacks come via infected machines or as reflection attacks from unsuspecting websites. A semi-experienced attacker knows how to obfuscate and disguise their traces on the Internet. It is therefore incredibly difficult to attribute an action to a particular person or IP address with confidence. We rely on our analytic tooling, peers in the mitigation industry and social media research to test our hypotheses. Assumptions arising out of OSINT are then verified against the data on our systems and vice versa.

Technical analysis and social media research indicated that actions against the BLM website were launched by multiple attackers frequently acting in concert. Some methods, like Joomla & WordPress reflection attacks, appear to have been coordinated, whilst in other cases it was clear that many actors jumped on the bandwagon of a more powerful attack to claim some of the credit. These small, loosely organized mobs appear minutes to hours after the start of the original attack and lob a hodge-podge of various attack methods, often to no effect. These actions are often accompanied by a flurry of queries from various website downtime monitoring solutions, as attackers try to collect trophies for their participation in the mob. Furthermore, we noticed a sophisticated actor who was able to generate malicious traffic on a level beyond anyone else that we documented targeting BLM. Using bulletproof hosting to coordinate their attacks, they did not go to great lengths to obfuscate their identity, creating instead a complicated web of social media accounts, possibly fake public attribution claims, and general intrigue about their motivations and purpose.

The ‘Ghost Squad’

The first, and only, publicly attributed attacks began in late April, as _s1ege, a professed member of the Ghost Squad Hackers crew, began tweeting screenshots showing site defacement and reports from website up-time checkers that the BLM site was no longer reachable. The action was part of #OPAllLivesMatter, likely in response to the #AllLivesMatter slogan (and then hashtag) created in 2015. On May 2nd, 2016, a YouTube video uploaded by @anonymous_exposes_racism contained a warning from a group identifying themselves as Anonymous to leaders of the Black Lives Matter movement, asking them to also denounce anti-white racism.

This first set of attacks against BLM, beginning on April 29th, lasted a mere 30 minutes. They came from six IP addresses and generated a little under 15,000 connections. A single method of attack and very few resources were brought into play, making this small action only temporarily effective at best. That evening five different IP addresses conducted another attack against the BLM website that topped off at over 158,000 connections over a period of an hour.

Timelion expression tracking malicious connections, by attack method, on April 29th

During this attack @_s1ege posted Twitter comments taking credit. Alongside photos that showed the Black Lives Matter website had been temporarily taken down by this attack, _s1ege posted a photo of the software he was using, “BlackHorizon”.

BlackHorizon is a clone of a piece of HTTP DoS software called GoldenEye, which was written by Jan Seidl in 2014. It was itself an expansion on the 2012 HULK project by Barry Shteiman. Unlike Seidl’s thoughtful adaptation and expansion of HULK, the BlackHorizon codebase mainly changes the ASCII art and the author’s name. When examined, it was clear that the functional components of the code were almost entirely unaltered from GoldenEye.

Several media publications rushed to interview _s1ege, with the @ghostsquadhack Twitter and GhostSquadHackers Facebook account referencing these publications. Around 30 minutes after the second attack Waqas Amir published an article on HackRead describing both incidents alongside his conversation with a GSH member. Later that evening one member of the GSH came back reusing an earlier bot and creating an attack that generated well under 700 connections, before giving up after less than 20 minutes.

Shortly after the tweets and HackRead publication, we witnessed an increase in attack frequency and variety. Only a portion of these had a similar behavioral profile on the network to those attributed by _s1ege to GSH. The attackers were using well-known software and may have called out to others on the Internet to follow suit. On May 10th, @_s1ege announces @bannedoffline as a new member in the Ghost Squad crew and two days later stops tweeting from this account altogether.

Maskirovka

BLM began to face larger scale attacks on May 9th. The first one lasted a little over 90 minutes and consisted of 1,022,981 connections from legitimate WordPress websites. This was not the first WordPress pingback attack against the BLM website, but it was an indication that we were beginning to face adversaries prepared to deploy much greater resources than before. The level of severity and aggression continued to mount and on July 9th we witnessed a WordPress pingback attack that generated over 34 million connections to BLM in a single day. The attackers did not seem to be interested in obfuscating their provenance, allowing us to track these activities over the next few months. The attacks were coordinated from machines hosted at a “bulletproof” provider – so called because they offer servers for rent on a no-questions-asked basis. The incidents associated with these attacks were the largest faced by BLM during the reporting period.

On July 25th we received a subscription for Deflect protection from a “John Smith” asking us to enlist http://ghostsquadhackers.org. We traced this request and further conversation with this user to @bannedoffline on Twitter and Facebook, as well as the owner of the following domains: ghostantiddos.com; ghostsquadsecurity.com; bannedoffline.xyz; www.btcsetmefree.org, among others.

Our analysis of actions run from the “bulletproof” hosting provider identified several IP addresses that were used for command and control. These addresses were correlated by a peer mitigation provider who had dared @bannedoffline on a hackers forum to DDoS them and recorded the resulting activity. Two IP addresses, one belonging to the DMZhosting provider mentioned further on in this report and a Digital Ocean machine, were identified in our individual records – and correlated to eight separate incidents in our study.

  • 191.96.249.80 Dmzhost Limited https://dmzhost.co
  • 178.62.152.134 DigitalOcean https://www.digitalocean.com

It is hard to say with any certainty why there were no more public attributions for attacks on BLM after the first week of May, considering that the severity and sophistication increased several-fold. @bannedoffline deleted all of their social media postings in late September, just before we recorded the biggest attack against the BLM website. bannedoffline was also linked to a 665 Gbps attack (the largest attack of its time, before the Mirai botnets) against the Krebs on Security website. The Ghost Squad did not attribute or deny @bannedoffline’s continued participation in their crew. Attacks attributable to bannedoffline and _s1ege, who could very well be the same person, made up less than 20% of recorded DDoS activity against BLM.

Technical Analysis Of Attacks

Incidents using a similar attack method were distinguished through an iterative process of identifying possible behavioral characteristics that distinguish one type of attack from others. First we identified combinations of behaviors and features that distinguished possible attacks from normal traffic. These profiles were then matched to existing types of attacks by looking for signatures from other reports and known codebases of these attacks to create an attack method profile. At this point secondary characteristics of the attack were examined to see if they distinguished individual attacks. This ranged from the hosting provider used for botherders, to the collection of innocent websites used as reflectors, and the methods used to check the status of the website, among others. If one or more of these characteristics overlapped for a specific set of attacks, those attacks were flagged for further investigation. Once we clustered these attacks, we looked across the entire set of attacks and attempted to reject any characteristic that could clearly differentiate that subset of attacks from similar attacks.

The most common category of attacks against the BLM website has been “application level” (layer 7) HTTP flood attacks. These bots mimic human behavior by connecting to a website and requesting a large amount of content until the server crashes for lack of resources. In this report we will only be looking at this type of attacks.

The capability of individual attackers has ranged greatly. As the BLM website faced more resourced and effective attackers, the mob became a persistent background noise.

Attack type (including variants and clones) April May June July Aug Sept Oct
WordPress pingback 5 6 4 4 5
Joomla pingback 1 6 6 4 3 3
Slow Loris 2 5 3 1
Fully Randomized NoCache Flood 6 14 11 5 7 2 4
Cache Bypass flood 1 1 2 2
Python script flood 2 2

You can view the entire attack portfolio on Google Docs


Slowloris

Aliases/Tools: Slowloris, Pyloris, Torloris
Attack Type: Layer 7 Denial of Service
Exploits: Connection exhaustion
Obfuscation: None
Attack Class: Single-source
Attack Rate: Low

The first attack identified against the Black Lives Matter website occurred on April 18th, just a few days after it had switched over to Deflect. A single address made between 5 and 30 connections per second to the main BLM web page. This lasted for 28 seconds. In total it made only 168 connections. Usually, this type of behavior would not raise any flags. But in this case, the user agent of this client matched the user agent used in the original proof of concept code for “Slowloris – the low bandwidth, yet greedy and poisonous HTTP client!”

Slowloris is a DoS tool that was originally released in 2009. It is unique among the other Layer 7 attacks we will be discussing in this report because it does not focus on flooding the network with traffic. Instead, it attempts to use up all the connections to a web server leaving none left for legitimate users. This low number of connections allows Slowloris to attack a website without drawing the same attention that a flood of traffic would. There have been 12 identified attacks using the original Slowloris codebase since the BLM website has been protected by Deflect. All but one of these attacks were under 1000 connections. The largest Slowloris attack occurred on July 10th from 0:50 to 3:20 and from 6:00 to 7:20, making over 40,542 connections and clearly misusing this tool or not understanding its original purpose.

In the initial code release Slowloris used a single user agent. Today, many of the custom versions of Slowloris have changed the user agent [pyloris.py] or added source client obfuscation by randomly picking from a list of user agents [slowloris.py]. It is not surprising to see someone using an unmodified version of such an arcane tool even when the server used on the BLM website is protected against that attack. Many of the actors conducting DoS attacks are not building upon existing tools. While Slowloris was elegant at the time, the DoS space is dominated by attackers using simplistic measures. This is because one does not need a highly complex tool to take down most sites on the Internet.

Slowloris attacks on the BLM website have a tendency to overlap with or occur around the time of two low-skill “basic HTTP flood” attacks: [Blank] and [Python], as well as (Blank+WordPress) WordPress attacks.

HTTP Floods

HTTP floods are easy to implement and hard to identify attacks. Generally, they attempt to exhaust a system’s application resources or the network bandwidth. They do this by either creating a large amount of connections to the website or by continuously downloading a large amount of files. Because they only require an attacker to create many legitimate connections to a server, HTTP floods are quite easy to implement. Since these connections are legitimate, it can be very difficult for a defender to differentiate these connections from those of real users.

Simple HTTP Flood

Aliases/Tools: None
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Single-source
Attack Rate: Low

A simple example of this type of attack can be seen on April 30th. For just under ten minutes one lone address conducted a low sophistication HTTP GET request attack against the Black Lives Matter website. Over a five-minute period this attacker made 1503 connections from a single address using an Internet Explorer user agent. The BLM website only received a few of these connections as the attacker was banned within a second.



Basic Python

Aliases/Tools: None
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Single-source
Attack Rate: Low

Just a few hours after the previous HTTP Flood concluded, two different attacks started and subsided. They missed each other by just two minutes. The first was a “Fully Randomized NoCache Flood” and connected 2,000 times in its two minutes of attack. The second was a test run of an even simpler HTTP Flood attack than the previous example. The code behind this attack was written without any attempt to make it look like a legitimate user. Over the six minute attack, this script made around 400 connections. There were also 23 connections from a Chrome browser at the same IP address during this period, as the attacker frantically refreshed the web page to check on their impact. As in the previous attack, it took under a second for this IP address to be banned.

While a DoS attack does not need much sophistication to be effective, we mention it here because its unique signature shows that this attack was written by an inexperienced programmer. To explain how basic this attack is, the Deflect Labs researchers have recreated a working version of it below.

import urllib
while True:
   urllib.urlopen("http://www.blacklivesmatter.com")

This attacker came back again after a few hours using a different address. As in many single-source attacks, they were likely using a proxy to disguise the original IP of their attacks as they conducted these test runs. Before running the python script, they ran the same “Fully Randomized NoCache Flood” attack for about a minute and then quickly switched back to their python script. The python script made another 429 connections during the approximately six minute long attack. It was, like before, stopped within seconds.

This testing behavior continued over the next few days, with another small attack on the morning of May 1st that made up to 700 connections in just under 10 minutes and one with just over 1000 connections in just under 20 minutes. By the end of that week this attacker had concluded their experiment in attempting to build their own script. Its simple nature meant it was automatically blocked almost as soon as it connected. At its peak, it could only create a hundred or so connections per minute, which is far too little for a machine conducting a DoS attack.

HTTP Flood DDoS

Aliases/Tools: None
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Multi-Source
Attack Rate: High

The HTTP floods we have described so far in this section have only come from a single source. In this section we will explore how a botnet can leverage thousands of machines to conduct a distributed HTTP Flood and how we can identify these floods among regular traffic.

HTTP floods that involve many sources (DDoS attacks) are difficult to identify because they can look very similar to regular traffic. But because the BLM website, like every other, has traffic patterns that show the general behavior of their usual readership, there are some clear examples of DDoS HTTP Floods that we can explore.

Unsurprisingly, people in the US visit the BLM website far more often than other groups. This also impacts traffic patterns to the site. Traffic to the BLM website follows a daily cyclical pattern. There is a peak in its traffic between 12:00 and 14:00 EST. (The numbers in our screenshots reflect UTC+0 timestamps.) After that, the traffic slows until around 07:00 EST, when it spikes for the evening and then slows for the night.

Between August 5th and August 9th the hourly pattern changed from a smooth usage pattern like the above into this.

That week between 11:00 and 13:00 EST there was a surge of traffic from China, Indonesia, Turkey, and Slovenia. While the Deflect Labs team is not surprised that BLM receives international attention, it is a bit odd to see it occurring during the same period worldwide. When looking for HTTP Floods that have multiple sources, knowing these usage patterns can make it far easier to identify possible attacks like this one.

The anomaly we can see above was an HTTP POST Flood attack on August 8th. Based upon the dozens of countries per minute that are seen making higher than average connections, it seems plausible that this attack was using a botnet of infected machines.

Over a period of just over an hour, 11,514 machines attempted to upload (POST) a series of large files to the BLM website. This created a flood of large content-length requests that the BLM website had to process.




Fully Randomized NoCache Flood

Aliases/Tools: Hulk, GoldenEye, BlackHorizon
Attack Type: Layer 7 Denial of Service
Exploits: KeepAlive, NoCache
Obfuscation: Source Client Obfuscation, Reference Forgery
Attack Class: Multi-Source
Attack Rate: High

Websites that are protected by DDoS mitigation services – such as Deflect – use a “caching” system to store commonly requested pages and provide them to users so the protected website’s server does not have to. This “cache” of recently requested web pages allows Deflect to further limit the requests made to the protected server. Even if simple bots, like those in the last section, evade blocking, they often are just receiving responses from Deflect’s caches of recently requested URLs and not impacting the origin server at all.

DoS providers responded to the use of caching by creating a bot that tricks the cache into thinking that they are requesting a page that was never requested before. These “Cache-bypass” HTTP Floods are bots that add a randomized query at the end of their requests. These randomly generated queries cause a cache to view each request as a new request, even though the bots we are examining in this report only ever requested the main BLM URL “blacklivesmatter.com”.

GoldenEye is a Layer 7 DoS tool. It allows a single computer to open up multiple connections to a website, each of which pretends to be a different device. To do this, GoldenEye provides a different user agent string for each connection. Over the combined hour and a half of attacks, these 11 bots pretended to be hundreds of different types of users to avoid detection.


Later in the evening of April 30th another attack consisting of just under 11,000 connections was attempted. This attack used an improved “Fully Randomized NoCache Flood.” While the attack starts with 9 bots using something similar to the code used by GSH, a single address joins a minute into the attack and quickly dwarfs the other attackers in both number of connections and variety of user agents that it employs.

If it were not for the variety of intensity and method used by the individual addresses, attacks like this would look like they involved a single actor. But as is common for attacks against the BLM website, this attack starts slowly with one or two initial actors, who are then joined by a small mob of “bandwagon bullies.” As was seen in the early GSH attacks, they share the tools used in their attacks with the other attackers. Whoever this late attacker is, they are clearly not just another member of the team. This attacker has considerably different network resources and likely software that allows them to have far more impact than all the participating GSH team members.

Reflection DDoS

Joomla! Reflection DDoS

Aliases/Tools: DAVOSET, UFONet
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Reflected
Attack Rate: High

In 2013 a series of vulnerabilities were discovered in a Google Maps plugin for the Joomla! CMS. One of them made it possible for anyone to request a Joomla! site to make an HTTP request to remote websites. By June 2013 this vulnerability had already been weaponized and included in an existing DDoS framework called DAVOSET (DDoS attacks via other sites execution tool). In 2014 this same vulnerability was included in the UFOnet DDoS framework.

Each of these DDoS frameworks has an easy-to-use web-based point-and-click interface and a built-in list of vulnerable Joomla! websites. This makes them ideal for a low-resourced or unsophisticated attacker looking to amplify another attack. Of the 23 WordPress attacks made against the BLM website, only 7 of them were not paired with a Joomla! attack.

Initially, it was difficult to identify Joomla! attacks because most of the connections do not provide a user agent string. Empty user agents are somewhat common on the Internet. Many non-malicious, but quickly made, bots do not provide a user agent. As such, when we initially saw these spikes of traffic, we assumed that they were from another sloppily made DoS bot.

After we saw this bot accompanying attacks from a variety of different attackers, we investigated further and noticed a fingerprint hidden in the traffic that led us to the Joomla! attack. Although most of the user agents used by Joomla! sites to make these requests are blank, a small subset of these machines include the version of the PHP language that was used to run the request. While blank user agents are somewhat common, many of the attacks that included them were combined with user agents that contained PHP versions. Given the relative rarity of PHP user agents in normal traffic, we realized that the odd increase in empty user agents alongside other attacks was because they were being combined with Joomla! attacks.
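The fingerprint just described (a surge of empty user agents arriving together with PHP/x.y user agents from many distinct sources) can be turned into a simple per-minute check. The code below is an added example for this report, not Deflect’s detection logic; the sample rows, the baseline empty-UA rate and the thresholds are constructed assumptions.

```python
"""Spot Joomla! reflection traffic by its user-agent fingerprint.

Added example, not Deflect's detection code. Input is a constructed list of
(minute, client IP, User-Agent) tuples; the baseline empty-UA rate is an assumption.
"""
import re
from collections import defaultdict

# Joomla! reflectors that do send a UA report only the PHP version, e.g. "PHP/5.4.45".
PHP_UA = re.compile(r"^PHP/\d+\.\d+")

# Constructed sample: a quiet minute, then a minute carrying reflector traffic.
SAMPLE = [
    ("12:00", "198.51.100.1", "Mozilla/5.0 (Windows NT 10.0) Chrome/50.0"),
    ("12:00", "198.51.100.2", ""),
    ("12:00", "198.51.100.3", "Mozilla/5.0 (Macintosh) Safari/601.4"),
    ("12:00", "198.51.100.4", "Mozilla/5.0 (X11; Linux) Firefox/45.0"),
    ("12:01", "203.0.113.11", ""),
    ("12:01", "203.0.113.12", ""),
    ("12:01", "203.0.113.13", "PHP/5.4.45"),
    ("12:01", "203.0.113.14", ""),
    ("12:01", "203.0.113.15", "PHP/5.6.20"),
    ("12:01", "198.51.100.1", "Mozilla/5.0 (Windows NT 10.0) Chrome/50.0"),
]


def window_stats(rows):
    """Per minute: total requests, empty-UA requests, the distinct PHP/x.y UAs
    seen, and how many distinct sources sent the empty or PHP UAs
    (a reflection attack arrives from many unrelated websites)."""
    stats = defaultdict(lambda: {"total": 0, "empty": 0, "php": set(), "sources": set()})
    for minute, ip, ua in rows:
        s = stats[minute]
        s["total"] += 1
        if ua == "":
            s["empty"] += 1
            s["sources"].add(ip)
        elif PHP_UA.match(ua):
            s["php"].add(ua)
            s["sources"].add(ip)
    return stats


def joomla_windows(rows, baseline_empty_rate=0.25, factor=2.0, min_sources=3):
    """Minutes whose empty-UA share is at least `factor` times the baseline AND
    that also carry PHP/x.y user agents, spread over several distinct sources.
    Empty UAs alone are not enough: quickly written benign bots omit them too."""
    flagged = []
    for minute, s in sorted(window_stats(rows).items()):
        empty_rate = s["empty"] / s["total"]
        surge = empty_rate >= factor * baseline_empty_rate
        if surge and s["php"] and len(s["sources"]) >= min_sources:
            flagged.append(minute)
    return flagged


if __name__ == "__main__":
    print(joomla_windows(SAMPLE))  # ['12:01']
```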



Introduction to WordPress XMLRPC Floods

Aliases/Tools: WordPress Pingback
Attack Type: Layer 7 Denial of Service
Exploits: NoCache
Obfuscation: Spoofing
Attack Class: Reflected
Attack Rate: High

By default, WordPress has a “pingback” feature that was built to allow WordPress sites to alert other blogs when they linked to their content. On a high level, this works similarly to a mention in Twitter. When a WordPress site publishes a post that links to another website, it sends out a “pingback” to that site with a link to the post containing the original link. If the receiving site is also based on WordPress, it responds to the original site to confirm that it received the pingback.

Pingbacks have been a part of WordPress sites since Version 1.5, which came out in 2005. It wasn’t until 2012 that Christian Mehlmauer released a working implementation of code that took advantage of this feature to ask WordPress sites to verify “pingbacks” from spoofed URLs. Two years later, in March 2014, Akamai released a post that described a “pingback” attack consisting of over 162,000 WordPress sites. In September 2015 they announced that WordPress pingback attacks made up 13% of all Layer 7 attacks they faced.

At 22:00 on May 1st a WordPress pingback attack began targeting the Black Lives Matter website. In just 13 minutes it made 181,301 connections. As this WordPress attack subsided, a Joomla! attack took its place. The moment the WordPress attack started, the second attacker began to use free online services dozens of times a minute to check if the Black Lives Matter website had gone down. As the second attack began, the attacker increased the frequency at which they monitored the state of the website. Four minutes into the attack, when it had obviously succeeded, the attacker stopped checking the site. Altogether, this attack consisted of around 350,000 connections in a period of less than an hour.


As was mentioned in the original bulletin, the most intense attacks against the Black Lives Matter website have been WordPress pingback attacks. The first large-scale attack against the BLM website was a WordPress attack on May 9th. This attack made over 1,130,000 connections in just under three hours. It was a mix of over 1,000,000 connections from a WordPress pingback attack alongside 100,000 connections from a “Fully Randomized NoCache Flood.”


The following WordPress sections will provide some illustrative examples to show how we explored the relationships between these bots. But we will not examine every attack. Nor will we try to attribute attacks to their source.

WordPress pingback & Botherder Addresses

While WordPress attacks work similarly to Joomla! attacks they are far easier to identify. These attacks clearly list their WordPress version as their user agent. Because these attacks started to become more widespread, a new feature was released in version 3.9 of WordPress. This version updated pingbacks to include the IP address that made the original pingback request.

WordPress/4.6; http://host.site.tld; verifying pingback from 127.0.0.1

We call these IP addresses “botherder” addresses. Some of these addresses correspond to globally addressable IP addresses that one can reach over the Internet. Others are addresses that should never appear on the public Internet. These bogon addresses are private/reserved addresses and netblocks that have not been assigned to a regional Internet registry. The bogon address seen in the example above is called localhost. It’s the IP address used by a computer to refer to itself.

While adding the address of the botherder was implemented to de-anonymize the true source of an attack, most attackers are very adept at concealing their true IP address through the use of spoofed packets, proxies, virtual private servers (VPSs), and the use of compromised machines to conduct the original requests. When we started looking into the botherder addresses, we assumed that we would only find spoofed addresses. To our surprise, the botherder addresses exposed far more than we expected them to. By clustering the botherder IPs exposed in an attack, we were able to develop behavioral profiles that helped us link different attacks together to understand which attacks were likely conducted by the same attacker.

The first thing we looked at were the botherder IPs used in WordPress attacks against the BLM website. Our exploration of bogon addresses showed clear relationships between the attacks that could be exposed by looking at the botherder addresses.

The large blue ball of shared IP addresses on the left side of the bogon graph above surrounds two small incidents that occurred on August 8th and 9th. This massive ball of shared IP addresses consists of over 500 addresses from the private IP address spaces. Specifically, they include 382 addresses from the 172.16.0.0/12 address range and 177 addresses from the 10.0.0.0/8 address range. Private address ranges are not entirely uncommon for WordPress pingback attacks. They can appear when the botherder is on the same hosting provider as the WordPress sites they are exploiting and can also be created when a botherder is spoofing random addresses. What is unusual is how clearly the overlapping bogon IP addresses link these two attacks.

There were also globally addressable botherder IP addresses that linked each of the individual attacks against BLM together. It is likely that areas of sparse overlapping IPs exist because many botherders were clearly spoofing IP addresses. But the areas with many connections showed relationships that were worth exploring.

One commonality between all the attacks was that while every attack has hundreds of spoofed botherder addresses that appear only once or twice, there are also a small number of botherder addresses that account for a majority of the bots herded for the attack. In the August 8th and 9th attacks, which can be seen at the bottom of the globally addressable IP graph, three IP addresses accounted for 95% (13,963 / 14,585) of the WordPress connections that identified a botherder.
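The botherder analysis in this section (parsing the WordPress 3.9+ user agent, separating bogon from globally addressable herder IPs, linking incidents that share a herder, and measuring how much of an incident a few herders account for) is shown below as an added example; it is not Deflect Labs’ tooling. The incident ids and user-agent strings are constructed, RFC 5737 documentation addresses stand in for routable herder IPs, and the bogon list covers private, loopback, link-local and similar reserved ranges only; matching unallocated netblocks needs an external bogon feed.

```python
"""Extract and cluster WordPress pingback "botherder" addresses.

Added example, not Deflect Labs' tooling. The User-Agent strings below are
constructed in the WordPress >= 3.9 format quoted in the report:
    WordPress/4.6; http://host.site.tld; verifying pingback from 127.0.0.1
"""
import ipaddress
import re
from collections import Counter

PINGBACK_UA = re.compile(
    r"^WordPress/(?P<version>[\d.]+);\s*(?P<site>\S+);\s*"
    r"verifying pingback from\s+(?P<herder>[0-9a-fA-F:.]+)$"
)

# Private / loopback / link-local / shared / multicast / reserved ranges. This is
# an assumption for the example: unallocated netblocks need an external feed, and
# the RFC 5737 documentation ranges used in SAMPLE are deliberately left out so
# they can stand in for routable addresses.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of (incident id, User-Agent) pairs, not real log data.
SAMPLE = [
    ("inc-A", "WordPress/4.5.3; http://r1.example; verifying pingback from 192.0.2.8"),
    ("inc-A", "WordPress/4.6; http://r2.example; verifying pingback from 192.0.2.8"),
    ("inc-A", "WordPress/4.4; http://r3.example; verifying pingback from 172.16.5.9"),
    ("inc-A", "WordPress/4.6; http://r4.example; verifying pingback from 10.3.3.3"),
    ("inc-A", "WordPress/4.1; http://r5.example; verifying pingback from 127.0.0.1"),
    ("inc-B", "WordPress/4.6; http://r6.example; verifying pingback from 192.0.2.8"),
    ("inc-B", "WordPress/4.2; http://r7.example; verifying pingback from 172.16.5.9"),
    ("inc-B", "WordPress/4.6; http://r8.example; verifying pingback from 198.51.100.77"),
    ("inc-C", "WordPress/4.6; http://r9.example; verifying pingback from 203.0.113.5"),
    ("inc-A", "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"),  # ordinary visitor
]


def parse_herder(ua):
    """Return the botherder address from a pingback UA, or None if it is not one."""
    m = PINGBACK_UA.match(ua)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("herder"))
    except ValueError:
        return None


def is_bogon(addr):
    """True for addresses that should never be the real source of a request
    arriving over the public Internet."""
    return any(addr in net for net in BOGON_NETS)


def cluster_incidents(rows):
    """Map each herder address to the incidents it herded, split into two dicts:
    (globally addressable herders, bogon herders)."""
    global_map, bogon_map = {}, {}
    for incident, ua in rows:
        addr = parse_herder(ua)
        if addr is None:
            continue
        target = bogon_map if is_bogon(addr) else global_map
        target.setdefault(str(addr), set()).add(incident)
    return global_map, bogon_map


def linked_incidents(addr_map):
    """Sorted pairs of incidents that share at least one herder address."""
    links = set()
    for incidents in addr_map.values():
        for a in incidents:
            for b in incidents:
                if a < b:
                    links.add((a, b))
    return sorted(links)


def herder_concentration(rows, incident, top_n=3):
    """Share of an incident's herder-identified connections that its top_n
    herder addresses account for (the report's 95% = 13,963 / 14,585 figure)."""
    counts = Counter()
    for inc, ua in rows:
        addr = parse_herder(ua)
        if inc == incident and addr is not None:
            counts[str(addr)] += 1
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(top_n))
    return top / total if total else 0.0


if __name__ == "__main__":
    glob, bogon = cluster_incidents(SAMPLE)
    print(linked_incidents(glob), linked_incidents(bogon))  # [('inc-A', 'inc-B')] twice
    print(herder_concentration(SAMPLE, "inc-A"))  # 0.8
```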

Because Deflect’s primary purpose is DDoS mitigation, Deflect Labs’ investigations often happen days or weeks after the fact. This means that we often have to rely on our logs and open source intelligence. In this case one of the first things we looked at was who owned the three primary botherder IP addresses. These IP addresses belong to Digital Ocean, a VPS provider based in New York. Digital Ocean does not provide multiple IP addresses per machine, and so we know that this attack was herded by three separate Digital Ocean “droplets.” Hourly pricing for Digital Ocean droplets runs between $0.007 USD/hour and $0.119 USD/hour. With each of these attacks lasting under half an hour, the cost to run this attack was well below a single dollar.



“Bulletproof” Hosting

By far the largest cluster of associated WordPress attacks occurred between July and October. This set of attacks includes the five largest attacks over that four-month period.

Among the 206 globally addressable IPs used by those attacks, 5 botherder IP addresses make up 65% (41,030 / 62,488) of the botherder IPs identified in the attack. Each of these botherders was hosted on an “offshore” hosting provider called DMZHOST. The two most connected botherder IPs in our attacks are mentioned countless times on a variety of IP address reputation websites, forums, and even blog posts as the source of a variety of similar attacks.

“Bulletproof hosting” providers like DMZHOST provide VPSs that advertise themselves as outside of the reach of Western law enforcement. DMZHOST offers its clients “offshore” VPSs in a “Secured Netherland datacenter privacy bunker” and “does not store any information / Log about user activity.” At the same time, DMZHOST’s terms of service are just as concise. “DMZHOST does not allow anything (related) to the following content: – DDos – Childporn – Bank Exploit – Terrorism – NO NTP – NO Email SPAM”.

Conclusion

Silencing online voices is becoming ever easier and cheaper on the Internet. The biggest attacks presented in this report did not require expensive infrastructure, they were simply reflected from other websites to magnify their strength. We are beginning to see authorities pursue and shut down “bulletproof” hosting and booter services that enable a lot of these attacks, yet more needs to be done. In the coming age of IoT botnets, when we begin to witness attacks that can generate over a terabyte of traffic per second, the mitigation community should not guard their intelligence on malicious activity but share it, responsibly and efficiently. Deflect Labs is a small project laying the groundwork for open source community-driven intelligence on botnet classification and exposure. We encourage you to get in touch if you would like to contribute.



Deflect is a website security project working with independent media, human rights organizations and activists. It offers DDoS mitigation, secure hosting and attack analytics, free of charge to qualifying organizations. All of our tools are open source and we operate according to strict terms of service and principles promoting the privacy of our clients. Deflect is a project of eQualit.ie, a Canadian not-for-profit organization working to promote and defend human rights in the digital age.

Deflect Stats November 2016

In November the Deflect network served pages to many legitimate visitors interested in breaking news reported by deflected websites, and automatically mitigated some intense attacks.

[Figure: november_metrics]

During the month, Deflect served 585 million pages to 9.8 million visitors, with a slight increase of unique IPs as compared to our October statistics, suggesting a rise in the number of our legitimate visitors despite the decrease in the total number of requested resources. This is also reflected by the statistics on banned bots, which dropped from 50,323 in October to 38,740 in November.

[Figure: nov_hits_by_country]

Daily hits on the Deflect network, by country: in November, visitors of websites protected by Deflect originated from Ukraine, the USA and Turkey, closely followed by Russia, which became the second country of origin of requests on 22 November.

[Figure: nov_bandwidth_by_country]

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia, which rises to second position on 22 November.

[Figure: nov_uniqueips_by_country]

November statistics on unique visitors of websites protected by Deflect are topped by Turkey, Ukraine and the United States. On 22 November the Russian Federation rose to first position.

As in August, the peak in legitimate requests we recorded last month was linked to news from Uzbekistan, which also explains why we can clearly see a higher number of hits from a country where the internet, and most of the websites protected by Deflect, are censored for common citizens (but probably not for members of government and connected people).

Beyond the number of unique visitors and requests, here are two pie charts describing Deflect’s cache response and our visitors’ operating systems.

[Figure: nov_cache_result_pie]

In November, nearly 80% of the pages we served were cached in the Deflect edges. We had to get a copy from origin web servers for less than 20% of the requests we received.

[Figure: nov_osname_pie]

The pie chart on operating systems used by visitors of deflected websites in November shows that the trend we observed last month is unchanged: with Android at 37.03%, iOS at 8.7% and Windows at 39.29%, mobile devices (45.73% in total) are apparently being used as much as, if not more than, PCs (43.38%) to browse sites protected by Deflect.

November attacks

In November Deflect automatically mitigated all DDoS incidents targeting our network, including one major attempt on 15 November that didn’t last long, possibly because it was being blocked by our edges.


Bots used in these attacks originated mostly from the US, Germany and the Russian Federation. One detail sets apart last month’s statistics from what we observed in the previous months — WordPress doesn’t appear among the most used user agents in botnets, which suggests a change in attack methods.

November stats on the countries of origin of bots are mostly unchanged in comparison to previous months. One unusual detail is the “Anonymous Proxy” that can be spotted in the list of countries.

During the short but intense attack Deflect mitigated on 15 November, the bans were triggered mostly by a user agent string known to be used by botnets and by a high number of GET requests sent to the root directory of the targeted website.

User agents used by banned bots in November: WordPress is not one of the most frequent user agents in DDoS attacks, where we observe a prevalence of browser user agent names.

TA3M, December 19th – the Cryptmas edition

Our techno activism 3rd Mondays events are back! This time with a focus on mobile security and anonymity. As recent reporting highlighted once again the dangers to personal privacy from modern day surveillance, we are offering an overview of current possibilities for improving your mobile privacy, just in time for Christmas! We will discuss:

– Surveillance on cellular and data networks
– Tools for secure and anonymous communications
– Communicating without the network
– Smartphone security
– Android without Google

As usual this will be an informal presentation with a lively discussion and refreshments. This is a public event but please RSVP as space will be limited.

Location: 5445 de Gaspé, suite 602

When? December 19th, 18:00-20:00

Yes, I want to come! Please RSVP below…


To see a history of past TA3M Montreal events please refer to our archive.

Deflect Stats October 2016

In October Deflect’s metrics kept following the trend we had seen in September, with comparable figures in terms of unique visitors (9.3 million) and a slight increase in total hits (632.8 million requests reaching our edge servers), but with almost twice as many bots identified and banned by Deflect’s banning system – 50,323 bots against 27,238 in September. This means that deflected websites attracted a lot of legitimate visitors, but that we also had to mitigate stronger DDoS attacks.

[Figure: october_metrics]

Looking at some more detailed graphs dividing Deflect’s metrics by country of origin of our visitors, we can see that while Ukraine and the United States keep topping the scores as in previous months, the peak of visits originating from Russia in August and September has been subsiding in favour of Turkey.

[Figure: oct_hits_country]

In October, requests received by the Deflect network originated mostly from Ukraine, the US and Turkey.

[Figure: oct_bandwidth_country_pie]

October bandwidth usage on the Deflect network: Ukraine and the USA keep their first and second position respectively, with Turkey rising back to the third place as in the summer months, though still closely followed by Russia.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria rising above Turkey in the first half of the month.


[Figure: oct_cache_result_pie]

In October 78% of the requested content was cached in Deflect’s edge servers. We had to retrieve a copy of your pages for around 20% of the requests we received.

[Figure: oct_osname_pie]

Among the changes we have seen in October’s statistics, probably the most interesting is this pie chart on operating systems used by visitors of deflected websites. For the first time, we see Android overtaking Windows, even if only by a narrow margin. With a 37.5% slice of Android users and an 8.5% slice of iOS users, there are nearly as many mobile devices as there are personal computers accessing the websites protected by Deflect.


October attacks

Deflect mitigated some major attacks around mid-October. Two websites were targeted in particular, and the method was most probably a common WordPress pingback reflective attack.


[Figure: oct_bans_country]

Number of banning events by country. The peak of banned bots originating from the USA corresponds to the intense attacks Deflect mitigated between the 13th and 15th October


[Figure: oct_banjax_uaname_pie]

Most bots identified and banned by Deflect during the month of October were characterized by a “wordpress” user agent – this is common in WordPress pingback reflective attacks


The most intense DDoS attempt this month targeted the official Black Lives Matter website, which has been under attack for months, as we will describe in the new Deflect Labs report that will soon be published.

As we have often seen in DDoS attacks against Black Lives Matter, the botnet originated in great part from the United States, and was characterized by a large number of bots masquerading with a “spider” user agent device and a “wordpress” user agent name.

[Figure: blm_ddos_131016_bans_country]

Between the 13th and 14th October, most bots banned by Deflect originated from the US

The bots used in the DDoS attack against Black Lives Matter were masquerading with a “wordpress” user agent name and a “spider” user agent device

[Figure: blm-banjax_uaname-trigger]

What triggered the banning events in the two peaks of the attack were mainly WordPress user agents

Towards the end of the month, we were struck by news of another DDoS attack elsewhere on the internet. On the 21st October a record-breaking DDoS attack against the domain name provider Dyn caused an outage that made important websites like Twitter, Reddit or Spotify unreachable for several hours on the East Coast of the United States and in Japan. As in the September attack against KrebsOnSecurity, this attack exploited Internet of Things devices through malware called Mirai that had just been released to the public. As Bruce Schneier concludes in his post on this episode and the lessons we can learn from it, DDoS attacks are likely to become stronger and stronger. If you defend human rights, fight for social justice or produce independent media, consider protecting your website under Deflect!

Deflect Stats September 2016

In September, Deflect metrics grew as new websites joined the service and a popular Syrian website rejoined Deflect to ensure an uninterrupted news stream on the regional conflict. In other news, the Internet witnessed the largest ever DDoS attacks, surpassing 600 Gbps and then 1 terabyte of traffic per second. These events followed the leak of an online DDoS service, called vDOS. We ingested and visualized the leaked database, presenting some findings below for your perusal :)

[Figure: september_metrics]

Overall, the Deflect network served 623.2 million pages to 9.3 million unique visitors, and our banning mechanism banned 27,238 bots. Let’s break down these statistics to put the figures in context and give them meaning:


[Figure: sept_deflect_uniqueips_by_country]

While Ukraine is as usual the first country of origin of unique visitors of deflected websites, in September the United States lost second position to Turkey.

[Figure: sept_hits_by_country]

As regards daily hits on the Deflect network, the rise in requests from the Russian Federation we had observed at the end of August continued in September, when Russia became the third country of origin, after Ukraine and the USA.

[Figure: sept_deflect_bandwidth_by_country]

September’s statistics on bandwidth usage match the trend we have observed in the graph on daily hits: Ukraine and the USA are as usual the first two countries, followed by Russia.

In September we also observed an improvement in our cache response: as you can see in the pie chart below, around 82% of the pages we served were cached in our servers, while we had to get a copy from your websites for approximately 17% of the requests we received.

[Figure: sept_cache_response]

Our stats on the operating systems used by visitors of deflected websites suggest that the usage of Android is spreading, from around 25% in the last few months to nearly 35%, while the quantity of Windows users has shrunk from around 50% to 39.34%. We are glad to see that the slice of pie corresponding to the obsolete Windows XP is getting smaller and smaller (6.42% last month) — we hope it will soon disappear altogether from our graphs!

[Figure: sept_deflect_os_name]

September attacks

Last month Deflect automatically mitigated several DDoS attempts, which targeted three websites in particular.

[Figure: sept_bans_by_country]

A vast majority of the bots banned by Deflect in each of the three incidents appears to have originated from the United States.

[Figure: sept_bans_by_country_1]

[Figure: sept_bans_by_country_2]

[Figure: sept_bans_by_country_3]

A split visualization of the major incidents targeting three deflected websites divided by country of origin of the bots shows that in each case the main country of origin was the United States. Another common feature we have observed in most of these DDoS attempts is the method used to launch the attack – the common WordPress Pingback reflective attack method we have often reported about lately.

[Figure: sept_bans_ua_name]

Another attack gave us a lot of food for thought in September. Although it wasn’t targeting the Deflect network, it marked a turning point in the history of DDoS attacks and online censorship. The attack targeted independent journalist Brian Krebs’ website KrebsOnSecurity, an important source of digital security news that had recently reported on the hack of a DDoS-for-hire business known as vDOS. One of our clients appeared in the vDOS target list. Otherwise we saw that the most common method of attack requested was DNS (likely reflection) and the majority of clients were from China, attacking websites that were also from China.

[Figure: target_countryvsclient_country]

[Figure: attack-type]

[Figure: client_cityvstarget_isp]

What made this attack particularly concerning was its unprecedented intensity: 620 gigabits per second of data were constantly thrown at the website for hours, until Akamai, a network provider that was supplying KrebsOnSecurity with DDoS mitigation services for free, decided that it was unsustainable for them and their clients to keep protecting Krebs’ website from that onslaught.

Read more about the attack on KrebsOnSecurity in this article, which also explains how its huge botnet was made of Internet of Things devices: common routers, printers, CCTV cameras and the like. The code used to create that botnet has now been released, and similar attacks will probably become more and more frequent. As Brian Krebs himself has noted in this post, which is well worth reading, we are witnessing an alarming trend towards all-pervasive internet censorship. DDoS attacks are expected to become more and more intense in the future. Any website could be targeted, especially if it covers news from an independent point of view or supports a hard-fought cause. DDoS mitigation is much more effective if a website is protected in advance. If you defend human rights, run a civil society organisation or produce independent media, consider registering your website on Deflect now :)


Deflect Stats August 2016

“No news is good news” in the DDoS mitigation game, and this is what we were hoping for in August 2016. We decided to capitalize on this opportunity and focus the team on new developments supporting free Let’s Encrypt certificates for all Deflect clients, as part of the TLS/HTTPS system.

Then, on the 29th everything changed, as one of our oldest clients, Ferghana News, was the first media to report on the death of the president of Uzbekistan, several days before the official announcement. The bottom line is that Deflect’s statistics for August 2016 show what happens when no important DDoS attack hits our edges and at the same time some of the websites we protect get a lot of traffic from human visitors who are interested in news they have published.

[Figure: aug_metrics]

In comparison with the previous month, in August we recorded a decrease in our total metrics, falling even below the figures we saw in the uneventful month of June, but at the end of the month we experienced a sudden peak that brought our monthly statistics back in line with recent trends. Overall, Deflect served 474 million pages to 7.7 million visitors. Meanwhile Banjax, our banning system, banned 20,294 unique IPs.

[Figure: aug_uniqueips_by_country]

August statistics on unique visitors of websites protected by Deflect are topped as usual by Ukraine, followed by the United States and by the Russian Federation, which peaks above every other country towards the end of the month

[Figure: aug_bandwidth_by_country]

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia as in July. The peak at the end of the month corresponds to an increase in bandwidth usage by Russian IPs.

[Figure: aug_hits_by_country]

Daily hits on the Deflect network, by country: visitors of websites protected by Deflect originate as usual from Ukraine, the USA and Turkey, but at the end of the month connections from the Russian Federation rise above all the others

Dividing Deflect hits by requested websites, we can see that a large part of this increase is connected to Ferghana News, one of the most popular news outlets dealing with Central Asian countries, which was reporting about the death of the president of Uzbekistan in those same days.

[Figure: aug_hits_uzb1]

August total requests for Ferghana News

[Figure: aug_fergana_by_country]

Connections to Ferghana News in August divided by country


Analysing this peak of connections by country of origin, it is clear that the news published on Ferghana News attracted a lot of attention from Central Asian countries, including Uzbekistan, where the website is actually blocked for ordinary citizens (but apparently not for government officers and powerful people). This is a common occurrence in censoring countries, where citizens are stopped from accessing information but rulers know very well how much value an open internet can bring.

[Figure: aug_fergana_russia]

Connections to Ferghana News from the Russian Federation in August

[Figure: aug_fergana_uzbekistan]

Connections to Ferghana News from Uzbekistan in August

[Figure: aug_fergana_kyrgyzstan]

Connections to Ferghana News from Kyrgyzstan in August

[Figure: aug_fergana_tajikistan]

Connections to Ferghana News from Tajikistan in August

Finally, here’s our monthly pie chart on our visitors’ operating systems. Fortunately, the usage of Windows XP keeps falling (7.58% against 8.13% last month), but overall statistics on the operating systems used by our visitors are unchanged, with about half the connections originating from a Windows system, a quarter from Android devices, less than 10% from iOS devices and just a tiny fraction of users choosing Linux or even Mac.

[Figure: aug_os_name]

August attacks on the Deflect network

In August, Deflect didn’t experience any noteworthy attacks on its network, and all DDoS attempts were mitigated automatically.

[Figure: aug_banjax_uniqueips_host]

Number of banned IPs in attacks against single websites protected by Deflect

Even at their peaks, the attempts at attacking websites protected by Deflect didn’t involve more than a couple of thousand bots, and from their most common user agents and from the elements triggering our banning system, we can conclude that the most common method used these days to launch DDoS attacks is the WordPress Pingback reflective attack, which we have described in each of our reports in the last few months.

[Figure: aug_ddos1_trigger]

Triggers that activated Deflect’s banning system in August

[Figure: aug_ddos1_uaname]

User Agents used by bots banned by Deflect in August

[Figure: aug_ddos2_uaname]

In one of the attempts at attacking a website protected by Deflect in August, the vast majority of bots masqueraded with a “wordpress” User Agent.

Deflect Stats July 2016

From what we can conclude from our statistics, during the month of July bot controllers must have come back from their holidays, since traffic on the Deflect network started to increase again and we witnessed one of the most intense bursts of DDoS attacks we had observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 million vs. 514.1 million in June) and unique visitors (8.8 million vs. 7.8 million in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events against 33,637 bans in June, and 52,034 unique IPs banned against 2,915 during the previous month.

[Figure: metrics_july]

A notable increase was also recorded in our bandwidth usage, which peaked at 18.7 TB against an average monthly usage of about 13.6 TB over the previous quarter.

[Figure: bandwidth_usage_july]

[Figure: bandwidth_may-jul]

Daily bandwidth usage on the Deflect network between May and July

Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.

[Figure: uniqueIPs_by_country]

In July, unique visitors of websites protected by Deflect connected mostly from Ukraine, followed by Turkey and Germany

[Figure: hits_by_country]

Daily hits on the Deflect network, by country: also in July, the main country of origin of visitors of deflected websites was Ukraine, followed by the USA and Turkey. The peak on the 10th of July confirms that the DDoS attacks we helped mitigate on that day originated mostly from the United States

[Figure: bandwidth_by_country1]

Bandwidth usage by country of requesting IP. Once again, Ukraine and the USA are the first two countries requesting resources from deflected websites. Note the peak of requests originating from the United States on July 10th

Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and iOS with 9.28%. The share of connections from Windows XP has fortunately fallen from 10.18% last month to 8.13% in July, but the same recommendation we gave in the post on June statistics still applies to anyone running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!

[Figure: UAOS_pie_chart]

From the statistics on requested resources, we can also visualize what kinds of contents are being requested, with over half of the connections requesting text and images from websites.

[Figure: content_pie_chart]

July attacks on the Deflect network

Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.

[Figure: bans__jul]

Banning events during the month of July on the Deflect network

[Figure: bans_by_host_jul]

Banning events by host: this month 2 deflected websites were targeted in particular

[Figure: bans_by_country]

Banning events divided by country. The peaks corresponding to the main attacks we mitigated, on the 10th and on the 18th-19th July, all originated mostly from the USA

As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress Pingback reflective attack method. This can be seen in the graph on the user agent declared by banned bots in the peak corresponding to the attack, where the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.

A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.

[Figure: bans_UAname]

Banning events by user agent name: bots used in the attacks were declaring a “wordpress” UA

[Figure: UA_name]

Total hits to the Deflect network divided by user agent: while most of the connections to deflected websites originate from Google Chrome browsers, during the attack we observed a peak of “WordPress” UAs

[Figure: UA_name_WP]

Total hits to the Deflect network divided by user agent: the peak of “WordPress” UAs observed during the attacks is highlighted

The main incident observed on the 10th July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their old WordPress UA, despite the fact that the bots were masquerading as “spiders”.

[Figure: BLM_july_trigger]

What triggered our system to ban bots during the 10th July attack was mainly an old WordPress UA

[Figure: BLM_july_UAdevice]

Bots taking part in the WordPress pingback attack against the BLM website were identifying themselves with a “spider” user agent device

Deflecting cyber attacks against the Black Lives Matter website

Last week and throughout the weekend, Deflect helped mitigate several DDoS attack bursts against the official Black Lives Matter website. At current estimates over 12,000 bots pounded the website just over 35 million times in 24 hours. An unusual trait of this attack was the prevalence of malicious connections originating from the US. An in-depth analytic report will follow this prima facie bulletin.


[Figure: hits_BLM]

Hits against the BLM site

[Figure: unique_ip_country]

All unique visitors (IP) by country

[Figure: unique_bots_by_country]

Unique bots (IP) by country

The Black Lives Matter website had already been attacked in May using a similar method of a WordPress Pingback reflective attack and similarly an unusually high percentage of bots from the US.

[Figure: unique_ip_banned_ddosrule]

Deflect banning rules triggered by the attacks

Despite its intensity, the attack was successfully contained by Deflect, and the Black Lives Matter website remained functional and accessible throughout much of the weekend. Black Lives Matter has released an official statement on this incident together with eQualit.ie, Design Action Collective and May First/People Link:

Keeping a website available when attackers are seeking to take it off-line is essential for many reasons. The most obvious is the importance of protecting the fundamental right to human communication. But the specific targeting that characterizes recent DDOS attacks (on networks supporting reproductive rights, Palestinian rights and the rights of people of color) highlights this type of on-line attack as part of the arsenal being used to quash response and social change movements.

DDOS attacks will increase as our protests and organizing increases and so must our movements’ ability to resist them and stay on-line. The collaborative work that spawned the response to this attack is both an example of this protective effort and yet another step in improving it and making it stronger.

Our organizations work in different areas with different programs but we are united in our commitment to vigorously preserving our movements’ right to communicate and defeating all attempts to curtail that right. Without the ability to communicate freely, we can’t organize and, if we can’t organize, our world can never be truly free.

Read the Statement on the Recent Attacks on Black Lives Matter’s Website.

We are in the process of studying and classifying these attacks using Deflect Labs technology and aim to publish the results in our next Deflect Labs report.

Deflect Stats June 2016

If any conclusion can be drawn in comparing this month’s statistics with the rest of the year, it’s probably that hot weather is also discouraging to those bot controllers launching DDoS attacks! The month was rather uneventful on the malicious side of things, but the team worked in earnest to improve our mitigation mechanisms, including threat detection and banning systems… because, you know, winter is coming.

[Figure: june_metric]

During the month of June, Deflect served almost 8 million unique visitors. Our DDoS mitigation system identified 2,885 IPs as bots, a significant decrease compared to previous months.

Overall, the distribution of visitors and bandwidth usage by country has not changed much in comparison to last month.

[Figure: june_hits_by_country]

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

[Figure: june_unique_visitors_by_country]

Unique visitors of deflected websites connect mostly from Ukraine, this month followed by Germany and by a tie between the USA and Turkey

Hits during this month by the most popular content type requested

A more careful look at our visitors’ user agents shows a regular pattern in the usage of operating systems: as usual, Windows is the most used OS, followed by Android with everything else trailing well behind.

[Figure: june_deflect_uaOS]

The real conundrum is illustrated by the following pie chart: how is it possible that in 2016, more than 2 years after its support ended, so many of our visitors still use Windows XP? If you are using it, we strongly recommend updating your system to a newer version of Windows or switching to Linux (also to make our pie charts a bit more varied!).

[Figure: june_deflect_uaOS_winXP]

June attacks on the Deflect network

This month the Deflect network didn’t face major incidents, and the few DDoS attacks that targeted deflected websites were mitigated automatically.

[Figure: june_banjax_by_country]

Banning events on the Deflect network divided by country

Bots captured this month as identified by the mitigation rules they violated

Most of the bots this month were captured using automatic and hard-coded mitigation methods. A few required the deployment of a reverse SHA challenge

Bots this month as sorted by those requesting content (GET) and sending content (POST)

The main incident was observed on the 2nd June. It lasted a few hours and was caused by a smaller botnet made up of around 300 bots that attacked a Ukrainian website. As usual, the method was a WordPress Pingback reflective attack.

2june_ddos_ua_name

The main user agent name used by the bots involved in the 2nd June DDoS attack was “wordpress”

This method, which we often observe in our everyday activity, exploits the WordPress Pingback feature to attack websites, and any WordPress-based site can be affected unless it is adequately secured.

To check if your WordPress website has been used to attack others, you can use this tool. But if your website runs on WordPress, what’s most important is to secure it against this kind of attack. It isn’t difficult: all you need to do is install a plugin called Disable XML-RPC Pingback on your website. This will make it impossible for attackers to exploit the WordPress Pingback feature to attack others.

If you want to secure your WordPress-based website against any kind of attack, Deflect can help: eQPress is our secure hosting platform based on WordPress, where you can either migrate your website or create one from scratch. Visit eQPress’ website for more details.

Deflect Stats May 2016

May 2016 was an interesting month for Deflect. We began the month with two intense attacks that required our team’s intervention right in the middle of May Day. After this, the month unrolled with a series of smaller attacks against the same websites, which were by then automatically mitigated by the Deflect network without requiring further effort. Traffic figures were comparable to those recorded in April.

metrics

During the month of May, Deflect served 600 million pages to 8.7 million unique visitors. Our DDoS mitigation system also banned 14,579 IPs identified as bots

hits_by_country

Daily hits on the Deflect network, by country: the main country of origin of visitors to websites protected by Deflect was Ukraine, followed by the USA and Turkey

bandwidth_by_country

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

UA_OS

Windows remains the most common operating system among Deflect readers this month too, closely followed by Android devices. We still see a substantial amount of Windows XP users several years after Microsoft pulled support for this operating system.

As shown in the pie chart below, in May, as in April, around 70% of the pages we served were cached on our servers, while we had to fetch a copy from our users’ websites for approximately 20% of the requests we received.

cache_response

Deflect’s caching system responses for the month of May

May attacks on the Deflect network

On May Day Deflect mitigated two strong attacks that required our staff’s intervention.

DDoS_by_host

DDoS attacks mitigated by Deflect in May 2016 targeted mainly two websites

Several incidents observed during the month used the WordPress Pingback reflective attack method, which is very common and which we often encounter in our day-to-day work. This is the method used in one of the strong attacks we mitigated on the 1st May, when thousands of bots attacked the targeted website for most of the day, up to midnight. Although we have seen much larger botnets attacking our protected websites, this one hit with short peaks of high intensity, forcing us to intervene manually in order to trigger an earlier blockage of these requests and make sure they couldn’t reach the origin server, as well as to reduce the load on our servers. Since the WordPress Pingback attack uses any WordPress website available anywhere on the web to create a botnet, it was impossible for us to identify a main country of origin for this attack.

By deploying the Banjax Challenger, we eliminated all the bots requesting these pages.

WPattack

Among the UAs used by bots in May 1st attacks, a large number identified themselves with a “wordpress” user agent name

One of the websites targeted by the May Day DDoS attacks was blacklivesmatter.com, which was attacked again during the rest of the month, in particular on the 9th and 21st May. These attacks were based on different methods: while in the latter cases a common WordPress pingback attack method was used, on May 1st the attackers flooded the site with GET requests to its root path (“/”), coming from various locations across the world. Deflect automatically mitigated the second and third attacks, but the first one, which lasted 2 hours with a fairly steady level of 8000 hits per minute, managed to take the server down despite a lot of content being served by Deflect’s edge servers. We will be investigating these attacks in more detail with the aim of publishing our analysis in a Deflect Labs report.

BLM_trigger

The triggers that alarmed our botnet detection system during the DDoS attack on Black Lives Matter’s website
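Detection logic for the two attack signatures described above (the WordPress Pingback reflection seen on the 1st May and 2nd June, recognisable by its “wordpress” user agent, and the steady GET flood against “/” at around 8000 hits per minute), as an added example that is not part of the original post or of Deflect’s own tooling: it parses combined-format web-server log lines, counts requests carrying the User-Agent WordPress attaches to pingback verification fetches, pulls out the source IP WordPress reports in the “verifying pingback from <ip>” part of that User-Agent, and buckets hits per minute so a rate threshold can be applied. The log lines, IP addresses and hostnames are constructed, and the threshold is an assumption.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress tags its pingback verification fetch with "verifying pingback from <ip>";
# <ip> is the host that sent the forged pingback.ping call to the reflecting blog,
# so a defender can see past the reflector to where the request was triggered.
PINGBACK_UA_RE = re.compile(r'^WordPress/[^;]*;.*verifying pingback from (?P<src>\S+)', re.I)

# Constructed sample log lines (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2016:13:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.5.2; http://reflector-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [01/May/2016:13:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.4; http://reflector-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [01/May/2016:13:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/46.0"
203.0.113.13 - - [01/May/2016:13:01:00 +0000] "GET /about/ HTTP/1.1" 200 512 "-" "WordPress/4.5.2; http://reflector-c.example; verifying pingback from 198.51.100.9"
"""

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def pingback_reflections(lines):
    """Return (reflector_ips, claimed_sources) for requests bearing the pingback User-Agent."""
    reflectors, sources = Counter(), Counter()
    for rec in parse(lines):
        m = PINGBACK_UA_RE.match(rec["ua"])
        if m:
            reflectors[rec["ip"]] += 1        # the abused WordPress site
            sources[m.group("src")] += 1      # the IP WordPress says triggered it
    return reflectors, sources

def per_minute_hits(lines, path=None):
    """Hits bucketed per minute (timestamp truncated to the minute), optionally for one path."""
    buckets = Counter()
    for rec in parse(lines):
        if path is None or rec["path"] == path:
            buckets[rec["ts"][:17]] += 1      # "01/May/2016:13:00"
    return buckets

def minutes_over_threshold(lines, threshold, path=None):
    """Minutes in which hits (for the given path, if any) reached the threshold."""
    return sorted(k for k, v in per_minute_hits(lines, path).items() if v >= threshold)
```

On the 1st May traffic described above, `minutes_over_threshold(lines, 8000, path="/")` would flag the two-hour GET flood, while `pingback_reflections` separates the reflecting WordPress sites from the address that triggered them.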