Distributed Deflect – project review

This is the fifth year of Deflect operations and an opportune time to draw some conclusions from the past and provide a round of feedback to our many users and peers. We fought and won several hundred battles with various distributed denial of service and social engineering attacks against us and our clients, expanding the Deflect offerings of open source mitigation solutions to also include website hosting and attack analytics. However, several important missteps were taken to arrive here and this post will concentrate on lessons learned and the way forward in our battle to reduce the prevalence of DDoS as an all too common technique to silence online voices.

Our reflections and this post were motivated by an external evaluation report of the Distributed Deflect service, which you can read in this PDF. The project itself was a technical long shot and an ambitious community building exercise. Lessons learned from this endeavor are summarized within. It's about a 10-minute read :)

During peak times on Deflect throughout 2012-2016 we were serving an average of 3 million unique daily readers and battling with simultaneous DDoS attacks against several clients. The network served websites continuously for the entire 3 1/4 years of project duration, recording less than 30 minutes of down time in total. The project had direct impact on over four hundred independent media, human rights and democracy building organizations.

What we did

eQualit.ie released 10 open source libraries, toolkits and frameworks including tools for network management and DDoS mitigation; a WordPress managed hosting framework; classification and analysis of malicious network behaviour; the Bundler library for website encryption and delivery across an untrusted network, which was also reused in the Censorship.NO project for circumventing Internet filtering infrastructure.

Over three hundred and fifty websites passed through the Deflect protection service. These websites ranged in size and popularity, receiving anything between a dozen daily readers to over a million. Our open door policy meant that website owners who had changed their minds about Deflect protection were free to leave and unhindered in any way from doing so. Over the course of the project, we have mitigated over four hundred DDoS attacks and served approximately 1% of Internet users each calendar year (according to our records correlated against Internet World Statistics). Our work also appeared in topical and mainstream media.

Aside from the DDoS protection service, we trained numerous website administrators in web security principles, worked with several small and medium ISPs to set up their own Deflect infrastructure and enabled Internet presence for key organizations and movements involved in national and international events, including the ’13 election in Iran, ’14 elections in Ukraine, Iguala mass kidnapping, Panama papers, and Black Lives Matter among others.

Distributed Deflect

As attacks grew in size, we debated the long-term existence of the project, deciding to prototype an in-kind DDoS mitigation service, whereby websites receiving free protection and any volunteers could join and expand the mitigation network’s size and scope. We wanted to create a service run by the people it protected. The hypothesis envisioned the world’s first participatory botnet infrastructure, whereby the network would be sustained with around a hundred servers run by the Deflect project and several thousand volunteer nodes. Our past experience showed that the best way to mitigate a botnet attack was with a distributed solution, utilizing the design of the Internet to nullify an attack that no single endpoint could handle by itself. Distributed Deflect brought together people of various backgrounds and competencies, blending software development and technical service provision, customer support and outreach, documentation and communications. We designed, prototyped and brought into production core components of a distributed volunteer infrastructure, only to realize that the hypothesis behind our proposal could not scale if we were to maintain the privacy and security of all participants in our network.


An infrastructure that would accept voluntary (untrusted) network resources had to introduce checks for content accuracy and confidentiality, otherwise a malicious node could not only see who was doing what on the Deflect network but delete or change content as it passed through their machine. Our solution was to encrypt web pages as they left the origin server and deliver them to readers as an encrypted bundle, with an additional authentication snippet being sent by another node for verification. Volunteer nodes would only be caching encrypted information and would not be able to replace it with alternative content.
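A toy model of the bundle design just described, added here as an example (it is not eQualit.ie's Bundler code). The party names, keys and sample page are constructed, it assumes the reader already holds the page keys via a trusted channel, and it uses an HMAC-based keystream in place of a real AEAD so it runs on the standard library:

```python
"""Toy model of the Distributed Deflect bundle design described above.
Added example, not eQualit.ie's Bundler code. Parties: Origin (encrypts the
page and makes a detached tag), VolunteerCache (untrusted node storing opaque
bundles), a trusted tag store standing in for the node that sends the auth
snippet, and Reader (verifies the tag before decrypting). Assumption: the
reader got the page keys over a trusted channel. Encrypt-then-MAC with an
HMAC-SHA256 counter-mode keystream keeps this on the stdlib; production code
would use a real AEAD such as AES-GCM.
"""
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN = 16
DEMO_PAGE = b"<html><body><h1>Independent news</h1></body></html>"  # constructed


def derive_key(master: bytes, label: bytes) -> bytes:
    """Purpose-specific subkey so the encryption and MAC keys differ."""
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def make_tag(mac_key: bytes, url: str, blob: bytes) -> bytes:
    """Tag binds ciphertext to its URL, so a bundle cannot be replayed under another path."""
    return hmac.new(mac_key, url.encode() + blob, hashlib.sha256).digest()


class Origin:
    """The protected website: the only party that handles plaintext pages."""

    def __init__(self, master_key: bytes) -> None:
        self.enc_key = derive_key(master_key, b"deflect-bundle-enc")
        self.mac_key = derive_key(master_key, b"deflect-bundle-mac")

    def bundle(self, url: str, page: bytes) -> tuple[bytes, bytes]:
        nonce = os.urandom(NONCE_LEN)
        blob = nonce + xor_bytes(page, keystream(self.enc_key, nonce, len(page)))
        return blob, make_tag(self.mac_key, url, blob)


class VolunteerCache:
    """Untrusted node: holds nonce||ciphertext, never a key or a tag."""

    def __init__(self) -> None:
        self.store: dict[str, bytes] = {}

    def put(self, url: str, blob: bytes) -> None:
        self.store[url] = blob

    def get(self, url: str) -> bytes:
        return self.store[url]


class MaliciousVolunteer(VolunteerCache):
    """The threat named in the text: a node that alters cached content."""

    def get(self, url: str) -> bytes:
        blob = super().get(url)
        flipped = blob[NONCE_LEN] ^ 0x01  # flip one ciphertext bit
        return blob[:NONCE_LEN] + bytes([flipped]) + blob[NONCE_LEN + 1:]


class Reader:
    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key = enc_key, mac_key

    def fetch(self, url: str, cache: VolunteerCache, trusted_tags: dict[str, bytes]) -> bytes | None:
        blob = cache.get(url)  # from the untrusted node
        if not hmac.compare_digest(make_tag(self.mac_key, url, blob), trusted_tags[url]):
            return None  # tampered or swapped bundle: reject, never render
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        return xor_bytes(ct, keystream(self.enc_key, nonce, len(ct)))


def run(tamper: bool = False) -> bytes | None:
    """End-to-end exchange; returns the page the reader accepts, or None."""
    origin = Origin(b"constructed-demo-master-key")
    cache = MaliciousVolunteer() if tamper else VolunteerCache()
    trusted_tags: dict[str, bytes] = {}  # served by a trusted Deflect node
    blob, tag = origin.bundle("/index.html", DEMO_PAGE)
    cache.put("/index.html", blob)
    trusted_tags["/index.html"] = tag
    return Reader(origin.enc_key, origin.mac_key).fetch("/index.html", cache, trusted_tags)
```

`run()` returns the page when the volunteer is honest and `None` when the node altered the cached bundle, which is the property the design relied on.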


All necessary infrastructure design and software tools to implement this model were built to specification. However, once ready for production and undergoing testing, we realized the error in hypothesis made at the onset. Encrypted bundles grew in size, as all page fonts and various third-party libraries – that make up the majority of web pages today and are usually stored in the browser’s cache – had to be included in each bundle.

This increased network latency and could not scale during a DDoS attack. We were worsening the performance of our infrastructure instead of improving it. Another important factor driving our deliberation was the low cost of server infrastructure. By renting our machines with commercial providers, and using their competitive pricing to our advantage, we have managed to maintain infrastructure costs below 5% of our overall monthly expenditure. Monetary support for a worldwide infrastructure of Deflect servers was not significant when compared with the resources required to service the network. By concentrating development efforts on encrypting and delivering website content from our distributed cache and performance load balancing on a voluntary node infrastructure, we held back work on improving network management and task automation. This meant that the level of entry to providing technical support for the network was set quite high and excluded the participation of technically minded volunteers protected by Deflect.


After several months of further testing, deliberation and consultation with our funders, we decided to abandon the initiative to include voluntary network resources, in favour of continuing the existing mitigation platform and improving its services for clients. As attack mitigation became routine and Deflect successfully defended its clients from relentless DDoS offensives, the team began to look at the impunity currently enjoyed by those launching the attacks. Beginning with a case of a Vietnamese independent media website targeted by bots originating from a state-regulated and controlled Vietnamese ISP, we understood that a story could be extracted from the forensic trail of an attack, one that may contain evidence of motivation, method and provenance. If this story could be told, it would give huge advocacy power to the target and begin to peel away at the anonymity enjoyed by its organizers. The cost of attacking Deflectees would rise as exposure and media attention around the event upended the attackers’ goals.

We began to develop an infrastructure that would capture a statistically relevant segment of an attack. Data analysis was achieved through machine-led technology for profiling and classifying malicious actors on our network, visualization tools for human-led investigation and cooperation with peer organizations for tracing activity in our respective networks. This effort became Deflect Labs and in its first twelve months we published three detailed reports covering a series of incidents targeting websites protected by Deflect, exposing their methodology and profiling their networks. Doing some open source intelligence and in collaboration with website staff, we identified a story in each attack exposing possible motivations and identity of the attackers. Following publication and media attention created by these reports, attacks against one of the websites reduced significantly and ceased altogether for the other one.

Bot behavior follows a certain pattern inside the seven-dimensional space created by Bothound analytics


Challenges

Many difficulties and problems could be expected with running a high-impact, 24/7 security service for several million daily readers. Fatigue, lack of time for developing new features, round-the-clock emergency coverage and numerous instances of high-stress situations led to burnout and staff turnover. The resources invested in the Distributed Deflect model set back development considerably for other project ambitions.
At around the same time as Deflect was gaining popularity, free mitigation offerings from Cloudflare and Google were introduced in tandem with outreach campaigns targeting independent media and human rights organizations. This led to more options for civil society organizations seeking website protection but made it harder for us to attract the expected number of websites. We started a campaign to define differences in our distinctive approaches to client eligibility, respect for their privacy and clear terms of service, trying a variety of communications and outreach strategies. We were disappointed nonetheless to not have received more support from within our community of peers, as open source solutions and data ownership did not figure highly as criteria for NGOs and media when selecting mitigation options.

… we carry on

Deflect continues to operate and innovate, gradually growing and solidifying. Our ongoing ambitions include offering our clients broader hosting options and coming up with standards and systems for responsible data sharing among like-minded ISPs and mitigation providers. Look out for pleasant graphic user interfaces in our control panels and documentation platforms. We are also prototyping several different approaches to generating revenue in order to sustain the project for the foreseeable future. The goal is to get better without losing track of what we came here to do in the first place. As always, we are here to support our clients’ mission and their right to free expression. We are heartened by their feedback and testimonials.

Read More

eQualit.ie at the Internet Freedom Festival

The Internet Freedom Festival (IFF), the Global Unconference of the Internet Freedom Communities, will take place in Valencia, Spain, from the 1st to the 6th March 2017. With over 1000 participants from more than 100 countries, and with 40% of women registered in the event, the IFF focuses on inclusivity and skill sharing and will host more than 200 sessions and self-organized events.

This year eQualit.ie is among the official supporters of the Internet Freedom Festival, and our staff will host 3 sessions and a night event, the Tools & Tech Showcase.

Our first session will focus on community-driven DDoS self-defence and will take place on Tuesday, March 7th, at 12.15. Another session scheduled on Tuesday, March 9th, at 17.00pm will be dedicated to our brand-new multiparty chat encryption protocol (n+1)sec and will consist of a workshop with software developers, security experts, designers, usability specialists, and communications systems engineers on how to make an encrypted multi-party chat protocol as usable as possible. On Thursday, March 9th, at 12.30, our outreach coordinator Floriana will be co-leading a session presenting a training prototype for partitioning one’s social domains as an introduction to Qubes OS.

eQualit.ie will also host the Tools & Tech Showcase on Tuesday 7th March starting from 19.30. Come and explore all the awesome tools and services that are helping the Internet freedom community join forces to fight censorship and surveillance.

See you soon in Valencia!
Read More

Distributed Denial of Women – a general strike

It’s a well-known problem: the tech industry, be it proprietary or open source, hasn’t managed to tackle inequality in its ranks despite several proactive efforts and millions of dollars invested to diversify their staff. There are many explanations and critiques of these approaches, but in the end what counts is that technology is still developed and maintained by a homogeneous population of mainly English-speaking cisgender white men.
That’s why on the 23rd February 2017 women and non-binary people in tech are called to join a general strike, the Distributed Denial of Women.


We are calling on all women and non-binary people to stand in solidarity and pledge to stay offline, organize or join public gatherings, or stay home in protest of being constantly overlooked, undervalued, underpaid, and downright attacked for daring to demand basic dignity and respect.


The organizers of the Distributed Denial of Women acknowledge that not all women and non-binary people have the privilege to participate in this strike, and offer several ways of joining the protest, also through social media. As women working at eQualit.ie, we have decided to join the strike in solidarity with women and non-binary people in tech who regularly face exclusion, microaggressions or abuse. We will participate in the protest with a proactive attitude, so that the Distributed Denial of Women is not a one-off event but a step in a wider process aiming at inclusion and at creating a safer space within our working place, even though it is a virtual and geographically distributed one.
For example, in the coming weeks we have committed, as a team, to set aside dedicated time to tackle (or continue developing) our hiring and recruitment processes (with a focus on actively pursuing diversity and standardising assessments); reviewing material we publish for exclusionary language; and opening dialogues within the team about adopting a code of conduct that reflects the kind of balanced environment we want to work in.
We realize that gender gaps exist across all sectors. In Canada, where eQualit.ie was founded, women earn on average 66.7 cents for every dollar men earn, according to the most recent national statistics. The field of tech particularly exemplifies this disparity, with qualified female candidates often passed over in favour of male candidates, and women earning less money and being hired more often than men in non-technical roles. This is in addition to the harassment regularly directed at women in the workplace.
In showing that we actively stand against discrimination we believe, as a first step, that the DDoW campaign being organised on February 23rd is a positive way to bring attention to these important issues. Furthermore, eQualit.ie pledges to develop and keep defining standards of fairness and diversity as we move forward, to keep taking necessary steps to show that despite statistics and biased industry standards, we are committed to living up to our name and doing our work in an inclusive environment.
Are you or your organisation taking part in the Distributed Denial of Women campaign? Let us know!
Read More

Who bytes your bits? – digital security training in Toronto

On the 9th February eQualit.ie’s director Dmitri Vitaliev will lead a digital security training for high-risk journalism hosted by journalist Susana Ferreira as part of #OffAssignment Toronto, a series of workshops and talks for freelance journalists and independent media-makers in Toronto, and organized with the support of CJFE at the DAIS Tkaronto Gallery in Toronto from 6:00 PM to 9:00 PM EST.

If you document or investigate sensitive subjects, knowing how to protect your contacts, your data, and your communications is crucial.

The training will focus on the following topics:

  • Introduction: Defining risk in the digital age
  • Network surveillance and profiling
  • Introductions to secure communications
  • Standard disk encryption options for your computer and phone


Slides for download

Read More

Deflect in 2016 – an overview

In 2016, Deflect set some records and helped defend online voices against some record breaking attacks. Throughout the year, Deflect served a bit less than 2% of the population connected to the Internet in 2016, published 3 DDoS analytic reports, mitigated the strongest DDoS attack that ever targeted our network, renewed its funding and began to look for new revenue-generating opportunities, and added some excellent people to the team, including more sysops to offer 24/7 support and a business development manager to make sure that our infrastructure will keep existing also in the long term.

In 12 months, the Deflect network received 8.7 billion hits from 64.4 million users. At the same time, Deflect mitigation tools banned 259,514 unique bot IPs, scoring 6.3 million banning events. Visitors of Deflected websites originated primarily from Ukraine (41.13%), Mexico (23.24%), the United States (19.94%), the Russian Federation (7.98%), and Turkey (7.72%).

In March we published the first Deflect Labs report, covering attacks against Kotsubynske, a Ukrainian independent media outlet battling corruption at the local council. This was a first test of the software and infrastructure we had developed over six months. As we would find out later, Deflect was pivotal in making sure that one of the directors of Kotsubynske got re-elected to his town council to continue asking questions and weeding out the truth. The group’s efforts are now being replicated in a dozen different towns across Ukraine. It confirmed our initial hypothesis of turning the tables on our clients’ adversaries by shining a light on their methods and provenance, and improving advocacy for the target website.


In April we released the world’s first free, secure and open source WordPress hosting framework, called eQPress and available for free to any group that meets Deflect’s eligibility criteria. In another moment of inspiration, we compiled our sysadmin knowledge into a set of Ansible recipes, allowing anyone to provision a secure communications server, in a project called Caislean.

In June Deflect Labs published its second report, covering attacks against the BDS movement and correlating the behaviour of a particular botnet to incidents involving other organizations working in the region. As could be expected, the topic of the Israel-Palestine conflict generated a lot of media coverage, which helped promote the ideas and tools proposed by the project.

In late June, the Deflect project received a much needed funding top-up, allowing us to keep doing our work and further improve our infrastructure and tool set. This time we focused on usability: starting in late summer and throughout the autumn, the Deflect Dashboard underwent a major overhaul, including automation of processes, a streamlining of communications with users, new statistics in the Deflect Dashboard, and a new TLS/SSL system that allows us to create Let’s Encrypt certificates to secure connections to Deflected websites, while our users can keep their server certificates private.

In late September the team gathered in the mountains of Quebec for a company retreat. During this week people who are normally scattered all over the planet got to meet each other in person, relax together, refine our workplan and discuss strategies. One of the results of the retreat we are particularly proud of is the final version of the Deflect Terms of Service and Privacy Notice.

In October Richard, our technical project manager, presented Deflect at the Freedom Online Coalition, outlining Deflect’s positive impact on the work of civil society.

Six months of research and analytic work finally resulted in the publication of our third and most detailed Deflect Labs report covering attacks against the Black Lives Matter movement. Published on the 13th December, the report was covered by a feature in Ars Technica and articles in other media. This coincided with the release of our botnet behavioural classification library, Bothound. We will follow up with a set of standards for responsible data sharing among mitigation providers in 2017.

The challenges in the sphere of web security are never-ending, and last year we saw DDoS attacks grow stronger and stronger, reaching an unprecedented peak of 1.2 terabits per second and taking down important web services in entire world regions. But as Deflect Labs’ 3rd report shows, DDoS attacks don’t need to be huge or to rely on advanced techniques to be successful – silencing online voices has become so easy and cheap that Brian Krebs is talking about a “democratization of censorship”. To fight this alarming trend, and safeguard freedom of speech, we need to join forces with as many actors as possible within the civil society and the community of web security and mitigation experts. Creating a wide network defending a free internet, and sharing resources to offer a better protection is our hope for this year. Get in touch if you’d like to contribute!

Read More

Deflect Stats December 2016

In December 2016 the Deflect network recorded a slight increase in the number of total hits as compared to the previous month, with a comparable number of unique visitors and banning events. Overall, our edges served 635.4 million pages to 9.6 million unique visitors and banned 36,681 bots.


Hits recorded by the Deflect network in December, divided by country: last month, Deflect served pages mainly to Ukraine, the United States and the Russian Federation, with Turkey often peaking to the second position.

Countries of origin of visitors of deflected websites in December 2016: Ukraine (27.61%), Turkey (16.89%) and the U.S. (9.98%) are as usual the first 3 countries from which requests originate, closely followed by Russia (8.56%), Saudi Arabia (8.52%), and the Syrian Arab Republic (7.75%).

Statistics on bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from the Deflect network, followed by Russia and Turkey.

The following pie charts offer some more details on Deflect’s cache response and our visitors’ operating systems.

In December over 80% of the requested content was cached in the Deflect network and promptly served to visitors. Only 18.95% of the resources had to be retrieved from the origin servers hosting the websites.

From what we can see in the pie chart on visitors’ operating systems, mobile devices are getting established as web browsing tools. In December 44.79% of our visitors were using a mobile device and 44.17% were using a pc. By the way, 6.67% of our visitors are still using Windows XP although its support has ended.

December attacks

In December the Deflect network automatically mitigated all DDoS attempts targeting deflected websites, including a couple of stronger incidents on the 14th and the 24th.

Graph of banning events in December, with a notable spike on the 14th.

Dividing the above graph by country, we can see that most banning events on the 14th December spike were triggered by requests originating from Germany.

Number of unique IPs banned last month with a clear peak of banned bots on the 24th December.

In this graph on banned unique IPs by country, we can see that the bots targeting a deflected website on the 24th December originated in great part from the United States, with a large proportion from Germany and the Russian Federation too.

Let’s have a closer look at December’s DoS incidents starting from this graph, which shows that “WordPress” is losing favour among DDoSers and botherders as a user agent name, while “Firefox”, “Chrome” and “Safari” are becoming more frequent.

Nevertheless, we can see a spike in “WordPress” user agents in the graph on banned unique IPs, probably suggesting that the DDoS attempt on the 24th December was using a WordPress Pingback reflective attack.

A closer look at the incidents recorded on the 14th and 24th December explains why the first is more visible in the graph on banning events, while the second emerges especially in the graph on banned unique IPs:

On the 14th December a limited number of IPs, mostly located in Germany, was repeatedly banned over several hours.

On the 24th December over 1,600 bots, located in great part in the United States, were banned during a brief attempt at DDoSing a deflected website.

The bots used in the 24th December DDoS attack were using a “WordPress” user agent. This was probably a WordPress Pingback attack, exploiting a known vulnerability of WordPress.

Read More

Deflect Stats November 2016

In November the Deflect network served pages to many legitimate visitors interested in breaking news reported by deflected websites, and mitigated automatically some intense attacks.


During the month, Deflect served 585 million pages to 9.8 million visitors, with a slight increase of unique IPs as compared to our October statistics, suggesting a rise in the number of our legitimate visitors despite the decrease in the total number of requested resources. This is also reflected by the statistics on banned bots, which dropped from 50,323 in October to 38,740 in November.


Daily hits on the Deflect network, by country: in November, visitors of websites protected by Deflect originated from Ukraine, the USA and Turkey, closely followed by Russia, which became the second country of origin of requests on the 22 November.


Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia, which rises to the second position on the 22 November.


November statistics on unique visitors of websites protected by Deflect are topped by Turkey, Ukraine and the United States. On the 22 November the Russian Federation topped the statistics rising to the first position.

As in August, the peak in legitimate requests we recorded last month was linked to news from Uzbekistan, which also explains why we can clearly see a higher number of hits from a country where the internet, and most of the websites protected by Deflect, are censored for common citizens (but probably not for members of government and connected people).

Beyond the number of unique visitors and requests, here are two pie charts describing Deflect’s cache response and our visitors’ operating systems.


In November, nearly 80% of the pages we served were cached in the Deflect edges. We had to get a copy from origin web servers for less than 20% of the requests we received.


The pie chart on operating systems used by visitors of deflected websites in November shows that the trend we observed last month is unchanged: with Android at 37.03%, iOS at 8.7% and Windows at 39.29%, mobile devices (45.73% total) are apparently being used as much as, if not more than, PCs (43.38%) to browse sites protected by Deflect.

November attacks

In November Deflect automatically mitigated all DDoS incidents targeting our network, including one major attempt on the 15th November that didn’t last long, possibly because it was being blocked by our edges.


Bots used in these attacks originated mostly from the US, Germany and the Russian Federation. One detail sets apart last month’s statistics from what we observed in the previous months — WordPress doesn’t appear among the most used user agents in botnets, which suggests a change in attack methods.

November stats on the countries of origin of bots are mostly unchanged in comparison to previous months. A singular detail is the “Anonymous Proxy” that can be spotted in the list of countries.

During the short but intense attack Deflect mitigated on the 15th November, what triggered the bans were mostly a user agent string that is known to be used in botnets and a high number of GET requests sent to the root directory of the targeted website.
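Detection logic for the two ban triggers named here (a user agent known from botnets plus a burst of GET requests to the site root) and for the WordPress pingback pattern behind the 24th December incident in the previous post, as an added example that is not Deflect's own Banjax code. The log lines, IP addresses and threshold are constructed; the pingback user-agent format mirrors the "verifying pingback from" string WordPress sends:

```python
"""Ban-trigger detection over constructed edge log lines (added example).
Not Deflect's Banjax code. Implements the two signals the stats above cite:
a user agent characteristic of WordPress pingback reflection and a burst of
GET requests to the site root from one IP. The UA format mirrors the
"verifying pingback from <ip>" string WordPress sends; all IPs and lines
here are constructed (RFC 5737 documentation ranges).
"""
import re
from collections import Counter, defaultdict

# nginx/Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
PINGBACK_UA = re.compile(
    r'^WordPress/[\d.]+; https?://\S+; verifying pingback from (?P<src>\S+)$'
)


def _line(ip, ts, path, ua, status="200"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 5120 "-" "{ua}"'


FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0"
PINGBACK = "WordPress/4.6.1; http://reflector-{n}.example; verifying pingback from 198.51.100.7"

SAMPLE_LOG = (
    # a legitimate reader browsing articles
    [_line("198.51.100.23", f"24/Dec/2016:10:00:0{i} +0000", f"/news/item-{i}", FIREFOX) for i in range(5)]
    # reflection: forty distinct WordPress sites, each hitting "/" once
    + [_line(f"203.0.113.{n}", "24/Dec/2016:10:00:05 +0000", "/", PINGBACK.format(n=n)) for n in range(1, 41)]
    # 14 December pattern: one IP hammering the root path with a browser UA
    + [_line("192.0.2.44", f"14/Dec/2016:11:00:{i:02d} +0000", "/", FIREFOX) for i in range(60)]
)


def classify(lines, root_get_threshold=30):
    """Return ({ip: [reasons]}, Counter of addresses named in pingback UAs)."""
    reasons = defaultdict(set)
    root_hits = Counter()
    pingback_sources = Counter()  # forensic lead: who submitted the pingbacks
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the ban loop
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        pb = PINGBACK_UA.match(ua)
        if pb:
            reasons[ip].add("wordpress-pingback-ua")
            pingback_sources[pb["src"]] += 1
        if method == "GET" and path == "/":
            root_hits[ip] += 1
    for ip, n in root_hits.items():
        if n >= root_get_threshold:
            reasons[ip].add("root-get-flood")
    return {ip: sorted(r) for ip, r in reasons.items()}, pingback_sources


def banned_ips(lines, **kw):
    """IPs that hit at least one trigger; the reflecting WordPress sites count too."""
    return sorted(classify(lines, **kw)[0])
```

The reflecting WordPress sites are banned as traffic sources, while the address recorded in their user agents is the lead an analyst follows, which is the kind of forensic trail the Deflect Labs reports build on.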

User agents used by banned bots in November: WordPress is not one of the most frequent user agents in DDoS attacks, where we observe a prevalence of browser user agent names.

Read More

Deflect Stats October 2016

In October Deflect’s metrics kept following the trend we had seen in September, with comparable figures in terms of unique visitors (9.3 million) and a slight increase in total hits (632.8 million requests reaching our edge servers), but with almost twice as many bots identified and banned by Deflect’s banning system – 50,323 bots against 27,238 in September. This means that deflected websites attracted a lot of legitimate visitors, but that we also had to mitigate stronger DDoS attacks.


Looking at some more detailed graphs dividing Deflect’s metrics by country of origin of our visitors, we can see that while Ukraine and the United States keep topping the scores as in previous months, the peak of visits originating from Russia in August and September has been subsiding in favour of Turkey.


In October, requests received by the Deflect network originated mostly from Ukraine, the US and Turkey.


October bandwidth usage on the Deflect network: Ukraine and the USA keep their first and second position respectively, with Turkey rising back to the third place as in the summer months, though still closely followed by Russia.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria peaking above Turkey on some occasions.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria rising above Turkey in the first half of the month.



In October 78% of the requested content was cached in Deflect’s edge servers. We had to retrieve a copy of the pages from origin for around 20% of the requests we received.


Among the changes we have seen in October’s statistics, probably the most interesting is this pie chart on operating systems used by visitors of deflected websites. For the first time, we see Android overtaking Windows, even if only by a few decimal points. With a 37.5% slice of Android users and an 8.5% slice of iOS users, there are nearly as many mobile devices as there are personal computers accessing the websites protected by Deflect.


October attacks

Deflect mitigated some major attacks around mid-October. Two websites were targeted in particular, and the method was most probably a common WordPress pingback reflective attack.



Number of banning events by country. The peak of banned bots originating from the USA corresponds to the intense attacks Deflect mitigated between the 13th and 15th October



Most bots identified and banned by Deflect during the month of October were characterized by a “wordpress” user agent – this is common in WordPress pingback reflective attacks


The most intense DDoS attempt this month targeted the official Black Lives Matter website, which has been under attack for months, as we will describe in the new Deflect Labs report that will soon be published.

As we have often seen in DDoS attacks against Black Lives Matter, the botnet originated in great part from the United States, and was characterized by a large number of bots masquerading themselves with a “spider” user agent device and a “wordpress” user agent name.


Between the 13th and 14th October, most bots banned by Deflect originated from the US


blm-banjax_uaname-trigger

What triggered the banning events in the two peaks of the attack were mainly WordPress user agents

Towards the end of the month, we were struck by news of another DDoS attack elsewhere on the internet. On the 21st October a record-breaking DDoS attack against the domain name provider Dyn caused an outage that made important websites like Twitter, Reddit or Spotify unreachable for several hours on the East Coast of the United States and in Japan. As in the September attack against KrebsOnSecurity, this attack exploited Internet of Things devices through malware called Mirai that had just been released to the public. As Bruce Schneier concludes in his post on this episode and the lessons we can learn from it, DDoS attacks are likely to become stronger and stronger. If you defend human rights, fight for social justice or produce independent media, consider protecting your website under Deflect!

Deflect Stats September 2016

In September, Deflect metrics grew as new websites joined the service and a popular Syrian website rejoined Deflect to ensure an uninterrupted news stream on the regional conflict. In other news, the Internet witnessed the largest ever DDoS attacks, surpassing 600 Gbps and then 1 terabyte of traffic per second. These events followed the leaks of an online DDoS service, called vDOS. We ingested and visualized the leaked database, presenting some findings below for your perusal :)

september_metrics

Overall, the Deflect network served 623.2 million pages to 9.3 million unique visitors and our banning mechanism banned 27,238 bots. Let’s break up these statistics to put the figures in context and give them meaning:

sept_deflect_uniqueips_by_country

While Ukraine is, as usual, the first country of origin of unique visitors of deflected websites, in September the United States lost second place to Turkey.

sept_hits_by_country

As regards daily hits on the Deflect network, the rise in requests from the Russian Federation we had observed at the end of August continued in September, when Russia became the third country of origin, after Ukraine and the USA.

sept_deflect_bandwidth_by_country

September’s statistics on bandwidth usage match the trend we have observed in the graph on daily hits: Ukraine and the USA are as usual the first two countries, followed by Russia.

In September we also observed an improvement in our cache response: as you can see in the pie chart below, around 82% of the pages we served were cached in our servers, while we had to get a copy from your websites for approximately 17% of the requests we received.

sept_cache_response

Our stats on the operating systems used by visitors of deflected websites suggest that the usage of Android is spreading, from around 25% in the last few months to nearly 35%, while the quantity of Windows users has shrunk from around 50% to 39.34%. We are glad to see that the slice of pie corresponding to the obsolete Windows XP is getting smaller and smaller (6.42% last month) — we hope it will soon disappear altogether from our graphs!

sept_deflect_os_name

September attacks

Last month Deflect automatically mitigated several DDoS attempts, with three websites targeted in particular.

sept_bans_by_country

A vast majority of the bots banned by Deflect in each of the three incidents appears to have originated from the United States.

sept_bans_by_country_1

sept_bans_by_country_2

sept_bans_by_country_3

A split visualization of the major incidents targeting three deflected websites divided by country of origin of the bots shows that in each case the main country of origin was the United States. Another common feature we have observed in most of these DDoS attempts is the method used to launch the attack – the common WordPress Pingback reflective attack method we have often reported about lately.

sept_bans_ua_name

Another attack gave us a lot of food for thought in September. Although it wasn’t targeting the Deflect network, it marked a turning point in the history of DDoS attacks and online censorship. The attack targeted independent journalist Brian Krebs’ website KrebsOnSecurity, an important source of digital security news that had recently reported on the hack of a DDoS-for-hire business known as vDOS. In the leaked vDOS database, one of our clients appeared in the target list. Otherwise, we saw that the most commonly requested attack method was DNS (likely reflection) and that the majority of vDOS clients were from China, attacking websites that were also from China.

target_countryvsclient_country

attack-type

client_cityvstarget_isp

What made this attack particularly concerning was its unprecedented intensity: 620 gigabits per second of data were thrown at the website continuously for hours, until Akamai, a network provider that was supplying KrebsOnSecurity DDoS mitigation services for free, decided that it was unsustainable for them and their clients to keep protecting Krebs’ website from that onslaught.

Read more about the attack on KrebsOnSecurity in this article, which also explains how its huge botnet was made up of Internet of Things devices: common routers, printers, CCTV cameras and the like. The code used to create that botnet has now been released, and similar attacks will probably become more and more frequent. As Brian Krebs himself has noted in this post, which is well worth reading, we are witnessing an alarming trend towards all-pervasive internet censorship. DDoS attacks are expected to become more and more intense in the future. Any website could be targeted, especially those that cover news from an independent point of view or support a hard-fought cause. DDoS mitigation is much more effective if a website is protected in advance. If you defend Human Rights, run a civil society organisation or produce independent media, consider registering your website on Deflect now :)

Deflect Stats August 2016

“No news is good news” in the DDoS mitigation game, and this is what we were hoping for in August 2016. We decided to capitalize on this opportunity and focus the team on new developments supporting free Let’s Encrypt certificates for all Deflect clients, as part of the TLS/HTTPS system.

Then, on the 29th everything changed, as one of our oldest clients, Ferghana News, was the first media outlet to report on the death of the president of Uzbekistan, several days before the official announcement. The bottom line is that Deflect’s statistics for August 2016 show what happens when no important DDoS attack hits our edges and, at the same time, some of the websites we protect get a lot of traffic from human visitors who are interested in news they have published.

aug_metrics

In comparison with the previous month, in August we recorded a decrease in our total metrics, falling even below the figures we saw in the uneventful month of June, but at the end of the month we experienced a sudden peak that brought our monthly statistics back in line with recent trends. Overall, Deflect served 474 million pages to 7.7 million visitors. Meanwhile Banjax, our banning system, banned 20,294 unique IPs.

aug_uniqueips_by_country

August statistics on unique visitors of websites protected by Deflect are topped as usual by Ukraine, followed by the United States and by the Russian Federation, which peaks above every other country towards the end of the month.

aug_bandwidth_by_country

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia as in July. The peak at the end of the month corresponds to an increase in bandwidth usage by Russian IPs.

aug_hits_by_country

Daily hits on the Deflect network, by country: visitors of websites protected by Deflect originate as usual from Ukraine, the USA and Turkey, but at the end of the month connections from the Russian Federation rise above all the others.

Dividing Deflect hits by requested websites, we can see that a large part of this increase is connected to Ferghana News, one of the most popular news outlets dealing with Central Asian countries, which was reporting about the death of the president of Uzbekistan in those same days.

aug_hits_uzb1

August total requests for Ferghana News

aug_fergana_by_country

Connections to Ferghana News in August divided by country

Analysing this peak of connections by country of origin, it is clear that the news published on Ferghana News attracted a lot of attention from Central Asian countries, including Uzbekistan, where the website is actually blocked for ordinary citizens (but apparently not for government officers and powerful people). This is a common occurrence in censoring countries, where citizens are stopped from accessing information but rulers know very well how much value an open internet can bring.

aug_fergana_russia

Connections to Ferghana News from the Russian Federation in August

aug_fergana_uzbekistan

Connections to Ferghana News from Uzbekistan in August

aug_fergana_kyrgyzstan

Connections to Ferghana News from Kyrgyzstan in August

aug_fergana_tajikistan

Connections to Ferghana News from Tajikistan in August

Finally, here’s our monthly pie chart on our visitors’ operating systems. Fortunately, the usage of Windows XP keeps falling (7.58% against 8.13% last month), but overall statistics on the operating systems used by our visitors are unchanged, with about half the connections originating from a Windows system, a quarter from Android devices, less than 10% from iOS devices and just a tiny fraction of users choosing Linux or even Mac.

aug_os_name

August attacks on the Deflect network

In August, Deflect didn’t experience any noteworthy attacks on its network, and all DDoS attempts were mitigated automatically.

aug_banjax_uniqueips_host

Number of banned IPs in attacks against single websites protected by Deflect

Even at their peaks, the attempts to attack websites protected by Deflect involved no more than a couple of thousand bots. From their most common user agents and from the elements triggering our banning system, we can conclude that the most common method used these days to launch DDoS attacks is the WordPress Pingback reflective attack, which we have described in each of our reports over the last few months.

aug_ddos1_trigger

Triggers that activated Deflect’s banning system in August

aug_ddos1_uaname

User Agents used by bots banned by Deflect in August

aug_ddos2_uaname

In one of the attempts at attacking a website protected by Deflect in August, a vast majority of bots masqueraded themselves as a “wordpress” User Agent.

Deflect Stats July 2016

From what we can conclude from our statistics, during the month of July bot controllers must have come back from their holidays, since the traffic on the Deflect network has started to increase again and we have witnessed one of the most intense bursts of DDoS attacks we had observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 million vs. 514.1 million in June) and unique visitors (8.8 million vs. 7.8 million in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events against 33,637 bans in June, and 52,034 unique IPs banned against 2,915 during the previous month.

metrics_july

A notable increase was recorded also in our bandwidth usage, which peaked at 18.7TB from an average monthly usage of about 13.6TB reached in the previous quarter.

bandwidth_usage_july

bandwidth_may-jul

Daily bandwidth usage on the Deflect network between May and July

Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.

uniqueIPs_by_country

In July, unique visitors of websites protected by Deflect connected mostly from Ukraine, followed by Turkey and Germany

hits_by_country

Daily hits on the Deflect network, by country: also in July, the main country of origin of visitors of deflected websites was Ukraine, followed by the USA and Turkey. The peak on the 10th of July confirms that the DDoS attacks we helped mitigate on that day originated mostly from the United States

bandwidth_by_country1

Bandwidth usage by country of requesting IP. Once again, Ukraine and the USA are the first two countries requesting resources from deflected websites. Note the peak of requests originating from the United States on July 10th

Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and by iOS with 9.28%. The amount of connections from Windows XP has luckily reduced from 10.18% last month to 8.13% in July, but still the same recommendations we gave in the post on June statistics apply to anyone who’s still running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!

UAOS_pie_chart

From the statistics on requested resources, we can also visualize what kinds of contents are being requested, with over half of the connections requesting text and images from websites.

content_pie_chart

July attacks on the Deflect network

Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.

bans__jul

Banning events during the month of July on the Deflect network

bans_by_host_jul

Banning events by host: this month 2 deflected websites were targeted in particular

bans_by_country

Banning events divided by country. The peaks corresponding to the main attacks we mitigated, on the 10th and on the 18th-19th July, all originated mostly from the USA

As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress Pingback reflective attack method. This can be seen in the graph on the user agent declared by banned bots in the peak corresponding to the attack, where the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.

A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.

bans_UAname

Banning events by user agent name: bots used in the attacks were declaring a “wordpress” UA

UA_name

Total hits to the Deflect network divided by user agent: while most of the connections to deflected websites originate from Google Chrome browsers, during the attack we observed a peak of “WordPress” UAs

UA_name_WP

Total hits to the Deflect network divided by user agent: the peak of “WordPress” UAs observed during the attacks is highlighted

The main incident observed on the 10th July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their old WordPress UA, despite the fact that the bots were masquerading as “spiders”.

BLM_july_trigger

What triggered our system to ban bots during the 10th July attack was mainly an old WordPress UA

BLM_july_UAdevice

Bots taking part in the WordPress pingback attack against the BLM website were identifying themselves with a “spider” user agent device

Deflecting cyber attacks against the Black Lives Matter website

Last week and throughout the weekend, Deflect helped mitigate several DDoS attack bursts against the official Black Lives Matter website. At current estimates over 12,000 bots pounded the website just over 35 million times in 24 hours. An unusual trait of this attack was the prevalence of malicious connections originating from the US. An in-depth analytic report will follow this prima facie bulletin.

hits_BLM

Hits against the BLM site

unique_ip_country

All unique visitors (IP) by country

unique_bots_by_country

Unique bots (IP) by country

The Black Lives Matter website had already been attacked in May using a similar method of a WordPress Pingback reflective attack and similarly an unusually high percentage of bots from the US.

unique_ip_banned_ddosrule

Deflect banning rules triggered by the attacks

Despite its intensity, the attack was successfully contained by Deflect, and the Black Lives Matter website remained functional and accessible throughout much of the weekend. Black Lives Matter has released an official statement on this incident together with eQualit.ie, Design Action Collective and May First/People Link:

Keeping a website available when attackers are seeking to take it off-line is essential for many reasons. The most obvious is the importance of protecting the fundamental right to human communication. But the specific targeting that characterizes recent DDOS attacks (on networks supporting reproductive rights, Palestinian rights and the rights of people of color) highlights this type of on-line attack as part of the arsenal being used to quash response and social change movements.

DDOS attacks will increase as our protests and organizing increases and so must our movements’ ability to resist them and stay on-line. The collaborative work that spawned the response to this attack is both an example of this protective effort and yet another step in improving it and making it stronger.

Our organizations work in different areas with different programs but we are united in our commitment to vigorously preserving our movements’ right to communicate and defeating all attempts to curtail that right. Without the ability to communicate freely, we can’t organize and, if we can’t organize, our world can never be truly free.

Read the Statement on the Recent Attacks on Black Lives Matter’s Website.

We are in the process of studying and classifying these attacks using Deflect Labs technology and aim to publish the results in our next Deflect Labs report.

Deflect Stats June 2016

If any conclusion can be drawn in comparing this month’s statistics with the rest of the year, it’s probably that hot weather is also discouraging to those bot controllers launching DDoS attacks! The month was rather uneventful on the malicious side of things, but the team worked in earnest to improve our mitigation mechanisms, including threat detection and banning systems… because, you know, winter is coming.

june_metric

During the month of June, Deflect served almost 8 million unique visitors. Our DDoS mitigation system identified 2,885 IPs as bots, a significant decrease compared to previous months.

Overall, the distribution of visitors and bandwidth usage by country has not changed much in comparison to last month.

june_hits_by_country

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

june_unique_visitors_by_country

Unique visitors of deflected websites connect mostly from Ukraine, this month followed by Germany and by a tie between the USA and Turkey

Hits during this month by the most popular content type requested

A more careful look at our visitors’ user agents shows a regular pattern in the usage of operating systems: as usual, Windows is the most used OS, followed by Android with everything else trailing well behind.

june_deflect_uaOS

The real conundrum is illustrated by the following pie chart: how is it possible that in 2016, more than 2 years after its support ended, so many of our visitors still use Windows XP? If you are using it, we strongly recommend to update your system to a newer version of Windows or to switch to Linux (also to make our pie charts a bit more varied!).

june_deflect_uaOS_winXP

June attacks on the Deflect network

This month the Deflect network didn’t face major incidents, and the few DDoS attacks that targeted deflected websites were mitigated automatically.

june_banjax_by_country

Banning events on the Deflect network divided by country

Bots captured this month as identified by the rules they violated

Most of the bots this month were captured using automatic and hard coded mitigation methods. A few required the deployment of a reverse SHA challenge

Bots this month as sorted by those requesting content (GET) and sending content (POST)

The main incident was observed on the 2nd June. It lasted a few hours and was caused by a smaller botnet made up of around 300 bots that attacked a Ukrainian website. As usual, the method was a WordPress Pingback reflective attack.

2june_ddos_ua_name

The main user agent name used by the bots involved in the 2nd June DDoS attack was “wordpress”

This method, which we often observe in our everyday activity, exploits the WordPress Pingback feature to attack websites, and any WordPress-based site can be affected unless it is adequately secured.

To check if your WordPress website has been used to attack others, you can use this tool. But if your website runs on WordPress, what’s most important is to secure it against this kind of attack. It isn’t difficult: you just need to install a plugin called Disable XML-RPC Pingback on your website. This will make it impossible for attackers to exploit the WordPress Pingback feature to attack others.
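As an added example (not Deflect’s or Banjax’s code), here is a small detector that picks the WordPress pingback verification user agent out of constructed access-log lines, counts hits per reflecting site and groups reflectors by the IP they report having received the pingback from; the hostnames, IPs and banning threshold are all made up.

```python
"""Flag WordPress pingback reflection traffic in web server access logs.

Added example, not Deflect's or Banjax's code. The log lines are constructed.
When a WordPress site verifies a pingback it fetches the claimed source URL with
the user agent "WordPress/<ver>; <site url>; verifying pingback from <ip>",
where <ip> is the address of the XML-RPC client that submitted the pingback.
A reflected pingback flood therefore arrives with a "wordpress" user agent,
which is why that user agent is such a useful banning trigger.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User agent WordPress uses while verifying a pingback.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+); '
    r'verifying pingback from (?P<claimed>\S+)$'
)

# Constructed sample: two reflectors driven by one XML-RPC client, one human
# visitor, and one genuine single pingback verification from a blog.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2016:14:02:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.5.3; http://reflector-a.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Jul/2016:14:02:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.5.3; http://reflector-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Jul/2016:14:02:02 +0000] "GET /?1234 HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://reflector-b.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Jul/2016:14:02:03 +0000] "GET /?9 HTTP/1.1" 200 5120 "-" "WordPress/4.5.3; http://reflector-a.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [10/Jul/2016:14:02:03 +0000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0"
192.0.2.45 - - [10/Jul/2016:14:02:04 +0000] "GET /post/123 HTTP/1.1" 200 8000 "-" "WordPress/4.5.3; http://blog.example; verifying pingback from 192.0.2.45"
"""


def parse_line(line):
    """Parse one combined-format line; attach the pingback fields if the UA matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pb = PINGBACK_UA_RE.match(rec["ua"])
    rec["pingback"] = pb.groupdict() if pb else None
    return rec


def analyse(log_text, threshold=3):
    """Count pingback verifications per reflecting IP and per claimed client IP.

    threshold: number of pingback fetches from one reflector (constructed value)
    above which it is listed as a ban candidate.
    """
    per_reflector = Counter()          # source IP -> pingback fetches
    orchestrators = defaultdict(set)   # claimed client IP -> reflectors reporting it
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["pingback"] is None:
            continue
        per_reflector[rec["ip"]] += 1
        orchestrators[rec["pingback"]["claimed"]].add(rec["ip"])
    return {
        "total_hits": total,
        "pingback_hits": sum(per_reflector.values()),
        "reflectors": dict(per_reflector),
        "ban_candidates": sorted(ip for ip, n in per_reflector.items() if n >= threshold),
        # Many distinct reflectors naming the same client IP points at one orchestrator
        # (or a proxy in front of it); a lone reflector naming itself is ordinary blogging.
        "orchestrators": {ip: len(refs) for ip, refs in orchestrators.items()},
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```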

If you want to secure your WordPress-based website against any kind of attack, Deflect can help: eQPress is our secure hosting platform based on WordPress, where you can either migrate your website or create one from scratch. Visit eQPress’ website for more details.

Deflect Stats May 2016

May 2016 was an interesting month for Deflect. We began the month with two intense attacks that required our team’s intervention right in the middle of May Day. After this, the month unfolded with a series of smaller attacks against the same websites, which were by then automatically mitigated by the Deflect network without requiring further effort. Traffic figures were comparable to those recorded in April.

metrics

During the month of May, Deflect served 600 million pages to 8.7 million unique visitors. Our DDoS mitigation system also banned 14,579 IPs identified as bots.

hits_by_country

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey.

bandwidth_by_country

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia.

UA_OS

Windows remains the most common operating system among Deflect readers this month too, closely followed by Android devices. We still see a substantial amount of Windows XP users several years after Microsoft pulled support for this operating system.

As shown in the pie chart below, also in May, as in April, around 70% of the pages we served were cached in our servers, while we had to get a copy from our users’ websites for approximately 20% of the requests we received.

cache_response

Deflect’s caching system responses for the month of May

May attacks on the Deflect network

On May Day Deflect mitigated two strong attacks that required our staff’s intervention.

DDoS_by_host

DDoS attacks mitigated by Deflect in May 2016 targeted mainly two websites

Several incidents observed during the month were using the WordPress Pingback reflective attack method, which is very common and which we often encounter in our day-to-day work. This is the method used in one of the strong attacks we mitigated on the 1st May, when thousands of bots attacked the targeted website for most of the day, up to midnight. Although we have seen much larger botnets attacking our protected websites, this one hit with short peaks of high intensity, forcing us to intervene manually in order to trigger an earlier blockage of these requests and make sure they couldn’t reach the origin server, as well as to reduce the load on our servers. Since the WordPress Pingback attack uses any WordPress website available anywhere on the web to create a botnet, it was impossible for us to identify a main country of origin for this attack.

By deploying the Banjax Challenger, we eliminated all the bots requesting these pages.

WPattack

Among the UAs used by bots in May 1st attacks, a large number identified themselves with a “wordpress” user agent name

One of the websites targeted by the May Day DDoS attacks was blacklivesmatter.com, which was attacked again during the rest of the month, in particular on the 9th and 21st May. These attacks were based on different methods: while in the latter cases a common WordPress pingback attack method was used, on May 1st the attackers flooded the site with GET requests to its root path (“/”), coming from various locations across the world. Deflect automatically mitigated the second and third attacks, but the first one, which lasted 2 hours with a fairly steady level of 8000 hits per minute, managed to take the server down despite a lot of content being served by Deflect’s edge servers. We will be investigating these attacks in more detail with the aim of publishing our analysis in a Deflect Labs report.

BLM_trigger

The triggers that alarmed our botnet detection system during the DDoS attack on Black Lives Matter’s website

Deflect Labs Report #2

Botnet attack analysis of Deflect protected website bdsmovement.net

This report covers attacks between February 1st and March 31st of six discovered incidents targeting the bdsmovement.net website, including methods of attack, identified botnets and their characteristics. It provides detailed technical information and analysis of trends with the introduction of the Bothound library for attack fingerprinting and botnet classification. We cluster malicious behaviour on the Deflect network to identify individual botnets and employ intersection analysis of their activity throughout the documented incidents and further afield. Our research includes discovered patterns in the selection of targets by the actors controlling these attacks.

Deflect is a website security project working with independent media, human rights organizations and activists. It offers DDoS mitigation, secure hosting and attack analytics, free of charge to qualifying organizations. All of our tools are open source and we operate according to principles promoting the privacy of our clients. Deflect is a project of eQualit.ie, a Canadian not-for-profit organization working to promote and defend human rights in the digital age.

Navigation links: Attack Profile; Botnet profile; Botnet target selection; Botnet behaviour comparison; In-depth incident analysis; Report conclusions

General Info

The Boycott, Divestment and Sanctions Movement (BDS Movement, bdsmovement.net) is a Palestinian global campaign, initiated in 2005. The BDS movement aims to nonviolently pressure Israel to comply with international law and to end international complicity with Israel’s violations of international law. Their website has been protected by Deflect since late 2014 and has frequently been attacked.

Graph 1. Timelion graph showing the average hits per day in the period of February 1 to March 31 (in red) and the moving average + 3 standard deviation (in blue).

Attack Profile

During February and March of 2016, there were 6 recorded incidents against the target website. The Deflect Labs infrastructure allows us to capture, process and profile each attack, analysing unique incidents and intersecting findings with a database of profiled botnets. We define the parameters for anomalous behaviour on the network and then group (“cluster”) malicious IPs into botnets using unsupervised machine learning algorithms.

Graph 2. Total hits to the website, by country of origin. The spikes represent attacks investigated in this report

Graph 3. Prevalence of WordPress pingback attacks during the six incidents

We define each incident by wrapping it inside a given time frame, record the total number of hits that reached the website during this time and use our analytic tool set to separate malicious requests made by bots from genuine everyday traffic.
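The anomaly threshold behind Graph 1 (moving average plus 3 standard deviations) and the wrapping of flagged days into incident time frames, as an added example over a constructed daily-hits series (not Deflect’s Timelion setup); it goes one step beyond the graph by leaving already-flagged days out of the baseline, so that the first spike does not inflate the threshold and hide the next day’s attack.

```python
"""Flag anomalous days in a daily-hits series and wrap them into incidents.

Added example, not Deflect's Timelion configuration. The series is constructed.
Threshold for a day = mean + k * std of the last `window` days judged normal;
flagged days are excluded from that baseline on purpose (see flag_anomalies).
"""
from statistics import mean, pstdev

# Constructed daily hits: ten quiet days, a two-day incident, then one quiet day.
SAMPLE_DAILY_HITS = [100_000, 110_000, 95_000, 105_000, 100_000, 98_000, 102_000,
                     100_000, 105_000, 97_000, 880_000, 650_000, 104_000]


def flag_anomalies(series, window=7, k=3.0):
    """Return the indices whose value exceeds mean + k*std of the baseline window."""
    baseline = []   # recent values judged normal
    flagged = []
    for i, value in enumerate(series):
        if len(baseline) >= window:
            recent = baseline[-window:]
            threshold = mean(recent) + k * pstdev(recent)
            if value > threshold:
                flagged.append(i)
                continue   # keep attack days out of the baseline
        baseline.append(value)
    return flagged


def incident_windows(flagged):
    """Group consecutive flagged indices into (start, stop) time frames."""
    windows = []
    for i in flagged:
        if windows and windows[-1][1] == i - 1:
            windows[-1] = (windows[-1][0], i)
        else:
            windows.append((i, i))
    return windows


if __name__ == "__main__":
    days = flag_anomalies(SAMPLE_DAILY_HITS)
    print("anomalous days:", days)
    print("incidents (start, stop):", incident_windows(days))
```

With the plain rolling window of the graph, day 11 would pass unnoticed because day 10's spike pushes the threshold above a million hits; excluding flagged days keeps the threshold near 110,000.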

Table 1. Attacks Summary, including start/end date, duration, size of the incident, size and number of the botnets detected

| id | Incident Start | Incident Stop | Duration | Total hits | Unique IPs | No. of bots identified | Identified botnets |
|----|----------------|---------------|----------|-----------:|-----------:|-----------------------:|-------------------:|
| 29 | 2016-02-10 21:00 | 2016-02-11 01:00 | ~5hrs | 879,634 | 14,773 | 12,921 | 3 |
| 30 | 2016-02-11 10:30 | 2016-02-11 12:30 | ~2hrs | 321,203 | 11,108 | 9,023 | 3 |
| 31 | 2016-03-01 15:00 | 2016-03-01 19:30 | ~6h30 | 3,597,689 | 5,918 | 3,243 | 3 |
| 32 | 2016-03-02 12:30 | 2016-03-02 16:00 | ~3h30 | 13,559,169 | 19,851 | 2,748 | 2 |
| 33 | 2016-03-04 09:00 | 2016-03-04 09:30 | ~30min | 2,058,710 | 9,613 | 8,844 | 1 |
| 34 | 2016-03-08 14:20 | 2016-03-08 16:40 | ~2h20 | 5,017,045 | 7,937 | 7,151 | 1 |

The number of unique bots and their grouping into specific botnets is the result of clustering work by BotHound. This toolkit classifies IPs by their behaviour, and allows us to determine the presence of different botnets in the same incident (attack).

Botnet profile

Using BotHound, we have calculated the percentage of unique IPs (classified as bots) that recur in separate incidents. A substantial percentage of previously seen bots would be one way to identify whether a botnet was re-used for attacking the same target. It would reveal a trend in botnet command and control behaviour. This intersection of botnet IPs also creates an opportunity to compare activity between several target websites, whether protected by Deflect or on one of our peers’ networks. Taken together, we begin to build a profile of activity for each botnet, helping us make assumptions about their motivation and target list.

Table 2. Intersection of identical bots across the incidents

| Incident # | No. of identical bots in both incidents | The portion of identical bots (of the smallest incident) |
|------------|----------------------------------------:|---------------------------------------------------------:|
| 29, 30 | 6,928 | 76.8% |
| 31, 32 | 1,450 | 91.0% |
| 33, 34 | 4,249 | 59.4% |
| 32, 33 | 438 | 17.9% |

Graph 4. Hits from bots and their country of origin, grouped by identified botnets. Update your software and malware cleaners please!

Table 3. Identified botnets and the incidents they appear in

| Botnet ID | Seen in incident | Unique bots | Top 10 countries of bot origin | Attack method |
|-----------|------------------|------------:|--------------------------------|---------------|
| 1 | 29, 30 | 13,857 | Russian Federation; Ukraine; China; Lithuania; Germany; Switzerland; Gibraltar; United Kingdom; Netherlands; France | POST |
| 2 | 29, 30 | 8,913 | Russian Federation; China; Ukraine; Germany; Lithuania; United States; Switzerland; United Kingdom; France; Gibraltar | POST |
| 4 | 31, 32 | 2,589 | United States; Germany; United Kingdom; Netherlands; China; Japan; Singapore; Ireland; France; Spain; Australia | Pingback |
| 5 | 31, 32 | 772 | United States; United Kingdom; Germany; Netherlands; Italy; France; Russian Federation; Singapore; Canada; Japan; China | Pingback |
| 6 | 31 | 971 | United States; China; Germany; Japan; United Kingdom; Singapore; Netherlands; France; Ireland; Canada; Australia | Pingback |
| 7 | 33, 34 | 11,746 | United States; United Kingdom; Germany; France; Netherlands; China; Canada; Russian Federation; Ireland; Spain; Turkey | Pingback |

Botnet target selection

Deflect protects a large number of qualifying human rights and independent media websites the world over. Our botnet capture and analytic tool set allows us to investigate attack characteristics and patterns. We consider the presence (intersection) of over 30% of identical bots as evidence that they originate from a similar botnet. During our broader analysis of the time period covered by this report, we found that botnet #7, which targeted the bdsmovement.net website on March 3rd, also hit the website of an Israeli human rights organisation under our protection on April 5th and April 11th. In each incident, over 50% of the botnet IPs hitting this website were also part of botnet #7 analysed in this report. Furthermore, a peer website security organisation reviewed our findings and concluded that a substantial number of IPs belonging to this botnet were targeting another Israeli media website under its protection, on April 7th and April 12th. The organisations targeted by this botnet do not share a common editorial line, nor are they in any way associated with each other. Their primary similarity is their emphasis on issues relevant to the protection of human rights in the Occupied Territories and on exposing violations in the ongoing conflict. Our analysis shows that these websites may have a common adversary — the controller or renter of botnet #7 — that their individual work has aggrieved. We will present our findings on this investigation in more detail in an upcoming report.

Botnet behaviour comparison

BotHound works by classifying the behaviour of actors on the network (whether human or bot) and clustering them according to a set of pre-defined features. Malicious behaviour stands out from the everyday trend of regular traffic. In the picture below, the RED spots are attacker sessions, while the BLUE spots are all other (regular) traffic. The graphic displays all 6 incidents combined. We chose the following 3 dimensions to visually represent a projection from the 7-dimensional space in which BotHound clustering is calculated:

  • HTTP request depth
  • Variance of HTTP request interval
  • HTML to image ratio

Graph 5. Clustering of bot behaviour from the six incidents covered in this report. The graphic illustrates that malicious behaviour, no matter the botnet characteristics, follows a determined pattern which resembles automated machine-driven properties of a botnet attack.

In-depth incident analysis

We have captured, analysed and now profiled each botnet witnessed in the 6 incidents. We break down incidents into three groups, by similarity of attack characteristics and the time of occurrence.

Incidents #29 & #30

Date: February 10-11, 2016
Duration: approximately 28 hours
Identified botnets: 2 (botnet id: #1 #2)
IP intersection between botnets: 76%
Attack type: HTTP POST


Attack analysis

After extensive cluster analysis to separate “good” from “bad” IPs based on their behaviour during the incident time frame, we applied a novel secondary clustering method which identified two different patterns of behaviour spanning both incidents. The first attack pattern used bots to hit the target very fast, with similar characteristics (session length, request intervals, etc.). The second botnet hit more slowly, but more consistently. Its session length varied, likely to evade our mitigation mechanisms; however, the request interval between hits was zero, which helped us identify it. The two botnets are easy to distinguish in the graphs below.

Identified botnet #1
Members: 13,857
Observations:

  • Session length = 314 sec
  • Payload average = 521 byte
  • Hit rate = 0.04 /minute
  • Requests: 500,000
  • Host header: accurate
  • Method: POST (> 99.9%)
  • URI path: / (> 99.9%)
  • UA: low variation, with most major UAs represented

Deflect Response: Moderate blocking success, origin was affected.


Identified botnet #2
Members: 8,913
Observations:

  • Session length = 429 sec
  • Payload average = 447 byte
  • Hit rate = 0.05 /minute
  • Requests: 600,000
  • Host header: accurate
  • Method: POST (> 99.9%)
  • URI path: / (> 99.9%)
  • UA: low variation (slightly higher than botnet 1), most major UAs represented

Deflect Response: Moderate blocking success, origin was affected.

The attacks resulted primarily in 502 (bad gateway) and 504 (gateway timeout) response codes.

The botnet attacks with several hundred unique IPs (purple) and rotates through a few dozen user agents (yellow). Graph tallies at 15 second intervals.

IP geo-reference

The IP address requesting a site can be geo-located. Another way we visualize botnet behavior is by cross-referencing the country of bot origin. We can easily see attack intensity (number of hits) versus bot distribution (unique IPs) in the diagrams below.

Graph 6. Hits against target website, by their geographic origin.

Graph 7. The same timespan as per the previous graph, only this time showing a count of unique IPs, per country geoIP

User agent and device

Every website request usually contains a header with identifying information about the requester. This can be faked, of course, but in any case stands out from the general pattern of traffic to the website. These incidents had a high consistency of “Generic Smartphone” and “Other” devices – describing the hardware unit from which the request was supposedly made. It is common for botnets to spoof a user agent device or, at least, share a common one.

Graph 8. Shows the devices used in the February botnet attack. As we can see, the majority comes from “Generic Smartphone” or “Other” device. Such consistency shows that these are part of an attack, rather than regular visitors.


Conclusions on incident #29 and #30 attacks
  • These attacks were distinguished by the relatively large number of participating bots, but were smaller in intensity (number of hits on target) compared to incidents #31-34. Three attacks were launched during the period of these incidents, requesting the same URL (/-) and using the same “device” in the user agent of the request.
  • There were two and possibly three botnets in these incidents. They can be differentiated by the geographic location of their bots and hit rates during attack. What is interesting is that the attack method between the different botnets and attack times is the same. Also the two botnets share a high percentage of intersecting bot IPs (76.8%). This may be an indication that they are subnets of a larger malicious network and are being controlled by the same entity.

Incidents #31 & #32

Date: March 1-2, 2016
Duration: approximately 21.5 hours
Identified botnets: 3 (botnet id: #4 #5 #6 )
IP intersection between botnets: 91%
Attack type: Reflection – WordPress Pingback[1]

Attack Analysis

Attackers utilised the same botnet (91% intersection) during incidents #31 and #32 within a time range of 22 hours. Incident #32 is the biggest in terms of hits out of the entire period covered by this report – counting over 13.5 million total hits in 6 hours. These incidents have a very similar UA (device) characteristic, the majority of which are identified as “Spider” (we are making an intersectional analysis on the UA further down in this report).

Identified botnet #4

Members: 2,589
Observations:

  • Session length = 2,971 sec
  • Payload average = 8,217 byte
  • Hit rate = 1.7 /minute
  • Requests: 10.8 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA: high variation, all WordPress pingback

Deflect Response: Successfully blocked. 91% of responses to botnet processed by edge within 20ms

Comparison of unique IPs versus unique user agent strings at 30 second intervals


Identified botnet #5
Members: 772
Observations:

  • Session length = 3,587 sec
  • Payload average = 10,221 byte
  • Hit rate = 0.48 /minute
  • Requests: 3 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA: high variation, all WordPress pingback

Deflect Response: Successfully blocked. 85% of responses to botnet processed by edge within 20ms

Comparison of unique IPs versus unique user agent strings at 30 second intervals. Note the probing attack before escalation


Identified botnet #6
Members: 971
Observations:

  • Session length = 583 sec
  • Payload average = 31,317 byte
  • Hit rate = 0.49 /minute
  • Requests: 145,000
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA variation: high variation, all WordPress pingback

Deflect Response: Relatively small incident – some attackers did not trigger our early detection with around 15% getting through to origin (22,000 requests returned an HTTP 200). Successfully blocked.

Error codes showing blocked request versus those that got to the origin site in incident #31


User agent and device

The “UA” parameter in our logging system identifies the user agent string in the request header made to the target website. It usually represents the signature (or version) of the program used to query the website, for example “Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” means that the request was made from Internet Explorer version 11, running on the Windows 7 operating system [2]. The “device” parameter in our logging system identifies the hardware (device) the user agent is running on, for example “iOS Device” or “Nexus 5” or “Windows 7”. In this case, the vast majority of IP addresses hitting the site were categorised as “spiders”. A spider, or web crawler, is software used by search engines to index the web. User agent strings are just text and can be changed (faked) to say anything – including copying a user agent string commonly used by some other software.

Graph 9. Hit count from various devices throughout incidents 31-32


Graph 10. Unique IP count from various devices throughout incidents 33-34


Conclusions on incident #31 and #32 attacks
  • These incidents stand out for their common attack and attacker characteristics, with an intersection of 91% of the bots used in both instances (relative to the smaller incident). Botnet #4 and #5 behaviour differs only in hit rate. Botnet #5 and #6 have a similar number of bots and an almost identical hit rate; interestingly, they differ greatly in the number of hits each launched at the target site. All three botnets appear to have had a strong presence on computers in the United States. All botnets used the same attack method – WordPress pingback – in both incidents.
  • The similarities between bot IP addresses and the attempts to vary the attack pattern across very similar botnets indicate a human-led effort to adapt the botnet to get past Deflect defences. It appears that the botnets used in these two incidents have the same controller behind them.

Incidents #33 & #34

Date: March 4, March 8, 2016
Duration: 30 mins, 2 hours and 20 minutes
Number of bots: 8,844 and 7,151
Identified botnets: 1 (botnet id: #7)
Attack type: Reflection – WordPress Pingback[1]


Identified botnet #7
Members: 11,746
Observations:


Graph 11. Comparable values of unique IPs and unique UAs. We see a huge difference from other botnets in this report

  • Session length = 2,665 sec
  • Payload average = 15,572 byte
  • Hit rate = 0.30 /minute
  • Requests: 7.9 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA variation: high variation, mostly WordPress pingback (92%)

Deflect Response: Moderate blocking success. 75% of requests dealt with in <200ms, 5% origin read timeouts


Graph 12. Unique IP count from various devices throughout incidents #33-34

Conclusions on incident #33 and #34 attacks
  • Incident #33 comes across as a probe (or a first attempt) before a much stronger attack with similar characteristics is launched in incident #34. This is backed up by the use of a single botnet in both incidents.
  • Botnet #7 appears in other attacks against Israeli websites, on our network and on the network of one of our peers. The attack pattern used in these incidents is similar to that of the previous two incidents, and we found a 17.9% intersection between the bots used in incidents #32 and #33, possibly linking #31-34 together. Along with the prevalence of bots originating from the United States, this gives some justification for the view that botnets 4-7 originate from a similar larger network.

Report conclusions

Attempts to bring down the bdsmovement.net website were made using several (at least two distinct and relatively large) botnets and varied in their technical approach. This shows a level of sophistication and commitment not generally seen on the Deflect network. The choice of attack method allowed us to see which website was being targeted, which may have been a conscious decision. However, we did not find anything linking attacks in incidents #29-30 with attacks in incidents #31-34. Relative success with affecting the origin in the first two incidents was not built upon in the next four. Furthermore, other effective methods to swarm the network with traffic or overwhelm our defence mechanisms could have been used, had the attackers had enough resources and dedication to achieve their aims.

The creation of historical profiles for botnet activity and the ability to intersect our results with peer organizations will lead to better understanding of trends, across a greater swath of the Internet. Adapting botnet classification tooling to automated defense mechanisms will allow us to notify peers about established and confirmed botnets in advance of an attack. By slowly chipping away at the impunity of botnet controllers, we hope to reduce the prevalence of DDoS attacks as a method for suppressing online voices.

eQualit.ie is inviting organizations interested in this collaboration to reach out.

 



[1] A WordPress pingback attack abuses a legitimate WordPress function: notifying other websites that you are linking to them, in the hope of reciprocity. The notification is sent as a pingback request through the XML-RPC interface. The attacker chooses a range of WordPress sites and sends each of them a pingback request, spoofing the origin as the target website, so that all of those sites contact the target. This feature is enabled by default on WordPress installations and many people run their websites unaware that their server is being used to reflect a DDoS attack.
[2] http://www.useragentstring.com/index.php


Deflect Stats April 2016

April 2016 was notable for the number of attacks launched against Deflect-protected websites. Most of them used the WordPress Pingback reflective attack method. Ukrainian readers topped our statistics this month, with readers from the United States, Ecuador and Russia also generating several million daily hits.

Daily hits on the Deflect network, by country

 


Bandwidth, measured hourly and summed by country of requesting IP

 


Windows 7 is the most common operating system among Deflect readers this month

An interesting set of data regards our cache response: as shown in the pie chart below, in April around 70% of the pages we served were cached on our servers, while we had to fetch a copy from your websites for approximately 20% of the requests we received.

 

Deflect’s caching system responses for the month of April

 

Attacks on the Deflect network in April 2016

Around a dozen separate incidents were recorded on the network in April. It’s important to note that the statistics represented here are from requests that triggered our banning mechanisms. In reality there may have been many more malicious requests. As per last month’s stats, the majority of bots were originating from the United States.


 

The majority of botnets captured by Deflect were using the WordPress Pingback attack mechanism, masquerading with a “spider” user agent device. The “Ua_Device” parameter is derived by our system, which recognises the user-agent strings used by many different devices and categorises traffic accordingly. In this case the vast majority of IP addresses hitting the site were categorised as “spiders”. A spider, or web crawler, is software used by search engines to index the web. In order to index pages, however, a spider would usually visit each page of a website only once. In this case each IP address claiming to be a “spider” was requesting pages a very large number of times. User-agent strings are just text and can be changed by clients to anything they like – including copying a user-agent string commonly used by some other software. We conclude that this was malicious traffic from a botnet masquerading as web-crawler traffic.
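A defensive check for the pattern described above (and for the “spider” device classification discussed in the bdsmovement.net report), as an added example that is not Deflect's own tooling: it sorts user-agent strings into a coarse device class, then flags IPs that claim a crawler or pingback identity yet re-request the same few pages far more often than an indexer would. The log lines are constructed; the pingback pattern is the user-agent format WordPress uses while verifying a pingback, assumed here to be stable across versions; the repeat threshold of 3 hits per distinct path is an arbitrary assumption.

```python
"""Flag "spider" traffic that behaves like a reflected WordPress pingback flood.

Added example, not Deflect's tooling. Log lines are constructed and take the
form:  client_ip path status "user-agent"
"""
import re
from collections import Counter, defaultdict

# User-agent WordPress sends while verifying a pingback (assumed to be stable
# across versions): "WordPress/<ver>; <site url>; verifying pingback from <ip>"
PINGBACK_UA = re.compile(r"^WordPress/[\d.]+; https?://[^;]+; verifying pingback from ", re.I)
CRAWLER_TOKENS = ("googlebot", "bingbot", "crawler", "spider", "slurp")
LINE = re.compile(r'^(\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample traffic (documentation address ranges, fictional hostnames).
PINGBACK_ONE = "WordPress/4.4.2; http://reflector-one.example; verifying pingback from 198.51.100.20"
PINGBACK_TWO = "WordPress/4.3.1; https://reflector-two.example; verifying pingback from 198.51.100.20"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0"
LOG_LINES = (
    [f'203.0.113.7 / 200 "{PINGBACK_ONE}"'] * 6                                  # one reflector, six hits on "/"
    + [f'203.0.113.8 / 503 "{PINGBACK_TWO}"'] * 5                                # another reflector, five hits
    + [f'192.0.2.50 {p} 200 "{GOOGLEBOT}"' for p in ("/", "/about", "/news")]    # a crawl: each page once
    + [f'198.51.100.9 {p} 200 "{FIREFOX}"' for p in ("/", "/about", "/")]        # an ordinary reader
)


def classify_device(ua):
    """Coarse device category in the spirit of the Ua_Device field."""
    if PINGBACK_UA.match(ua):
        return "wordpress-pingback"
    low = ua.lower()
    if any(tok in low for tok in CRAWLER_TOKENS):
        return "spider"
    if any(tok in low for tok in ("mobile", "android", "iphone")):
        return "mobile"
    return "desktop" if "mozilla/" in low else "other"


def per_ip_stats(lines):
    """Hits, distinct paths and device class per client IP."""
    hits, paths, device = Counter(), defaultdict(set), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip, path, _status, ua = m.groups()
        hits[ip] += 1
        paths[ip].add(path)
        device[ip] = classify_device(ua)
    return {ip: {"device": device[ip], "hits": hits[ip], "distinct_paths": len(paths[ip]),
                 "hits_per_path": hits[ip] / len(paths[ip])} for ip in hits}


def flag_reflectors(lines, repeat_threshold=3.0):
    """IPs that claim a crawler identity yet re-request the same pages far more than an indexer would."""
    return sorted(ip for ip, s in per_ip_stats(lines).items()
                  if s["device"] in ("spider", "wordpress-pingback") and s["hits_per_path"] > repeat_threshold)


def hits_by_device(lines):
    """Hit totals per device class, the breakdown the monthly charts show."""
    totals = Counter()
    for s in per_ip_stats(lines).values():
        totals[s["device"]] += s["hits"]
    return totals
```

The IPs this flags are the reflecting WordPress servers, not the botnet controller, so the useful response at the edge is to rate-limit or ban those sources; on a WordPress site you run yourself, turning off pingbacks in the discussion settings or disabling XML-RPC keeps it out of the reflector pool.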


Bots taking part in a WordPress pingback attack identifying themselves with a “spider” user agent device

 


Most of the “spider” bots were originating from the United States

 

 


TA3M May ’16 – “Who Am I” Film Screening

Join us for the next TA3M for a screening of the German hacker film Who Am I.

After the screening we will host a group discussion led by Gabriella Coleman (Professor at McGill University who works on computer hackers) and Thomas Geffroyd (Ubisoft, Content Director for the Hacker game Watchdogs) about the film and the role popular culture plays in heroizing or demonizing hackers.

 

Location: McGill Arts Building
Room: ARTS 260

When? May 16th, 18:00-20:00
We will be starting the movie by 18:15, so please try to arrive on time.


To see a history of past TA3M Montreal events please refer to our archive.


Deflect stats March 2016

This is the first in a monthly series of posts sharing and discussing statistics on the Deflect network. March 2016 was a busy month for us. We began to publish analytic reports on DDoS attacks against some of the clients we protect on the network. Our aim is to help the targets’ advocacy efforts and begin to strip away the impunity currently enjoyed by botnet operators. As our analytic tooling and understanding of these attacks improve, so will the reports.

In terms of people served and traffic on the network, this was our busiest month to date. We averaged around 20 million daily hits, a significant percentage of which came from readers in Mexico. Around ten separate DDoS incidents were recorded during the month, of various strength and sophistication.

 

Total hits this month, unique IPs we banned; unique IPs we served

 

Daily hits on the Deflect network

 

Daily count of unique IPs by country of origin

 

This month’s share of unique IPs by country of origin is a tortilla!

 

Most popular operating systems on the network

 

Attacks on the Deflect network in March 2016

Around a dozen separate incidents were recorded on the network in March. It’s important to note that these are requests that triggered our banning mechanisms. In reality there may have been many more malicious requests.


Daily unique IP bans by country

 

Geographical bot distribution


We are also beginning to track botnets as anomalies on the network. Here is a graph built using the Timelion toolkit for Elasticsearch. It consists of a time-series representation of total hits on the network (red line) and a moving average (blue line) – the browsing pattern generated by reader behaviour week upon week. We then multiply the blue line values by 3 so we can clearly see when an anomaly is happening on the network. Most of the time, although not every time, the anomaly represents a spike in traffic or hits on websites – an attack.


We have also been contributing towards the development of a tool called GreyMemory. It is an anomaly detection tool which accepts any multi-dimensional time series as input, predicts the next state of the system, measures the prediction error and generates an anomaly rate. It uses predictive algorithms to evaluate what might happen next on the network and compares this evaluation with the eventual result. If the quality of prediction drops, it raises an anomaly alert. In the following diagram, GREY is the ratio of successful HTTP requests to the total number of HTTP requests; BLUE is the anomaly rate, as calculated by GreyMemory; and ORANGE is the anomaly alert, where we should create incidents. Alerts are triggered when the anomaly rate exceeds a threshold, currently set at 95%.



Deflect Labs Report #1

Botnet attack analysis covering reporting period February 1 – 29 2016
Deflect protected website – kotsubynske.com.ua

This report covers attacks against the Kotsubynske independent media news site in Ukraine, in particular during the first two weeks of February 2016. It details the various methods used to bring down the website via distributed denial of service attacks. The attacks were not successful.

General Info

Kotsubynske is a media website online since 2010, created by local journalists and civil society in response to the appropriation and sale of public land (Bylichaniski forest) by local authorities. The website publishes local news and political analysis and exposes corruption scandals in the region. The site registered for Deflect protection during an ongoing series of DDoS attacks late in 2015. The website is entirely in Ukrainian. It receives on average 80-120 thousand daily hits, primarily from Ukraine, the Netherlands and the United States.

 


Attack Profile

Beginning on the 1st of February, Deflect notices a rise in hits against this website originating primarily from Vietnamese IPs. This may be a probing attack and it does not succeed. On the 6th of February, over 1,300,000 hits are recorded against this website in a single day. Our botnet defence system bans several botnets, the largest of which comprises just over 500 unique participants (bots).

Using the ‘Timelion’ tool to detect time-series anomalies on the network, such as those caused by DDoS attacks, we notice a significant deviation from the average pattern of visitors to the Kotsubynske website (in the diagram below, the hit count on the website is in red, the blue line represents a 7-day moving average plus 3 times the standard deviation, and yellow rectangles mark the anomalies). The fact that the deviation from normal persists over a week (Feb 1 to Feb 8) points to the attack continuing over several incidents. This report attempts to determine whether these separate attacks are related, presents their characteristics, and makes assumptions about their purpose and origin.

 

Illustration 1: Timelion graph showing a prolonged attack period between February 1 and 8
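The baseline rule used here (7-day moving average plus 3 standard deviations) and the “blue line times 3” rule from the March stats post, as an added example in Python that is not Timelion or Deflect code. The daily hit series is constructed. The example also shows why flagged days should be kept out of the baseline: with a naive trailing window, one large spike inflates the standard deviation and hides the next, smaller attack.

```python
"""Moving-baseline anomaly flags for a daily hit series.

Added example; not Timelion or Deflect code. Daily hit counts are constructed:
a quiet fortnight for a site with ~100k daily hits, with two attack days.
"""
from statistics import mean, pstdev

DAILY_HITS = [
    100_000, 104_000, 98_000, 101_000, 97_000, 103_000, 99_000,     # baseline week
    102_000, 100_000, 1_300_000, 101_000, 99_000, 380_000, 98_000,  # attacks on day 9 and day 12
]


def anomalies(series, window=7, k=3.0, mode="sigma"):
    """Flag points above a trailing baseline.

    mode="sigma":    threshold = moving average + k * standard deviation (the rule in this report)
    mode="multiple": threshold = k * moving average (the March stats rule: blue line x 3)
    Flagged days are kept out of the baseline so a spike does not hide the next one.
    """
    clean, flags = [], []
    for day, value in enumerate(series):
        if len(clean) >= window:
            base = clean[-window:]
            mu = mean(base)
            threshold = mu + k * pstdev(base) if mode == "sigma" else k * mu
            if value > threshold:
                flags.append({"day": day, "hits": value, "threshold": round(threshold)})
                continue  # anomalous day: do not let it pollute the baseline
        clean.append(value)
    return flags


def naive_anomalies(series, window=7, k=3.0):
    """Same sigma rule, but the baseline includes earlier spikes, so later ones are masked."""
    flags = []
    for day in range(window, len(series)):
        base = series[day - window:day]
        if series[day] > mean(base) + k * pstdev(base):
            flags.append(day)
    return flags


if __name__ == "__main__":
    print("clean baseline:", anomalies(DAILY_HITS))
    print("x3 rule:       ", anomalies(DAILY_HITS, mode="multiple"))
    print("naive baseline:", naive_anomalies(DAILY_HITS))
```

With the constructed series both rules flag day 9 and day 12, while the naive version flags only day 9: the 1.3 million-hit day pushes the trailing standard deviation so high that the 380,000-hit day three days later passes as normal.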

February 06, 2016 Attack profile

This incident lasted 1h 11min and was the most intensive attack during this period, in terms of hits per minute.

Incident statistics
Listed here are some of the incident statistics we get from the deflect-labs system. They show the intensity of the attack, the type of attack (GET/POST/WordPress/other), targeted URLs, as well as GeoIP and IP information related to the attacker(s):

  • client_request host:"www.kotsubynske.com.ua"
  • Hits between 24000 and 72000 per minute
  • Total hits for the attack period: 1643581
  • Attack Start: 2016-02-06 13:34:00
  • Attack Stop: 2016-02-06 14:45:00
  • Type of attack: GET attack (bots requested page from website)
  • Targeted URL: www.kotsubynske.com.ua
  • Primary botnet request: “http://www.kotsubynske.com.ua/-”

Illustration 2: Geographic distribution of bots

The majority of hits on this website came from Vietnam, Ukraine, India, Rep. of Korea, Brazil and Pakistan. Here are the stats for the top five countries, in descending order of count:

geoip.country_name | Count
Vietnam | 817,602
Ukraine | 216,216
India | 121,405
Romania | 70,697
Pakistan | 61,201

 

Cross-incident analysis

We’ve researched three months of incidents on the Kotsubynske website, namely from January to March 2016. We have detected five incidents between February 01 – 08 and present a detailed analysis of botnet characteristics and the similarities between each incident. The point is to figure out if the incidents are related. This may help us define whether the actors behind this attack were common between all incidents. For example, we see relatively few IPs appearing in more than one incident, while each incident shares a similar botnet size and attack pattern.

 

Illustration 3: GeoIP location of bots over the five recorded incidents

 

Table 1. Identical IPs across all the incidents

We identify, in the sequence of incidents, botnet IPs which reappeared from a previous attack.

ID | Incident start | Incident end | Duration | Botnet IPs | Recurring botnet IPs | Attack type | Attack pattern (URL request)
1 | 2016-02-02 12:07:00 | 2016-02-02 12:21:00 | 14 min | 224 | – | GET | 163224 hits: /-
2 | 2016-02-03 08:27:00 | 2016-02-03 08:31:00 | 4 min | 120 | 22 | GET | 35991 hits: /-
3 | 2016-02-05 21:10:00 | 2016-02-05 22:00:00 | 50 min | 99 | 0 | GET | 49197 hits: /-; 23 hits: /wp-admin/admin-ajax.php
4 | 2016-02-06 13:34:00 | 2016-02-06 14:45:00 | 1h 11 min | 484 | 0 | GET | 1557318 hits: /-
5 | 2016-02-08 12:20:00 | 2016-02-08 16:40:00 | 4 h 20 min | 361 | 0 | GET | 392658 hits: /-

 

Table 2. Pairs of incidents with significant numbers of identical IPs banned by Deflect

Here we correlate each incident against all other incidents to see whether any common botnet IPs reappear and present the incident pairs where there is a match

Incident id | Banned IPs | Incident id | Banned IPs | Recurring IPs | % of recurring botnet IPs in the smaller incident
1 | 224 | 2 | 120 | 22 | 18.3%
3 | 99 | 4 | 484 | 15 | 15.2%
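The intersection metric behind this table, and behind Table 2 of the bdsmovement.net report earlier on this page, as an added example in Python that is not Deflect or BotHound code: shared banned IPs between two incidents expressed as a share of the smaller incident, the per-incident "recurring IPs" column, and the report's rule of thumb that more than 30% shared bots points to a re-used botnet. The incident IP sets are constructed from documentation address ranges.

```python
"""Shared bot IPs across DDoS incidents.

Added example, not Deflect or BotHound code. The IP sets are constructed from
RFC 5737 documentation ranges; nothing here is a real attacker address.
"""
from itertools import combinations

INCIDENTS = {
    1: {f"192.0.2.{i}" for i in range(1, 121)},                                                 # 120 bots
    2: {f"192.0.2.{i}" for i in range(81, 121)} | {f"198.51.100.{i}" for i in range(1, 61)},    # 100 bots, 40 seen in #1
    3: {f"203.0.113.{i}" for i in range(1, 51)},                                                # 50 bots, all new
}

SAME_BOTNET_THRESHOLD = 0.30   # report's rule of thumb: >30% shared bots => similar botnet


def shared_bots(a, b):
    """(number of IPs in both incidents, that number as a share of the smaller incident)."""
    if not a or not b:
        return 0, 0.0
    shared = len(a & b)
    return shared, shared / min(len(a), len(b))


def incident_pairs(incidents, threshold=SAME_BOTNET_THRESHOLD):
    """Correlate every incident against every other (the pairwise intersection table)."""
    rows = []
    for x, y in combinations(sorted(incidents), 2):
        shared, share = shared_bots(incidents[x], incidents[y])
        rows.append({"pair": (x, y), "shared": shared, "share_of_smaller": round(share, 3),
                     "likely_same_botnet": share > threshold})
    return rows


def recurring_bots(incidents):
    """Per incident, how many of its bots were already banned in any earlier incident."""
    seen, out = set(), {}
    for inc in sorted(incidents):
        out[inc] = len(incidents[inc] & seen)
        seen |= incidents[inc]
    return out


if __name__ == "__main__":
    for row in incident_pairs(INCIDENTS):
        print(row)
    print(recurring_bots(INCIDENTS))
```

Dividing by the smaller incident rather than by the union is what the tables do, and it matters: a 40-IP overlap is 40% of a 100-bot incident but only a third of that of a 120-bot one, so the same pair would fall on different sides of the 30% line under a Jaccard-style measure.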

Analysis of the five attacks shows that very few botnet IPs were reused in subsequent attacks. The presence of any recurring IPs, however, suggests that they either belong to a subnet of the same botnet or are victims whose computers have been infected by more than one botnet malware. Furthermore, each botnet’s GeoIP characteristics and behaviour are almost identical. For example, whilst traffic during this period followed the normal trend, both in terms of number of visitors and their geographic distribution, banned IPs were primarily from Vietnam, India, Pakistan and other countries that do not normally access kotsubynske.com.ua.

This is a reliable indicator of malicious traffic and a transnational botnet.

  • 71.1% of banned IPs come from Vietnam, India, Iran, Pakistan, Indonesia, Saudi Arabia, Philippines, Mexico, Turkey, South Korea.
  • 99.9% of banned IPs have identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”.
  • The average hit rate of IPs with the exact identical user agent string is significantly higher: 61.9 hits/minute vs 4.5 hits/minute for all other traffic.

Illustration 4: Banned machines from ‘unusual’ countries for kotsubynske.com.ua

The user agent (UA) string appears to be identical in all five incidents when comparing banned and legitimate traffic. In the diagram below, orange represents the identical user agent string, whilst blue represents IPs with other user agent strings. The coloured boxes contain the middle 50% of IPs in each set and the lines inside the boxes indicate the medians. The markers above and below the boxes indicate the position of the last IP within 1.5 times the box height (i.e. within 1.5 interquartile ranges).

Illustration 5: Hit rate distribution for the IPs with the same identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”

Even though there are not many identical botnet IPs across all 5 incidents, the behaviour of botnet IPs from different incidents is very similar. The figure below illustrates some characteristics of the botnets (different colours) compared with regular traffic (blue).

Scatter plot of sessions in 3-dimensional space:

  • Request interval variance
  • Error rate
  • HTML to image ratio

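How per-session features of the kind plotted here (and in the BotHound projection shown for the bdsmovement.net incidents: request depth, request interval variance, HTML-to-image ratio) can be derived and clustered, as an added example that is not BotHound's code. It computes four features per client IP from constructed access-log lines, standardises them, and runs a plain 2-means clustering so that the machine-paced sessions separate from ordinary readers. "Request depth" is taken here to mean the average number of path segments, which is an assumption about the report's feature; the log lines, addresses and paths are constructed.

```python
"""Per-session features for separating bot sessions from readers.

Added example, not BotHound's code. Constructed log lines in the form
"client_ip epoch_seconds path status": the two 192.0.2.x clients hammer
"/-" with a near-zero request interval, the two 198.51.100.x clients browse.
"""
import math
from statistics import mean, pstdev, pvariance

LOG_LINES = """\
192.0.2.10 1000 /- 502
192.0.2.10 1000 /- 502
192.0.2.10 1000 /- 504
192.0.2.10 1000 /- 502
192.0.2.10 1001 /- 502
192.0.2.10 1001 /- 504
192.0.2.11 2000 /- 502
192.0.2.11 2000 /- 502
192.0.2.11 2000 /- 502
192.0.2.11 2001 /- 504
192.0.2.11 2001 /- 502
198.51.100.5 3000 /news/2016/02/forest-council 200
198.51.100.5 3004 /wp-content/uploads/2016/02/forest.jpg 200
198.51.100.5 3005 /wp-content/themes/site/logo.png 200
198.51.100.5 3090 /news/2016/02/irpin-mayor 200
198.51.100.5 3096 /wp-content/uploads/2016/02/mayor.jpg 200
198.51.100.6 4000 /about 200
198.51.100.6 4002 /wp-content/themes/site/logo.png 200
198.51.100.6 4130 /news/2016/02/forest-council 200
198.51.100.6 4133 /wp-content/uploads/2016/02/forest.jpg 304
198.51.100.6 4300 /contact 404
"""

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg")
FEATURES = ("interval_variance", "request_depth", "html_image_ratio", "error_rate")


def parse_sessions(text):
    """Group log lines by client IP -> list of (timestamp, path, status)."""
    sessions = {}
    for line in text.strip().splitlines():
        ip, ts, path, status = line.split()
        sessions.setdefault(ip, []).append((int(ts), path, int(status)))
    return sessions


def session_features(requests):
    """Four of the per-session features the reports cluster on."""
    requests = sorted(requests)
    times = [t for t, _, _ in requests]
    intervals = [b - a for a, b in zip(times, times[1:])] or [0]
    depths = [len([s for s in path.split("/") if s]) for _, path, _ in requests]  # assumption: depth = path segments
    images = sum(path.lower().endswith(IMAGE_EXT) for _, path, _ in requests)
    errors = sum(status >= 400 for _, _, status in requests)
    return {
        "interval_variance": pvariance(intervals),                      # ~0 for machine-paced bursts
        "request_depth": mean(depths),
        "html_image_ratio": (len(requests) - images) / (images + 1),  # +1: fetching no images at all is itself a signal
        "error_rate": errors / len(requests),
    }


def zscore(vectors):
    """Standardise each feature column so no single unit dominates the distance."""
    cols = list(zip(*vectors))
    mus = [mean(c) for c in cols]
    sds = [pstdev(c) or 1.0 for c in cols]
    return [[(v - m) / s for v, m, s in zip(vec, mus, sds)] for vec in vectors]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def two_means(points, rounds=50):
    """Plain 2-means seeded with the two most distant points, so the result is deterministic."""
    n = len(points)
    i0, j0 = max(((i, j) for i in range(n) for j in range(i + 1, n)),
                 key=lambda p: dist(points[p[0]], points[p[1]]))
    centroids = [points[i0], points[j0]]
    labels = [-1] * n
    for _ in range(rounds):
        new = [min((0, 1), key=lambda k: dist(p, centroids[k])) for p in points]
        if new == labels:
            break
        labels = new
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k] or [centroids[k]]
            centroids[k] = [mean(c) for c in zip(*members)]
    return labels


def cluster_sessions(text):
    """Return ({ip: cluster label}, {ip: features}) for every client in the log."""
    feats = {ip: session_features(reqs) for ip, reqs in parse_sessions(text).items()}
    ips = sorted(feats)
    labels = two_means(zscore([[feats[ip][f] for f in FEATURES] for ip in ips]))
    return dict(zip(ips, labels)), feats


def suspicious_ips(text):
    """Members of the cluster with the higher mean error rate (the automated one here)."""
    labels, feats = cluster_sessions(text)
    by_label = {0: [], 1: []}
    for ip, lab in labels.items():
        by_label[lab].append(ip)
    worst = max(by_label, key=lambda k: mean(feats[ip]["error_rate"] for ip in by_label[k]) if by_label[k] else -1)
    return frozenset(by_label[worst])
```

With four sessions the clustering is trivially clean; the point is the feature set: a zero request interval, a flat path depth, a session that never fetches an image and a stream of 5xx responses are each unremarkable alone but together they put the automated sessions in their own corner of the space, which is what the scatter plots above show.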

Report Conclusion

On the 2nd of February, the Kotsubynske website published an article from a meeting of the regional administrative council where it stated that members of the political party ‘New Faces’ were interfering with and trying to sabotage the council’s work on stopping deforestation. The party is headed by the mayor of the nearby town Irpin. Attacks against the website begin thereafter.

Considering the scale of attacks often witnessed on the Deflect network, this was neither strong nor sophisticated. Our assumption is that the botnet controller was simply cycling through the various bots (IPs) available to them so as to avoid our detection and banning mechanisms. The identical user agent and attack pattern used throughout the five attacks is an indication to us that a single entity was orchestrating them.

This is the first report of the Deflect Labs initiative. Our aim is to strip away the impunity currently enjoyed by botnet operators the world over and to aid the advocacy efforts of our clients. In the near future we will begin profiling and correlating present-day attacks with our three-year backlog and with the efforts of similarly minded DDoS mitigation projects.


TA3M MARCH ’16 “WHO BYTES YOUR BITS”

We’re all familiar with the idea of a search warrant — but how else can the government access your private information in Canada? This informal TA3M workshop will explore this question—whether in the context of a criminal investigation or otherwise. We’ll also discuss the implications for businesses and organizations that hold private data for their clients, and the circumstances in which they might be forced to hand over records about their clients, users or communities. Together, we’ll think about how to mitigate risk and work through questions like:

  • How can law enforcement and intelligence agencies access private information about you? Do they always need a warrant? Should activists and community groups be particularly concerned?
  • If you’re hosting data for others, or holding private information that belongs to your users, what are your obligations as custodian of that data?
  • What are the situations in which you might be required to share or disclose data about others? What are your responsibilities to your users and clients in these situations?

Following a brief talk, attendees will be invited to share their own thoughts, experiences and questions. Presenters are happy to answer questions in English and French.

Presenters

Lex Gill is a researcher for the Canadian Civil Liberties Association’s Privacy, Surveillance and Technology Project and an affiliate to the Berkman Center for Internet and Society. She studies at McGill’s Faculty of Law.

Jillian Friedman is a technology lawyer. Her views on privacy law, and other technology law issues have been published in legal, academic and news media. Jillian has spoken before the Senate Committee on Banking, Trade and Commerce where she testified about digital currency, consumer protection and pseudo-anonymity. She is currently writing a book on financial technology law.

Location

We have moved!! Tonight’s TA3M will be held at GareMTL

When? March 21st, 18:00


To see a history of past TA3M Montreal events please refer to our archive.


IFF Tool Showcase: the projects

During the Internet Freedom Festival, which will take place in Valencia, Spain, from the 1st to the 6th March 2016, eQualit.ie will host a tool showcase and award ceremony on Thursday 3rd March, starting from 7 pm.

During the showcase, 15 tools will be introduced with a short presentation to the entire room and then be assigned to their own tables for a continuing discussion with the audience, who will then vote for their favourite projects in three different categories – “You did whaaaat?”, “Wish I’d thought of that!”, and “You get a biscuit”.

Here is the complete list of the presented projects, with a link to the posts we have dedicated to each of them:

  • CENO – an innovative approach to censorship circumvention, based on P2P storage networks.
  • CGIProxy – a clientless web proxy that supports JavaScript and Flash, enabling access even to the most complex websites.
  • Code of Conduct builder – an interactive tool for building a Code of Conduct for a community’s offline and online spaces.
  • CoyIM – a safe and secure Jabber/XMPP client with built-in support for Tor, OTR and TLS.
  • FreedomBox – a free software stack that can be installed in inexpensive hardware to turn it into a personal server that protects your privacy.
  • NetAidKit – a pocket size, USB powered router that connects everything to everything, designed specifically for non-technical users.
  • OnionShare – a desktop application to share files anonymously and securely using the Tor network.
  • Peerio – a tool to send encrypted messages and files, developed with the aim of making encrypted communications attractive and accessible.
  • Psiphon – a widely-used free censorship circumvention tool.
  • Qubes OS – a free and open source security-oriented operating system that implements security by compartmentalization.
  • SecurePost – an Android App that allows a group to share a Twitter account or Facebook page without sharing the account password.
  • StingWatch – a tool enabling ordinary people to monitor and map police use of IMSI-Catchers, aka Stingrays.
  • StoryMaker – an open source app helping anyone learn to make great multimedia stories and safely produce and publish them with their mobile device.
  • Umbrella – a free and open source Android app to help journalists and activists manage their security on the move.
  • uProxy – an open source browser extension for Chrome and Firefox that lets users share their route to the Internet with each other.

Internet Freedom Festival: Tool showcase

The Internet Freedom Festival, which will take place in Valencia, Spain, from the 1st to the 6th March 2016, is a common space where diverse communities working against and affected by censorship and surveillance can come together to teach, plan and act.


The rich schedule of the festival includes sessions on 8 different tracks and also night events. For the night events, eQualit.ie will host a tool showcase and award ceremony on Thursday 3rd March, starting from 7 pm.

THE TOOL SHOWCASE

During the showcase, 13 tools will be introduced with a short presentation to the entire room and then be assigned to their own tables for a continuing discussion with the audience. You can learn about and see demos of Android apps carrying security advice and instructions for activists; routers and servers that enhance connection security; censorship circumvention systems; tools for encrypted communication; IMSI-catcher detectors and much more: there will be solutions for every taste and need. Here’s the complete list of the tools that will be presented at the showcase:

At the end of the event, the public will be invited to pick their favorite tool for the following unofficial IFF categories:

  • You did whaaaat?
  • Wish I’d thought of that!
  • You get a biscuit.

No one will leave empty handed! There are prizes for winners, drinks for participants, and eQualit.ie will interview and blog about each contestant’s tool. And if we still have time, a vodka tasting workshop may follow!


Activists can run independent and secure online services with Caisleán

Small non-profit organizations, civil rights groups and activist clusters use online tools to work collaboratively. Unfortunately, too many rely on centralized platforms that profit from exploiting private data. It is crucial for these organizations to switch to self-hosted solutions in order to keep control of their data and protect their users. A system administrator then has to be responsible for maintaining and securing the server on which the services run.

System administration, however, is not an easy task. Installation, maintenance and user support become more time-consuming and error-prone as the number of services grows: from an e-mail exchanger to a VPN, each has its own configuration specifics and must work correctly while following security best practices.

We are developing Caisleán to address this issue: it aims to install such services quickly, without the administrator having to tweak every configuration detail. Among other services, a multi-user e-mail service, a VPN, an XMPP server and a file-sharing platform can be set up within minutes on a bare Debian system. They are automatically configured according to security best practices, helping to provide confidentiality, integrity and authenticity of communications to users.

By lowering the cost of setting up these tools, Caisleán can help activists and organizations increase their independence, efficiency and security. It comes as a set of recipes for Ansible, a configuration management tool that lets the desired state of a whole system be described, notably through template configuration files.

Caisleán’s collaborative tools and services

The following services are provided by Caisleán:

  • an e-mail address for every user thanks to Postfix and Dovecot, with access through webmail (using Roundcube) or e-mail client software such as Thunderbird and K-9 Mail;
  • the Prosody XMPP server for instant messaging;
  • web-based file hosting and sharing thanks to ownCloud and the Nginx web server;
  • a blogging platform thanks to WordPress;
  • a VPN service thanks to OpenVPN, to help users evade surveillance or censorship as well as reduce their traceability when browsing the web.

All these services support multiple users thanks to the OpenLDAP backend.

Of course, administrators are free to use only a subset of these services, depending on users’ needs.

Turned towards best security practices

We have made every effort to ensure that the configuration templates follow what we see as best security practices.

To this end, Caisleán firstly improves the security of a bare Debian system, with measures such as:

  • SSH configuration hardening;
  • firewall with iptables and ufw;
  • rootkit and filesystem alteration checking with chkrootkit and rkhunter;
  • e-mail notifications to the administrator when system packages need to be upgraded.
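The SSH hardening item above is the kind of choice a recipe encodes once and then enforces on every host. As an added example (not Caisleán's own code), here is a small audit of an `sshd_config` against such a policy: it reads the global section the way sshd does (first occurrence of a directive wins, `Match` blocks are conditional and skipped) and reports every directive whose effective value is weaker than the policy allows. The directive list, the OpenSSH defaults assumed for absent directives and the two configuration fragments are assumptions constructed for this example.

```python
"""Audit an sshd_config against a hardening policy of the kind a Caisleán-style
recipe enforces. Added example, not the project's code; the directive list, the
OpenSSH defaults assumed for absent directives and the sample configs are assumptions."""
import re

# directive -> (acceptable values, value sshd applies when the directive is absent).
# Defaults assumed here follow older OpenSSH releases (PermitRootLogin defaulted to "yes"
# before 7.0); treating an absent directive as weak is the conservative choice for an audit.
HARDENING_RULES = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"}, "yes"),
    "passwordauthentication": ({"no"}, "yes"),
    "challengeresponseauthentication": ({"no"}, "yes"),
    "permitemptypasswords": ({"no"}, "no"),
    "x11forwarding": ({"no"}, "no"),
}

# Constructed fragments: a stock-looking config and a hardened one with a Match block.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no     <- commented out, so sshd's default (yes) applies
X11Forwarding yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {lowercased directive: lowercased value} for the global section.
    sshd keeps the first occurrence of a directive, so later duplicates are ignored,
    and parsing stops at the first Match block because its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text, rules=HARDENING_RULES):
    """Return sorted (directive, effective_value, acceptable_values) findings; an empty
    list means every audited directive is at an acceptable setting."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (acceptable, default) in rules.items():
        effective = settings.get(directive, default)
        if effective not in acceptable:
            findings.append((directive, effective, sorted(acceptable)))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for directive, value, acceptable in audit_sshd_config(cfg):
            print("  %s is %r, expected one of %s" % (directive, value, acceptable))
```

A check like this is what turns "SSH configuration hardening" from a one-time template into something that can be re-run after every package upgrade or manual edit, which is where configurations usually drift.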

In addition, each service was given time and attention to make sure its configuration provides good security measures to protect users’ privacy and data confidentiality. This includes, for instance:

  • a strong TLS cipher list on Nginx, Postfix and all other TLS-enabled services;
  • meticulous privilege separation for web-based services and associated PHP processes.

Finally, it bears stating that Caisleán is free and open-source and builds on software that is also free and open-source, a well-known precondition for peer review and improvement. Far from claiming that Caisleán is bug-free, we hope this will help with detecting and fixing bugs as well as improving the whole system.

Simple to install thanks to Ansible

The use of Ansible allows the setup of all desired services at once without having to configure each of them separately. This helps avoid mistakes and saves precious time.

Installing the services provided by Caisleán on a fresh Debian server consists of these steps:

  • write a few configuration files to tell Ansible which servers Caisleán should be pushed to and which services are desired;
  • perform the manual operations needed as pre-requisites, such as creating TLS private keys or setting up your DNS to allow your server to be an e-mail exchanger for your domain;
  • finally, run Ansible to automatically set up and configure all services.

The Caisleán repository provides sample configuration files as well as full documentation of the parameters or manual operations that certain services require.

Save time and energy for other security-related issues

System administrators should remember that a system that is presented as “secure” still always requires mindful behavior in order to preserve security and privacy of data and users.

Saying that Caisleán is secure means that we try, as far as possible, to provide a software configuration that minimizes the attack surface.

In doing so, we hope that system administrators will be able to focus on other crucial responsibilities: keeping servers up to date, keeping important passwords safe, staying on top of installed WordPress plugins, raising users’ awareness about their personal password policy, etc.

Give it a try

Take a look and give it a try now by fetching Caisleán’s sources from its GitHub repository.

If you have questions or comments, feel free to contact us and/or submit a GitHub issue.


Moving Your Site to HTTPS

HTTPS (HTTP with an S for “secure”) is an internet communication protocol that protects your users’ connections to your website. Data sent over HTTPS is protected in three ways:

  1. Encryption: while a user is browsing your website, an eavesdropper on the network cannot read the data being exchanged, follow the user’s activity on the site or steal their information.
  2. Integrity: data cannot be tampered with as it travels from your website to the user’s computer and vice versa.
  3. Authentication: your users can be sure that they are really communicating with your website. This layer of protection prevents man-in-the-middle attacks and stops attempts to lure your users into connecting to a fake site or downloading falsified files.

While the purpose of enhancing security is certainly a very good reason to move your website to HTTPS, consider that this could also slightly improve your website’s ranking.

TL;DR – How to activate HTTPS on eQPress

If you have already generated an HTTPS certificate for your website, you can install it via the Deflect dashboard. Once you have followed the procedure to install your TLS certificate, your website will be accessible over HTTPS.

If you don’t have an HTTPS certificate yet, you can contact us through the Deflect dashboard or send us an email and we will generate it for you.

Keys and Certificates

For TLS (formerly SSL) to work, you need a key pair: a private key and a public key. A certificate authority signs a certificate that binds your public key to your domain name, and that signed certificate is what your server presents to visitors. The private key and the certificate need to live on the server that hosts your website, so that the web server software which sends your pages to visitors can also set up the secure (TLS) connection with their browsers. If you know how, you are free to generate your keys yourself and then send them to us through the Deflect dashboard. Otherwise, we are happy to generate the key pair for you.

Certificate Authority

To generate a free certificate signed by a certificate authority, the easiest way is to use Let’s Encrypt, a free, automated, and open certification authority run for the public’s benefit.

If you prefer to have your HTTPS certificate signed by a different certification authority, here’s a short list of services that will sign it for you:

  • RapidSSL
  • NameCheap

Analytics and Tracking

If you use analytics tools like Google Analytics, you will want to update the URL that you are tracking from HTTP to HTTPS. Make sure you do this both in analytics and Google Webmaster Tools.


Choosing a Canonical Website Address

Canoni-what?

Canonical is the word used to describe the one address that you want the world to go to when they look you up. The typical choices are whether to use www in front of your domain or not. The classic example follows:

http://www.example.com/

or

http://example.com/

Choosing what your canonical website address (URL) will be is totally up to you. It’s a preference and there’s no right answer. As you can see by looking up at your browser’s location bar now, eQualit.ie has chosen a URL without www. If you start taking notice of the other websites you visit, you’ll probably see that there’s no regular pattern. Google chooses www. The wordpress.org team chooses non-www. It really doesn’t matter. What does matter is making that choice early and sticking with it.
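Sticking with the choice in practice means that a request for the other form of the address gets one permanent redirect to the canonical one, so that links, caches and search engines converge on a single URL. The function below is an added example, not from the original post: `example.com` is the post's own placeholder domain, and the `https` default assumes the site has moved to HTTPS as described in the previous post. Requests for any host other than the www/non-www pair are deliberately left alone.

```python
"""Enforce a chosen canonical host: requests for the other form (www vs. bare
domain) get one permanent redirect to the canonical URL, anything else is left
alone. Added example, not from the original post; example.com is the post's
placeholder domain and the https default ties in with the HTTPS post above."""
from urllib.parse import urlsplit, urlunsplit


def alternate_hosts(canonical_host):
    """The canonical host plus its www/non-www twin, lowercased."""
    host = canonical_host.lower()
    twin = host[4:] if host.startswith("www.") else "www." + host
    return {host, twin}


def canonical_location(url, canonical_host, scheme="https"):
    """Return the URL a 301 redirect should point at, or None when no redirect is
    warranted. Path and query string are preserved; only scheme and host change.
    An unrelated host (another site, a raw IP) is left untouched rather than redirected,
    so the same rule can sit in front of several sites without cross-redirecting them."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = canonical_host.lower()
    if host not in alternate_hosts(canonical_host):
        return None
    if host == target and parts.scheme == scheme:
        return None
    # Any explicit port is dropped: the canonical address uses the scheme's default port.
    return urlunsplit((scheme, target, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed requests against a site whose canonical address is https://example.com/
    for request in (
        "http://www.example.com/about?lang=fr",
        "http://example.com/",
        "https://example.com/news/",
        "https://other.example.org/",
    ):
        print(request, "->", canonical_location(request, "example.com") or "(serve as is)")
```

Whichever form you pick, wire the redirect in once, at the edge that first sees the request, and never redirect in both directions: a www-to-apex rule on one layer and an apex-to-www rule on another produces a redirect loop.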

Considering the Apex

One further factor in your decision is whether or not your domain will be hosted by a DNS provider that supports pointing the non-www address (the zone apex) at a CNAME-style target. DNS standards do not allow a true CNAME at the apex, so only some providers offer an equivalent (often called ALIAS or ANAME records). If your DNS host does not support this feature, we recommend you choose www as your canonical website address.

References

Here’s an article at Google Webmaster Tools called Use Canonical URLs that will help you to learn more about their view of canonical URLs.

Also, Matt Cutts provides some very helpful insight and a FAQ about SEO and URL canonicalization.
