Distributed Denial of Service Attacks Against Human Rights Sites

Hal Roberts
Berkman Center for Internet & Society
at Harvard University
source: wired.com
source: Arbor Networks
Application Attacks: syns, slowlorises, and searches
Network Attacks: volunteers, bots, and amplifiers
DDoS Defenses
* server optimization and hardening
* overcapacity
* dynamic capacity growth
* packet filtering / rate limiting
* scrubbing
* source mitigation
* dynamic rerouting
What we wanted to find out:
* How prevalent are DDoS attacks against independent (ind) media?
* What types of DDoS attacks are used against ind media?
* What are the impacts of these attacks against ind media?
* How can ind media defend against these attacks?
What we did:
* media research
* ind media survey
* ind media interviews
* working meeting
What we learned:
* DDoS attacks against ind media are prevalent
* ind media are particularly vulnerable on the edge of the Internet
* ind media suffer from a range of other attacks as well
* application attacks have some good answers, net attacks have fewer
* net attacks likely require moving ind media sites closer to the core
* help local tech experts work with core Internet organizations
source: CAIDA
* 72% have experienced national network filtering
* 62% have experienced DDoS attacks
* 39% have experienced an intrusion
* 32% have experienced a defacement
* Of those experiencing a DDoS attack, 81% also experienced at least one of filtering, intrusion, or defacement
Of ind media who had a DDoS attack in the past year:
* 55% had their site shut down by their ISPs
* 36% report that their ISP successfully defended them
source: Arbor Networks
source: thetruthabout...@flickr
Specific Recommendations
* plan for attacks
* minimize dynamic pages
* have robust monitoring, mirroring, and failover
* strongly consider hosting on blogger or similar
* do not use cheapest hosting provider (or dns registrar)
Bigger picture: local experts + core resources
* most successful model we saw was local, embedded tech experts
* many core orgs want to help but don’t know how or where
* risks moving control to private companies