On December 4, 2011, elections to the State Duma were held in the Russian Federation. At the same time, large-scale attacks on a number of popular online media outlets were reported.
Highload Lab's Qrator service filtered most of these attacks. Below is a chronology of events from our point of view.
Disclaimer: Highload Lab is in no way associated with any political party and is ready to offer its services to any organization whose activities do not violate the laws of the Russian Federation. This review is published on a specialized IT resource, focuses on the technical details of the events, and in no way aims to determine the causes of, or the perpetrators behind, the events described in the article.
December 2, 2011. The sites zaks.ru and novayagazeta.spb.ru are registered on qrator.net. The active phase of the attack lasted until the evening of December 4; at the peak, about 3,400 requests/s were registered for both resources, which was orders of magnitude higher than the usual load. At the same time, the majority of requests were heavy POSTs to various URLs. Before filtering, the response time to a request was up to 60 s; after connecting, this figure quickly returned to normal.
At that point we still hoped that everything would be limited to this attack. Strangely enough, most of the DDoS attacks did not start a week before the elections, nor during the campaign period, but directly on the day of the vote. Perhaps the attackers calculated that the owners of the targeted sites would not be ready for the threat and would spend significant time choosing a traffic-filtering service provider and setting it up. This calculation was partially justified.
December 4, 2011. At 14:00 slon.ru connects to Qrator. In fact, the attack on the resource had two phases:
- from 14:00 to 19:20, an application-level attack: HTTP GET and POST requests, plus a UDP flood. 250 Mbit/s (plus a share sent to blackhole), 2.5 thousand requests/s, 50-60 thousand bots
- from 19:20 to the end of the day, the application-level attack changed tactics, and a SYN flood was added to it. In total, 200-250 thousand bots were registered, mainly from India and Pakistan. A number of bots sent addresses from local networks such as "10.94.3.16" in the X-Forwarded-For HTTP header. Because there was no time to train the filters, the change in strategy benefited the attackers, and from 19:24 to 21:12 slon.ru was again unavailable, after which it worked without interruption.
Unfortunately, this graph does not accurately represent the real state of affairs, since traffic filtered directly "in hardware" is not taken into account by the statistics collection module. Well, that is what statistics are for: being inaccurate.
At 19:40 echo.msk.ru connects. We register an average of 3.5 thousand HTTP GET requests from approximately 3,000 IP addresses, as well as a SYN flood with a total volume of about 1 Gbit/s. On December 5, the SYN flood returned repeatedly, but its power did not exceed 100 Mbit/s.
20:20: kartanarusheniy.ru. While the filters were being trained, due to a misunderstanding (you can imagine the passions running high), the site administrators switched DNS back to direct access, but returned the next day at 14:30, and just in time: 3 hours later a 1.5 Gbit/s SYN flood arrived at the site. After it ended, the attack on the site almost subsided.
December 5, 2011. In the middle of the day kartanarusheniy.ru (the "map of violations") returns, and at 18:40 bg.ru and tvrain.ru come under protection. HTTP requests aimed at taking down the site database are observed. In total, 8 thousand unique IP addresses.
At the moment, the active phase of most of the described attacks has ended, but a number of them (for example, the DDoS on Ekho Moskvy) have passed into a waiting phase: about a hundred bots keep trying to send "heavy" requests to the server in order to detect the moment when the site "drops out", for example from behind the protection. Another example: the attack on Slon.ru is now dormant, and only 60,000 bots are taking part in it on an ongoing basis.
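Two traits in this chronology are cheap to spot on the defender's side from plain web-server logs: bots that put local-network addresses such as "10.94.3.16" into X-Forwarded-For (the slon.ru phase above), and a small set of sources that keep issuing "heavy" requests at a low rate (the waiting phase just described). The following is an added example, not Qrator's own filtering code; it assumes a hypothetical nginx-style log format with the X-Forwarded-For header and the request time appended as the last two fields, and the log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical log format (assumed for this example): combined format
# followed by the quoted X-Forwarded-For header and the request time
# in seconds, e.g.
#   1.2.3.4 - - [04/Dec/2011:19:30:01 +0400] "GET / HTTP/1.1" 200 512 "-" 0.120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<xff>[^"]*)" (?P<rt>[\d.]+)$'
)

# Constructed sample lines (not real traffic): 198.51.100.23 claims a
# private X-Forwarded-For hop, 198.51.100.51 sends a header that is not
# an address at all, 198.51.100.44 keeps issuing slow POSTs to different
# URLs, and 203.0.113.7 is an ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Dec/2011:19:30:01 +0400] "GET /news/ HTTP/1.1" 200 5120 "-" 0.120',
    '198.51.100.23 - - [04/Dec/2011:19:30:02 +0400] "GET /news/ HTTP/1.1" 200 5120 "10.94.3.16" 0.115',
    '198.51.100.23 - - [04/Dec/2011:19:30:03 +0400] "GET /about/ HTTP/1.1" 200 2048 "10.94.3.16" 0.110',
    '198.51.100.44 - - [04/Dec/2011:19:30:03 +0400] "POST /search HTTP/1.1" 200 9000 "-" 4.200',
    '198.51.100.44 - - [04/Dec/2011:19:30:09 +0400] "POST /comments HTTP/1.1" 200 9000 "-" 3.900',
    '198.51.100.44 - - [04/Dec/2011:19:30:15 +0400] "POST /archive HTTP/1.1" 200 9100 "-" 4.500',
    '198.51.100.51 - - [04/Dec/2011:19:30:20 +0400] "GET / HTTP/1.1" 200 512 "not-an-ip" 0.100',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["rt"] = float(rec["rt"])
    return rec


def xff_has_private_hop(xff):
    """True if any hop in X-Forwarded-For is not a routable public address
    (private, loopback, link-local, reserved) or is not an IP address at all.

    A real upstream proxy may legitimately prepend its own LAN address, so
    this is an anomaly signal to correlate with other evidence, not proof
    of a bot on its own.
    """
    if xff in ("", "-"):
        return False
    for hop in xff.split(","):
        hop = hop.strip()
        if not hop:
            continue
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return True  # a header value no real proxy would write
        if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
            return True
    return False


def classify(lines, heavy_rt=1.0, heavy_min_posts=3):
    """Return {source_ip: set(reasons)} for sources matching a heuristic.

    'private-xff' - sent an X-Forwarded-For header with a non-public hop
    'heavy-post'  - at least heavy_min_posts POST requests whose server-side
                    time was >= heavy_rt seconds (the low-rate "heavy" probes
                    of a waiting-phase attack)
    """
    reasons = defaultdict(set)
    heavy_posts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format
        if xff_has_private_hop(rec["xff"]):
            reasons[rec["ip"]].add("private-xff")
        if rec["method"] == "POST" and rec["rt"] >= heavy_rt:
            heavy_posts[rec["ip"]] += 1
    for ip, count in heavy_posts.items():
        if count >= heavy_min_posts:
            reasons[ip].add("heavy-post")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in sorted(classify(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(why)))
```

Both checks are deliberately rate-independent: the private-hop check fires on the first request, and the heavy-POST count catches the hundred-odd probing bots that never generate enough volume to trip a plain requests-per-second threshold. The thresholds are starting points to tune against the site's own baseline, and a flagged source is a candidate for closer inspection or rate limiting rather than an automatic block.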
What point would we like to make? Practice shows that DDoS attacks in Runet are ahead of the rest of the world. A number of European hosting companies turn out to be fundamentally unprepared even for average attacks on Russian sites, not to mention truly serious cases. At the same time, switching to filtering takes considerable time. So if you are planning a serious event in RuNet, you should take care of insurance before your house starts to burn.