DDoS Attacks on Online Media: A Chronicle of Events
On December 4, 2011, elections to the State Duma were held in the Russian Federation. On the same day, major attacks on a number of popular online media were recorded. The Qrator service, operated by Highload Lab, filtered most of these attacks. The following is a chronology of events from our point of view.
Disclaimer: Highload Lab is in no way associated with any political party and is ready to offer its services to any organization whose activities do not violate the laws of the Russian Federation. This review is published on a specialized IT resource, focuses on the technical details of events, and does not in any way aim to determine the causes or culprits of the events described in the article.
December 02, 2011. The sites zaks.ru and novayagazeta.spb.ru are registered on qrator.net. The active phase of the attack lasted until the evening of December 04; at the peak about 3400 requests/s were recorded in total for both resources, an order of magnitude above the usual load. Most of the requests, however, were heavy POSTs to various URLs. Before filtering began, response times reached 60 s; after the sites were connected, the figure quickly returned to normal.
At that moment we still thought that everything would be limited to this attack. Oddly enough, the DDoS attacks mostly began not a week before the election or during the campaign period, but directly on voting day. Perhaps the attackers calculated that the owners of the targeted sites would not be ready for the threat and would lose significant time choosing and setting up a traffic filtering provider. That calculation was partially justified.
December 04, 2011. At 14:00 slon.ru is connected to Qrator. The attack on the resource in fact had two phases:
- from 14:00 to 19:20 an application-level attack (HTTP GET and POST requests) plus a UDP flood: 250 Mbit/s (plus a share diverted to blackhole), 2.5 thousand requests/s, 50-60 thousand bots
- from 19:20 until the end of the day, the application-level attack changed tactics and a SYN flood was added to it. A total of 200-250 thousand bots were registered, mainly from India and Pakistan. A number of bots passed LAN addresses such as "10.94.3.16" in the X-Forwarded-For HTTP header. Because there was no time to train the filters, the change of strategy benefited the attackers, and from 19:24 to 21:12 slon.ru was again unavailable, after which it worked without interruption.
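Two observations above lend themselves to simple detection logic on the origin side: the heavy-POST floods from the December 02 entry and the bots that presented RFC 1918 addresses in X-Forwarded-For. The script below is an added example, not Qrator's or Highload Lab's filtering code; it parses constructed access log lines (combined log format with the X-Forwarded-For value appended as a final quoted field, an assumed layout) and flags both patterns. The thresholds and sample addresses are illustrative.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines, not real traffic from the attacks described.
# Format assumed here: combined log format plus the X-Forwarded-For value in quotes.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Dec/2011:19:25:01 +0400] "POST /comments/add HTTP/1.1" 200 412 "-" "Mozilla/5.0" "10.94.3.16"
198.51.100.8 - - [04/Dec/2011:19:25:01 +0400] "POST /search HTTP/1.1" 200 7310 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [04/Dec/2011:19:25:01 +0400] "POST /search HTTP/1.1" 200 7310 "-" "Mozilla/5.0" "192.168.1.5, 198.51.100.9"
198.51.100.10 - - [04/Dec/2011:19:25:02 +0400] "GET /index.html HTTP/1.1" 200 15230 "-" "Mozilla/5.0" "-"
198.51.100.11 - - [04/Dec/2011:19:25:02 +0400] "POST /comments/add HTTP/1.1" 200 412 "-" "Mozilla/5.0" "unknown"
198.51.100.12 - - [04/Dec/2011:19:25:02 +0400] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "203.0.113.44"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Ranges that can never be a real client of a public site: RFC 1918 private space,
# loopback, link-local and "this network". A client claiming one of these in
# X-Forwarded-For is either misconfigured or forging the header.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def xff_anomaly(xff):
    """Return a reason string if the X-Forwarded-For value looks forged, else None."""
    if xff in ("", "-"):
        return None  # header absent: nothing to judge
    for raw in xff.split(","):
        raw = raw.strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return f"malformed address {raw!r}"
        if any(ip in net for net in NON_ROUTABLE):
            return f"non-routable address {raw}"
    return None


def flag_forged_xff(entries):
    """List (source ip, reason) for every request with a suspicious X-Forwarded-For."""
    flagged = []
    for e in entries:
        reason = xff_anomaly(e["xff"])
        if reason:
            flagged.append((e["ip"], reason))
    return flagged


def per_second_rates(entries):
    """Map each second to (requests in that second, share of them that are POST)."""
    total = Counter()
    posts = Counter()
    for e in entries:
        sec = e["ts"].replace(microsecond=0)
        total[sec] += 1
        if e["method"] == "POST":
            posts[sec] += 1
    return {sec: (total[sec], posts[sec] / total[sec]) for sec in total}


def heavy_post_seconds(entries, rps_threshold, post_share):
    """Seconds where the request rate and the POST share both exceed the thresholds."""
    return sorted(sec for sec, (rps, share) in per_second_rates(entries).items()
                  if rps >= rps_threshold and share >= post_share)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, reason in flag_forged_xff(entries):
        print(f"suspicious X-Forwarded-For from {ip}: {reason}")
    # Thresholds are tiny because the sample has six lines; a real deployment
    # would derive them from the site's normal load, as the article's "order of
    # magnitude above usual" comparison suggests.
    for sec in heavy_post_seconds(entries, rps_threshold=3, post_share=0.9):
        print(f"POST-dominated burst at {sec.isoformat()}")
```

Forged X-Forwarded-For values are only meaningful when the header is read from a trusted upstream (the filtering proxy or load balancer); a site that trusts the header straight from the client gains nothing from the check because any bot can set it.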
Unfortunately, this graph does not accurately represent the real state of affairs, since traffic filtered directly in hardware is not counted by the statistics collection module. Well, that is what statistics are for: to be inaccurate.
At 19:40 echo.msk.ru is connected. We register an average of 3,500 HTTP GET requests from about 3,000 IP addresses, as well as a SYN flood with a total volume of about 1 Gbit/s. On December 5 the SYN flood returned repeatedly, but its volume no longer exceeded 100 Mbit/s.
20:20: kartanarusheniy.ru. During filter training, due to a misunderstanding (you can imagine the passions yourself), the site administrators switched DNS back to point directly at the site, but returned the next day at 14:30, and just in time: three hours later a 1.5 Gbit/s SYN flood arrived at the site. After it ended, the attack on the site practically subsided.
December 5, 2011. In the middle of the day the Map of Violations (kartanarusheniy.ru) returns, and at 18:40 bg.ru and tvrain.ru come under protection. We observe HTTP requests aimed at overloading the site database, from a total of 8 thousand unique IP addresses.
At the moment the active phase of most of the described attacks has ended, but a number of them (for example, the DDoS on Echo of Moscow) have moved to a waiting stage: about a hundred bots keep sending "heavy" requests to the server in order to detect the moment when the site begins to "give way", for example by leaving protection. Another example: the attack on Slon.ru has now subsided, and only 60,000 bots are taking part in it on an ongoing basis.
What thought would I like to convey? Practice shows that DDoS attacks in Runet are ahead of the rest of the world. A number of European hosting companies are, in principle, not ready even for medium-sized attacks on Russian sites, let alone really serious ones. At the same time, switching to filtering takes noticeable time. So if you are planning a serious event in RuNet, take care of insurance before your house begins to burn.