Media websites from Azerbaijan under DDOS.


Stockholm, 19th April 2019

During the afternoon of the 19th of April 2019, the websites abzas.net, gununsesi.info, azadliq.info and 24saat.org were under a denial-of-service attack.

Starting at 14:52 UTC, the attackers flooded the websites and the Qurium DNS infrastructure with traffic that peaked at one million packets per second.

While the spoofed SYN flood against the webservers and DNS servers was taking place, the attacker was verifying its effect on performance using the third-party service check-host.

During the 19th of April 2019, the websites were blocked 114 times. Dedicated personnel in Azerbaijan are blocking every new IP address of the webservers once the servers are moved to a new location.

The following graph shows the time (epoch) when the website was blocked manually. Between 15:00 (1555686125) and 18:00 (1555696794) UTC, the website was blocked 69 times, more than 20 times per hour.

The following graph shows the average time in minutes between two consecutive network blockings.

The first blocking starts at 8 AM and the last blocking at 2:30 AM (Baku time).

X-axis: Time of the IP block in UTC | Y-axis: Time between two consecutive IP blocks

Despite the DDOS attacks and the constant blocking, the websites remained online across multiple operators.

On the 20th of April at 17:20 UTC, a second denial-of-service attack was launched.

Cleaning DNS attack traffic

During the two attacks, we cleaned the traffic in the upstreams of our upstream provider, AS12552.
The “Hijacked Subprefix” alert indicates that the IP address 91{.}209.88.66/32 was announced by the upstream provider instead of our ASN. This technique, which diverts the traffic for scrubbing, resembles a route hijack.
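
Because a scrubbing diversion raises the same alert as a hostile more-specific announcement, a monitor has to separate the two by origin and timing. The following is an added example, not Qurium's code: the operator ASN 64496, the prefix 192.0.2.0/24 and the sample feed are constructed documentation placeholders, since the page gives neither our ASN nor our covering prefix; AS12552 is the upstream named above.

```python
import ipaddress

# Constructed placeholders: the page gives neither the operator's ASN nor its
# covering prefix, so documentation values (RFC 5398 / RFC 5737) stand in.
OWN_ASN = 64496
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
SCRUBBING_UPSTREAMS = {12552}  # upstream provider named on the page


def classify(prefix, origin_asn, mitigation_active):
    """Classify one observed BGP announcement against our address space."""
    net = ipaddress.ip_network(prefix)
    for own in OWN_PREFIXES:
        if net.version != own.version or not net.subnet_of(own):
            continue  # not inside this prefix (less-specifics are out of scope)
        if origin_asn == OWN_ASN:
            return "own-announcement"
        kind = "prefix" if net == own else "subprefix"
        if origin_asn in SCRUBBING_UPSTREAMS:
            # Same route shape as a hijack; only the origin and timing differ.
            return "expected-scrubbing" if mitigation_active else "unexpected-diversion"
        return "hijacked-" + kind
    return "unrelated"


def triage(announcements, mitigation_active):
    """Return only the announcements that need a human to look at them."""
    quiet = {"own-announcement", "expected-scrubbing", "unrelated"}
    findings = []
    for prefix, origin_asn in announcements:
        verdict = classify(prefix, origin_asn, mitigation_active)
        if verdict not in quiet:
            findings.append((prefix, origin_asn, verdict))
    return findings


# Constructed sample feed of (prefix, origin ASN) pairs.
SAMPLE = [
    ("192.0.2.0/24", 64496),     # our normal announcement
    ("192.0.2.66/32", 12552),    # upstream announces a host route for scrubbing
    ("192.0.2.128/25", 64511),   # unknown origin announces a more-specific
    ("198.51.100.0/24", 64511),  # someone else's address space
]

if __name__ == "__main__":
    for active in (True, False):
        print("mitigation active:", active, triage(SAMPLE, active))
```

The `mitigation_active` flag matters after the attack ends: a host route still originated by the scrubbing upstream once mitigation has been withdrawn is reported rather than silently accepted.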

Reaching the websites

Readers of the websites experiencing problems are reminded of the current mirrors available in the Bifrost project https://www.qurium.org/bifrost/mirrors