La Nueva Prensa under DDoS attack after publishing “Operación Jaque” documentary

July 6, 2020 (Update: July 12, 2020)

Soon after the announcement of the movie documentary of Gonzalo Guillén’s “Operation Jaque, a not so masterful move”, which presents what might really happened behind the operation that led to freedom of 15 kidnapped held by the FARC in 2008, denial of service attacks were launched against the Colombian-based news group La Nueva Prensa.

Five days of continuous attacks

The DDoS attacks against the news site lasted five days, and from June 28 to July 2nd the website site was unreachable. The site was flooded with thousands of bogus web requests that exhausted the hardware resources of the server.

High CPU Usage (28 June- 2 July)

After four days of attacks, La Nueva Prensa reached out to Qurium for support. On July 2nd, Qurium gained access to the flooded server and could confirm that the site was under denial of service attack.

While the DDoS attack was ongoing, Qurium managed to transfer, during 6h, 10GB of web content from the affected server while analyzing the ongoing attack and preparing its infrastructure to mitigate the attack.

During the migration, Qurium analyzed the traffic logs and concluded that the attack was targeting:

GET /component/k2  
Ongoing attack 2nd July 2020.

During the late evening of July 2nd, just before the “Discussion Panel” about the documentary was aired, Qurium completed the migration of La Nueva Prensa’s website to its Secure Hosting infrastructure and brought the site back online.

6000 flooders: proxies and tor-exits

During the presentation of the documentary, which was conducted online, the DDoS attack was intensified.

Online presentation of the Documentary (announcement)

The attack was composed by ,6000 servers that formed a “botnet” acting as a large proxy of the flooding requests.

The “botnet” was composed of a mix of open proxies and TOR exits. The attacks increased around 20:30 PM (Bogota time), minutes after the press conference started online. At 21 PM, the attack peaked at a maximum of 115,000 connections and 200 Mbps.

After eight hours mitigating the attack, the attacker stopped the floodings.

Attack traffic late evening 2nd July during Presentation of Documentary

Second wave of attacks

The 12th of July 2020, a new wave of attacks were launched against the website. The attack that lasted 24h was a combination of spoofed SYN floods and HTTP flood targeting the article “Jaime Lombana más que un crimimal

Constant SYN flood against the server

The HTTP flood contained the same signature that the previous attack, suggesting that all attacks are run by the same attacker. The botnet used a set of very distinctive “HTTP Referrers” <- Slash 

During our investigation we found suspicious activity coming from the ASN 269907 in Huila (Colombia). La Nueva Prensa is trying to seek collaboration from the owner of the Internet provider to confirm if the attacker was monitoring the success of the attack from one of his networks.

The provider “SISTEMAS COMPUTARIZADOS DEL HUILA S.A.S.” recently obtained IP space to provide fiber and wireless connectivity to several costumers in Huila. According to their social media page they provide services in La Plata, Paicol, Tesalia and Nataga.