DDOS: the inconvenient business visitor of Name.com

24 July 2019

The 18th of July, the website azerbaycansaati.tv became unreachable and 24h later, the domain name was no longer available and sinkholed to 127.0.0.1

Name.com, a domain registrar and hosting company, hosted the targeted website. When the site went offline, the site owner reached out to the company to find answers. A support ticket was filled.

More than 24hours later, a brief answer on ticket #1698528 was provided by “Samantha”, stating:

Thank you for your response. Due to the nature of your suspension, we cannot re-enable cPanel for you.

Out of frustration, the website owner reached out to Qurium’s Rapid Response service for help.

Was the website under attack?

During our investigation, we checked our DDOS sensors, that collect traffic from victims of Denial of service attacks.

When a victim of Denial of service attack is targeted with “spoofed” (fake crafted) traffic, our network of distributed sensors are able to record the “back-scatter” (the rebound) traffic of the attacks during the time that the website is able to respond to the attack.

We looked specifically for traffic coming from 173.192.199.144 and 173.192.190.130 the were the last IP addresses of azerbaycansaati.tv

The collectors of backscatter traffic recorded backscatter traffic the 18th and 19th of July targeting ports 22 and 80 of the website.

SYN flood DDoS attack animation — We have a sensor network in a few of those “?” 🙂

We also registered how name.com moved the website from IP addresses 173.192.190.144 to .157 and then .130 and then suspended the DNS service, pointing the website to 127.0.0.1 making it unreachable.

Name.com locks the Control Panel and provides no support

By the morning of the 21th of July, we had the strong indications that the website was under DDOS, despite no access to the content, the website logs or any detailed feedback from Name.com. The hosting provider insisted in not providing access to the Control Panel of the website, and the site content was by then… “kidnapped”.

Twitter can be useful sometimes!… not

Almost 30 hours after the creation of the support ticket, we tried to reach Name.com by social media. We got automatized and not useful feedback: “Thank you for letting us know!”

Two days after opening the support ticket, we got another amazing support response. This time from Nate, Customer Support Representative.

Finally, almost two days after opening the support ticket, we were informed why the account was suspended.

The hosting was suspended for a DDoS attack.

Hours later a backup copy of the whole website was made available to download and Name.com invited the victim of the attack to move away to another provider.

Webhosting Agreement and victims of cyberattacks

We ignore what Name.com means by “Our policies regarding this matter” as the webhosting agreement does *not* talk about “Account Suspension” for those victims of a DDOS attack.

Should a victim of a Denial of service attack be blocked from retrieving its own content from their hosted website?

Should victims of attacks not been properly informed about the reasons of their “Account Suspension”?

Website migration and initial forensic analysis

With a backup copy of the website, we were able to quickly migrate the whole content to our infrastructure.

We also performed a quick forensic analysis of what was logged during the attacks and discover the following:

The attacker launched attacks against the article “Сеньор-Помидор Самед Гурбанов проиграл “SOCAR”.
The attacker monitored the website and the attack using the service Host-Tracker (similar to other attacks we have seen against meydan.tv in the past).
The attacker launched a HTTP POST flooding the 18th and 19th of July using “fineproxy service”.


// Fineproxy -  QualityNetwork OÜ Estonia enabling application layer floodings via 500 of their proxies.

91.243.90.69 - - [18/Jul/2019:05:02:13 -0600] "POST /xmlrpc.php?x=42373464569 HTTP/1.1" 508 288 "https://search.yahoo.com/search?p=en&ei=UTF-8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

Attacker is tracking the availability of the article during the flooding

Fineproxy – a known “proxy as a service” DDOS enabler

Fineproxy service (with a company registered in Estonia) has been used against media in Azerbaijan in the past and we have documented the investigations here:

Azerbaijan and the fineproxy DIY DDOS service (Region40 / QualityNetwork)

What next?

We have been trying to reach Name.com to discuss “this matter” and we have received no response.
We have reached to CERT.EE to report the role of QualityNetwork OÜ Estonia in this kind of DDOS attacks

Update 24th July

The support ticket in Name.com remains open
Name.com promises to reply back when a “review” of the case is completed. ⏳

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.