Kosovan Nacionale under repeated DDoS attacks


Nacionale is a new independent media outlet in Kosovo, launched in March 2022. Though newly established, it is formed by a team of highly experienced journalists and has quickly become one of the main news platforms in Kosovo. Nacionale covers local political and social issues, including high-level corruption by government officials, domestic violence, LGBTQ rights and religious issues.

Since April 2022, Nacionale has been facing constant denial of service attacks intended to silence the outlet. On most occasions, the organization has received an anonymous email minutes before the attack started, stating that the attack was retaliation for its reporting.

In early September, Nacionale was migrated to Qurium's secure hosting platform Virtualroad.org to seek protection against further DDoS attacks. On September 9th, the DDoS attacks resumed. They started with a test flood at 13:15 UTC, followed by 10 hours of continuous waves of DDoS attacks. The attacks continued on Monday, September 12th, for another 8 hours.

Nacionale is hosted under a pro-bono agreement as part of Qurium's Rapid Response service for independent media facing digital attacks. Hence, the digital attacks against Nacionale no longer affect the organization financially, which is often a major motivation for the attacker.

“The attacks highlight the importance for independent media to freely express their thoughts and opinions online without the risk of being silenced by those that disagree” says Ester Eriksson, Managing director of Qurium.


Analysis of the attack

The attacks were crafted to exhaust the resources of the hosting servers, increasing normal traffic by a factor of 1,000 and reaching several million bogus connection attempts per second.

During the 10-hour period of floods, the attacker kept increasing the intensity of the attacks in 10-minute periods. This pattern strongly suggests that the attacker was purchasing the attacks from a third-party provider rather than operating its own attack infrastructure: commercial "stresser" services sell attacks in fixed time slots, so a customer who wants to keep the pressure up has to launch a new attack every time a slot expires.

During the attack, Qurium carefully sampled and recorded the traffic to better understand the methods used against the site. Full packet traces at several million packets per second were collected and analyzed.

Figure: periodic attack waves and packets per second.

The analysis of the traffic logs revealed that the attacks made use of at least three major techniques:

Application Layer Floods

More than 10,000 bots flooded the website with GET / and GET /?q=1U3z3A7JZ0t3 type requests, targeting the front page and the search functionality of the site. The random value in the query string defeats caching, so every request has to be served by the backend rather than by a cache. Both open proxies and the Tor network were used to conduct the attack.

During the attack, Qurium could see how a large botnet in Thailand was engaged to scale up the application layer flooding. A great number of servers from the US hosting provider Colocrossing were also engaged.

The geographical distribution of the flooders included a large number of bots in Thailand, Indonesia, Brazil and Bangladesh, which is not uncommon in commercial “stressing services”.
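The two request patterns above (a burst of GET / and GET /?q=<random> requests from each bot) are easy to pick out of an ordinary web server access log once you look at per-client rate and query-string uniqueness together. The script below is an added example written for this post, not Qurium's own tooling; the log lines are constructed in the default nginx "combined" format, the IP addresses are documentation ranges, and the thresholds (20 requests in 10 seconds, 80% unique targets) are assumptions a site would tune to its own traffic.

```python
"""Spot cache-busting application-layer floods in web access logs.

Added example for this post (not Qurium's tooling). Log lines are
constructed; the format is nginx's default "combined" log format.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_cache_buster(target):
    """True if any query value is a short random-looking token mixing
    letters and digits, like the /?q=1U3z3A7JZ0t3 requests in the flood."""
    for values in parse_qs(urlsplit(target).query).values():
        for v in values:
            if (re.fullmatch(r"[A-Za-z0-9]{8,16}", v)
                    and re.search(r"\d", v) and re.search(r"[A-Za-z]", v)):
                return True
    return False


def find_flooders(lines, window_s=10, min_requests=20, min_unique_ratio=0.8):
    """Return {ip: reason} for clients that send min_requests or more GETs
    inside any window_s-second window and either hammer the front page or
    use mostly unique (cache-busting) targets. Thresholds are assumptions."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        lo, peak = 0, 0
        for hi in range(len(recs)):  # sliding window over timestamps
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak < min_requests:
            continue
        targets = [r["target"] for r in recs]
        busters = [t for t in targets if is_cache_buster(t)]
        unique_ratio = len(set(targets)) / len(targets)
        if busters and unique_ratio >= min_unique_ratio:
            flagged[ip] = f"{peak} req/{window_s}s, {len(busters)} cache-busting queries"
        elif all(t == "/" for t in targets):
            flagged[ip] = f"{peak} req/{window_s}s to front page"
    return flagged


def sample_log():
    """Constructed log lines: two flooding bots and one normal visitor."""
    ts = "09/Sep/2022:13:15:{:02d} +0000"
    lines = []
    for i in range(30):  # bot 1: random query strings against the search page
        token = f"1U3z3A7JZ{i:03d}"
        lines.append(f'203.0.113.7 - - [{ts.format(i % 10)}] "GET /?q={token} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    for i in range(25):  # bot 2: plain front-page flood
        lines.append(f'198.51.100.9 - - [{ts.format(i % 8)}] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append('192.0.2.44 - - [09/Sep/2022:13:15:03 +0000] "GET /politike HTTP/1.1" 200 8192 "-" "Mozilla/5.0"')
    lines.append('192.0.2.44 - - [09/Sep/2022:13:15:20 +0000] "GET /?q=korrupsioni HTTP/1.1" 200 7000 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, why in find_flooders(sample_log()).items():
        print(ip, why)
```

The real search term in the last line is not flagged because it contains no digits; the random tokens are. In production you would feed `find_flooders` a tail of the live log and turn the flagged set into firewall or rate-limit rules, but note that bots behind Tor or open proxies share exit addresses with legitimate visitors, so per-IP blocking alone is not enough.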

Spoofed SYN Floods

The attack infrastructure had the ability to "spoof" traffic, i.e. to create and route packets with an arbitrary source IP address into the Internet. Spoofing allows an attacker to build several types of attacks, including amplification and reflection.

Qurium recorded clear signatures of spoofed SYN floods: our mitigation edges saw millions of packets with source addresses in the 10.0.0.0/8 network, a private (RFC 1918) range that is never routed on the public Internet, so such packets can only have been forged. The TCP MSS option carried a colourful set of values, including 1299 and 1399, which do not correspond to any common link MTU and are not what a real operating system stack would advertise. Interesting MSS values, right?

SYN-ACK Reflection aka TCP Amplification

The attacker used the spoofing capabilities of the attack infrastructure to flood the server with SYN-ACK [S.] packets. Prior to the attack, the attack infrastructure (likely a pay-as-you-DDoS service) scanned the Internet and discovered thousands of devices with TCP port 1080 (normally a SOCKS proxy) open. Once hosts with open ports are known, they can be used to run TCP amplification attacks against any target: the attacker sends SYN packets to the open port with the victim's address as the spoofed source, the host answers the victim with a SYN-ACK, and because the victim never completes the handshake the host retransmits that SYN-ACK several times, multiplying the traffic that reaches the target.
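The two spoofing signatures described in this and the previous section (SYN packets from unroutable sources with odd MSS values, and SYN-ACKs arriving for connections the server never opened) can both be recognised from the raw IPv4/TCP headers. The classifier below is an added example written for this post, not Qurium's mitigation code: it builds a handful of constructed packets with `build_packet()` instead of reading a capture, zeroes the checksums, only parses the MSS option, and the "common MSS" set is an assumption meant to be tuned against real traffic.

```python
"""Classify inbound TCP SYN / SYN-ACK packets for spoofing and reflection signs.

Added example for this post (not Qurium's tooling). Packets are
constructed with build_packet(); there is no live capture.
"""
import ipaddress
import struct
from collections import Counter

FLAG_SYN, FLAG_ACK = 0x02, 0x10

# Source ranges that must never appear on packets arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# MSS values that ordinary stacks advertise (Ethernet, PPPoE, common tunnels).
# Assumption for the example; a deployment would learn this set from clean traffic.
COMMON_MSS = {1460, 1452, 1440, 1420, 1400, 1380, 1360, 1350, 1280, 1220, 536}


def build_packet(src, dst, sport, dport, flags, mss=None):
    """Construct a minimal IPv4 + TCP header (checksums left as zero)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""  # kind 2 = MSS
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4,
                      flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


def parse(pkt):
    """Extract addresses, ports, flags and the MSS option from a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    mss, i = None, 20
    while i < doff:  # walk TCP options until end-of-list
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:  # NOP
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "mss": mss}


def is_bogon(ip):
    return any(ipaddress.ip_address(ip) in net for net in BOGON_NETS)


def classify(pkt, outbound_syns):
    """outbound_syns: set of (peer_ip, peer_port, our_port) for SYNs our host
    really sent. A SYN-ACK that matches none of them is a reflection."""
    p = parse(pkt)
    syn, ack = bool(p["flags"] & FLAG_SYN), bool(p["flags"] & FLAG_ACK)
    if syn and not ack:
        if is_bogon(p["src"]):
            return "spoofed-syn-bogon-source"
        if p["mss"] is not None and p["mss"] not in COMMON_MSS:
            return "syn-unusual-mss"
        return "syn"
    if syn and ack:
        if (p["src"], p["sport"], p["dport"]) not in outbound_syns:
            return "unsolicited-synack-reflection"
        return "synack"
    return "other"


def summarize(packets, outbound_syns):
    """Count packets per class; reflectors show up under their source port."""
    return Counter(classify(p, outbound_syns) for p in packets)


def sample_capture():
    """Constructed packets modelled on the signatures described in the post."""
    victim = "192.0.2.10"
    return [
        build_packet("10.37.2.9", victim, 40000, 443, FLAG_SYN, mss=1299),       # RFC 1918 source
        build_packet("198.51.100.5", victim, 40001, 443, FLAG_SYN, mss=1399),    # routable, odd MSS
        build_packet("203.0.113.80", victim, 1080, 443, FLAG_SYN | FLAG_ACK),    # port-1080 reflector
        build_packet("198.51.100.5", victim, 40002, 443, FLAG_SYN, mss=1460),    # ordinary SYN
        build_packet("203.0.113.200", victim, 443, 51000, FLAG_SYN | FLAG_ACK),  # reply to our SYN
    ]


if __name__ == "__main__":
    ours = {("203.0.113.200", 443, 51000)}  # the one connection we opened ourselves
    for label, n in summarize(sample_capture(), ours).items():
        print(n, label)
```

On a real edge, `outbound_syns` would be the mitigation box's connection-tracking table rather than a hand-written set, and a `classify` result of `unsolicited-synack-reflection` from thousands of distinct sources with the same source port is exactly the port-1080 picture described above.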

Reflecting hosts observed, by country:

9544 US
4022 CN
3222 HK
2855 KR
2186 FR
1843 TW
1558 CL
1198 BR
1192 GB

In France, for example, hundreds of devices under mobile.abo.orange.fr were systematically abused to run the SYN-ACK floods. Similarly, hundreds of hosts under the health.mil domain of the US Department of Defense were used to bounce traffic against Nacionale.

The attacker checking the success of the attacks

During the 10-hour period of denial of service attacks, the attacker used the third-party service check-host dozens of times to verify whether the attacks were successful.

The last check was done by the attacker just minutes before midnight, after checks against both port 80 and port 443 of the site.

More attacks on Sunday night and Monday

On the night of September 11th, the attacker started a new wave of attacks at 22:30 UTC that lasted 2.5 hours. On the morning of September 12th, the attacker launched several attacks targeting the URL /politike.

As in the previous attacks, the attacker flooded the site with thousands of web requests from more than 14,000 IP addresses, while using the check-host service to verify his success.

Three hosting providers alone, COLOCROSSING, BLAZINGSEO and SERVER-MANIA, sourced a large part of the attack.

At the time of writing, 15 waves of attacks have been observed since the early morning of September 12th.