January 27, 2019
During the past weeks, the alternative online news agency Bulatlat.com has been receiving series of denial of service attacks. The attacks intensified on the 25th of January bringing the website down for several days.
Bulatlat, established in 2001, is a well known alternative media in the Philippines with the mission of fighting for truth and justice and against all forms of oppression.
Migration to Virtualroad.org after a week of continuous attacks
The website has been under attack from 19th of January 2019. The attackers first attacked the front-end, hosted with Cloudflare, and later on they directed the attack to the backend.
Bulatlat reached out to Qurium’s Rapid Response service on Friday the 25th of January. A few hours later, the website was migrated to Virtualroad.org’s secure hosting infrastructure during an ongoing attack.
Day 1, 26th of January
Since the migration to Virtualroad.org on the 25th, we have successfully been mitigating the ongoing attack by means of our in-house DDoS mitigation gear.
The DDoS attack, that has been active for several days, increased around 2 AM UTC on Saturday 26th (10 AM in the morning in Philippines). The attackers are using 1,100 compromised computers to flood the website with requests.
The attackers are using the following 19 “User Agents” in their requests:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0.2 Safari/604.4.7]
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36]
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36]
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36]
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36]
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36]
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0]
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1]
Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1]
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1]
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1]
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36]
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02]
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:220.127.116.11) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8]
The attackers are performing requests to the URL “/?” as in “GET /?” aimed to bypass any “Cache” mechanisms and overload the service.
The attackers aimed the attack to HTTP (Port 80) in three occasions for 30 minutes periods. The number of requests per second reached 1430, meaning that the attackers kept a low request ratio per bot to avoid flood detection.
Day 2, 27th of January
After a few hours without attack traffic, a new botnet has been deployed to attack the site. This time the attack had a combination of application layer and UDP flooding with very small packet sizes.
During the one hour flooding, the attackers were checking if the website was online periodically using the service “check-host”.
Day 3, 28th January 2019
Day 3 of the attacks started by a flood using servers hosted in data centers. The attack increased the speed at 6.36 AM and combined servers from data centers and open proxies (Mikrotik routers).
The attackers started by using new web flooders: “CF-Cannon” and “Hulk” to try to bypass the “Caching” and mitigation.
The attack continued during the morning, where they added SYN Floods with spoofed traffic and UDP amplification abusing MS SQL, NTP and mDNS services.
The graphs shows the different attempts to take the website down during the past 12hours.
The following graph shows the number of bots blocked (~2000) during the last three days (Y-axis=epoch). Easy to spot, that the attackers are using one or several “stress testing services”.
Attack signatures Day 3
- L7, multiple flooders including CF-Cannon and Hulk
- L7, Search Flood – Cache bypass
- MS SQL Amplification attack: UDP Port 1434 (Against port 80 and 443)
- NTPv2 and NTPv3 Amplification attack: UDP Port 123
- SYN Flood (without payload) – win 10 – 255
- FIN – ACK Flood
- mDNS RFC6762 Amplification attack: UDP Port 5353
- TeamSpeak UDP Flood: UDP Port 9987
- SSDP/UPnP Amplification attack: UDP Port 1900
Day 4, 29th January 2019
Attack started at 3.05 AM after 5 minutes trials and lasted 3 hours. The graph shows the different floods and when attack signatures changed. Attacks reached several million packets per second during 60 minutes.
Two hours of ACK Flood, starting 10.30 AM UTC. 2.5 billion of bogus sessions mitigated.
Day 5, 30th January 2019
Two new attacks were launched in the morning including a new attack vector UDP Chargen Port 19.
Also some rogue zombies continued the L7 application layer attack at 9:30 AM, probably when they went online (10 mins)
A new wave of attack started in the evening including new attack vectors to increase the UDP Amplification:
- Ubiquiti Amplification, UDP Port 10001
- DNS Amp, UDP Port 53
- GREv1 PPP Flooding
- SNMP Amplification
- Cstrike Amplification
- Isakmp, UDP port 4500
Day 6, 31th January 2019
Attacks start again at 3.20 AM, with traffic reaching 5 Mpps of SYN flood
Interesting to see was how the “flooders” were taking turns and disengaging after 30 or 1h or activity.
After a couple of days without attacks, the attackers initiated a round of pen testing attacks trying to break into the website.
- 1st February 2019: Nikto scanning
- 2nd February 2019: Dirbuster scanning
- 4th February 2019: WPScan scanning (16 PM)
The night of 4th of February 2019, the attacker launched a denial of service attack against the website and just a few minutes after he used the same technique against kodao.org
For example, at 19:14 CLDAP Amplification attack started against bulatlat.com and at 19:19 the same attack was launched against kodao.org
An example of one day of attacks, can be summarized as follows:
- 16 PM, he conducts a vulnerability scan against the site that gets slow down after detection
- 17:30 PM, he starts a denial of service attack against our setup with “Project Shield” where we proxy one of our load balancers. The attack includes an application layer attack with hundreds of bots.
- 18:15 PM, he starts a second denial of service attack against Qurium load balancer. A UDP flooding (18:14-18:17) is followed by a SYN, RST-ACK flooding (18:17 PM)
- 19:14 PM, he continues the attack using CLDAP UDP flooding
- 19:19 PM, he changes target an attacks kodao.org