Russian exiled media Meduza.io facing repeated DDoS attacks


Meduza is one of the largest and most influential regime-critical Russian news sites, delivering daily news from all across Russia in Russian and English. Meduza operates in exile from its headquarters in Riga, Latvia, where most of its newsroom is located.

In January 2023, Russia’s General Prosecutor’s Office declared Meduza “undesirable” in the country after concluding that the media outlet “poses a threat to the foundations of Russia’s constitutional order and security”. Its news sites have long been blocked in Russia.

In February 2024, Meduza made a public statement announcing that it was facing the most intense cyberattack campaign in its history. The attacks included denial-of-service attacks against its websites, attempts to bring down its crowdfunding infrastructure, immediate blocking of new mirror sites (10-20 minutes after launch) and attempts to compromise mail and social media accounts of staff members.

On April 15th, Meduza’s website was again targeted by a DDoS attack that lasted no less than 48 hours. Meduza reached out to Qurium’s Rapid Response service to investigate the attack’s origin and composition and to support its technical team with mitigation strategies.

Our forensic investigation leads back to a denial-of-service infrastructure built as an overlay of several residential proxy providers. We have identified at least three: “Plainproxies”, “Min Proxy” and “RapidSeedBox”. Two of them, Plain Proxies and Min Proxy, obtained their IPv6 addresses from providers that we had already identified in previous attacks against Hungarian media during 2023: A1 Network Exchange and Access2.IT (NL).


The denial-of-service attack started on the 15th of April at 17:00 UTC and lasted 48 consecutive hours. It was an application-layer attack aimed at the search functionality of Meduza.io. The attackers targeted the search component because each request to it retrieves fresh content from the backend servers instead of being served from the cache.

In order to better understand the attack infrastructure, Meduza and Qurium decided to look into the attack logs provided by Cloudflare Logpush. The total volume of attack logs for the two-day period was close to 3 TB and recorded 2 billion requests.

Number of requests over time during the 48h attack window.

Since Cloudflare delivers logs in its own data format, we implemented a parser to convert the Cloudflare logs so that they could be ingested into our Elasticsearch engine for analysis.

Cloudflare R2 logs.

The botnet behind the attack consists of devices distributed among providers outside Europe, behind consumer DSL routers, which suggests that the botnet operates from IoT devices or from malware on desktop computers.

Providers that host devices involved in the attack.

The number of distinct IP addresses used during the whole attack totals 6,300. The attack rate per IP address suggests that the botnet had no internal rate control: each address flooded the target at its own best-effort speed.

For example, an analysis of the top 200 IP addresses flooding the website shows that the request rate varies from several million requests/h to a few thousand requests/h.

The number of hits per IP address involved in the attack shows that no rate control was implemented.

The illustrations below show the distribution of compromised devices per AS number and country.

A second wave leads to “Plain Proxies”

A second attack wave took place in the morning of the 18th of April. This time we spotted web flooding coming from IPv6 addresses. One of the addresses, 2a0a:1f46:c800:d27f:9c8e:26b6:d0d0:2ef5, gave us a hint of what kind of infrastructure the attackers were using.

The network prefix 2a0a:1f46::/32 is routed by A1NX, a Bangladeshi provider that Qurium recently flagged as a host of residential proxies involved in denial-of-service attacks. In November last year, Qurium traced attacks against regime-critical Hungarian media back to A1NX.

The IPv6 prefix is leased from the Canadian provider Heymman Servers to A1NX, which in turn allocates the space to the German customer 3xK Tech GmbH (3xktech.cloud), an IPv6 proxy provider operated by Friedrich Kräft. Friedrich Kräft runs “Plain Proxies”, and in this promotional video the benefits of IPv6 proxies are described in great detail.

inet6num: 2a0a:1f40::/29
netname: DE-3XKTECHGMBH-20170227
country: DE
org: ORG-TG236-RIPE
admin-c: TAD45-RIPE
tech-c: TAD45-RIPE
status: ALLOCATED-BY-RIR
mnt-by: lir-de-3xktechgmbh-1-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2024-02-14T10:37:04Z
last-modified: 2024-02-14T10:37:04Z
source: RIPE

route6: 2a0a:1f46::/32
origin: AS51082
mnt-by: mnt-ca-heymman15-1
created: 2023-07-04T06:39:16Z
last-modified: 2023-07-04T06:39:16Z
source: RIPE
FranDev promoting Plain Proxies in Blackhat Forums.

The 1h attack was conducted from the following IPv6 networks:

An analysis of the IPv6 flooding shows an almost constant number of active addresses (1,500-2,000) that are constantly rotating.

Compared with the first (48h) flooding, the new attack scaled up the number of IP addresses flooding the site by a factor of 10.

During our research we found that plainproxies.com shares infrastructure with several other proxy providers including:

www.lightningproxies.net
www.plainproxies.com
www.proxies.fo
www.proxies.gg
www.sparkproxies.net
www.strikeproxy.com
www.catproxy.io

RapidSeedbox

Plain Proxies was not the only IPv6 proxy provider used to conduct the denial-of-service attacks. When we looked into the attack data we found that more than 350 IPv6 addresses flooding the website came from the prefixes 2a13:2f40::/29 (170) and 2a11:4e80::/29 (160), announced by AS60781 and AS395839 and maintained by sc-rapidseedbox-1-mnt.

Our analysis shows that after 10,000 requests RapidSeedBox rotated to a new IPv6 address. During the attack the prefix 2a11:4e80::/29 alone flooded meduza.io with 1.6M requests targeting one single article.

IPv6 rotation changing upstream from Leaseweb to Hostkey after 3 minutes and 1.5 million requests.
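The per-address hit counts and the per-prefix attribution described above can be reproduced on a Logpush export with a short script; the following Python is an added example written for this article, not Qurium's or Meduza's own tooling. The Cloudflare http_requests field names are real, the prefix-to-provider mapping comes from this article's summary table, and the sample records (including the corrupt trailing line) are constructed for the example.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Prefix -> provider mapping taken from the summary table in this article.
PREFIXES = {ipaddress.ip_network(p): who for p, who in {
    "2a11:4e80::/29": "RapidSeedBox (AS395839)",
    "2a13:2f40::/29": "RapidSeedBox (AS60781)",
    "2a0a:1f46::/32": "Plainproxies (AS51082)",
    "2a0e:a942::/32": "minproxy (AS200250)",
    "2001:470:7000::/37": "tunnelbroker.net (AS6939)",
}.items()}

# Constructed sample export, one JSON object per line, built from (address, hits) pairs.
# Field names follow Cloudflare's http_requests dataset; the values are invented here.
SAMPLE_NDJSON = "\n".join(
    json.dumps({"EdgeStartTimestamp": "2024-04-18T07:00:00Z", "ClientIP": ip,
                "ClientRequestHost": "meduza.io", "ClientRequestURI": "/search?q=x"})
    for ip, n in [("2a11:4e80:1::10", 5), ("2a11:4e80:1::11", 3),
                  ("2a0a:1f46:c800:d27f:9c8e:26b6:d0d0:2ef5", 4),
                  ("2001:db8::1", 2), ("198.51.100.9", 6)] for _ in range(n)
) + "\n{broken json\n"  # a corrupt trailing line, as large exports often have

def parse_logpush(ndjson):
    """One dict per valid JSON line; blank or corrupt lines are skipped, not fatal."""
    for line in ndjson.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def hits_per_ip(records):
    """Requests per client address; a wide spread in the top-N means no rate control."""
    return Counter(r["ClientIP"] for r in records if "ClientIP" in r)

def attribute_prefixes(records):
    """Bucket IPv6 clients by known provider prefix into {provider: {"hits", "addresses"}};
    many addresses with few hits each is the rotation signature the article describes."""
    stats = defaultdict(lambda: {"hits": 0, "addresses": set()})
    for r in records:
        try:
            ip = ipaddress.ip_address(r["ClientIP"])
        except (KeyError, ValueError):
            continue
        if ip.version != 6:
            continue  # the IPv4 wave is covered by hits_per_ip()
        owner = next((who for net, who in PREFIXES.items() if ip in net), "unattributed")
        stats[owner]["hits"] += 1
        stats[owner]["addresses"].add(ip)
    return {k: {"hits": v["hits"], "addresses": len(v["addresses"])} for k, v in stats.items()}
```

On a real export, feed the file contents to parse_logpush and compare the "addresses" count of each provider against its "hits" to see how aggressively that provider rotates addresses.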

RapidSeedBox advertises itself as a leading provider of online anonymity and digital freedom services.

MIN Proxy

A third proxy provider identified is MIN Proxy (minproxy.io/vn), operating from AS200250, which started to advertise its prefixes in late 2023. The attack came from the prefix 2a0e:a942::/32. The prefix was provided by the Dutch ISP Access2.IT Group B.V., which we have flagged in the past as a provider of IP space for Whiteproxies, a proxy provider used to target Hungarian media.

250+ IPv6 prefixes from Minproxy from January 2024.

Conclusion

Two types of infrastructure have been used to target Meduza.io. The first was formed by IPv4 addresses in consumer networks with compromised routers (IoT).

The second was formed by an overlay of multiple IPv6 proxy providers, including RapidSeedBox (IL), Plainproxies (DE), Minproxy (VN) and the IPv6 tunneling service Tunnelbroker (USA).

A sample summary table with the top IPv6 prefixes of the denial of service attack follows:

Prefix              Upstream   Proxy Provider
2a11:4e80::/29      AS395839   sc-rapidseedbox-1-mnt (RapidSeedBox)
2a13:2f40::/29      AS60781    sc-rapidseedbox-1-mnt (RapidSeedBox)
2a04:52c0::/32      AS60404    mnt-nl-theinfrastructuregroup-1 (Liteserver)
2a0a:1f46::/32      AS51082    mnt-ca-heymman15-1 (Plainproxies)
2a0e:a942::/32      AS200250   A2-MNT (minproxy)
2001:470:7000::/37  AS6939     Hurricane Electric / tunnelbroker.net

Abuse reporting

18 April: Qurium emails “Plain Proxies” and “A1NX”, informing them that a denial-of-service attack against meduza.io is being sourced from their infrastructure and attaching traffic logs as proof.

19 April: Plain Proxies answers, claiming that no such traffic is sourced from its infrastructure “as of now”. It will block all outgoing traffic to meduza.io to prevent further attacks. However, attacks against any other domain remain possible, as the root cause of the problem (malicious clients) is not addressed. In an exchange of e-mails with Friedrich Kräft, CEO of Plain Proxies, he did not consider 250,000 requests from one single IPv6 address a reason to call it a denial-of-service attack, and committed to reaching out to his customer to ask why the target “meduza.io” was requested so often.

20 April: RapidSeedBox and Access2.IT have been informed about the denial-of-service attacks.

Responses from Plain Proxies

Hello,

We have received your report and are investigating it internally. We are not seeing any traffic going to this target as of now. We will block that domain across our infrastructure.

Kind regards

Hello,

We have no need to justify anything against your party, company whatsoever.
We have blocked the domain that was “attacked”, we have requested the customer in charge to explain why he requested this target so often.
The amount of requests to a single target is nothing unusual in a proxy environment. We host companies scraping billions of records monthly.

If there are any recurring issues, let us know. Otherwise we consider this case as closed.

Kind regards

And like all the residential proxy providers that we have identified as providing infrastructure for denial-of-service attacks, they promote “a more ethical and transparent digital future together!”

Media

[April 25, 2024] Mastodon. Catalin Cimpanu. Qurium researchers have linked recent DDoS attacks against Russian…