One year after the denial of service against

The attack against

On the 1st of October 2017, the website was responsible for the registration of voters during the Catalan referendum. Soon after the website was made public, a series of denial of service attacks were organized from the discussion board

The denial of service attacks were coordinated by “alextango” in the Forum thread

As the domain name became unavailable due to the denial of service attacks and the domain blocking by main upstream providers such as Telefonica, a set of reverse proxy servers was deployed at different hosting providers to re-route the traffic to the server:

AS14061 Digital Ocean, Inc.
AS16509, Inc.
AS24806 INTERNET CZ, a.s.
AS29073 Quasi Networks LTD.
AS8100 QuadraNet, Inc

At 8:40 AM UTC that day, we recorded backscatter traffic coming from, one of the IP addresses used as a proxy server.

The technique of using backscatter traffic to track denial of service attacks was first described in the work of Savage and Moore from the University of California (UCSD/CAIDA) in 2001.

In a nutshell, a server under a denial of service attack will respond to the attack traffic with several types of packets (SYN-ACK, RST and ICMP). If the attacker is randomly “spoofing” the source addresses used to perform the attack, the responses from the server go to those spoofed addresses and can be recorded by sensors globally.

These sensors are known as “darknets” or “network telescopes” and are frequently used by researchers to monitor network outages or the evolution of Internet threats such as worms and remote exploitation.

One year ago, we recorded “1 packet” in our sensors that indicated that the attackers “spoofed” the traffic to launch the attacks.

08:40:32.490444 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 44) > X.X.X.124.31365: Flags [S.], cksum 0xcdfd (correct), seq 4101521145, ack 1295182152, win 26883, options [mss 1360], length 0
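The following Python code is an added example, not part of the original analysis or of any telescope project's tooling. It classifies tcpdump lines seen at a darknet sensor into the TCP backscatter types described above and groups them by the replying host. The sample lines are constructed, all addresses are placeholders from documentation ranges, the function names are illustrative, and ICMP replies are not handled.

```python
import re
from collections import Counter

# Constructed tcpdump -v lines as a darknet sensor would log them. Addresses are
# RFC 5737 documentation ranges (placeholders), not values from the article.
SAMPLE = """\
08:40:32.490444 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 44) 192.0.2.10.80 > 198.51.100.124.31365: Flags [S.], cksum 0xcdfd (correct), seq 4101521145, ack 1295182152, win 26883, options [mss 1360], length 0
08:40:33.101200 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.10.80 > 198.51.100.7.40112: Flags [R.], cksum 0x1a2b (correct), seq 0, ack 77123, win 0, length 0
08:41:02.000100 IP (tos 0x0, ttl 51, id 4242, offset 0, flags [none], proto TCP (6), length 44) 203.0.113.9.51514 > 198.51.100.9.23: Flags [S], cksum 0x9f01 (correct), seq 12345, win 1024, options [mss 1460], length 0
09:55:10.250000 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 44) 192.0.2.10.80 > 198.51.100.201.2048: Flags [S.], cksum 0x0bad (correct), seq 99, ack 100, win 26883, options [mss 1360], length 0
"""

LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):\S+ IP .*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[(?P<flags>[^\]]*)\]"
)

def classify(flags):
    """Map tcpdump TCP flags to a backscatter type, or None if not a reply."""
    if flags == "S.":
        return "SYN-ACK"  # server answering a SYN it believes we sent
    if "R" in flags:
        return "RST"      # server rejecting a packet it believes we sent
    return None           # e.g. bare SYN: someone scanning the darknet

def summarize(lines):
    """Group backscatter by replying host (the likely victim)."""
    victims = {}
    for line in lines:
        m = LINE.match(line)
        kind = classify(m["flags"]) if m else None
        if kind is None:
            continue
        minute = int(m["h"]) * 60 + int(m["m"])
        v = victims.setdefault(m["src"], {"kinds": Counter(), "dsts": set(), "t": []})
        v["kinds"][kind] += 1
        v["dsts"].add(m["dst"])
        v["t"].append(minute)
    return {
        ip: {
            "kinds": dict(v["kinds"]),
            "darknet_addresses_hit": len(v["dsts"]),
            # Lower bound only: a victim that stops responding goes silent.
            "observed_minutes": max(v["t"]) - min(v["t"]),
        }
        for ip, v in victims.items()
    }

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

The bare SYN from the third sample line is excluded because it is a probe arriving at the sensor, not a reply from a server under attack.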

Since then, we have reached out to every organization we could find that has similar research networks, including the “UCSD Network Telescope”, which runs the largest network of this type worldwide.


Backscatter traffic from Amazon AS16609

Using their data, we searched for activity coming from Amazon (AS16609) on the 1st of October. We could see a series of spikes in packets coming from Amazon during the 1st of October (red graph). The spikes show the increase of “backscatter” traffic from Amazon.


Backscatter traffic from confirms denial of service with spoofed traffic

But not all the Amazon backscatter traffic corresponds to the denial of service against  After obtaining more specific data from the UCSD project for one specific IP, we can see that between 8:40 AM and 10 AM there were several attacks.





Using the backscatter traffic alone, it is impossible to know the attack duration, as most servers will not be able to cope with the attack traffic and will just stop responding. What seems clear is that we can fully confirm a “spoofed” SYN flood coming into ( on the 1st of October for at least 90 minutes. This is the only IP address that received an attack of this type.


Google Complains about disproportional blocking

At the end of September 2017, Google received a request from the “Court of first instance nº 13 of Barcelona Ref: 118/2017-L” to cancel the service of Google Cloud to several domains connected to the referendum of Catalonia and all domains connected to the same user.



At the end of May 2018, Google sent a letter to the Court of first instance in Barcelona, stating that after more than six months they are unaware of the status of Court proceedings and that Google considers that the indefinite blocking of the sites is a disproportional measure.

A transcript of the letter that Google sent is here:


Diligencias Previas 118/2017-L




In a similar document, dated 15th September 2017, that orders the shutdown of the domains, the Guardia Civil requests the operators to block the domains, but in this case they include “a maximum” of one year.




Are the Websites still blocked?

During this year we have been monitoring the status of 70+ domains related to the Catalan referendum. The main techniques used to block the domains are:

  • Use of DPI equipment to redirect the HTTP requests to
  • Revoke the .cat domain / Change DNS servers
  • Provide bogus DNS responses at the carrier resolver


The following domains have been redirected to “Akamai Hosting” by the .cat TLD

The following 6 IPs have been used to block the domains,,, and

The following 21 domains are redirected to Akamai (until 2018-08-15)

; EDNS: version: 0, flags:; udp: 4096

cat. 7200 IN SOA 1809130930 900 300 604800 7200


As of the 1st of October 2018, more than 1 year after the court proceedings started, 21 websites still show this banner