The attack against registremeses.com
On the 1st of October 2017, the website registremeses.com was responsible for the registration of voters during the Catalan referendum. Soon after the website was made public, a series of denial of service attacks was organized from the discussion board forocoches.com.
The denial of service attacks were coordinated by “alextango” in the forum thread https://www.forocoches.com/foro/showthread.php?t=5933224
As the domain name became unavailable, both because of the denial of service attacks and because major upstream providers such as Telefonica blocked the domain, a set of reverse proxy servers was deployed at different hosting providers to re-route the traffic to the registremeses.com server:
AS14061 Digital Ocean, Inc.
AS16509 Amazon.com, Inc.
AS24806 INTERNET CZ, a.s.
AS29073 Quasi Networks LTD.
AS8100 QuadraNet, Inc
At 8:40 AM UTC that day, we recorded backscatter traffic coming from 184.108.40.206, one of the IP addresses used as a proxy server.
The technique of using backscatter traffic to track denial of service attacks was first described in the work of Savage and Moore from the University of California (UCSD/CAIDA) in 2001.
In a nutshell, a server under a denial of service attack will respond to the attack traffic with several types of packets (SYN-ACK, RST and ICMP). If the attacker randomly “spoofs” the source addresses of the attack traffic, those responses are sent to the spoofed addresses and can be recorded by sensors globally.
These sensors are known as “darknets” or “network telescopes” and are frequently used by researchers to monitor network outages or the evolution of Internet threats such as worms and remote exploitation.
One year ago, we recorded “1 packet” in our sensors that indicated that the attackers “spoofed” the traffic used to launch the attacks:
08:40:32.490444 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 44)
220.127.116.11.80 > X.X.X.124.31365: Flags [S.], cksum 0xcdfd (correct), seq 4101521145, ack 1295182152, win 26883, options [mss 1360], length 0
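As an added example (not code from the original post), here is a small parser for tcpdump output of the two-line form shown above: it keeps only backscatter packets (SYN-ACK and RST replies arriving at unused telescope addresses), attributes each one to the victim that emitted it, and groups them into attack episodes. The sample input is constructed from the quoted packet plus three invented lines; X.X.X.* stands for the telescope's address space, as in the post.

```python
import re
from datetime import datetime, timedelta

# Matches the two-line "tcpdump -v" form shown above: a header line, then the TCP line.
HDR = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP .*?ttl (\d+),.*?proto TCP")
TCP = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# What a victim sends back when it answers a SYN whose source address was spoofed into
# the telescope's unused space. A plain SYN ("S") arriving there is a scan, not backscatter.
BACKSCATTER_FLAGS = {"S.": "SYN-ACK", "R": "RST", "R.": "RST-ACK"}

def parse_backscatter(text):
    """Return [(time, victim_ip, victim_port, kind, ttl)] for backscatter packets only."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records = []
    for hdr, body in zip(lines, lines[1:]):
        h, t = HDR.match(hdr), TCP.match(body)
        if not (h and t) or t.group(5) not in BACKSCATTER_FLAGS:
            continue
        ts = datetime.strptime(h.group(1), "%H:%M:%S.%f")
        records.append((ts, t.group(1), int(t.group(2)),
                        BACKSCATTER_FLAGS[t.group(5)], int(h.group(2))))
    return records

def summarize(records, gap=timedelta(minutes=10)):
    """Group packets per victim (ip, port) into episodes separated by silence > gap.
    An episode only bounds the attack from below: a saturated server stops answering."""
    per_victim = {}
    for ts, ip, port, _kind, _ttl in sorted(records):
        episodes = per_victim.setdefault((ip, port), [])
        if episodes and ts - episodes[-1]["last"] <= gap:
            episodes[-1]["last"] = ts
            episodes[-1]["packets"] += 1
        else:
            episodes.append({"first": ts, "last": ts, "packets": 1})
    return per_victim

# Constructed sample: the packet quoted in the post plus three invented lines.
SAMPLE = """\
08:40:32.490444 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 44)
220.127.116.11.80 > X.X.X.124.31365: Flags [S.], cksum 0xcdfd (correct), seq 4101521145, ack 1295182152, win 26883, options [mss 1360], length 0
08:41:10.000000 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 44)
220.127.116.11.80 > X.X.X.7.44001: Flags [S.], cksum 0x0000 (correct), seq 1, ack 2, win 26883, options [mss 1360], length 0
10:05:00.000000 IP (tos 0x0, ttl 44, id 0, offset 0, flags [DF], proto TCP (6), length 40)
220.127.116.11.80 > X.X.X.9.5555: Flags [R.], cksum 0x0000 (correct), seq 0, ack 1, win 0, length 0
10:05:30.000000 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 40)
198.51.100.5.443 > X.X.X.3.6000: Flags [S], cksum 0x0000 (correct), seq 0, win 0, length 0
"""
```

`summarize(parse_backscatter(SAMPLE))` yields a single victim, 220.127.116.11:80, with a two-packet episode starting at 08:40:32 and a separate RST-ACK episode at 10:05:00; the plain SYN from 198.51.100.5 is dropped as a scan.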
Since then, we have reached out to every organization we could find that operates similar research networks, including the “UCSD Network Telescope”, which runs the largest network of this type worldwide.
Backscatter traffic from Amazon AS16609
Using their data, we searched for activity coming from Amazon (AS16609) on the 1st of October. We could see a series of spikes in packets coming from Amazon during the 1st of October (red graph). The spikes show the increase of “backscatter” traffic from Amazon.
Backscatter traffic from 18.104.22.168 confirms denial of service with spoofed traffic
But not all the Amazon backscatter traffic corresponds to the denial of service against registremeses.com. After obtaining more specific data from the UCSD project for one specific IP, 22.214.171.124, we can see that there were several attacks between 8:40 AM and 10 AM.
Using only the backscatter traffic, it is impossible to know the attack duration, as most servers will not be able to cope with the attack traffic and simply stop responding. What seems clear is that we can fully confirm a “spoofed” SYN flood coming into registremeses.com (126.96.36.199) on the 1st of October for at least 90 minutes. This is the only IP address that received an attack of this type.
Google Complains about disproportionate blocking
At the end of September 2017, Google received a request from the “Court of first instance nº 13 of Barcelona, Ref: 118/2017-L” to cancel the Google Cloud service for several domains connected to the referendum of Catalonia and for all domains connected to the same user.
At the end of May 2018, Google sent a letter to the Court of first instance in Barcelona stating that, after more than six months, it is unaware of the status of the court proceedings and that Google considers the indefinite blocking of the sites a disproportionate measure.
A transcript of the letter that Google sent is here:
Preliminary Proceedings (Diligencias Previas) 118/2017-L
TO THE COURT OF INSTRUCTION NO. 13 OF BARCELONA
A similar document ordering the shutdown of the domains, dated 15th September 2017, in which the Guardia Civil requests that the operators block the domains, does in this case include “a maximum” of one year.
Are the Websites still blocked?
During this year we have been monitoring the status of 70+ domains related to the Catalan referendum. The main techniques used to block the domains are:
- Use of DPI equipment to redirect the HTTP requests to paginaintervenida.edgesuite.net
- Revoke the .cat domain / Change DNS servers
- Provide bogus DNS responses at the carrier resolver
The following domains have been redirected to “Akamai Hosting” by the .cat TLD.
The following 6 IPs have been used to block the domains: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199.
The following 21 domains are redirected to Akamai:
referendum.cat (until 2018-08-15)
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;referendumcat.cat. IN NS
;; AUTHORITY SECTION:
cat. 7200 IN SOA ns.nic.cat. dnsmaster.corenic.org. 1809130930 900 300 604800 7200
As of the 1st of October 2018, more than 1 year after the court proceedings started, 21 websites still show this banner.
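As an added example (not the post's own code), the following check tells the three blocking techniques listed above apart for one monitored domain: it parses dig output of the kind quoted above to detect a name the .cat registry no longer delegates, compares the A records from the carrier's resolver with those from an independent resolver, and looks for an HTTP redirect to paginaintervenida.edgesuite.net. The redirect host and the six block addresses are taken from the post; the dig output is constructed after the quoted fragment, and the resolver answers passed to `classify` are assumed to have been collected separately.

```python
import re
from urllib.parse import urlparse

# Values from the post: the DPI redirect target and the six addresses the blocked
# domains are pointed at. Everything else here is an added example, not the post's code.
DPI_REDIRECT_HOST = "paginaintervenida.edgesuite.net"
BLOCK_IPS = {"188.8.131.52", "184.108.40.206", "220.127.116.11",
             "18.104.22.168", "22.214.171.124", "126.96.36.199"}
SECTION = re.compile(r"^;; (\w+) SECTION:")
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.*)$")

def parse_dig(output):
    """Return {section: [(owner, ttl, type, rdata), ...]} from dig's text output."""
    sections, current = {}, None
    for line in output.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
        elif current and not line.startswith(";") and (r := RR.match(line)):
            sections.setdefault(current, []).append(
                (r.group(1), int(r.group(2)), r.group(3), r.group(4)))
    return sections

def delegation_removed(dig_ns_output):
    """An NS query answered with no NS records and only the parent's SOA in
    AUTHORITY means the .cat registry no longer delegates the name."""
    s = parse_dig(dig_ns_output)
    ns = [r for r in s.get("ANSWER", []) if r[2] == "NS"]
    soa = [r for r in s.get("AUTHORITY", []) if r[2] == "SOA"]
    return not ns and bool(soa)

def classify(carrier_a, public_a, dig_ns_output, http_location=None):
    """Name the blocking technique seen for one domain, or 'reachable'. carrier_a / public_a
    are A records from the carrier's and an independent resolver; http_location is the
    Location header returned for a plain HTTP request, if any."""
    if http_location and urlparse(http_location).hostname == DPI_REDIRECT_HOST:
        return "dpi-redirect"      # DPI equipment rewrote the HTTP request
    if delegation_removed(dig_ns_output) or set(public_a) & BLOCK_IPS:
        return "tld-redirect"      # registry-level change, every resolver agrees
    if set(carrier_a) != set(public_a):
        return "resolver-bogus"    # only the carrier's resolver answers differently
    return "reachable"

# Constructed dig output modeled on the fragment quoted above.
DIG_NS_REMOVED = """\
;; QUESTION SECTION:
;referendumcat.cat. IN NS
;; AUTHORITY SECTION:
cat. 7200 IN SOA ns.nic.cat. dnsmaster.corenic.org. 1809130930 900 300 604800 7200
"""
```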