Proxy providers used in repeated DDoS attacks against Russian exiled media Meduza.io


Meduza is one of the largest and most influential Russian regime-critical news sites, delivering daily news from across Russia in Russian and English. In January 2023 Meduza was declared an “undesirable” organization in Russia because, according to the authorities, the outlet “poses a threat to the foundations of Russia’s constitutional order and security”; its website has been blocked in Russia since March 2022.

Last week Meduza’s website was targeted by two waves of DDoS attacks, the first one lasting 48h. The denial-of-service attacks, the largest in the history of Meduza.io, came after a period of intense cyberattacks against the organization in which not only the website but also its crowdfunding infrastructure, mirror sites and social media accounts were targeted.

The DDoS attack generated more than two billion requests over the course of 48h, several hundred times the regular traffic to Meduza.io. The resulting traffic logs amounted to 3TB.

Qurium’s forensic investigation reveals that the denial-of-service infrastructure is built as an overlay of several residential proxy providers. Three proxy providers have been identified as part of the attack, namely Plainproxies, Min Proxy and RapidSeedBox. The proxy providers do not launch the DDoS attack themselves, but their infrastructure is used by attackers to gain access to a large number of globally distributed IP addresses from which to carry out the attack. The providers, many of them calling themselves “ethical providers”, do not implement reasonable rate limits, which facilitates the abuse of their infrastructure. Their abuse-handling procedure for DDoS attacks is always the same: they offer to block future attacks against the very same target (Meduza in this case) but keep protecting the attacker, their paying client. In this way, future DDoS attacks against any independent media outlet BUT Meduza can continue.
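The traffic pattern described above, a very high aggregate request rate spread across many source addresses that each send only a few requests, is what a proxy-overlay DDoS looks like in a web server’s access log. The script below is an added illustration, not Qurium’s or Meduza’s tooling: it parses standard Nginx/Apache “combined” log lines, aggregates requests and distinct source IPs per time window, and flags windows whose rate is far above a baseline while the per-IP volume stays tiny. The log lines, IP addresses and timestamps are constructed sample data (TEST-NET ranges), and the baseline and thresholds are assumed parameters, not values from the report.

```python
"""Spot a residential-proxy overlay DDoS in web access logs.

Added example for this article (not Qurium's or Meduza's code). The
signature of a proxy-overlay flood is a huge aggregate rate spread over
many source IPs that each send only a handful of requests, so blocking
individual addresses barely dents the attack. All log lines below are
constructed sample data using TEST-NET address ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Nginx/Apache "combined" log format (the format is real, the values are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req")


def window_stats(lines, window_seconds=60):
    """Aggregate request count and distinct source IPs per fixed time window."""
    per_window = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort a multi-TB run
        ip, ts, _ = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        per_window[bucket]["requests"] += 1
        per_window[bucket]["ips"].add(ip)
    return {
        b: {"requests": s["requests"], "distinct_ips": len(s["ips"])}
        for b, s in sorted(per_window.items())
    }


def flag_distributed_flood(stats, baseline_rpm, multiplier=100, max_requests_per_ip=5):
    """Return windows whose rate is >= multiplier x baseline while each IP sends
    only a few requests: the distributed, low-per-source pattern of a proxy overlay."""
    flagged = []
    for start, s in stats.items():
        per_ip = s["requests"] / s["distinct_ips"]
        if s["requests"] >= multiplier * baseline_rpm and per_ip <= max_requests_per_ip:
            flagged.append({"window_start": start, "mean_requests_per_ip": per_ip, **s})
    return flagged


def constructed_log():
    """Constructed sample: one quiet minute, then one minute of proxy-overlay flood."""
    quiet = '{ip} - - [01/Apr/2023:10:00:{sec:02d} +0000] "GET /news HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [quiet.format(ip=ip, sec=sec) for sec, ip in enumerate(["203.0.113.10", "198.51.100.7"])]
    # Flood minute: 200 requests from 100 distinct addresses, only 2 requests each.
    for i in range(200):
        ip = f"192.0.2.{i % 100}"
        lines.append(
            f'{ip} - - [01/Apr/2023:10:01:{i % 60:02d} +0000] '
            f'"GET /news?x={i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        )
    return lines


if __name__ == "__main__":
    stats = window_stats(constructed_log())
    # baseline_rpm=2 is an assumed "normal" rate for the constructed data.
    for w in flag_distributed_flood(stats, baseline_rpm=2, multiplier=50):
        print(f"window {w['window_start']}: {w['requests']} requests from "
              f"{w['distinct_ips']} IPs ({w['mean_requests_per_ip']:.1f} per IP)")
```

On real logs the baseline would come from a quiet period of the same log rather than a constant, and the flagged windows are the ones whose source addresses an analyst would then match against the published exit ranges of proxy providers. The low mean requests per IP in a flagged window is the practical point: a per-IP rate limit at the target does little here, which is why the report’s focus is on rate limiting by the proxy providers, whose per-customer view is the one place the aggregate volume is visible.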

More about proxy providers and DDoS attacks can be found in Qurium’s forensic series “Weaponizing proxy and VPN providers”.


Forensic report: Russian exiled media Meduza.io facing repeated DDoS attacks

Meduza article (RU): “A billion requests a day. In mid-April Meduza weathered the most powerful DDoS attack in its history. And this is not the end”

Meduza article (EN): Cyberattackers target Meduza with unprecedented DDoS campaign in effort to disable site

Contacts
Digital forensics: Tord Lundström <t at virtualroad.org> Technical Director
Media: Clara Zid <info at virtualroad.org> Media and Outreach Manager