Defending users at risk from DDoS attacks: An evolving challenge


You may have heard about Distributed Denial of Service (DDoS) attacks — but did you know they’re changing with the times?

Over the few years that we’ve been operating the Digital Security Helpline at Access Now, we’ve seen a lot of changes when it comes to DDoS attacks on our civil society clients. A DDoS attack is when an attacker uses a large number of computers to send a huge volume of network requests to a website to overwhelm and bring it down. These attacks are often politically motivated, driven by the desire to silence voices of opposition or dissent.

Today, we’re publishing a close look at one of our cases, drawn from an interview with one of our clients: Digital Security Helpline case study: Defending freedom of expression in Sudan.

To provide broader context, we take a look below at how DDoS attacks have changed, as well as discussing where they’re happening across the globe, and why.

DDoS: From botnets to firms-for-hire

When we began to help our clients mitigate DDoS attacks in 2012, DoSP (Denial of Service Protection) services were expensive. Most of the world’s civil society organizations could not afford them.

Back then, we attempted to keep them online by converting their websites to static content, and mirroring that content on as many servers as possible. This worked particularly well if we moved the websites onto big hosting platforms that could absorb the DDoS attacks, such as Amazon Web Services (AWS).

Then, one by one, DoSP providers entered the ring with free or fee-reduced products for civil society organizations. CloudFlare’s Project Galileo, Google’s Project Shield, and the Deflect service from Equalit.ie have all given us options for properly defending at-risk clients from being DDoSed off the internet.

More recently, we again experienced a shift on the DDoS battlefield. The new DDoS attack services are bolder. Attackers have shifted from using “botnets” made up of large numbers of compromised domestic computers, to using brazen DDoS-for-hire services that are run out of datacenters. Arrays of powerful machines are rented out to perpetrate DDoS attacks, and that capacity can be bought by the minute, hour, or day.

Is it a DDoS attack — or something else?

Over the past three months, we have had 12 DDoS-related cases at the Digital Security Helpline. Of those, five were proactive. That is, the website owners either expected the attacks, or had previously suffered from DDoS attacks and wanted to make sure their websites could withstand future attacks.

That leaves seven reactive cases, where the website owners contacted us because they suspected their systems were under a DDoS attack.

In six of the cases, the websites were under some kind of attack. In three of those cases, we are reasonably certain they were DDoS attacks. For the remaining three, it was difficult to tell, since the attacks were neither sustained, nor obvious DDoS attacks. This sometimes happens, particularly in cases where the websites are hosted in such a way that they cannot handle much traffic. Under such circumstances, we can speculate that the website may suddenly have become more popular — for instance, when the site owners have run an advocacy campaign. But it can then be unclear whether the advocacy campaign was simply successful, or the success of the campaign raised the ire of an adversary. Regardless, in none of the cases was it possible to identify the source of the attack — not surprising, because attribution in general is difficult.
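A first triage check for the “is it a DDoS, or a successful campaign?” question described above, added here as an illustration and not part of the Helpline’s own tooling: it parses Apache/nginx combined-format access logs and compares how concentrated the traffic is across source addresses, URLs, client strings and referers. The log format, the thresholds and the two sample sets are assumptions (the samples are constructed), and the verdict is a heuristic to guide a closer look, not a conclusion.

```python
import re
from collections import Counter
# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Parse combined-format lines; lines that do not match are skipped, not guessed at."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def traffic_profile(records):
    """Concentration metrics an analyst checks first when a site slows down; None if nothing parsed."""
    n = len(records)
    if n == 0:
        return None
    ips = Counter(r["ip"] for r in records)
    paths = Counter(r["path"] for r in records)
    uas = Counter(r["ua"] for r in records)
    with_ref = sum(1 for r in records if r["referer"] not in ("-", ""))
    return {
        "requests": n,
        "unique_ips": len(ips),
        "top_ip_share": ips.most_common(1)[0][1] / n,    # fraction sent by the busiest source
        "top_path_share": paths.most_common(1)[0][1] / n,  # fraction aimed at one URL
        "unique_user_agents": len(uas),
        "referer_share": with_ref / n,                     # fraction that arrived via a link
    }

def classify(profile, ip_share=0.3, path_share=0.9, min_ua=3):
    """Heuristic only: floods hammer one URL from few sources with one client string and no
    referers; a campaign spike is diverse and arrives via shared links; else stay inconclusive."""
    if profile is None:
        return "no parsable traffic"
    if profile["top_ip_share"] >= ip_share:
        return "likely flood"
    if profile["top_path_share"] >= path_share and profile["unique_user_agents"] < min_ua:
        return "likely flood"
    if profile["referer_share"] > 0.5 and profile["unique_user_agents"] >= min_ua:
        return "likely legitimate spike"
    return "inconclusive"
def _line(ip, path, ua, ref):
    """One constructed combined-format line (sample data, not a real log)."""
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'
# Constructed flood: two rented hosts hammering the front page with one client string, no referers.
FLOOD = [_line(f"203.0.113.{i % 2}", "/", "curl/7.0", "-") for i in range(300)]
# Constructed campaign spike: 200 visitors, five browsers, most arriving from one shared social post.
CAMPAIGN = [_line(f"198.51.100.{i % 200}", "/report" if i % 4 else "/", f"Mozilla/5.0 (browser-{i % 5})",
                  "https://social.example/post" if i % 3 else "-") for i in range(300)]
```

Run the profile over a short window of real logs and compare it with a quiet period from the same site; the absolute numbers matter less than how far they move.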

Fortunately, regardless of the source, in all six cases the implementation of DoSP fully mitigated the attacks, and all the websites came back online. DoSP services have matured and really work. This is true even for free services such as CloudFlare’s Project Galileo, which is a boon for civil society around the world.

In the seventh case, we determined that the problem was a misconfiguration of the DoSP itself, which caused the site to go offline. This can be an issue when the configuration necessary is more complicated than usual, such as when traffic to and from the site is encrypted.

Where are DDoS attacks happening?

Of the 12 cases we have had in the last few months, five were in Ecuador. There were six other cases in the Middle East and North Africa (MENA) region, and the remaining case was in South East Asia.

Why are they happening?

It appears that 11 of the 12 cases were related to politics. In some cases, the attacks were on independent media or opposition party political websites. The sites were attacked just prior to or during elections, or the site operators were expecting to be attacked during elections.

This is unfortunately very common in much of the world today, and we try hard to ensure that the citizenry have access to all the information they need to make an informed choice about whom they are voting for. In some cases we see independent media outlets attacked for reporting on political corruption, which is what happened in the case in South East Asia. In other cases, attacks were launched against websites for political activists.

Only one case did not involve politics, an instance where a website for a lesbian, gay, bisexual, and transgender (LGBT) activist was attacked in the MENA region. LGBT issues remain controversial in many parts of the world, with some parties attempting to silence voices in the LGBT community by DDoSing them off the internet.

What can we do about it?

DDoS attacks against civil society aim to maintain the status quo by silencing progressive voices and denying citizens their right to access information. At Access, we will continue to fight so these important voices can be heard. If you are part of a civil society organization, and you are experiencing a DDoS attack — or suspect you are at risk of one — please contact our Digital Security Helpline at [email protected]. Our PGP key is: 0x32E8A2BC and the fingerprint is 6CE6 221C 98EC F399 A04C  41B8 C46B ED33 32E8 A2BC