1. Home
  2. >
  3. Blog
Categories
Blog Deflect Labs News from Deflect Labs

Baskerville – dynamic model updates

The challenge: Design and implement a system to receive and process feedback from clients, to augment and improve the machine learning model. Produce a model that has the flexibility to adapt to clients’ feedback and the changing patterns in request signatures, whilst also allowing for dynamic model deployment, without breaking existing integration.

In other words: we created the Baskerville botnet mitigation system to be able to react to new and constantly changing attack patterns on the Deflect network. Training the machine on past attacks – we have reached a point where Baskerville can identify more malicious actors than what was captured by our static rules. Now, we need to grow this functionality to accept feedback from our clients on prediction accuracy and to be able to regularly deploy new models without any interruption of service.

Model design

There are several approaches for live model updating. You can use simple files, or a cache and an Rest API call, or a pub-sub mechanism, you can use serialized (pickled) models, models stored in a database and many more mechanisms and formats. But the main concept is the same, either check for a new model every X time unit or have a stand by service which is notified whenever a change occurs and takes care of the model reloading – on demand. We are combining approaches for our case.

The model needs to be re-trained regularly in order to follow the constantly changing patterns of traffic. The general design idea is to decouple the feature generation pipeline from the prediction pipeline. As a result, the feature generation pipeline calculates a super-set of features and the prediction pipeline allows different model versions to use any subset of features. In addition, the model supports backward compatibility and uses the default values in case of an outdated feature generation pipeline.

As soon as a new model is available, the prediction pipeline detects this and starts using the new model without any interruption of service. When features need to be changed, the model is deployed the same way but the User Module will need to be updated and re-deployed as well. Clients will be updating this module from our git repository. It’s very important to mention that during this period required for the User Module to be updated, the new model will be able to communicate with the outdated User Model and deliver the predictions in the usual way. The lack of new or modified features in the model’s input will not break the compatibility since the defaults will be used for missing values.

Based on the assumption that it makes sense that all the requests within a time-window should be processed by the same model, the model change should happen either at the end or at the start of the processing period. For the sake of performance, we decided to put the model updating process at the end of the PredictionPipeline, after the predictions were sent to the client via Kafka, so that we can increase the time it takes for the client to get receive predictions. The following figure explains what happens when a new model is stored in the database after a time-window has been processed (during the idle time waiting for a new batch) and during a time-window processing. In the first case, the next time-window will be processed with the old model and at the end the new one will be loaded. In the second case, since the processing of the current time window has not completed yet, we will load the new model at the end of it and the next time-window will have the fresh model to work with. The asynchronous nature of the training and the predicting is the reason behind the design of the reloading. We ran several test runs to make sure the reloading did not affect the performance of the pipeline.

Feedback Dashboard

In order to receive curated feedback from clients (e.g. the prediction was incorrect) we developed and designed a graphical dashboard consisting of two main components: the back-end REST API built using Python Flask with web-socket support via Flask-SocketIO; and the front-end Angular project, relying on node and npm. The feedback process consists of three steps:

  1. Feedback Context: provide some details about the feedback, like reason, period and an optional notes field. The reason can be one of the following: attack, false positive, false negative, true positive, true negative or other. We provide a short description for each reason option.
  2. Filter out the request sets relevant to the feedback using the search filters. The user can also provide a csv files with IPs to use as a filter.
  3. The last step is for the user to submit the feedback results to Baskerville (Clearinghouse). Because labelling and providing feedback is a painstaking process, we designed the process in a way that the user can omit the last step (submit) if they are not ready yet, and can choose to submit later on. The Clearinghouse will receive the feedback at some point (configurable time window of feedback pipeline) and once the feedback is processed, the pipeline will reply to the user feedback reply topic – which by convention is “{organization_uuid}.feedback”.

We also created a Retrain Pipeline as well as a Retrain dashboard page and functionality to make it easier for us to do periodic model updates. This functionality is only available within the Clearinghouse where the model resides.

This work is a result of months of painstaking development, testing and iteration. If you are interested in trying out Baskerville on your own web platforms, please get in touch. Our work is available under an open source licence and is developed with privacy-by-design principles. We encourage third-party adoptions of our tooling, outside of the Deflect ecosystem and will be publishing another blog post in the very near future outlining the launch of the Deflect Labs Clearinghouse. Watch this space!

  • Baskerville: https://github.com/equalitie/baskerville
  • Baskerville User Client: https://github.com/equalitie/baskerville_client
  • Baskerville Dashboard: https://github.com/equalitie/baskerville_dashboard
  • Baskerville Docker components: https://github.com/equalitie/deflect-analytics-ecosystem
  • Pyspark IForest fork: https://github.com/equalitie/spark-iforest
  1. Home
  2. >
  3. Blog
Categories
Blog Deflect Press Release

Deflect partners with technology and media groups

June 01, 2021 – Deflect partners with technology and media groups

Since 2010, Deflect has specialized in protecting online platforms from cyber attacks. Today, our mission and time-tested tooling reaches further and wider than ever before! We are honoured to announce strategic partnerships with well-known Internet Service Providers and digital media entrepreneurs in the Americas and Europe. Our combined service offering includes all manner of web hosting and online collaboration platforms, technical consultancy and web security services. With over a hundred years of collective technology expertise and a dozen common languages between us, this is a partnership that will serve a global clientele and meet the challenges of shrinking online spaces for expression and self-determination.

Our mission is strengthened through this mutually beneficial partnership. We stand together, stronger and ever more resilient, to protect our clients’ platforms with ethical technology solutions, multilingual human resources and a common belief in principles before profits.

Dmitri Vitaliev, Founder deflect.ca

Find out more about our partners’ individual services and mission from the list below. Check out Deflect’s partnership opportunities and write to us!

@colnodo

Colnodo is a non for profit organization working since 1994 providing Internet infrastructure services to activists and civil society organizations.  Colnodo’s main objective is the access, use and appropriation of information and communication technologies (ICT) for social development, human development and the improvement of people’s living conditions through the strengthening of capacities and competencies, education for work, information and knowledge exchange, increased citizen participation, sustainable development and innovation.

@greenhost

Greenhost (Netherlands) is an established infrastructure provider focusing on digital human rights and sustainability. By providing (infrastructure) services to a wide range of organisations supporting human rights, free press and/or censorship circumvention while preserving privacy guarantees. Greenhost makes sure to keep the internet an open and innovative space.

@greennetisp

GreenNet (UK) have been networking people and activist groups for peace, the environment, equality and human rights since 1986 – providing internet services, web design and hosting. Our hardware and software choices are based on expert technical judgment, our ecological sustainability and ethical business values.

@cloud68hq

(Tirana, Tallinn, Worldwide) Cloud68.co provides reliable open source digital infrastructure to for-purpose small & medium teams, organizations and individuals with responsive and friendly support. As a team of long time contributors to digital privacy and open knowledge projects we are committed to help you migrate from big tech as easy as possible.

@sembramedia

SembraMedia is a nonprofit dedicated to empowering diverse voices in Spanish media to publish news and information with independence, journalistic integrity, and a positive impact on the communities they serve. They conduct research, provide training, consulting, and financial support to help media leaders develop more sustainable business models in Latin America, Spain, and the U.S. Hispanic market.

At MainMicro, our goal is to ensure customer satisfaction by providing ongoing support and cost effective solutions for our partners. We take great pride in having a customer retention rate that is among the highest in the industry. For us, when you become a customer you also become a friend, and we become the one-stop shop for all of your IT related needs.

At Black Crow Labs we construct your brand’s ecosystem and tell your story.  By engaging with prospective customers on targeted platforms we integrate your brand into their lives and conversations.

  1. Home
  2. >
  3. Blog
Categories
Blog Deflect

Updates from Deflect – 2 – 2021

Traffic & Attacks

Since the beginning of this year, we have served over 2 billion website hits to approximately 18 million unique readers the world over! We mitigated over 30 distinct attacks and kept our clients online 100% of the time! The Banjax bot banning technology blocked 291,898 malicious hits originating from 58,181 zombie bots. Our machine lead anomaly prediction system Baskerville was further able to identify and challenge suspiciously behaving IPs 1,182,084 times out of which only 16,755 proved to be legitimate readers and were allowed to access the requested website. This equates to 98.58% precision – which is pretty good for a machine!

Most popular countries reading Deflect protected websites

These attacks have helped us confirm that our prior implementation of the Shapley value estimation in Baskerville had lead to positive results. This is a general way to explain the output from the machine learning model by feature importance ranking – to help us decide which feature works best. We used this algorithm to compare an older machine model with a model that uses only the features Shapley values say are important, on a data set that contained the latest attacks. The model with only the most important features outperformed the older model.

Deflect referral program

Financial survival and independence on today’s Internet is tough. Big Tech permeates and controls virtually every aspect of our digital experience. When it comes to Internet infrastructure and network services, corporate giants such as Akamai, AWS and Cloudflare dominate the space. These handful of companies have managed to create an ecosystem where they profit from virtually every transaction or advertising campaign. While we choose our destiny as consumers, the growing problem is a lack of choices. One way or another, we are being pushed towards a handful of companies.

We want to do things differently. Our goal is to succeed in lockstep with our clients, not simply profit from them. The Deflect referral program creates a mutually beneficial commercial opportunity – by registering for this program and installing a ‘Protected by Deflect’ badge on your website with a unique hyperlink, you will receive 50% of the first full month’s fees charged to every new client that subscribed from this link. Write to partner@deflect.network if you want to participate in this program or read more about this and other collaborative opportunities on the Partner Programs page.

New Website

You are reading this update on our freshly minted website – powered by WordPress and hosted on the secure eQpress platform. We decided to build it using the default 2020 theme. This code is supported by the WordPress team, built according to best practices. That’s important when it comes to running the popular (but often compromised) WordPress platform – the ease of installation for new themes and plugins lowers the barrier for entry and makes it highly functional and customizable. At the same time, custom code developments become outdated, insecure and often lead to website hacking and unintended DDoS attacks. Our set-up configuration comes with the following:

  • Protection from DDoS attacks and password brute-force
  • Daily snapshots and differential backup
  • Long term theme support from WordPress
  • SEO management, chat support, Matomo Analytics, Polylang translations

Over 25% of Deflect clients also host their website on eQpress. The service is detailed on the eQpress page and you can request it from the Dashboard, or contact us with questions. 

  1. Home
  2. >
  3. Blog
Categories
Blog

Kandinsky WordPress theme

A new website creation framework ‘Kandinsky‘ has just been released as a WordPress theme by our friends from «Теплица социальных технологий» (Greenhouse for Social Technologies) in response to needs expressed by civil society groups. The free and open source release on Github offers three templates for installation and guides website creators with helpful tips and check lists. We spoke with Alexey, director of the Greenhouse for Social Technologies about their new release:

eQ: What can you tell us about this new theme?

Alexey: Any organization can use it. It’s free and open source. Having said this, it was created with NGOs and public initiatives in mind. It’s not just a customizable WordPress theme. It also contains pre-made content created to address typical challenges that NGOs face on a regular basis. In particular, NGOs, at least in Russia, usually have difficulties with composing content. Therefore, Kandinsky not only fulfills the role of a theme but also of a checklist of what content should be on an NGO website. There are three templates for different use cases (soon, however, we plan to use only one but greatly improve its ability to be customized). Each template contains test content (news, reports, teams, photos from events, description of activities). Based on NGOs’ best practices, we’ve invented three non-existent organizations in order to fill these templates with content that makes sense in the NGO context.

eQ: What motivated you to create it? Was there a real-life use case that drove this initiative?

Alexey: The need came from our own experience – as an organization we help NGO’s with digital communication and we needed some reliable and modern framework that would be fast and easy to install (now, after 8 minutes, the Installation Wizard has a website up and running). We just wanted to help the organizations have something decent on WordPress and not pay anyone or worry constantly that someone might commercialize the theme. Also, we needed it ourselves for 2 kinds of tasks: side-projects and events. Sometimes we launch a hackathon or a series of online webinars and we wanted a dedicated site – we wanted something that could be set up easily, customizable, and had everything we might need. And so we did it. We adhere to the principle ‘eat your own dog food’ and any event web page or side event we build now is based on Kandinsky which saves us lots of time and effort. We stopped considering website creation a budget line.

eQ: What are these new features?

Alexey: Originally, key values of Kandinsky were simplicity, ease of installation, and responsiveness to NGO’s needs. As we’ve learned, we realized that aside from being able to install the theme in a few seconds and have plug-ins ready as well as pre-made content, customization is of key importance. People are annoyed having the same Ford Model “T” in any color given it’s black, to quote famous inventor Henry Ford. They need to set up a website and then make it unlike any other website in a few minutes.

Therefore, freedom of customization is the most important development line now. In the last year, we’ve added:

  • over 100 Google Fonts to choose from
  • customizable header with the ability to turn on/off different elements inside (logo, phone number, links to social networks, etc.), which creates multitude of different options
  • customizable footer

Our next milestone is turning the main page of a website to a Gutenberg block editor (now the main page can be freely edited with the help of a less versatile tool) and then – to the new WordPress system called Full Site Editing.

Deflect clients can create a new eQpress site with the Kandinsky theme by going to the ‘Hosting tab’ in the Deflect Dashboard and selecting to pre-load the installation with this theme.

  1. Home
  2. >
  3. Blog
Categories
Blog Deflect News from Deflect Labs

Updates from Deflect – January 2021

Giant leaps in our machine-lead mitigation tooling have removed some of the heavy load in mitigating attacks from our support team this month. We’re very pleased with the machine’s performance but it won’t replace the humans! Below, we share some traffic highlights, Deflect relevant events and stories from our clients.

January Traffic

Throughout the month of January, Deflect served over 884 million requests to more than 9 million unique readers around the world. Much of the traffic was bound for Los Danieles – a new and very popular independent media publication in Colombia. Every Sunday, their website attracts between 5 and 9 million legitimate hits! Thankfully, Deflect was able to serve over 94% of these requests directly from its edge cache.

Content served from Deflect cache

Another notable traffic event this month coincided with the release of an online report, investigating torture of thousands of Belarus protesters at the hands of the incumbent government forces. Published by the renowned Committee Against Torture, this is a visual investigation, suitable for mature audiences only.

Notable Attacks in January

Sixteen distinct attacks were recorded against Deflect protected websites this month. Of these, five were notable for their strength and consistency, with two attacks continuing over a four-day period. The largest attack, with over 5000 bots participating, was targeting the Vietnamese independent new site Tiếng Dân. This is not the first time their website has been targeted. Approximately half of the attacking bots were discovered and challenged by Baskerville, whilst the other half were blocked by our manual rule sets. Overall, Deflect maintained 100% network up-time in January.

Kandinsky theme options for eQpress

Deflect clients who run or would like to migrate to our secure WordPress hosting platform can now request the installation of a new theme called Kandinsky. Developed by our friends at «Теплица социальных технологий» (Greenhouse for Social Technology) in response to needs expressed by civil society groups, wishing to have an effective and well designed online presence Kandinsky offers three templates and guides website creators with helpful tips and check lists. You can read our full interview with Kandinsky here.

Deflect and the World Social Forum

On January 29th, Deflect staff participated in a live panel during the World Social Forum together with our partners Colnodo and the Foundation for Freedom of the Press (FLIP). Julian Casasbuenas from Colnodo presented the use case of a Colombian independent media site losdanieles.com as an example of Deflect protection and its importance to the development of free journalistic expression in Colombia. The losdanieles.com project was launched by a group of highly reputable journalists who had been implicated in the Colombian parapolitics scandal.

To finish this newsletter, we wanted to share a lovely thank-you video sent to us by LosDanieles.com columnist Daniel Samper Ospina.

Find the Daniels on Twitter @DanielSamperO, @DanielsamperP and @DCoronell

  1. Home
  2. >
  3. Blog
Categories
Advocacy Blog DDoS Deflect General

Distributed Deflect – project review

This is the fifth year of Deflect operations and an opportune time to draw some conclusions from the past and provide a round of feedback to our many users and peers. We fought and won several hundred battles with various distributed denial of service and social engineering attacks against us and our clients, expanding the Deflect offerings of open source mitigation solutions to also include website hosting and attack analytics. However, several important missteps were taken to arrive here and this post will concentrate on lessons learned and the way forward in our battle to reduce to prevalence of DDOS as an all too common technique to silence online voices.

Our reflections and this post were motivated by an external evaluation report of the Distributed Deflect service, which you can read in this PDF. The project itself was a technical long shot and an ambitious community building exercise. Lessons learned from this endeavor are summarized within. Its about a 10 minute read 🙂

During peak times on Deflect throughout 2012-2016 we were serving an average of 3 million unique daily readers and battling with simultaneous DDoS attacks against several clients. The network served websites continuously for the entire 3 1/4 years of project duration, recording less than 30 minutes of down time in total. The project had direct impact on over four hundred independent media, human rights and democracy building organizations.

What we did

eQualit.ie released 10 open source libraries, toolkits and frameworks including tools for network management and DDoS mitigation; a WordPress managed hosting framework; classification and analysis of malicious network behaviour; the Bundler library for website encryption and delivery across an untrusted network, which was also reused in the Censorship.NO project for circumventing Internet filtering infrastructure.

Over three hundred and fifty websites passed through the Deflect protection service. These websites ranged in size and popularity, receiving anything between a dozen daily readers to over a million. Our open door policy meant that websites who had changed their mind about Deflect protection were free to leave and unhindered in any way from doing so. Over the course of the project, we have mitigated over four hundred DDoS attacks and served approximately 1% of Internet users each calendar year (according to our records correlated against Internet World Statistics). Our work also appeared in topical and mainstream media.

Aside from the DDoS protection service, we trained numerous website administrators in web security principles, worked with several small and medium ISPs to set up their own Deflect infrastructure and enabled Internet presence for key organizations and movements involved in national and international events, including the ’13 election in Iran, ’14 elections in Ukraine, Iguala mass kidnapping, Panama papers, and Black Lives Matter among others.

Distributed Deflect

As attacks grew in size, we debated the long-term existence of the project, deciding to prototype an in-kind DDoS mitigation service, whereby websites receiving free protection and any volunteers could join and expand the mitigation network’s size and scope. We wanted to create a service run by the people it protected. The hypothesis envisioned the world’s first participatory botnet infrastructure, whereby the network would be sustained with around a hundred servers run by the Deflect project and several thousand volunteer nodes. Our past experience showed that the best way to mitigate a botnet attack was with a distributed solution, utilizing the design of the Internet to nullify an attack that any single end point/s could not handle by itself. Distributed Deflect brought together people of various background and competencies, blending software development and technical service provision, customer support and outreach, documentation and communications. We designed, prototyped and brought into production core components of a distributed volunteer infrastructure, only to realize that the hypothesis behind our proposal could not scale if we were to maintain the privacy and security of all participants in our network.

An infrastructure that would accept voluntary (untrusted) network resources had to introduce checks for content accuracy and confidentiality, otherwise a malicious node could not only see who was doing what on the Deflect network but delete or change content as it passed through their machine. Our solution was to encrypt web pages as they left the origin server and deliver them to readers as an encrypted bundle, with an additional authentication snippet being sent by another node for verification. Volunteer nodes would only be caching encrypted information and would not be able to replace it with alternative content.

All necessary infrastructure design and software tools to implement this model were built to specification. However, once ready for production and undergoing testing, we realized the error in hypothesis made at the onset. Encrypted bundles grew in size, as all page fonts and various third-party libraries – that make up the majority of web pages today and are usually stored in the browser’s cache – had to be included in each bundle.

This increased network latency and could not scale during a DDoS attack. We were worsening the performance of our infrastructure instead of improving it. Another important factor driving our deliberation was the low cost of server infrastructure. By renting our machines with commercial providers, and using their competitive pricing to our advantage, we have managed to maintain infrastructure costs below 5% of our overall monthly expenditure. Monetary support for a worldwide infrastructure of Deflect servers was not significant when compared with the resources required to service the network. By concentrating development efforts on encrypting and delivering website content from our distributed cache and performance load balancing on a voluntary node infrastructure, we held back work on improving network management and task automation. This meant that the level of entry to providing technical support for the network was set quite high and excluded the participation of technically minded volunteers protected by Deflect.

After several months of further testing, deliberation and consultation with our funders, we decided to abandon the initiative to include voluntary network resources, in favour of continuing the existing mitigation platform and improving its services for clients. As attack mitigation became routine and Deflect successfully defended its clients from relentless DDoS offensives, the team began to look at the impunity currently enjoyed by those launching the attacks. Beginning with a case of a Vietnamese independent media website targeted by bots originating from a state-regulated and controlled Vietnamese ISP, we understood that a story could be extracted from the forensic trail of an attack, that may contain evidence of motivation, method and provenance. If this story could be told, it would give huge advocacy power to the target and begin to peel away at the anonymity enjoyed by its organizers. The cost for attacking Deflectees would raise as exposure and media attention around the event upended the attackers’ goals.

We began to develop an infrastructure that would capture a statistically relevant segment of an attack. Data analysis was achieved through machine-led technology for profiling and classifying malicious actors on our network, visualization tools for human-led investigation and cooperation with peer organizations for tracing activity in our respective networks. This effort became Deflect Labs and in its first twelve months we published three detailed reports covering a series of incidents targeting websites protected by Deflect, exposing their methodology and profiling their networks. Doing some open source intelligence and in collaboration with website staff, we identified a story in each attack exposing possible motivations and identity of the attackers. Following publication and media attention created by these reports, attacks against one of the websites reduced significantly and ceased altogether for the other one.

Bot behavior follows a certain pattern inside the seven dimensional space create by Bothound analytics

Challenges

Many difficulties and problems could be expected with running a high-impact, 24/7 security service for several million daily readers. Fatigue, lack of time for developing new features, round-the-clock emergency coverage and numerous instances of high-stress situations led to burnout and staff turnover. The resources invested in the Distributed Deflect model set back development considerably for other project ambitions.
At around the same time as Deflect was gaining popularity, free mitigation offerings from Cloudflare and Google were introduced in tandem with outreach campaigns targeting independent media and human rights organizations. This led to more options for civil society organizations seeking website protection but made it harder for us to attract the expected number of websites. We started a campaign to define differences in our distinctive approaches to client eligibility, respect for their privacy and clear terms of service, trying a variety of communications and outreach strategies. We were disappointed nonetheless to not have received more support from within our community of peers, as open source solutions and data ownership did not figure highly as criteria for NGOs and media when selecting mitigation options.

… we carry on

Deflect continues to operate and innovate, gradually growing and solidifying. Our ongoing ambitions include offering our clients broader hosting options and coming up with standards and systems for responsible data sharing among like-minded ISPs and mitigation providers. Look out for pleasant graphic user interfaces in our control panels and documentation platforms. We are also prototyping several different approaches to generating revenue in order to sustain the project for the foreseeable future. The goal is to get better without losing track of what we came here to do in the first place. As always, we are here to support our clients’ mission and their right to free expression. We are heartened by their feedback and testimonials.

  1. Home
  2. >
  3. Blog
Categories
Advocacy Blog DDoS

Deflecting cyber attacks against the Black Lives Matter website

Last week and throughout the weekend, Deflect helped mitigate several DDoS attack bursts against the official Black Lives Matter website. At current estimates over 12,000 bots pounded the website just over 35 million times in 24 hours. An unusual trait of this attack was the prevalence of  malicious connections originating from the US. An in-depth analytic report will follow this prima facie bulletin.

 

[one_third]

hits_BLM
Hits against the BLM site

[/one_third][one_third]

unique_ip_country
All unique visitors (IP) by country

[/one_third][one_third_last]

unique_bots_by_country
Unique bots (IP) by country

[/one_third_last]

The Black Lives Matter website had already been attacked in May using a similar method of a WordPress Pingback reflective attack and similarly an unusually high percentage of bots from the US.

unique_ip_banned_ddosrule
Deflect banning rules triggered by the attacks

Despite its intensity, the attack has been successfully contained by Deflect, and the Black Lives Matter website is functional and accessible throughout much of the weekend. Black Lives Matter has released an official statement on this incident together with eQualit.ie, Design Action Collective and May First/People Link:

Keeping a website available when attackers are seeking to take it off-line is essential for many reasons. The most obvious is the importance of protecting the fundamental right to human communication. But the specific targeting that characterizes recent DDOS attacks (on networks supporting reproductive rights, Palestinian rights and the rights of people of color) highlights this type of on-line attack as part of the arsenal being used to quash response and social change movements.

DDOS attacks will increase as our protests and organizing increases and so must our movements’ ability to resist them and stay on-line. The collaborative work that spawned the response to this attack is both an example of this protective effort and yet another step in improving it and making it stronger.

Our organizations work in different areas with different programs but we are united in our  commitment to vigorously preserving our movements’ right to communicate and defeating all attempts to curtail that right. Without the ability to communicate freely, we can’t organize and, if we can’t organize, our world can never be truly free.

Read the Statement on the Recent Attacks on Black Lives Matter’s Website.

We are in the process of studying and classifying these attack using Deflect Labs technology and aim to publish the results in our next Deflect Labs report.

  1. Home
  2. >
  3. Blog
Categories
Blog DDoS Deflect Labs

Deflect Labs Report #2

Botnet attack analysis of Deflect protected website bdsmovement.net

This report covers attacks between February 1st and March 31st of six discovered incidents targeting the bdsmovement.net website, including methods of attack, identified botnets and their characteristics. It provides detailed technical information and analysis of trends with the introduction of the Bothound library for attack fingerprinting and botnet classification. We cluster malicious behaviour on the Deflect network to identify individual botnets and employ intersection analysis of their activity throughout the documented incidents and further afield. Our research includes discovered patterns in the selection of targets by the actors controlling these attacks.

Deflect is a website security project working with independent media, human rights organizations and activists. It offers DDoS mitigation, secure hosting and attack analytics, free of charge to qualifying organizations. All of our tools are open source and we operate according to principles promoting the privacy of our clients. Deflect is a project of eQualit.ie, a Canadian not-for-profit organization working to promote and defend human rights in the digital age.

Navigation links: Attack Profile; Botnet profile; Botnet target selection; Botnet behaviour comparison; In-depth incident analysis; Report conclusions

General Info

The Boycott, Divestment and Sanctions Movement (BDS Movement, bdsmovement.net) is a Palestinian global campaign, initiated in 2005. The BDS movement aims to nonviolently pressure Israel to comply with international law and to end international complicity with Israel’s violations of international law. Their website has been protected by Deflect since late 2014 and has frequently been attacked.

Graph 1. Timelion graph showing the average hits per day in the period of February 1 to March 31 (in red) and the moving average + 3 standard deviation (in blue).
Graph 1. Timelion graph showing the average hits per day in the period of February 1st to March 31st (in red) and the moving average + 3 standard deviation (in blue).

Attack Profile

During February and March of 2016, there were 6 recorded incidents against the target website. The Deflect Labs infrastructure allows us to capture, process and profile each attack, analysing unique incidents and intersecting findings with a database of profiled botnets. We define the parameters for anomalous behaviour on the network and then group (“cluster”) malicious IPs into botnets using unsupervised machine learning algorithms.

[one_half]

Graph 2. Total hits to the website, by country of origin. The spikes represent attacks investigated in this report
Graph 2. Total hits to the website, by country of origin. The spikes represent attacks investigated in this report

[/one_half][one_half_last]

Graph 3. Prevalence of WordPress pingback attacks during the six incidents
Graph 3. Incidents where the WordPress pingback attack is used against the target site

[/one_half_last]

We define each incident by wrapping it inside a given time frame, record the total number of hits that reached the website during this time and use our analytic tool set to separate malicious requests made by bots from genuine everyday traffic.

Table 1. Attacks Summary, including start/end date, duration, size of the incident, size and number of the botnets detected

id Incident Start Incident Stop Duration Total hits Unique IPs No. of bots identified Identified botnets
29 2016-02-10 21:00 2016-02-11 01:00 ~5hrs 879,634 14,773 12,921 3
30 2016-02-11 10:30 2016-02-11 12:30 ~2hrs 321,203 11,108 9,023 3
31 2016-03-01 15:00 2016-03-01 19:30 ~6h30 3,597,689 5,918 3,243 3
32 2016-03-02 12:30 2016-03-02 16:00 ~3h30 13,559,169 19,851 2,748 2
33 2016-03-04 09:00 2016-03-04 09:30 ~30min 2,058,710 9,613 8,844 1
34 2016-03-08 14:20 2016-03-08 16:40 ~2h20 5,017,045 7,937 7,151 1

The number of unique bots and their grouping into specific botnets is the result of clustering work by BotHound. This toolkit classifies IPs by their behaviour, and allows us to determine the presence of different botnets in the same incident (attack).

Botnet profile

Using BotHound, we have calculated the percentage of unique IPs (classified as bots) that recur in separate incidents. A substantial percentage of previously seen bots would be one way to identify whether a botnet was re-used for attacking the same target. It would reveal a trend in botnet command and control behaviour. This intersection of botnet IPs also creates an opportunity to compare activity between several target websites, whether protected by Deflect or on one of our peers’ networks. Taken together, we begin to build a profile of activity for each botnet, helping us make assumptions about their motivation and target list.

[one_half]
Table 2. Intersection of identical bots across the incidents

Incident #

No. of identical bots
in both incidents

The portion of identical bots
(of the smallest incident)

29, 30 6,928 76.8%
31, 32 1,450 91.0%
33, 34 4,249 59.4%
32, 33 438 17.9%

[/one_half][one_half_last]

Graph xx. Hits from bots, by the identified botnet, by the country of origin
Graph 4. Hits from bots and their country of origin, grouped by identified botnets. Update your software and malware cleaners please!

[/one_half_last]

Table 3. Identified botnets and the incidents they appear in

Botnet ID Seen in incident Unique bots Top 10 countries of bot origin Attack method
1 29, 30 13,857 Russian Federation; Ukraine; China; Lithuania; Germany; Switzerland; Gibraltar; United Kingdom; Netherlands; France POST
2 29, 30 8,913 Russian Federation; China; Ukraine; Germany; Lithuania; United States; Switzerland; United Kingdom; France; Gibraltar POST
4 31, 32 2,589 United States; Germany; United Kingdom; Netherlands; China; Japan; Singapore; Ireland; France; Spain; Australia Pingback
5 31, 32 772 United States; United Kingdom; Germany; Netherlands; Italy; France; Russian Federation; Singapore; Canada; Japan; China Pingback
6 31 971 United States; China; Germany; Japan; United Kingdom; Singapore; Netherlands; France; Ireland; Canada; Australia Pingback
7 33, 34 11,746 United States; United Kingdom; Germany; France; Netherlands; China; Canada; Russian Federation; Ireland; Spain; Turkey Pingback

Botnet target selection

Deflect protects a large number of qualifying human rights and independent media websites the world over. Our botnet capture and analytic tool set allows us to investigate attack characteristics and patterns. We consider the presence (intersection) of over 30% of identical bots as originating from a similar botnet. During our broader analysis of the time period covered by this report, we have found that botnet #7, which targeted the bdsmovement.net website on March 3rd, also hit the website of an Israeli Human Rights organisation under our protection on April 5th and April 11th. In each incident, over 50% of the botnet IPs hitting this website were also part of botnet #7 analysed in this report. Furthermore, a peer website security organization reviewed our findings and concluded that a substantial amount of IPs belonging to this botnet were targeting another Israeli media website under its protection, on April 7th and April 12th. Organisations targeted by this botnet do not share a common editorial or are in any way associated with each other. Their primary similarities can be found in their emphasis on issues relevant to the protection of human rights in the Occupied Territories and exposing violations in the ongoing conflict. Our analysis shows that these websites may have a common adversary — the controller or renter of botnet #7 — that their individual work has aggrieved. We will present our findings on this investigation in more detail in an upcoming report.

Botnet behaviour comparison

BotHound works by classifying the behaviour of actors on the network (whether human or bot) and clustering them according to a set of pre-defined features. Malicious behaviour stands out from the everyday trend of regular traffic. On the picture below the RED spots refer to attacker sessions, while BLUE spots refer to all other (regular traffic). The graphic displays all the 6 incidents combined. We chose the following 3 dimensions to visually represent a projection from a 7-dimensional space (where BotHound clustering is calculated):

  • HTTP request depth
  • Variance of HTTP request interval
  • HTML to image ratio

Graph 5. Clustering of bot behaviour from the six incidents covered in this report. The graphic illustrates that malicious behaviour, no matter the botnet characteristics, follows a determined pattern which resembles automated machine-driven properties of a botnet attack.

In-depth incident analysis

We have captured, analysed and now profiled each botnet witnessed in the 6 incidents. We break down incidents into three groups, by similarity of attack characteristics and the time of occurrence.

[one_half]

Incidents #29 & #30

Date: February 10-11, 2016
Duration: approximately 28 hours
Identified botnets: 2 (botnet id: #1 #2)
IP intersection between botnets: 76%
Attack type: HTTP POST
[/one_half]
[one_half_last]
image11
[/one_half_last]

Attack analysis

After doing extensive cluster analysis to separate “good” from “bad” IPs based on their behaviour during the incident time frame, we applied a novel secondary clustering method which identified two different patterns of behaviour spanning both incidents. The first attack pattern was using bots to hit the target very fast, with similar characteristics (session length, request intervals, etc.). The second botnet was hitting slower, but more consistently. The session length was varying, likely to evade our mitigation mechanisms. However, the request interval between hits was zero, which helped us identify them. It is easy to distinguish two different botnets from the graphs below.

[one_half]

Identified botnet #1
Members: 13,857
Observations:

  • Session length = 314 sec
  • Payload average = 521 byte
  • Hit rate = 0.04 /minute
  • Requests: 500,000
  • Host header: accurate
  • Method: POST (> 99.9%)
  • URI path: / (> 99.9%)
  • UA: low variation, with most major UAs represented

Deflect Response: Moderate blocking success, origin was affected.[/one_half]
[one_half_last]
Identified botnet #2
Members: 8,913
Observations:

  • Session length = 429 sec
  • Payload average = 447 byte
  • Hit rate = 0.05 /minute
  • Requests: 600,000
  • Host header: accurate
  • Method: POST (> 99.9%)
  • URI path: / (> 99.9%)
  • UA: low variation (slightly higher than botnet 1), most major UAs represented

Deflect Response: Moderate blocking success, origin was affected.[/one_half_last]

[one_half]

Attacks results primarily in response code 502 (bad gateway) and 504 (gateway timeout) codes.
The botnet utilises several hundred unique IPs and a few dozen rotating user agents

[/one_half][one_half_last]

The botnet attacks with several hundred unique IPs (purple) and rotates through a few dozen user agents (yellow)
The botnet attacks with several hundred unique IPs and rotates through a few dozen user agents. Graph tallies at 15 second intervals.

[/one_half_last]

IP geo-reference

The IP address requesting a site can be geo-located. Another way we visualize botnet behavior is by cross-referencing the country of bot origin. We can easily see attack intensity (number of hits) versus bot distribution (unique IPs) in the diagrams below.

[one_half]

Graph 6. Hits against target website, by their geographic origin.
Graph 6. Hits against target website, by their geographic origin.

[/one_half][one_half_last]

Graph 7. The same timespan as per the previous graph, only this time showing a count of unique IPs, per country geoIP
Graph 7. The same timespan as per the previous graph, only this time showing a count of unique IPs, per country geoIP

[/one_half_last]

User agent and device

Every website request usually contains a header with identifying information about the requester. This can be faked, of course, but in any case stands out from the general pattern of traffic to the website. These incidents had a high consistency of “Generic Smartphone” and “Other” devices – describing the hardware unit from which the request was supposedly made. It is common for botnets to spoof a user agent device or, at least, share a common one.

Graph 8. Shows the devices used in the February botnet attack. As we can see, the majority comes from “Generic Smartphone” or “Other” device. Such consistency shows that these are part of an attack, rather than regular visitors.
Graph 8. Shows the devices used in the February botnet attack. As we can see, the majority comes from “Generic Smartphone” or “Other” device. Such consistency shows that these are part of an attack, rather than regular visitors.

Conclusions on incident #29 and #30 attacks
  • These attacks were distinguished by the relatively large number of participating bots, but were smaller in intensity (number of hits on target) compared to incidents #31-34. Three attacks were launched during the period of these incidents, requesting the same url ( /- ), as well as using the same “device” in the user agent of the request.
  • There were two and possibly three botnets in these incidents. They can be differentiated by the geographic location of their bots and hit rates during attack. What is interesting is that the attack method between the different botnets and attack times is the same. Also the two botnets share a high percentage of intersecting bot IPs (76.8%). This may be an indication that they are subnets of a larger malicious network and are being controlled by the same entity.

Incidents #31 & #32

Date: March 1-2, 2016
Duration: approximately 21.5 hours
Identified botnets: 3 (botnet id: #4 #5 #6 )
IP intersection between botnets: 91%
Attack type: Reflection – WordPress Pingback[1]

Attack Analysis

Attackers utilised the same botnet (91% intersection) during incidents #31 and #32 within a time range of 22 hours. Incident #32 is the biggest in terms of hits out of the entire period covered by this report – counting over 13.5 million total hits in 6 hours. These incidents have a very similar UA (device) characteristic, the majority of which are identified as “Spider” (we are making an intersectional analysis on the UA further down in this report).

[one_third]
Identified botnet #4

Members: 2,589
Observations:

  • Session length = 2,971 sec
  • Payload average = 8,217 byte
  • Hit rate = 1.7 /minute
  • Requests: 10.8 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA: high variation, all WordPress pingback

Deflect Response: Successfully blocked. 91% of responses to botnet processed by edge within 20ms

Comparison of unique IPs versus unique user agent strings at 30 second intervals
Comparison of unique IPs versus unique user agent strings at 30 second intervals

[/one_third][one_third]
Identified botnet #5
Members: 772
Observations:

  • Session length = 3,587 sec
  • Payload average = 10,221 byte
  • Hit rate = 0.48 /minute
  • Requests: 3 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA: high variation, all WordPress pingback

Deflect Response: Successfully blocked. 85% of responses to botnet processed by edge within 20ms

Comparison of unique IPs versus unique user agent strings at 30 second intervals. Note the probing attack before escalation
Comparison of unique IPs versus unique user agent strings at 30 second intervals. Note the probing attack before escalation

[/one_third][one_third_last]
Identified botnet #6
Members: 971
Observations:

  • Session length = 583 sec
  • Payload average = 31,317 byte
  • Hit rate = 0.49 /minute
  • Requests: 145,000
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA variation: high variation, all WordPress pingback

Deflect Response: Relatively small incident – some attackers did not trigger our early detection with around 15% getting through to origin (22,000 requests returned an HTTP 200). Successfully blocked.

Error codes showing blocked request versus those that got to the origin site in incident #31
Error codes showing blocked request versus those that got to the origin site in incident #31

[/one_third_last]

User agent and device

The “UA” parameter in our logging system identifies the user agent string in the request header made to the target website. It usually represents the signature (or version) of the program used to query the website, for example “Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” means that the request was made from Internet Explorer version 11, running on the Windows 7 operating system [2]. The “device” parameter in our logging system identifies the hardware (device) the user agent is running on, for example “iOS Device” or “Nexus 5” or “Windows 7”. In this case, the vast majority of IP addresses hitting the site were categorised as “spiders”. A spider, or web crawler, is software used by search engines to index the web. User agent strings are just text and can be changed (faked) to say anything – including copying a user agent string commonly used by some other software.[one_half]

Graph 9. Hit count from various devices throughout incidents 31-32
Graph 9. Hit count from various devices throughout incidents 31-32

[/one_half][one_half_last]

Graph 10. Unique IP count from various devices throughout incidents 33-34
Graph 10. Unique IP count from various devices throughout incidents 33-34

[/one_half_last]

Conclusions on incident #31 and #32 attacks
  • These incidents stand out for their common attack and attacker characteristics, with an intersection of 91% of bots used in both instances (of the smaller incident). Botnet #4 and #5 behaviour differs only in their hit rate. Botnet #5 and #6 have a similar number of bots and an almost identical hit rate. Interestingly, they differ greatly in the number of hits each one of them launched at the target site. It seems that all three botnets had strong presence on computers in the United States. All botnets used the same attack method – WordPress pingback – in both incidents.
  • The similarities between bot IP addresses and the attempts to vary the attack pattern from very similar botnets indicates human lead efforts to adapt their botnet to get past Deflect defences. It appears that the botnets used in these two incidents have the same controller behind them.

Incidents #33 & #34

Date: March 4, March 8, 2016
Duration: 30 mins, 2 hours and 20 minutes
Number of bots: 8,844 and 7,151
Identified botnets: 1 (botnet id: #7)
Attack type: Reflection – WordPress Pingback[1]


Identified botnet #7
Members: 11,746
Observations:

Graph XX. Comparable values of unique IPs and unique UAs. We see a huge difference from other botnets in this report
Graph 11. Comparable values of unique IPs and unique UAs. We see a huge difference from other botnets in this report

  • Session length = 2,665 sec
  • Payload average = 15,572 byte
  • Hit rate = 0.30 /minute
  • Requests: 7.9 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA variation: high variation, mostly WordPress pingback (92%)

Deflect Response: Moderate blocking success. 75% of requests dealt with in <200ms, 5% origin read timeouts

Graph 10. Unique IP count from various devices throughout incidents 33-34
Graph 12. Unique IP count from various devices throughout incidents #33-34

Conclusions on incident #33 and #34 attacks
  • Incident #33 comes across as a probe (or a first attempt) before a much stronger attack with similar characteristics is launched in incident #34. This is backed up by the use of a single botnet in both incidents.
  • Botnet #7 appears in other attacks against Israeli websites, on our network and on the network of one of our peers. The attack pattern used in these incidents is similar to the previous two incidents, and we have found a 17.9% intersection between bots used in incidents #32 and #33, possibly linking #31-34 together. Along with the prevalence of bots originating from the United States, there is some justification that botnets 4-7 originate from a similar larger network.

Report conclusions

Attempts to bring down the bdsmovement.net website were made using several (at least two distinct and relatively large) botnets and varied in their technical approach. This shows a level of sophistication and commitment not generally seen on the Deflect network. The choice of attack method allowed us to see which website was being targeted, which may have been a conscious decision. However, we did not find anything linking attacks in incidents #29-30 with attacks in incidents #31-34. Relative success with affecting the origin in the first two incidents was not built upon in the next four. Furthermore, other effective methods to swarm the network with traffic or overwhelm our defence mechanisms could have been used, had the attackers had enough resources and dedication to achieve their aims.

The creation of historical profiles for botnet activity and the ability to intersect our results with peer organizations will lead to better understanding of trends, across a greater swath of the Internet. Adapting botnet classification tooling to automated defense mechanisms will allow us to notify peers about established and confirmed botnets in advance of an attack. By slowly chipping away at the impunity of botnet controllers, we hope to reduce the prevalence of DDoS attacks as a method for suppressing online voices.

eQualit.ie is inviting organizations interested in this collaboration to reach out.

 



[1] A WordPress pingback attack uses a legitimate function within WordPress, notifying other websites that you are linking to them, in the hope for reciprocity. It calls the XML-RPC function to send a pingback request. The attacker chooses a range of WordPress sites and sends them a pingback request, spoofing the origin as the target website. This feature is enabled by default on WordPress installations and many people run their websites unaware of the fact that their server is being used to reflect a DDoS attack.
[2] http://www.useragentstring.com/index.php

  1. Home
  2. >
  3. Blog
Categories
Blog DDoS Deflect Labs

Deflect Labs Report #1

Botnet attack analysis covering reporting period February 1 – 29 2016
Deflect protected website – kotsubynske.com.ua

This report covers attacks against the Kotsubynske independent media news site in Ukraine, in particular during the first two weeks of February 2016. It details the various methods used to bring down the website via distributed denial of service attacks. The attacks were not successful.

General Info

Kotsubynske is a media website online since 2010 created by local journalists and civil society in response to the appropriation and sale of public land (Bylichaniski forest) by local authorities. The website publishes local news, political analysis and exposes corruption scandals in the region. The site registered for Deflect protection during an ongoing series of DDoS attacks late in 2015. The website is entirely in Ukrainian. The website receives on average 80-120 thousands daily hits, primarily from Ukraine, the Netherlands and the United States.

image1

Attack Profile

Beginning on the 1st of February, Deflect notices a rise in hits against this website originating primarily from Vietnamese IPs. This may be a probing attack and it does not succeed. On the 6th of February, over 1,300,000 hits are recorded against this website in a single day. Our botnet defence system bans several botnets, the largest of which comprises just over 500 unique participants (bots).

Using the ‘Timelion’ tool to detect time series based anomalies on the network, such as those caused by DDoS attacks, we notice a significant deviation from the average pattern of visitors to the Kotsubynske website (on the diagram below, hits count on the website are in red, while the blue represents a 7-day moving average plus 3 times standard deviation, yellow rectangles mark the anomalies). The fact that the deviation from the normal is produced over a week (Feb 1 to Feb 8) points to the attack continuing over several incidents. This report attempts to figure out whether these separate attacks are related and display attack characteristics and makes assumptions about its purpose and origin.

Illustration 1: Timelion graph showing a prolonged attack
Illustration 1: Timelion graph showing a prolonged attack period between February 1 and 8

February 06, 2016 Attack profile

This incident lasted 1h 11min and was the most intensive attack during this period, in terms of hits per minute.

Incident statistics
Here are listed part of the incident statistics that we get from the deflect-labs system. They show the intensity of the attack, the type of the attack (GET/POST/Wordpress/other), targeted URLs, as well a number of GEOIP and IP information related to the attacker(s):

  • client_request host:”www.kotsubynske.com.ua”
  • Hits between 24000 and 72000 per minute
  • Total hits for the attack period: 1643581
  • Attack Start: 2016-02-06 13:34:00
  • Attack Stop: 2016-02-06 14:45:00
  • Type of attack: GET attack (bots requested page from website)
  • Targeted URL: www.kotsubynske.com.ua
  • Primary botnet request: “http://www.kotsubynske.com.ua/-”

Illustration 2: Geographic distribution of bots
Illustration 2: Geographic distribution of bots

The majority of hits on this website came from Vietnam, Ukraine, India, Rep of Korea, Brazil, Pakistan. Herewith are the stats for the top five countries starting with the most counts and descending:

geoip.country_name Count
Vietnam 817,602
Ukraine 216,216
India 121,405
Romania 70,697
Pakistan 61,201

Cross-incident analysis

We’ve researched three months of incidents on the Kotsubynske website, namely from January to March 2016. We have detected five incidents between February 01 – 08 and present a detailed analysis of botnet characteristics and the similarities between each incident. The point is to figure out if the incidents are related. This may help us define whether the actors behind this attack were common between all incidents. For example, we see relatively few IPs appearing in more than one incident, while each incident shares a similar botnet size and attack pattern.

Illustration 3: GeoIP location of bots over the 5 incidents
Illustration 3: GeoIP location of bots over the five recorded incidents

Table 1. Identical IPs across all the incidents

We identify, in sequence of incidents, botnets IPs which re-appeared from a previous attack.

ID Incident start Incident end Duration botnet IPs Recurring botnet IPs Attack type Attack pattern (URL request)
1 2016-02-02 12:0700 2016-02-02 12:21:00 14 min 224 GET 163224 hits: /-
2 2016-03-02 08:27:00 2016-03-02 08:31:00 4 min 120 22 GET 35991 hits: /-
3 2016-05-02 21:10:00 2016-05-02 22:00:00 50 min 99 0 GET 49197 hits : /-
23 hits: /wp-admin/admin-ajax.php
4 2016-06-02 13:34:00 2016-06-02 14:45:00 1h 11 min 484 0 GET 1557318 hits: /-
5 2016-08-02 12:20:00 2016-08-02 16:40:00 4 h 20 min 361 0 GET 392658 hits: /-

Table 2. Pairs of incidents with significant numbers of identical IPs banned by Deflect

Here we correlate each incident against all other incidents to see whether any common botnet IPs reappear and present the incident pairs where there is a match

incident id banned IPs incident id banned IPs recurring IPs % of recurring botnet IPs
in the smaller incident
1 224 2 120 22 18.3%
3 99 4 484 15 15.2%

Analysis of the five attacks shows thats very few botnet IPs were reused in subsequent attacks. The presence of any recurring IPs however suggests that they either belong to a subnet of the same botnet or are victims whose computers have been infected by more than one botnet malware. Furthermore, each botnet’s geoIP characteristics and behaviour is almost identical. For example, whilst traffic during this period followed the normal trend, both in terms of number of visitors and their geographic distribution, banned IPs were primarily from Vietnam, India, Pakistan and other countries that do not normally access kotsubynske.com.ua

This is a reliable indicator of malicious traffic and a transnational botnet.

  • 71.1% of banned IPs come from Vietnam, India, Iran, Pakistan, Indonesia,Saudi Arabia, Philippines, Mexico, Turkey, South Korea.
  • 99.9% of banned IPs have identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”.
  • The average hit rate of IPs with the exact identical user agent string is significantly higher: 61.9 hits/minute vs 4.5 hits/minute for all other traffic.

Illustration 4: Banned machines from 'unusual' countries
Illustration 4: Banned machines from ‘unusual’ countries for kotsubynske.com.ua

The user agent (UA) string seems to be identical in all five incidents, when comparing banned and legitimate traffic. In the diagram below, Orange represents the identical user agent string, whilst blue represents IPs with other user agent strings. The coloured boxes contain 50% of IPs in the middle of each set and the lines inside the boxes indicates the medians. The markers above and below the boxes indicate the position of the last IP inside 1.5 height of the box (or inside 1.5 inter quartile range).

Illustration 5: Hit rate distribution for the IPs with the same identical user agent string
Illustration 5: Hit rate distribution for the IPs with the same identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”

Even though there are not many identical botnet IPs across all of the 5 incidents, the behaviour of botnet IPs from different incidents is very similar. The figure below illustrates some characteristics of the botnet (different colours) in comparing with regular traffic (blue colour).

Scatter plot of sessions in 3-dimensional space:

  • Request interval variance
  • Error rate
  • HTML to image ratio

image7

Report Conclusion

On the 2nd of February, the Kotsubynske website published an article from a meeting of the regional administrative council where it stated that members of the political party ‘New Faces’ were interfering with and trying to sabotage the council’s work on stopping deforestation. The party is headed by the mayor of the nearby town Irpin. Attacks against the website begin thereafter.

Considering the scale of attacks often witnessed on the Deflect network, this was neither strong nor sophisticated. Our assumption is that the botnet controller was simply cycling through the various bots (IPs) available to them so as to avoid our detection and banning mechanisms. The identical user agent and attack pattern used throughout the five attacks is an indication to us that a single entity was orchestrating them.

This is the first report of the Deflect Labs initiative. Our aim is to strip away the impunity currently enjoyed by botnet operators the world over and to aid advocacy efforts of our clients. In the near future we will begin profiling and correlating present-day attacks with our three year back log and with the efforts of similarly minded DDoS mitigation efforts.