Categories: DDoS, Deflect, Deflect Labs, Press Release

Deflecting attacks against Israeli and Palestinian websites

DoS/DDoS attack report against Deflect protected websites between Oct 7 to Oct 22, 2023

INTRODUCTION

The violence that engulfed Israel and Gaza in recent weeks has permeated the digital commons as well, from horrifying footage of murder on our computer screens to hateful discourse throughout social media platforms. The Deflect infrastructure has for many years been a secure home for Israeli and Palestinian human rights groups, media and civic institutions. Deflect staff continue to apply our project’s principles and terms of service to ensure that the network is not used as a platform for promoting violence or hate. We also seek our clients’ explicit permission before publicizing their association with Deflect and reporting on attacks that aim to silence them.

Since Oct 7, 2023, Deflect recorded six significant DoS/DDoS attacks against an Israeli human rights organization (btselem.org), culminating in 54 million attack events hitting our edge servers. We also recorded 11 significant DoS/DDoS attacks against a Palestinian news website (palestinechronicle.com), with a total of 7 million malicious hits in various attack formations.

COVERAGE

  1. This report covers only L7 HTTP/HTTPS logs. There may be more attack traffic below L7, but it is not covered in this report; therefore we do not provide traffic volume figures (such as 1 GB of traffic per second).
  2. Attacks with a higher “Ban rate” may have their original scale underestimated: after a Deflect ban, the attacking IP is blocked at the firewall level, which prevents any further requests from that IP from reaching our servers.
  3. Sites with different technical parameters may produce different logging behaviour. A site with the JS challenger constantly enabled, challenging every request but not firewall-banning IPs that fail too many challenges, may log more attack traffic.

METHODOLOGY

To identify attacks from normal traffic, we employ the following methodology:

  1. Identify whether a spike in total traffic or in the ban log exists over a 24-hour window.
  2. Narrow down to that time range and look for anomalies, which often include:
    1. Excessive requests hitting a certain URL (such as the root /)
    2. Excessive requests with an identical User-Agent from different IPs
    3. Evenly distributed User-Agents / HTTP methods that are too perfect to be genuine
    4. Excessive unique query strings (such as ?v={rand}) used to avoid the cache
  3. Confirm whether the top traffic IPs triggered any of our rate-limiting rules.
  4. Cross-check with Baskerville, a machine learning system that detects anomalous traffic.
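As an added worked example (not part of the original report and not Deflect’s own tooling), the following Go program applies steps 1, 2.2 and 2.4 of that methodology to a handful of constructed nginx access-log lines: it finds the busiest second, lists User-Agents shared by several distinct IPs, and measures how many requests to a path carried a query string that never repeats, which is the signature of the cache-busting floods described in the attack tables. It also shows, in miniature, the kind of per-IP feature extraction over nginx logs that the Baskerville client described further down this page performs. The function names, the IP threshold and the sample log lines (documentation address ranges) are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// LogEntry holds the access-log fields the triage uses.
type LogEntry struct {
	IP    string
	Time  time.Time
	Path  string
	Query string
	UA    string
}

// nginx "combined" format: $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"`)

// ParseLine extracts the fields and splits the query string off the path.
func ParseLine(line string) (LogEntry, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return LogEntry{}, fmt.Errorf("unparsable line: %q", line)
	}
	ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return LogEntry{}, err
	}
	path, query := m[4], ""
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path, query = path[:i], path[i+1:]
	}
	return LogEntry{IP: m[1], Time: ts, Path: path, Query: query, UA: m[5]}, nil
}

// PeakRPS returns the request count of the busiest one-second bucket (step 1).
func PeakRPS(entries []LogEntry) int {
	counts := map[time.Time]int{}
	max := 0
	for _, e := range entries {
		t := e.Time.Truncate(time.Second)
		counts[t]++
		if counts[t] > max {
			max = counts[t]
		}
	}
	return max
}

// SharedUserAgents maps each User-Agent to the number of distinct IPs sending it,
// keeping only agents seen from at least minIPs addresses (step 2.2).
func SharedUserAgents(entries []LogEntry, minIPs int) map[string]int {
	seen := map[string]bool{} // "ua\x00ip" pairs already counted
	perUA := map[string]int{}
	for _, e := range entries {
		if k := e.UA + "\x00" + e.IP; !seen[k] {
			seen[k] = true
			perUA[e.UA]++
		}
	}
	for ua, n := range perUA {
		if n < minIPs {
			delete(perUA, ua)
		}
	}
	return perUA
}

// UniqueQueryStrings counts requests to path whose query string occurred exactly once,
// against all requests to that path (step 2.4): a high ratio is the cache-busting signature.
func UniqueQueryStrings(entries []LogEntry, path string) (unique, total int) {
	seen := map[string]int{}
	for _, e := range entries {
		if e.Path == path {
			total++
			seen[e.Query]++
		}
	}
	for q, n := range seen {
		if q != "" && n == 1 {
			unique++
		}
	}
	return unique, total
}

// Constructed sample: four addresses hammer / with one shared User-Agent and
// randomised ?v= values (one value reused by two IPs), plus one ordinary visitor.
var sampleLog = []string{
	`203.0.113.10 - - [09/Oct/2023:20:37:51 +0000] "GET /?v=8ab1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"`,
	`203.0.113.10 - - [09/Oct/2023:20:37:51 +0000] "GET /?v=9c22 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"`,
	`203.0.113.11 - - [09/Oct/2023:20:37:51 +0000] "GET /?v=8ab1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"`,
	`203.0.113.12 - - [09/Oct/2023:20:37:52 +0000] "GET /?v=77d3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"`,
	`203.0.113.13 - - [09/Oct/2023:20:37:52 +0000] "GET /?v=04aa HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"`,
	`198.51.100.8 - - [09/Oct/2023:20:37:53 +0000] "GET /?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"`,
}

func main() {
	var entries []LogEntry
	for _, l := range sampleLog {
		e, err := ParseLine(l)
		if err != nil {
			panic(err)
		}
		entries = append(entries, e)
	}
	u, total := UniqueQueryStrings(entries, "/")
	fmt.Printf("peak %d req/s; shared UAs %v; unique query strings on /: %d of %d\n",
		PeakRPS(entries), SharedUserAgents(entries, 3), u, total)
}
```

On real traffic the interesting output is the combination: a peak well above the site’s baseline, a single User-Agent spread across hundreds of addresses, and a unique-query ratio close to one on the targeted path together match the “Randomized Nocache Flood” pattern, whereas any one of them alone (a popular browser string, a paginated listing) is unremarkable.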

ATTACK: BTSELEM.ORG

Parameters: JS Challenger: On / Result of failing the challenge or hitting the rate limit: No ban

# | Date | Start (UTC+0) | Duration (s) | HTTP Req | RPS | Unique IPs | Unique bans | Ban rate
--|------|---------------|--------------|----------|-----|------------|-------------|---------
B1 | 10/9/2023 | 20:37:51 | 997 | 52,497,380 | 52,644 | 245 | 165 | 67.35%
B2 | 10/13/2023 | 15:37:26 | 2,665 | 291,192 | 109 | 1 | 1 | 100.00%
B3 | 10/16/2023 | 15:02:08 | 123 | 146,066 | 1,186 | 1,833 | 1,416 | 77.25%
B4 | 10/16/2023 | 22:32:55 | 483 | 1,068,436 | 2,211 | 3,611 | 2,403 | 66.55%
B5 | 10/18/2023 | 0:03:12 | 141 | 165,171 | 1,168 | 3,133 | 2,755 | 87.93%
B6 | 10/20/2023 | 13:24:30 | 181 | 133,930 | 739 | 2,606 | 2,281 | 87.53%

Chart A: Deflect / Banjax ban log visualization of attack #B1

Attack #B1 stands as the most potent attack documented in this report. It achieved an average Request Per Second (RPS) of 52,644. The top 6 originating IPs dispatched an average of 3 million requests within a 10-minute duration. The assailants deployed a “Randomized Nocache Flood” strategy, using varying query strings to bypass caching. Notably, the same query string was observed being used by different IPs from various global locations.

Attack #B2 originated from a single IP: 46.210.30.130. However, an apparent misconfiguration in the attacker’s tool resulted in all their requests being rejected by our server. 

Attack #B3 featured user-agent strings with minor variations in their version numbers, keeping a consistent foundational structure. Still, these weren’t entirely unique; the same user-agent string was detected being used by 37 different IPs.

Attack #B4 adopted a strategy akin to Attack #B3, but showcased a broader spectrum of user-agents and specifically targeted the /hebrew endpoint, as opposed to the website’s root directory (/).

Chart B: Baskerville Reaction to Attack #B4

Attack #B5 mirrored the tactics seen in Attack #B3 but employed a different set of user-agents.

Attack #B6 shared three identical User-Agent strings among its 2,606 IPs.

ATTACK: PALESTINECHRONICLE.COM

Parameters: JS Challenger: Off / Result of hitting the rate limit: Firewall ban

# | Date | Start (UTC+0) | Duration (s) | HTTP Req | RPS | Unique IPs | Unique bans | Ban rate
--|------|---------------|--------------|----------|-----|------------|-------------|---------
P1 | 10/8/2023 | 8:26:53 | 515 | 88,014 | 171 | 1,879 | 917 | 48.80%
P2 | 10/8/2023 | 14:42:26 | 925 | 86,991 | 94 | 1 | 1 | 100.00%
P3 | 10/9/2023 | 10:16:30 | 299 | 364,241 | 1,218 | 1,632 | 1,445 | 88.54%
P4 | 10/9/2023 | 22:34:09 | 154 | 1,198,752 | 7,764 | 1 | 1 | 100.00%
P5 | 10/10/2023 | 13:11:02 | 739 | 230,643 | 312 | 2,002 | 1,721 | 85.96%
P6 | 10/10/2023 | 17:06:39 | 668 | 2,869,176 | 4,294 | 708 | 532 | 75.14%
P7 | 10/12/2023 | 20:27:52 | 272 | 711,511 | 2,613 | 1,506 | 867 | 57.57%
P8 | 10/12/2023 | 20:57:58 | 248 | 738,380 | 2,977 | 1,142 | 938 | 82.14%
P9 | 10/13/2023 | 0:32:16 | 181 | 458,354 | 2,533 | 828 | 746 | 90.10%
P10 | 10/13/2023 | 9:25:37 | 177 | 291,291 | 1,648 | 759 | 710 | 93.54%
P11 | 10/21/2023 | 16:31:55 | 117 | 269,027 | 2,305 | 2,228 | 1,347 | 60.46%

Chart C: Deflect / Banjax ban log visualization of attack #P6

Attacks #P2 and #P4 were each perpetrated by a single IP. Both targeted HTTP port 80 and did not follow the 301 redirect to HTTPS. Excessive 301 requests only became subject to bans after October 14.

Attack #P6 was primarily executed by a single IP, which likewise did not adhere to the 301 redirects issued by Deflect.

Attacks #P7, #P8, #P9, and #P10 exhibited similarities in their approach; all employed a uniformly distributed user-agent string, implying that identical user-agent strings were observed across various IPs.

ATTACK CORRELATION

We observed significant overlaps in attack IPs across various DDoS attacks on palestinechronicle.com and btselem.org websites, suggesting coordinated attempts by the perpetrators. Here are the findings:

  1. Attacks #P9 and #P10 shared approximately 50 common attack IPs.
  2. Attacks #P7 and #P8 had about 30 identical attack IPs.
  3. Notably, attacks #P7, #P8, #P9 and #P10 seem to originate from the same attacking source, evidenced by a strong overlap of source IPs.
  4. Attacks #P3 and #P6 had six IPs in common, while attacks #P1 and #P5 also shared six identical IPs. The recurrence of shared IPs in separate attacks suggests a possible, albeit weak, connection to a common attack source or affiliated entities.
  5. Attacks #B4, #B5 and #B6 had 32 shared attack IPs, hinting that they might be from the same attacking source.
  6. There were also IPs that attacked both sites:
    1. IPs 186.121.235.66, 187.141.184.235, 201.91.82.155, and 36.91.45.11 targeted both #B3 and #P6.
    2. IPs 186.121.235.66, 187.141.184.235, 201.91.82.155, 36.91.45.11, 123.126.158.50, 223.112.53.2, 5.95.66.74, 79.107.146.14, and 190.90.8.74 attacked both #B3 and #P3.
  7. Of the 13 IPs that targeted attack #B1, three also attacked #P6 and six targeted #P3.

TOP ATTACKING IPs

This is a list of IPs with excessive requests logged on Deflect, each associated with an individual incident (see the # column for the matching attack ID).

# | IP | AS | Requests Count
--|----|----|---------------
B1 | 198.50.121.146 | iWeb Technologies Inc. | 3,936,297
B1 | 202.134.19.50 | CMC Telecom Infrastructure Company | 3,077,579
B1 | 209.126.124.140 | HEG US Inc. | 2,908,415
P6 | 104.199.133.2 | Google LLC | 2,802,394
B1 | 185.191.236.162 | Rack Sphere Hosting S.A. | 2,751,354
B1 | 200.30.138.54 | MILLICOM CABLE EL SALVADOR S.A. DE C.V. | 2,502,015
B1 | 103.74.121.88 | The Corporation for Financing & Promoting Technology | 2,480,702
P4 | 91.227.40.198 | Data Invest sp. z o.o. S.K.A | 1,198,752
B1 | 113.125.82.11 | Cloud Computing Corporation | 848,330
B1 | 37.211.21.205 | Ooredoo Q.S.C. | 831,118
B1 | 173.212.197.82 | Contabo GmbH | 662,370
B1 | 212.92.204.54 | A1 Hrvatska d.o.o. | 589,828
B1 | 193.41.88.58 | Kyiv National Taras Shevchenko University | 542,676
B1 | 109.70.189.70 | JSC Elektrosvyaz | 497,125
B1 | 186.121.235.66 | AXS Bolivia S. A. | 417,661
B1 | 93.180.220.67 | Intertelecom Ltd | 417,072
B1 | 177.126.129.43 | Net Aki Internet Ltda | 399,074
B2 | 46.210.30.130 | Cellcom Fixed Line Communication L.P. | 291,192
P2 | 223.233.84.97 | Bharti Airtel Ltd., Telemedia Services | 86,991
P7 | 23.247.35.2 | Global Frag Networks | 28,408
P9 | 209.17.114.78 | Network Solutions, LLC | 25,476
P10 | 209.17.114.78 | Network Solutions, LLC | 12,392

CONCLUSION

From October 7th to 22nd, 2023, both Israeli and Palestinian websites were subjected to coordinated and severe cyber-attacks, intended to overwhelm and take down these websites. These kinds of attacks, known as Distributed Denial of Service (DDoS) attacks, function like a traffic jam clogging up a highway, preventing regular users from accessing the website.

  1. Scale of Attacks: The Israeli human rights website faced attacks resulting in 54 million web requests, while the Palestinian news website experienced 7 million web requests. Think of these as millions of unwanted phone calls jamming up a hotline.
  2. Tactics and Techniques: The attackers adapted and used varied methods to bypass Deflect defences. Some tried to vary the attack requests in minute ways to fool manual rule-sets. Others used a more straightforward approach of sending a massive number of requests rapidly. In some instances, attackers tried to disguise their harmful requests by making them look like regular user visits.
  3. Shared Attack Patterns: We noticed that many of the attacks on both websites seemed to come from the same sources or groups. This is like recognizing the same group of troublemakers causing disruptions in multiple places. Specifically, the methods and even some of the internet addresses (IPs) used in the attacks were common across the two websites.
  4. Efficiency of Defenses: Our protective measures, think of them as security guards or filters, worked well in most cases. They were able to identify and block these harmful requests, preventing significant disruptions. However, attackers are persistent, and they keep trying various methods to bypass our defenses.

Over the recent period, our protective system, Deflect, has stood as a robust guardian for websites under its watch. Using sophisticated techniques, which include the power of machine learning, it has adeptly differentiated between regular and malicious traffic. This not only ensured that these cyber attackers were effectively thwarted but also maintained the uninterrupted service of the websites in question. It’s a testament to Deflect’s capability to handle intricate and aggressive cyber-attacks, safeguarding the essence and uninterrupted function of online platforms, and thereby supporting the freedom of expression online.

Categories: Blog, Deflect, Press Release

Introducing Deflect-next

After several years of laborious effort, we are proud to announce the public release of the new Deflect software ecosystem. In our Github organization https://github.com/deflect-ca you will find all official Deflect related open source repositories that allow you to stand up an entire website protection infrastructure or its individual components. Deflect offers a high-performance content caching and delivery network, cyber attack mitigation tools powered by Banjax and the Baskerville machine learning clearinghouse, user dashboards, APIs and much else. You are reading this post on a rebuilt and refactored Deflect infrastructure and we’re very proud of that!

Below is the story of how the new Deflect came to be and the rationale for the various software choices we made.

Deflect-next

Created in 2011, Deflect was a relatively simple solution to the many-against-one problem of distributed denial of service (DDoS) attacks targeting civil society’s web servers. By running Deflect’s caching and mitigation software on constantly rotating edge servers strategically located in some of the world’s biggest data centers, we offered a many-against-many scenario, utilizing the widespread nature of the Internet in a similar manner to those organizing attacks against our clients – leveling the playing field and bringing a little more ‘equalitie’ to our clients’ rights to freedom of expression and association with their audience. Deflect edges memorized previous requests for website data (by virtue of reverse-proxy caching techniques) and removed the load from our clients’ web servers. To block the onslaught of bot-driven attacks, we developed rule-based attack mitigation software – Banjax – identifying algorithmic behavior that we considered malicious and banning the IPs that exhibited it.

As we scaled our infrastructure and hundreds of independent media, human rights groups and other non-profits joined the service, millions of daily requests were received on the Deflect network from around the world. This growth was matched by a higher frequency and sophistication of attacks. The Deflect infrastructure was continuously and laboriously patched, improved and upgraded multiple times. As is often the case, the software code underpinning the service became cumbersome and replete with complicated configurations and fixes. Moreover, we moved further and further away from our secondary project ambition: to see other technology groups run their own instances of Deflect using our code base. The software stack required a lot of manual configuration and ‘insider knowledge’. Beginning in 2019 we began to architect and develop a new version of Deflect, using an entirely new method of provisioning, managing and configuring network components, maintaining our agility and adding reproducibility as a primary design philosophy.

From ATS to Nginx

The primary tool for serving Deflect clients’ websites is the caching software installed on every network edge. It does all the heavy lifting in our design – fielding requests from the Internet on behalf of our clients’ websites in a reverse proxy fashion. Initially we had opted for the Apache Traffic Server (ATS), built by Yahoo and released as open source in the early 2000s. The choice was made primarily for its performance levels under stress tests. The software itself was not yet widespread and a little more difficult to set up and maintain, with configuration for single actions often spread across multiple files. It required every Deflect network operator to dig deep into documentation and source code to figure out what would happen with every change.

Another caching and proxy solution – Nginx – was a more attractive choice for our new network design, with expressive configuration formats and a much larger technical userbase.

From Ansible and Bash to Python and Docker

Deflect clients customize their caching and attack mitigation settings via the Deflect Dashboard, which sends snapshots of these settings to the network controller. Previously, the configuration engine was a mix of Ansible and Bash, and it had outgrown, in logic and depth, what those languages were ever meant to manage. We have now rebuilt the configuration module in Python, supporting better scaling in the future and API communications.

We rebuilt the orchestration module of Deflect – for installing packages, starting and stopping processes, and sending new configuration to network edges – using Docker.

The benefits of containerization are well-known, but in short the advantages to us were: decoupling applications from the host OS (upgrading between Debian versions has historically been a pain point), making our various development and staging environments more reproducible, and letting us create and destroy multiple copies of a container on the same server easily. Once our applications were containerized, we needed a way to start and stop these containers, deciding to write it imperatively in our go-to general-purpose language, Python. There’s a library, docker-py, which connects to the Docker daemon on remote hosts over SSH and provides an API for building images, creating volumes, starting/stopping containers, and everything else we needed. The result is not as simple as Docker Compose or Swarm, but not as complicated as Kubernetes, and is written in a language everyone on our dev team already knows.

From Banjax to Banjax-go

Our primary method of mitigation – Banjax – was previously an ATS plugin, and as such was tightly coupled to the internal details of ATS’s request processing state machine and event loop. Written in C++, it was tightly coupled with ATS internals and often limited in functionality by the caching server itself. Answering a simple question like “does a request count against a rate limit even if the result has previously been cached, or only if the request goes through to the origin?” required a close reading of Banjax and ATS source code. To port our attack mitigation logic to another server like Nginx would require a similarly detailed understanding of its internals. In addition, we wanted to share Banjax tooling with others – but could not decouple it from ATS – and none of our partners and peers were running this caching software.

We explored an alternate architecture: where attack mitigation logic lives in a separate process (developed in any language, and decoupled from the internals of any specific server) and talks to the server over some inter-process communication channel. We explored using an Nginx plugin which was specialized for this purpose (and developed a proof-of-concept ATS plugin in Lua which did the same thing) but found that a combination between the very widely used `proxy_pass` directive and `X-Accel-Redirect` header was more flexible (authentication responses can redirect the client to arbitrary locations) and probably more portable across servers. As for the choice of language for the authentication service, Python and the Flask framework would have been nice because we use it elsewhere in our stack, but some benchmarks showed Go and Gin being a lot faster (we were aiming for a worst-case overhead of about 1ms on top of requests with a 50th percentile response time of 50ms, and Go/Gin achieves this).

The interface between Nginx and Banjax-go is a good demonstration of Nginx’s expressive configuration file. This first code block says to match every incoming request (`/`) and proxy it to `http://banjax-go/auth_request`.

location / {
    # every incoming request is first proxied to the Banjax-go auth endpoint
    proxy_pass http://banjax-go/auth_request;
}

Banjax-go then checks the client IP and site name against its lists of IPs to block or challenge. It responds to Nginx with a header that looks like `X-Accel-Redirect: @access_granted` or `X-Accel-Redirect: @access_denied`. These are names of other location blocks in the Nginx configuration, and Nginx performs an internal redirect to one of them.

location @access_granted {
    # internal redirect target: forward the request to the protected origin
    proxy_pass https://origin-server;
}
location @access_denied {
    # internal redirect target: answer from the edge without touching the origin
    return 403 "access denied";
}

This is already a lot easier to understand than a plugin which hooks into the internals of Nginx’s or ATS’s request processing logic (reading and writing a configuration file is easier than reading and writing code). Furthermore it composes nicely with the other concepts that can be expressed with Nginx’s scoped configuration: you can control the logging, caching, error-handling and more in each location block, and it’s clear whether it applies to the request to banjax-go, the request to the origin server, or the static 403 access denied message.
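To make the other side of that exchange concrete, here is an added example (not Banjax-go’s own code, and not from the Deflect project) of a minimal auth service in Go using only the standard library: Nginx proxies every request to `/auth_request`, the service looks the client IP and site up in a per-site block list, applies a sliding-window rate limit, and answers with the `X-Accel-Redirect` header naming `@access_granted` or `@access_denied`. The data structures, the limit values and the `Block` method are assumptions; it also assumes the Nginx location sets `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $remote_addr;` so the service sees the real site name and client address, and that the service listens only where Nginx can reach it.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Named nginx locations that the auth service hands back in X-Accel-Redirect.
const (
	AccessGranted = "@access_granted"
	AccessDenied  = "@access_denied"
)

// AuthService keeps a per-site block list and a per-(site, IP) sliding-window
// rate limit. Hypothetical structure: Banjax-go's own internals are not shown here.
type AuthService struct {
	mu      sync.Mutex
	limit   int           // requests allowed per window before the IP is blocked
	window  time.Duration
	blocked map[string]map[string]bool // site -> ip -> blocked
	hits    map[string][]time.Time     // "site|ip" -> recent request times
	now     func() time.Time           // injectable clock for tests
}

func NewAuthService(limit int, window time.Duration) *AuthService {
	return &AuthService{
		limit:   limit,
		window:  window,
		blocked: map[string]map[string]bool{},
		hits:    map[string][]time.Time{},
		now:     time.Now,
	}
}

// Block adds an IP to a site's block list (the kind of entry a Baskerville
// "challenge this IP" decision arriving over Kafka would ultimately produce).
func (s *AuthService) Block(site, ip string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.block(site, ip)
}

func (s *AuthService) block(site, ip string) { // caller holds s.mu
	if s.blocked[site] == nil {
		s.blocked[site] = map[string]bool{}
	}
	s.blocked[site][ip] = true
}

// Decide answers one auth sub-request: blocked IPs are denied outright; otherwise
// the hit is recorded and the IP is blocked once it exceeds limit hits per window.
func (s *AuthService) Decide(site, ip string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.blocked[site][ip] {
		return AccessDenied
	}
	key := site + "|" + ip
	now := s.now()
	recent := s.hits[key][:0] // in-place filter: drop timestamps outside the window
	for _, t := range s.hits[key] {
		if now.Sub(t) < s.window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	s.hits[key] = recent
	if len(recent) > s.limit {
		s.block(site, ip) // remember the offender so later requests skip the counting
		return AccessDenied
	}
	return AccessGranted
}

// clientIP trusts X-Forwarded-For only because nginx itself sets it on the
// sub-request; the service must not be reachable from anywhere but the edge.
func clientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// ServeHTTP is the /auth_request endpoint: nginx proxies every request here and
// follows the X-Accel-Redirect header to one of its named locations.
func (s *AuthService) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	site := strings.ToLower(r.Host) // the original Host, forwarded by proxy_set_header
	w.Header().Set("X-Accel-Redirect", s.Decide(site, clientIP(r)))
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.Handle("/auth_request", NewAuthService(100, 10*time.Second))
	// loopback only: the service is an internal hop for the local nginx, not a public endpoint
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", nil))
}
```

Because `Decide` runs on every request, including those that will be served from cache, this layout answers the question the post raises about ATS (“does a request count against a rate limit even if the result has previously been cached?”) with a definite yes, and the place to change that is the Nginx `location /` block, not the service.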

Here’s a diagram that shows the above proxy_pass + X-Accel-Redirect flow (follow the red numbers 1, 2, and 3) along with the other interfaces Banjax-go has: the log tailing and the Kafka connection. The log tailing enforces the same regex + rate limit rules that the ATS plugin did, but asynchronously (outside of the client’s request and response) rather than synchronously. The Kafka channel is for receiving decisions from Baskerville (“challenge this IP”) and for reporting whether a challenged IP then passed or failed the challenge.

Baskerville client

The machine-led anomaly prediction clearinghouse – Baskerville – is an innovative infrastructure that has been working in production on Deflect for over a year. It is a complicated set-up reliant on edge servers reporting logs to the clearinghouse, where the pre-processing for feature extraction (looking for anomalous behavior in web logs) creates vectors which are then run through the learning model. An anomaly prediction is generated and communicated back to the network edge. The clearinghouse runs on a Kubernetes cluster and requires a large amount of resources for processing.

Recently, we have split the software base into two components – the clearinghouse and the client software (operating on any Linux+nginx web server). The idea was to allow third-party clients, not using Deflect, to benefit from the clearinghouse’s predictions and the Banjax mitigation tool. In this new model, the Baskerville client is installed independently of Deflect and performs the following tasks:

  • Processes nginx web server logs and calculates statistical features.
  • Sends features to a clearing house instance of Baskerville.
  • Receives predictions from a clearing house for every IP.
  • Issues challenge commands for every malicious IP in a separate Kafka topic.
  • Monitors attacks in Grafana dashboards.
Anyone can benefit from Baskerville’s anomaly predictions and Banjax’s mitigation tools

Deflect-next open source components

  • Deflect – all necessary components to set up your network controller and edge servers – essentially acting as a reverse proxy to you or your clients’ origin web servers.
  • Deflect-API – an interface to Deflect components
  • Edgemanage – a tool for managing the HTTP availability of a cluster of web servers via DNS. If a machine is found to be under-performing, it is replaced by a new host to ensure maximum network availability.
  • Banjax – basic rate-limiting on incoming requests according to a configurable set of regex patterns.
  • Baskerville – an analytics engine that leverages machine learning to distinguish between normal and abnormal web traffic behavior. Used in concert with Banjax for challenging and banning IPs that breach an operator defined threshold.
  • Baskerville client – edge software for pre-processing behavioural features from web logs and communicating with the Baskerville clearinghouse for anomaly predictions.
  • Baskerville dashboard – A dashboard for users running the Baskerville Client software offering setup, labeling behavior and communicating feedback to the clearinghouse

Happy coding everyone!

Categories: DDoS, Deflect, News from Deflect Labs, Uncategorized

Updates from Deflect – 3 – 2022

This was a busy month for Deflect’s mitigation tooling, with Banjax blocking almost 12 million malicious requests launched by 108,294 different bots. Due to the war in Ukraine, many people turned to Deflect-protected Ukrainian media sites for information. Throughout the month Deflect served 1,128,751,920 requests (almost double the previous month), of which 283,570,50 came from Ukraine – around 20% of our global traffic. 1,277,053 Ukrainians read Deflect-protected websites – also a testament to the stability of the Internet there.

Ukrainian readership in March, by city

The biggest attack recorded this month was against informator.ua – a pan-Ukrainian news website with a focus on the Donbas region.

On the 31st of March, between 07:45 and 08:50 GMT+0, about 1,300 unique IPs were blocked by Deflect as they attacked informator.ua with GET /ru?8943563843054274 and POST /ru?829986440416200 requests, utilizing cache-busting techniques. These bots were from Brazil, the USA, Indonesia, India, Bangladesh and many other countries; almost 1,000 of them seemed to be infected MikroTik routers. Several hundred were compromised web servers and SOCKS proxies. There was partial downtime for this website for about an hour, as Deflect was not able to mitigate this attack fast enough to be sure no malicious requests were hitting the origin. The Baskerville system did not react as expected (this has been fixed). We enabled Challenger for this domain to be sure we can mitigate future attacks without any issues for the origin. Our log aggregation and analysis system was affected by the overall amount of requests and was out of sync for a short period of time.

Over 300,000 requests per minute were generated by the attackers. As you can see – a significant amount of bots originated from the United States. This is another important reminder for patching your computer systems and other Internet connected devices. Otherwise it could be your system attacking Ukrainian websites too!
Top banned unique IPs by vendor

    912 MikroTikRouter
    232 Unknown
     51 UbuntuServer
     44 Torrouter
     33 DebianServer
     16 WindowsServer
      6 WindowsSystem
      6 RedHatServer
      4 CentOSLinuxServer

Top banned unique IPs by service

    875 MikroTik
    232
     49 Ubuntu-ssh
     44 TorExitRouterHTTPheader
     33 Debiansshheader
     13 MikroTikSNMPinfo
     10 MikroTikFTPserver
      8 MikroTikPPTPserver
      7 WindowsRDPServer
      7 MSIISheader
      6 WindowsNetBIOS
      6 RedHatDNSheader
      5 MikrotikRouterOSconfigurationpage
      4 ApacheCentOS
      2 WindowswithMSHTTPAPIWebServer

by client_url:

199940     /ru
102142     /ru/category/biznes/login
37312      /ru/ukraino-rossiyskie-peregovory-v-stambule-itogi
3          /ru/post-prev/45573
Categories: Blog, Deflect, Uncategorized

Updates from Deflect – 2 – 2022

Since the beginning of this year, we have served over 1.5 billion website requests to approximately 13.5 million unique readers the world over! We mitigated over 17 distinct and significant attacks and kept our clients online 100% of the time! Our combined bot banning technology (machine-led predictions from Baskerville and confirmed anomalies by Banjax) blocked 5,794,533 malicious hits originating from 1,668,388 zombie bots. That’s quite a lot for this early in the season 🙂

Some of the biggest attacks were directed at a Colombian independent journalist website Los Danieles, a Filipino news media Verafiles, a Latin American information agency and an Indian feminist rights portal.

Attacks during January and February 2022. Colours represent different Deflect clients.

In what is a rather unusual occurrence, the deflect.ca website itself was attacked on February 07th. Around 11:00-11:03 GMT+0 about 10,000 unique IPs were sending GET / requests to deflect.ca. None of these requests were banned as the attack window was too small. Baskerville worked well in classifying about 5,700 of them as malicious. Some requests returned 502 codes, but these were generally malicious requests. eQPress behaved well, serving up to 2,620 requests per second on nginx with 5,000 RPS to the database and 100 Mbps of outgoing traffic. No collateral damage was detected to other eQPress clients. We investigated and improved some of our caching logic as a result of this incident.

Categories: Blog, DDoS, Deflect, Uncategorized

Deflect – a year in summary

Once again, the Deflect network grew in size and audience in 2021. Apart from the continuously stellar work of our clients, what stood out the most for the Deflect team tasked with network monitoring and adversary mitigation was the increasing sophistication and ‘precision’ of Baskerville, outperforming the human-written rule sets of the Banjax mitigation toolkit’s request rate-limiting library. Yes, the machine is outperforming humans on Deflect. We won’t get into the philosophical nature of this reality, but rather share with you some statistics and interesting attacks we witnessed this year.

Year in stats

Legitimate no. of requests served | 10,152,911,060
Legitimate no. of unique readers (IP) | 77,011,728
Total requests banned – Banjax | 3,326,915
Total requests challenged by Baskerville | 2,606,927
% of Deflect clients also using eQpress hosting | 34%
Total amount of complete Deflect outage | 0
Lowest up-time for any Deflect client | 99.8%
% of clients increase year-on-year | 21.62%
Largest botnet, by number of bots | 19,333
Number of significant DDoS events | 103

Deflected attacks

What an attack looks like

On November 04, 2021 – a DDoS attack on a Vietnamese media outlet (also hosted on EQPress) began around 16:50 UTC. Between 2,000 and 2,500 unique IPs were blocked, originating from the United States, Canada, Germany, France and other countries. These bots issued about 825 thousand GET / and GET https://website.com// requests during this attack. Most IPs involved were detected as proxies, and many of them revealed IPs in the X-Forwarded-For header. The underlying WordPress instance received up to 5,000 requests per second, forcing the EQPress server to send up to 30 megabits per second of HTML responses. Thanks to the FastCGI cache and overall configuration hardening, the hosting network cluster had enough resources to serve requests until all bots were blocked, without any significant issues for the website itself or its neighbours.

Baskerville detected this attack and issued challenge commands to 2,200+ IPs.

Baskerville’s traffic light classification system

This attack targeted an independent investigative journalism website from the Philippines. The attack began on November 15th and continued throughout the next two weeks. Large portions of attack traffic were not accessible to Deflect, targeting the hosting data center with L3/L4 floods.

Almost 4,000 unique IP addresses issued more than 70 million “GET /” and “GET /?&148294400498e131004165713TT117859756720Q106417752262N” requests against the website, using `cache busting` techniques with random query_string parameters. Attackers also resorted to using forged User-Agents in request strings. Obviously this attack was adapted against Deflect’s caching defences. Many of the participating IPs were proxies, possibly revealing the original sender in the X-Forwarded-For header.

Unfortunately, this attack was not fully mitigated in a quick way and caused several hours of downtime for real users. After manually enabling Deflect’s advanced protection mechanisms and adjusting the origin’s configuration, the website became stable again.

A Zambian democratic watchdog organization was attacked twice between August 08-09 and 11-12. It seems that when the attackers came back a second time round, they hadn’t learned their lessons and tried a similar technique and an almost identical botnet.

Servers from different countries (mostly the United States, Germany, Russia, France) sent more than 16 million GET / and /s=87675957 requests (with random numbers to bypass caching) during the first round of attacks. During the following incident over 137 million malicious requests were recorded and blocked.

Most of these IPs are known as compromised servers that could be used as proxies, and as MikroTik routers. 383 unique User-Agent headers were used, all of them Google Chrome variations. We can also see about 400 Tor exit nodes which were used for this attack.

Millions of hits per minute

The first attack was not completely mitigated due to its profile and some traffic was able to hit the origin server, resulting in several hours of partial downtime for real visitors during different phases of this attack. The second attack was completely mitigated as we had already updated our mitigation profiles.

Categories: Blog, Deflect, Press Release, Uncategorized

Deflect partners with technology and media groups

June 01, 2021 – Deflect partners with technology and media groups

Since 2010, Deflect has specialized in protecting online platforms from cyber attacks. Today, our mission and time-tested tooling reaches further and wider than ever before! We are honoured to announce strategic partnerships with well-known Internet Service Providers and digital media entrepreneurs in the Americas and Europe. Our combined service offering includes all manner of web hosting and online collaboration platforms, technical consultancy and web security services. With over a hundred years of collective technology expertise and a dozen common languages between us, this is a partnership that will serve a global clientele and meet the challenges of shrinking online spaces for expression and self-determination.

Our mission is strengthened through this mutually beneficial partnership. We stand together, stronger and ever more resilient, to protect our clients’ platforms with ethical technology solutions, multilingual human resources and a common belief in principles before profits.

Dmitri Vitaliev, Founder, deflect.ca

Find out more about our partners’ individual services and mission from the list below. Check out Deflect’s partnership opportunities and write to us!

@colnodo

Colnodo is a not-for-profit organization that has been providing Internet infrastructure services to activists and civil society organizations since 1994. Colnodo’s main objective is the access, use and appropriation of information and communication technologies (ICT) for social development, human development and the improvement of people’s living conditions through the strengthening of capacities and competencies, education for work, information and knowledge exchange, increased citizen participation, sustainable development and innovation.

@greenhost

Greenhost (Netherlands) is an established infrastructure provider focusing on digital human rights and sustainability. By providing infrastructure services to a wide range of organisations supporting human rights, free press and/or censorship circumvention while preserving privacy guarantees, Greenhost makes sure to keep the internet an open and innovative space.

@greennetisp

GreenNet (UK) have been networking people and activist groups for peace, the environment, equality and human rights since 1986 – providing internet services, web design and hosting. Our hardware and software choices are based on expert technical judgment, our ecological sustainability and ethical business values.

@cloud68hq

(Tirana, Tallinn, Worldwide) Cloud68.co provides reliable open source digital infrastructure to for-purpose small and medium teams, organizations and individuals, with responsive and friendly support. As a team of long-time contributors to digital privacy and open knowledge projects, we are committed to helping you migrate from big tech as easily as possible.

@sembramedia

SembraMedia is a nonprofit dedicated to empowering diverse voices in Spanish media to publish news and information with independence, journalistic integrity, and a positive impact on the communities they serve. They conduct research, provide training, consulting, and financial support to help media leaders develop more sustainable business models in Latin America, Spain, and the U.S. Hispanic market.

At MainMicro, our goal is to ensure customer satisfaction by providing ongoing support and cost effective solutions for our partners. We take great pride in having a customer retention rate that is among the highest in the industry. For us, when you become a customer you also become a friend, and we become the one-stop shop for all of your IT related needs.

At Black Crow Labs we construct your brand’s ecosystem and tell your story.  By engaging with prospective customers on targeted platforms we integrate your brand into their lives and conversations.

Categories: Blog, DDoS, Deflect

Go Banjax-Go!

The Deflect service is built around defense-in-depth principles to keep your website online, no matter what traffic is coming in. Our network edges are located with multiple providers in data centers around the globe. Every edge on the Deflect network caches static webpage resources and can reply very quickly to a multitude of simultaneous requests. As traffic arrives at the edge, two separate modules are always on the lookout for malicious bots and attacks. One of these is Baskerville, powered by machine-led anomaly predictions; we have a dedicated page explaining how that works. The other is Banjax: a curated list of regex patterns with associated rate limits. This allows us, for example, to instantly block IPs whose requests carry a user agent from a list of known vulnerability scanners, to block IPs that request an expensive /search/ endpoint too often, or to block IPs that send an unreasonable number of POST or GET requests to the network. It’s simple but very effective.

Banjax was originally written in C++ as an Apache Traffic Server (ATS) plugin. Those initial choices made it difficult for third parties who were not running ATS to adopt it. In refactoring Banjax we decided to use Go, a more modern language that still provides all the necessary functionality and makes the library easier to maintain in the long term. We are now pleased to present Banjax-Go, built for the 2020s and working happily in concert with Baskerville and Deflect caching, or as a standalone module in your nginx setup.

The decisions Banjax can make are Allow, Block, or Challenge. The decision lists are populated from the config file (useful for allowlisting or blocklisting known-good or known-bad IPs), from the results of the regex rate-limit rules (breaking a rule can result in a Block or a Challenge, or even an Allow), and from messages received on a Kafka topic (this is how Baskerville talks to banjax-next).
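The following is an added example of the rule model the two paragraphs above describe, written for this page; it is not Banjax’s source or its configuration format. Regex rules are matched against a request’s path or user agent, matches are counted per client IP over a sliding window, and a rule whose count exceeds its limit votes Allow, Challenge or Block; a static per-IP list stands in for the config-file source of decisions and overrides the rules. The rule names, thresholds, windows and the Request and Limiter types are assumptions for illustration; the Kafka channel from Baskerville is not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Decision is what the edge does with a request; higher values are more severe.
type Decision int

const (
	Allow Decision = iota
	Challenge
	Block
)

func (d Decision) String() string { return [...]string{"Allow", "Challenge", "Block"}[d] }

// Rule is a hypothetical regex rate-limit rule: requests whose Field matches
// Pattern are counted per client IP over a sliding Window; once the count
// exceeds Limit the rule votes for Decision. Limit 0 fires on the first match.
type Rule struct {
	Name     string
	Field    string // "path" or "ua"
	Pattern  *regexp.Regexp
	Limit    int
	Window   time.Duration
	Decision Decision
}

// Request is the subset of an HTTP request the rules look at.
type Request struct {
	IP, Path, UA string
	At           time.Time
}

// Limiter combines a static per-IP list (the config-file source of decisions)
// with the rate-limit rules. Single-threaded for clarity; a real edge would lock.
type Limiter struct {
	rules []Rule
	lists map[string]Decision    // IP -> Allow (allowlist) or Block (blocklist)
	hits  map[string][]time.Time // "rule|ip" -> match timestamps still inside the window
}

func NewLimiter(rules []Rule, lists map[string]Decision) *Limiter {
	return &Limiter{rules: rules, lists: lists, hits: map[string][]time.Time{}}
}

// Decide returns the verdict for one request. A static list entry wins outright;
// otherwise every matching rule is counted and the most severe triggered decision wins.
func (l *Limiter) Decide(r Request) Decision {
	if d, ok := l.lists[r.IP]; ok {
		return d
	}
	result := Allow
	for _, rule := range l.rules {
		subject := r.Path
		if rule.Field == "ua" {
			subject = r.UA
		}
		if !rule.Pattern.MatchString(subject) {
			continue
		}
		key := rule.Name + "|" + r.IP
		cutoff := r.At.Add(-rule.Window)
		kept := l.hits[key][:0]
		for _, t := range l.hits[key] { // slide the window: forget matches older than it
			if t.After(cutoff) {
				kept = append(kept, t)
			}
		}
		kept = append(kept, r.At)
		l.hits[key] = kept
		if len(kept) > rule.Limit && rule.Decision > result {
			result = rule.Decision
		}
	}
	return result
}

// DefaultRules are three rules of the kind described above. The values are
// assumed for the example, not Deflect's production thresholds.
func DefaultRules() []Rule {
	return []Rule{
		{Name: "scanner-ua", Field: "ua", Pattern: regexp.MustCompile(`(?i)\b(sqlmap|nikto|masscan|nmap|zgrab)\b`),
			Limit: 0, Window: time.Minute, Decision: Block},
		{Name: "expensive-search", Field: "path", Pattern: regexp.MustCompile(`^/search/`),
			Limit: 10, Window: time.Minute, Decision: Challenge},
		{Name: "flood", Field: "path", Pattern: regexp.MustCompile(`.`),
			Limit: 100, Window: 10 * time.Second, Decision: Block},
	}
}

func main() {
	lim := NewLimiter(DefaultRules(), map[string]Decision{"192.0.2.1": Allow}) // constructed allowlist
	now := time.Date(2021, 3, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println("scanner:", lim.Decide(Request{IP: "203.0.113.9", Path: "/", UA: "sqlmap/1.5", At: now}))
	for i := 1; i <= 12; i++ { // the 11th /search/ request within a minute gets challenged
		now = now.Add(time.Second)
		fmt.Println("search", i, lim.Decide(Request{IP: "198.51.100.5", Path: "/search/?q=x", UA: "Mozilla/5.0", At: now}))
	}
}
```

Two details worth keeping when adapting this: the allowlist is consulted before any rule, so a trusted monitor cannot be banned by its own scan, and the window is evaluated at decision time rather than by a periodic reset, so a client cannot burst twice around a reset boundary.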

In addition to blocking requests (at the HTTP level) or blocking IPs (at the iptables/netfilter level), Banjax also supports sending a “challenge” HTML page containing either a basic password challenge (useful as an extra line of defense in front of admin sections) or a proof-of-work challenge (useful for blocking bots that cannot execute JavaScript while letting web browsers through).
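An added example of the proof-of-work exchange, with both sides written in Go so that it runs stand-alone (in Banjax the client side is JavaScript served in the challenge page; this code is not Banjax’s, and the difficulty, lifetime and hash construction are assumptions). The edge issues a random nonce and an expiry, authenticated with an HMAC so it need not store anything per client; the client brute-forces a counter until SHA-256(nonce || counter) begins with the required number of zero bits; the edge then verifies the tag, the expiry and the work.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
	"time"
)

// DifficultyBits is how many leading zero bits the solution hash must have;
// 12 bits means about 4096 hash attempts on average (assumed value for the example).
const DifficultyBits = 12

// ChallengeTTL bounds how long a solved challenge stays valid (assumed value).
const ChallengeTTL = 5 * time.Minute

// Challenge is what the edge hands the browser. Nonce and Expires are public;
// Tag is an HMAC over both, so the edge can verify later without keeping state.
type Challenge struct {
	Nonce   [16]byte
	Expires int64 // Unix seconds
	Tag     []byte
}

// Server holds the secret used to authenticate challenges it issued.
type Server struct{ key []byte }

func NewServer(key []byte) *Server { return &Server{key: key} }

func (s *Server) tag(nonce [16]byte, expires int64) []byte {
	mac := hmac.New(sha256.New, s.key)
	mac.Write(nonce[:])
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(expires))
	mac.Write(exp[:])
	return mac.Sum(nil)
}

// Issue creates a fresh challenge that expires ChallengeTTL after now.
func (s *Server) Issue(now time.Time) Challenge {
	var c Challenge
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err)
	}
	c.Expires = now.Add(ChallengeTTL).Unix()
	c.Tag = s.tag(c.Nonce, c.Expires)
	return c
}

// work hashes nonce||counter; the client varies counter until the hash is hard enough.
func work(nonce [16]byte, counter uint64) [32]byte {
	var buf [24]byte
	copy(buf[:16], nonce[:])
	binary.BigEndian.PutUint64(buf[16:], counter)
	return sha256.Sum256(buf[:])
}

// LeadingZeroBits counts zero bits from the front of a digest.
func LeadingZeroBits(d [32]byte) int {
	n := 0
	for _, b := range d {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// Solve is the client side (what the challenge page's JavaScript does in a browser):
// brute-force a counter whose hash meets the difficulty, or give up after maxTries.
func Solve(c Challenge, maxTries uint64) (uint64, bool) {
	for i := uint64(0); i < maxTries; i++ {
		if LeadingZeroBits(work(c.Nonce, i)) >= DifficultyBits {
			return i, true
		}
	}
	return 0, false
}

// Verify is the server side: the challenge must be one we issued, still valid, and solved.
func (s *Server) Verify(c Challenge, counter uint64, now time.Time) error {
	if !hmac.Equal(c.Tag, s.tag(c.Nonce, c.Expires)) {
		return errors.New("challenge was not issued by this server")
	}
	if now.Unix() > c.Expires {
		return errors.New("challenge expired")
	}
	if LeadingZeroBits(work(c.Nonce, counter)) < DifficultyBits {
		return errors.New("insufficient proof of work")
	}
	return nil
}

func main() {
	srv := NewServer([]byte("example-edge-secret")) // constructed key for the demo only
	now := time.Now()
	c := srv.Issue(now)
	counter, ok := Solve(c, 1<<24)
	fmt.Println("solved:", ok, "counter:", counter, "verify:", srv.Verify(c, counter, now))
}
```

Verification is cheap (one HMAC and one hash) while solving costs the client thousands of hashes, which is the asymmetry that makes this useful against bots: a browser pays it once per challenge, a scripted client that cannot run the page’s JavaScript never produces a valid counter. The expiry keeps a solved challenge from being replayed indefinitely; tying the nonce to the client’s session or IP inside the HMAC would further prevent one solution being shared across a botnet.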

An initial concern with moving away from C++ was performance: during an attack, Banjax often has to process thousands of requests per second on every edge. We ran a set of synthetic tests to see how Banjax-Go performed, using a series of worst-case scenarios drawn from our past experience on Deflect. Our goal was to process 1,000 unique IPs per second on an average virtual machine (a DigitalOcean droplet).

We first tested iptables on its own, to see how quickly it can process rule changes (deleting 2,000 rules) without any other system interfering. We ended up with the following results:

Next, we tested how quickly Banjax-Go is able to process different types of common requests (again, under worst-case scenario conditions):

  • Every request generates a challenge: 800 req/sec
  • Every request passes through to the origin without any caching: 1200 req/sec
  • Every request passes through and is served a cached version of a web page: 2800 req/sec

At the same time we decided to evolve our caching mechanism from using Apache Traffic Server to Nginx. These and many other modules will make up our release of Deflect-Core – a project deliverable that we hope to present by the end of spring. For now our efforts concentrate on the mitigation toolkit banjax-next.

Categories: Blog, DDoS, Deflect

Everything you always wanted to know about protecting your website with Deflect* (*But were afraid to ask)

Whether you are the owner of an independent media site telling the stories no one else will, a non-profit or community organization informing its members of available resources and events, or a company of any size, ensuring that your website stays protected and online is of the utmost importance. 

Understanding the difference between indirect and direct vulnerability

Many indirect cybersecurity attacks – malware, phishing, trojans, data breaches, and ransomware – can be prevented by raising awareness in an organization and cultivating best practices around clicking on suspect links or downloading files from unreliable sources. 

However, your website can also be subjected to direct DDoS attacks. This is why its security should be managed by a dedicated technical support team that you trust, one that matches your values of transparency, privacy, and social responsibility. 

What is a DDoS attack?

Unlike attacks that rely on individuals clicking on suspicious links in their email or downloading files from untrusted sites, DDoS attacks are direct assaults on the IT infrastructure of an organization.

A DDoS (distributed denial of service) attack is like the early pandemic grocery store rush of customers piling up and blocking the door in a mad rush for that last roll of toilet paper. Except, when all that traffic hits your site, they are not customers – they are bots. And their main purpose is to overwhelm your site and knock it off the web. Without protection, your site can be incapacitated by an attack and shut down completely. 

My site won’t get attacked because we’re too small

A DDoS attack can happen to anyone, no matter the size of your site or the number of visitors. In fact, many small sites, especially independent media and grassroots organizations, are particularly vulnerable to attacks because their voices often oppose a powerful government, a military, or a popular consensus. In some cases, these sites are targeted by hate groups, as was the case when we protected Black Lives Matter from attacks which occurred over 100 times a day on their site for seven months in 2016.

One good question to ask: would anyone like to silence your voice? If the answer is yes, you likely already know the importance of DDoS protection. We provide the same level of protection for non-profits and independent media sites as we do for commercial clients. Learn more about our free protection for eligible groups here

There aren’t many DDoS attacks, so I’m not likely to need protection

According to a recent white paper released by Cisco, DDoS attacks have been getting larger and more frequent each year. In 2018 there were 7.9 million DDoS attacks, and by 2023 they estimate the number will roughly double to 15.4 million.

Aren’t bigger names better when it comes to DDoS protection?

No. Deflect has the capacity to handle protection of any site, and our experience mitigating attacks on some of the most vulnerable sites in countries all around the world has made us experts in the field.

According to Ali Reza, “IPOS directly benefited from Deflect’s expertise and professionalism when our main website was subject to an unprecedented attack. At the time the services of similar companies including CloudFlare and Google PageSpeed failed to protect IPOS’ election tracking poll against a major DDoS attack during the 2013 presidential elections in Iran. However, Deflect were able to quickly set up a CDN front and accept traffic from IPOS’ main domain and fight back against the attack.”

My industry won’t be attacked. It’s banks and governments that are most often subjected to DDoS attacks

While banks and governments have indeed been subjected to DDoS attacks, no industry is DDoS-proof. According to a 2019 global DDoS Threat Landscape report by Imperva, attacks have occurred in most markets, including adult entertainment, gaming, news, society, lifestyle, retail, travel, and gambling. If your site is not in those markets, it does not mean you are safe from a DDoS attack.

Motivations for DDoS attacks

As the same report points out, the motivations for DDoS attacks are many, and may include: 

Business competition – a competitor might hire a botnet to bring down your site. 

Extortion – ecommerce sites are particularly dependent on the uptime of their sites for generating revenue. This makes them particularly susceptible to extortion for the promise not to attack their site.

Hacktivism – political, media, or corporate websites can be targeted by hacktivists to protest against their actions.

Vandalism – disgruntled users or random offenders often attack gaming services or other high profile clients.

To this list, we would add:

Censorship – these attacks could be committed by individuals, governments, or militaries against groups for their social, environmental, human rights, or political movements with the goal of silencing their voices. As you can imagine, outside of North America, some of the most consistent attacks against the most vulnerable peoples and groups, like our client ARNO, in Myanmar, are of this type.

Transparent, Trusted, Ethical Protection

But I’m already protected by one of the more popular guys for “free.” 

Large providers often claim to offer DDoS protection for “free.” To provide that service, however, many enter into agreements with venture capitalists, and the trade-off for their “free” protection is the privacy of your data, which can be shared or sold. 

Before the Cambridge Analytica scandal, many of us would mindlessly scroll down and agree to all terms and conditions, but for independent media, nonprofit and community organizations, and companies, data should always be kept safe and private. When choosing who will protect you from DDoS attacks, read policies carefully to find out if you’re giving up anything for “free” protection. Our protection for non-profits, NGOs, and independent media really is free.

Deflect Pricing

At Deflect, we have always provided our services for free to eligible non-profits and independent media groups, without compromising your data privacy. Our principles, privacy policy, and conditions are transparent. For commercial sites, our pricing is transparent. Unlike most of our competitors, we charge for the number of unique monthly IPs to your site, not for multiple visits from one IP, or traffic from attacks. 

There are other limits to the “free” protection provided by some of our competitors. On more than one occasion, clients who were protected by our competitors have come to us after being attacked and told they either needed to upgrade to a premium service or leave, just at the moment when they were most vulnerable. 

We at Deflect consider ourselves to be the #1 ethical cybersecurity protection company in the world. We have over 10 years’ experience protecting the most vulnerable and most attacked non-profit and independent media voices across the world in over 80 countries.

In addition to our commitment to transparent policies and privacy, we have a clear no-hate, no-incitement-of-violence policy. For us, this is a no-brainer. If your site breaks this policy, you will be asked to leave.

We are socially responsible. For every paying commercial client we protect, we are able to extend the same protections for free to important groups that otherwise could not afford protection, or may get kicked off the “free” protection of our competitors because the work they do makes them more vulnerable to attacks. 

If you have more questions, or you’d like more information about Deflect’s non-profit, business, or partner programs, you can reach out to us by sending us a message here, or by reaching out to terry@deflect.network for non-profit questions and garfield@deflect.network for business and partner programs.

Categories: Blog, Deflect, Uncategorized

Updates from Deflect – 2 – 2021

Traffic & Attacks

Since the beginning of this year, we have served over 2 billion website hits to approximately 18 million unique readers the world over! We mitigated over 30 distinct attacks and kept our clients online 100% of the time. The Banjax bot-banning technology blocked 291,898 malicious hits originating from 58,181 zombie bots. Our machine-led anomaly prediction system Baskerville was further able to identify and challenge suspiciously behaving IPs 1,182,084 times, of which only 16,755 proved to be legitimate readers and were allowed to access the requested website. This equates to 98.58% precision, which is pretty good for a machine!

Most popular countries reading Deflect protected websites

These attacks have helped us confirm that our earlier implementation of Shapley value estimation in Baskerville has led to positive results. Shapley values are a general way to explain the output of a machine learning model by ranking the importance of its features, which helps us decide which features are worth keeping. We used this method to compare an older model with one that uses only the features Shapley values rank as important, on a data set containing the latest attacks. The model with only the most important features outperformed the older one.

Deflect referral program

Financial survival and independence on today’s Internet is tough. Big Tech permeates and controls virtually every aspect of our digital experience. When it comes to Internet infrastructure and network services, corporate giants such as Akamai, AWS and Cloudflare dominate the space. These handful of companies have managed to create an ecosystem where they profit from virtually every transaction or advertising campaign. While we choose our destiny as consumers, the growing problem is a lack of choices. One way or another, we are being pushed towards a handful of companies.

We want to do things differently. Our goal is to succeed in lockstep with our clients, not simply profit from them. The Deflect referral program creates a mutually beneficial commercial opportunity: by registering for this program and installing a ‘Protected by Deflect’ badge on your website with a unique hyperlink, you will receive 50% of the first full month’s fees charged to every new client who subscribes through this link. Write to partner@deflect.network if you want to participate in this program, or read more about this and other collaborative opportunities on the Partner Programs page.

New Website

You are reading this update on our freshly minted website – powered by WordPress and hosted on the secure eQpress platform. We decided to build it using the default 2020 theme. This code is supported by the WordPress team, built according to best practices. That’s important when it comes to running the popular (but often compromised) WordPress platform – the ease of installation for new themes and plugins lowers the barrier for entry and makes it highly functional and customizable. At the same time, custom code developments become outdated, insecure and often lead to website hacking and unintended DDoS attacks. Our set-up configuration comes with the following:

  • Protection from DDoS attacks and password brute-force
  • Daily snapshots and differential backup
  • Long term theme support from WordPress
  • SEO management, chat support, Matomo Analytics, Polylang translations

Over 25% of Deflect clients also host their website on eQpress. The service is detailed on the eQpress page and you can request it from the Dashboard, or contact us with questions. 

Categories: Blog, Deflect, News from Deflect Labs, Uncategorized

Updates from Deflect – January 2021

Giant leaps in our machine-led mitigation tooling have taken some of the heavy lifting of mitigating attacks off our support team this month. We’re very pleased with the machine’s performance, but it won’t replace the humans! Below, we share some traffic highlights, Deflect-related events and stories from our clients.

January Traffic

Throughout the month of January, Deflect served over 884 million requests to more than 9 million unique readers around the world. Much of the traffic was bound for Los Danieles – a new and very popular independent media publication in Colombia. Every Sunday, their website attracts between 5 and 9 million legitimate hits! Thankfully, Deflect was able to serve over 94% of these requests directly from its edge cache.

Content served from Deflect cache

Another notable traffic event this month coincided with the release of an online report, investigating torture of thousands of Belarus protesters at the hands of the incumbent government forces. Published by the renowned Committee Against Torture, this is a visual investigation, suitable for mature audiences only.

Notable Attacks in January

Sixteen distinct attacks were recorded against Deflect protected websites this month. Of these, five were notable for their strength and consistency, with two attacks continuing over a four-day period. The largest attack, with over 5000 bots participating, was targeting the Vietnamese independent news site Tiếng Dân. This is not the first time their website has been targeted. Approximately half of the attacking bots were discovered and challenged by Baskerville, whilst the other half were blocked by our manual rule sets. Overall, Deflect maintained 100% network up-time in January.

Kandinsky theme options for eQpress

Deflect clients who run, or would like to migrate to, our secure WordPress hosting platform can now request the installation of a new theme called Kandinsky. Developed by our friends at «Теплица социальных технологий» (Greenhouse for Social Technology) in response to needs expressed by civil society groups wishing to have an effective and well-designed online presence, Kandinsky offers three templates and guides website creators with helpful tips and checklists. You can read our full interview with Kandinsky here.

Deflect and the World Social Forum

On January 29th, Deflect staff participated in a live panel during the World Social Forum together with our partners Colnodo and the Foundation for Freedom of the Press (FLIP). Julian Casasbuenas from Colnodo presented the use case of a Colombian independent media site losdanieles.com as an example of Deflect protection and its importance to the development of free journalistic expression in Colombia. The losdanieles.com project was launched by a group of highly reputable journalists who had been implicated in the Colombian parapolitics scandal.

To finish this newsletter, we wanted to share a lovely thank-you video sent to us by LosDanieles.com columnist Daniel Samper Ospina.

Find the Daniels on Twitter @DanielSamperO, @DanielsamperP and @DCoronell