Deflecting attacks against Israeli and Palestinian websites

DoS/DDoS attack report on Deflect-protected websites, Oct 7 to Oct 22, 2023

INTRODUCTION

Violence that engulfed Israel and Gaza in recent weeks has permeated the digital commons as well, from horrifying footage of murder on our computer screens to hateful discourse throughout social media platforms. The Deflect infrastructure has for many years been a secure home for Israeli and Palestinian human rights groups, media and civic institutions. Deflect staff continue to apply our project’s principles and terms of service to ensure that the network is not used as a platform for promoting violence or hate. We also seek our clients’ explicit permission before publicizing their association with Deflect and reporting on attacks that aim to silence them.

Since Oct 7, 2023, Deflect has recorded six significant DoS/DDoS attacks against an Israeli human rights organization (btselem.org), culminating in 54 million attack events hitting our edge servers. We also recorded 11 significant DoS/DDoS attacks against a Palestinian news website (palestinechronicle.com), with a total of 7 million malicious hits in various attack formations.

COVERAGE

  1. This report covers only L7 (HTTP/HTTPS) logs. There may be additional attack traffic below L7, but it is not covered here; for that reason we do not provide traffic volume figures (such as 1 GB of traffic per second).
  2. An attack with a higher “Ban rate” may understate the original scale of the attack: once Deflect bans an attacking IP, the ban is enforced at the firewall level and no further requests from that IP reach our server, so they are never logged.
  3. Sites with different technical parameters may log differently. A site with the JS challenger permanently enabled, which challenges every request but does not firewall-ban IPs that fail too many challenges, will tend to log more attack traffic.

METHODOLOGY

To distinguish attacks from normal traffic, we apply the following methodology:

  1. Identify whether a spike in total traffic or in the ban log occurred within a 24-hour window.
  2. Narrow down to that time range and look for anomalies, which often include:
    1. Excessive requests hitting a particular URL (such as the root /)
    2. Excessive requests carrying an identical User-Agent from different IPs
    3. A User-Agent / HTTP method distribution that is too evenly spread to be genuine
    4. Excessive unique query strings (such as ?v={rand}) used to bypass the cache
  3. Confirm whether the top traffic IPs triggered any of our rate-limiting rules.
  4. Cross-check with Baskerville, a machine learning system that detects anomalous traffic.
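The anomaly checks in step 2 translate directly into counters over a window of L7 access-log lines. The script below is an added example written for this report, not Deflect's or Banjax's own tooling: it assumes an Apache/nginx "combined" log layout and illustrative thresholds (the `shared_ua_min_ips`, `nocache_ratio` and `redirect_min` parameters), and runs over a constructed sample window built from RFC 5737 documentation addresses. It also flags clients that keep requesting over plain HTTP and never follow the 301 redirect to HTTPS, the behaviour the report notes for attacks #P2, #P4 and #P6.

```python
"""Heuristic L7 log triage for the anomaly checks listed in the methodology.

Added example, not Deflect's own tooling. The combined log format, the
thresholds and the sample lines below are all assumptions/constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log layout (assumed; adjust to your edge).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(lines):
    """Yield one dict per log line that matches LOG_RE (others are skipped)."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(lines, shared_ua_min_ips=3, nocache_ratio=0.9, redirect_min=5):
    """Run the report's anomaly checks over a window of log lines.

    Returns a dict of findings; the thresholds are illustrative assumptions.
    """
    path_hits, ip_hits, methods, redirects = Counter(), Counter(), Counter(), Counter()
    ua_ips = defaultdict(set)        # User-Agent -> set of source IPs
    ip_queries = defaultdict(list)   # IP -> query string of each request
    for r in parse(lines):
        url = urlsplit(r["target"])
        path_hits[url.path] += 1
        ip_hits[r["ip"]] += 1
        methods[r["method"]] += 1
        ua_ips[r["ua"]].add(r["ip"])
        ip_queries[r["ip"]].append(url.query)
        if r["status"] in ("301", "302"):
            redirects[r["ip"]] += 1

    # (2.1) One URL absorbing most of the traffic, e.g. the root "/".
    top_path = path_hits.most_common(1)[0] if path_hits else ("", 0)
    # (2.2) Identical User-Agent string arriving from many distinct IPs.
    shared_ua = {ua: len(ips) for ua, ips in ua_ips.items()
                 if len(ips) >= shared_ua_min_ips}
    # (2.3) HTTP method mix that is "too perfect": every method seen equally often.
    counts = list(methods.values())
    even_methods = len(counts) > 1 and len(set(counts)) == 1
    # (2.4) Randomized nocache flood: almost every request from an IP carries a
    #       query string that never repeats, so each one misses the cache.
    nocache_ips = sorted(
        ip for ip, qs in ip_queries.items()
        if len(qs) >= 5 and len({q for q in qs if q}) / len(qs) >= nocache_ratio)
    # Clients that keep requesting over plain HTTP and never follow the 301 to
    # HTTPS (the behaviour the report notes for attacks #P2, #P4 and #P6).
    redirect_ignorers = sorted(ip for ip, n in redirects.items() if n >= redirect_min)
    return {
        "top_path": top_path,
        "top_ips": ip_hits.most_common(3),   # step 3: check these against rate limits
        "shared_ua": shared_ua,
        "even_methods": even_methods,
        "nocache_ips": nocache_ips,
        "redirect_ignorers": redirect_ignorers,
    }


def _line(ip, method, target, status, ua):
    """Build one constructed combined-log line (fixed timestamp, fake size)."""
    return (f'{ip} - - [09/Oct/2023:20:40:00 +0000] "{method} {target} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample window: three ordinary visitors, a five-IP flood with one
# shared User-Agent and unique ?v= query strings, and one port-80 client that
# ignores the 301 redirect. RFC 5737 documentation addresses throughout.
FLOOD_UA = "Mozilla/5.0 (Windows NT 6.1) Chrome/90.0"
SAMPLE_LOG = []
for i, ua in enumerate(["Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0",
                        "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0",
                        "Mozilla/5.0 (Macintosh) Safari/605.1"]):
    for path in ("/", "/about", "/reports"):
        SAMPLE_LOG.append(_line(f"203.0.113.{i + 1}", "GET", path, 200, ua))
for i in range(5):
    for n in range(8):
        SAMPLE_LOG.append(_line(f"198.51.100.{10 + i}", "GET",
                                f"/?v={i * 100 + n}", 200, FLOOD_UA))
for _ in range(6):
    SAMPLE_LOG.append(_line("192.0.2.77", "GET", "/", 301, "curl/8.0"))

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample window the root path dominates, the flood's User-Agent is reported with its five source IPs, those same IPs are listed as nocache floods, and the single curl client shows up as a redirect ignorer; the "even methods" check stays false because the sample is all GET. In practice the thresholds need tuning per site (compare the COVERAGE notes on how the JS challenger and firewall bans change what gets logged), and a hit on one heuristic is a reason to pull the top IPs and check them against the rate-limit rules, not a verdict on its own.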

ATTACK: BTSELEM.ORG

Parameters: JS Challenger: On / Result of failing the challenge or hitting the rate limit: No ban

#   Date        Start (+0)  Duration (s)  HTTP Req    RPS     Unique IP  Unique bans  Ban rate
B1  10/9/2023   20:37:51    997           52,497,380  52,644  245        165          67.35%
B2  10/13/2023  15:37:26    2665          291,192     109     1          1            100.00%
B3  10/16/2023  15:02:08    123           146,066     1,186   1,833      1,416        77.25%
B4  10/16/2023  22:32:55    483           1,068,436   2,211   3,611      2,403        66.55%
B5  10/18/2023  0:03:12     141           165,171     1,168   3,133      2,755        87.93%
B6  10/20/2023  13:24:30    181           133,930     739     2,606      2,281        87.53%

Chart A: Deflect / Banjax ban log visualization of attack #B1

Attack #B1 stands as the most potent attack documented in this report. It achieved an average Request Per Second (RPS) rate of 52,644. The top 6 originating IPs each dispatched an average of 3 million requests within a 10-minute duration. The assailants deployed a “Randomized Nocache Flood” strategy, using varying query strings to bypass caching. Notably, the same query strings were observed being used by different IPs from various global locations.

Attack #B2 originated from a single IP, 46.210.30.130. However, an apparent misconfiguration in the attacker’s tool resulted in all of its requests being rejected by our server.

Attack #B3 featured user-agent strings with minor variations in their version numbers while keeping a consistent underlying structure. Still, these were not entirely unique: the same user-agent string was detected in use by 37 different IPs.

Attack #B4 adopted a strategy akin to Attack #B3, but showcased a broader spectrum of user-agents and specifically targeted the /hebrew endpoint, as opposed to the website’s root directory (/).

Chart B: Baskerville Reaction to Attack #B4

Attack #B5 mirrored the tactics seen in Attack #B3 but employed a different set of user-agents.

Attack #B6 used only three distinct User-Agent strings across its 2,606 IPs.

ATTACK: PALESTINECHRONICLE.COM

Parameters: JS Challenger: Off / Result of hitting the rate limit: Firewall ban

#    Date        Start (+0)  Duration (s)  HTTP Req   RPS    Unique IP  Unique bans  Ban rate
P1   10/8/2023   8:26:53     515           88,014     171    1,879      917          48.80%
P2   10/8/2023   14:42:26    925           86,991     94     1          1            100.00%
P3   10/9/2023   10:16:30    299           364,241    1,218  1,632      1,445        88.54%
P4   10/9/2023   22:34:09    154           1,198,752  7,764  1          1            100.00%
P5   10/10/2023  13:11:02    739           230,643    312    2,002      1,721        85.96%
P6   10/10/2023  17:06:39    668           2,869,176  4,294  708        532          75.14%
P7   10/12/2023  20:27:52    272           711,511    2,613  1,506      867          57.57%
P8   10/12/2023  20:57:58    248           738,380    2,977  1,142      938          82.14%
P9   10/13/2023  0:32:16     181           458,354    2,533  828        746          90.10%
P10  10/13/2023  9:25:37     177           291,291    1,648  759        710          93.54%
P11  10/21/2023  16:31:55    117           269,027    2,305  2,228      1,347        60.46%

Chart C: Deflect / Banjax ban log visualization of attack #P6

Attacks #P2 and #P4 were each perpetrated by a single IP. Both targeted HTTP port 80 and did not follow the 301 redirect to HTTPS. Excessive 301 requests only became subject to bans after October 14.

Attack #P6 was primarily executed by a single IP, which likewise did not follow the 301 redirects issued by Deflect.

Attacks #P7, #P8, #P9 and #P10 were similar in approach: all used a uniformly distributed set of user-agent strings, meaning that identical user-agent strings were observed across many different IPs.

ATTACK CORRELATION

We observed significant overlaps in attack IPs across the various DDoS attacks on palestinechronicle.com and btselem.org, suggesting coordinated attempts by the perpetrators. The findings:

  1. Attacks #P9 and #P10 shared approximately 50 attack IPs.
  2. Attacks #P7 and #P8 had about 30 attack IPs in common.
  3. Notably, attacks #P7, #P8, #P9 and #P10 seem to originate from the same attacking source, as evidenced by a strong overlap of source IPs.
  4. Attacks #P3 and #P6 had six IPs in common, as did attacks #P1 and #P5. The recurrence of shared IPs in separate attacks suggests a possible, albeit weak, connection: a common attack source or affiliated entities.
  5. Attacks #B4, #B5 and #B6 had 32 shared attack IPs, hinting that they may come from the same attacking source.
  6. Some IPs attacked both sites:
    1. IPs 186.121.235.66, 187.141.184.235, 201.91.82.155 and 36.91.45.11 targeted both #B3 and #P6.
    2. IPs 186.121.235.66, 187.141.184.235, 201.91.82.155, 36.91.45.11, 123.126.158.50, 223.112.53.2, 5.95.66.74, 79.107.146.14 and 190.90.8.74 attacked both #B3 and #P3.
  7. Of the 13 IPs that targeted attack #B1, three also attacked #P6 and six targeted #P3.

TOP ATTACKING IPs

This is a list of IPs with excessive requests logged on Deflect, each associated with an individual incident (see the # column for the matching attack ID).

#    IP               AS                                                    Requests
B1   198.50.121.146   iWeb Technologies Inc.                                3,936,297
B1   202.134.19.50    CMC Telecom Infrastructure Company                    3,077,579
B1   209.126.124.140  HEG US Inc.                                           2,908,415
P6   104.199.133.2    Google LLC                                            2,802,394
B1   185.191.236.162  Rack Sphere Hosting S.A.                              2,751,354
B1   200.30.138.54    MILLICOM CABLE EL SALVADOR S.A. DE C.V.               2,502,015
B1   103.74.121.88    The Corporation for Financing & Promoting Technology  2,480,702
P4   91.227.40.198    Data Invest sp. z o.o. S.K.A                          1,198,752
B1   113.125.82.11    Cloud Computing Corporation                             848,330
B1   37.211.21.205    Ooredoo Q.S.C.                                          831,118
B1   173.212.197.82   Contabo GmbH                                            662,370
B1   212.92.204.54    A1 Hrvatska d.o.o.                                      589,828
B1   193.41.88.58     Kyiv National Taras Shevchenko University               542,676
B1   109.70.189.70    JSC Elektrosvyaz                                        497,125
B1   186.121.235.66   AXS Bolivia S. A.                                       417,661
B1   93.180.220.67    Intertelecom Ltd                                        417,072
B1   177.126.129.43   Net Aki Internet Ltda                                   399,074
B2   46.210.30.130    Cellcom Fixed Line Communication L.P.                   291,192
P2   223.233.84.97    Bharti Airtel Ltd., Telemedia Services                   86,991
P7   23.247.35.2      Global Frag Networks                                     28,408
P9   209.17.114.78    Network Solutions, LLC                                   25,476
P10  209.17.114.78    Network Solutions, LLC                                   12,392

CONCLUSION

From October 7th to 22nd, 2023, both Israeli and Palestinian websites were subjected to coordinated and severe cyber-attacks, intended to overwhelm and take down these websites. These kinds of attacks, known as Distributed Denial of Service (DDoS) attacks, function like a traffic jam clogging up a highway, preventing regular users from accessing the website.

  1. Scale of Attacks: The Israeli human rights website faced attacks resulting in 54 million web requests, while the Palestinian news website experienced 7 million web requests. Think of these as millions of unwanted phone calls jamming up a hotline.
  2. Tactics and Techniques: The attackers adapted and used varied methods to bypass Deflect defenses. Some varied the attack requests in minute ways to fool manual rule-sets. Others used the more straightforward approach of sending a massive number of requests rapidly. In some instances, attackers tried to disguise their harmful requests by making them look like regular user visits.
  3. Shared Attack Patterns: We noticed that many of the attacks on both websites seemed to come from the same sources or groups. This is like recognizing the same group of troublemakers causing disruptions in multiple places. Specifically, the methods and even some of the internet addresses (IPs) used in the attacks were common across the two websites.
  4. Efficiency of Defenses: Our protective measures, think of them as security guards or filters, worked well in most cases. They were able to identify and block these harmful requests, preventing significant disruptions. However, attackers are persistent, and they keep trying various methods to bypass our defenses.

Over the recent period, our protective system, Deflect, has stood as a robust guardian for websites under its watch. Using sophisticated techniques, which include the power of machine learning, it has adeptly differentiated between regular and malicious traffic. This not only ensured that these cyber attackers were effectively thwarted but also maintained the uninterrupted service of the websites in question. It’s a testament to Deflect’s capability to handle intricate and aggressive cyber-attacks, safeguarding the essence and uninterrupted function of online platforms, and thereby supporting the freedom of expression online.