Kazakhstan’s news website Tengrinews claims that it received “the biggest DDoS attack on a news resources of Kazakhstan” three days ago in reaction to its articles. It is not clear which of their articles could have provoked such a cyber attack, or who the attackers are. At 9 a.m. on March 20th their servers went down under malicious attack traffic from more than 30 countries. Most of the bad traffic originated from infected machines, they say, which indicates it has mainly been direct bot traffic from compromised VPS mining systems.
Tengrinews says it was a “massive DDoS attack, aimed at causing a failure of its servers”, that the attack traffic originated from 700 different IP addresses, and that “it is virtually impossible to stop such an attack by blocking a single IP address”. They say their IT department solved the issue together with KazakhTelecom (the largest ISP there), and that in an attempt to stop the DDoS attack they blocked traffic from all countries but Kazakhstan.
While the information above says little to nothing about the attack type or actual size, they later say that the attack “exceeded 3 gigabits per second,” which is a fairly small attack by today’s standards. Most booters you find on the internet generate between 5 and 15 Gbps without much trouble. These types of attacks can easily be stopped by applying ACLs at the edge routers to block certain source or destination ports that no legit traffic normally comes from. The source port of a booter’s attack traffic is always the same, because booters usually use reflection DDoS attacks. Reflection works by spoofing (“faking”) the source IP address so that the packets appear to originate from the IP address that is actually the target of the attack. The servers/services contacted by these spoofed packets then send their response packet(s) to the victim’s IP address, which never sent the initial request in the first place. This makes these attacks pretty much untraceable, but it also limits them to the ports that the responding services run on. For example, during an NTP reflection attack (which is also amplified, because the response is much larger than the “question” packet), the bad traffic will always originate from source port 123, the default NTP port. In this example the ISP could easily block the attack by adding an ACL that drops every packet with source port 123.
But then again, they said it was mostly direct bot traffic, which means both the source and the destination ports can be completely randomized. This makes it harder to find attack patterns that can be blocked, but usually they are still there. What the IT department of Tengrinews doesn’t seem to know is that a) blocking 700 IP addresses is really not a problem, and b) blocking IP addresses is not common in DDoS mitigation anyway; instead one blocks patterns that the attack traffic has but legit traffic doesn’t. Due to the lack of information about the attack type it is hard to demonstrate possible mitigation methods in this case, but I’m very certain that there would have been a much better way than simply blocking all countries but Kazakhstan, and it indicates that the IT department of Tengrinews wasn’t prepared to handle a cyber attack.
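The two mitigation ideas from the previous paragraphs, a fixed source port as the fingerprint of reflection traffic, and pattern matching (rather than per-IP blocking) for direct bot traffic with randomized ports, can be shown on flow records. The script below is an added example, not code from the original post or from Tengrinews or KazakhTelecom; the flow records are constructed, the 90% threshold is an arbitrary choice, and the emitted drop rules use iptables syntax purely for illustration because the post does not say what equipment the ISP used.

```python
"""Classify constructed DDoS flow records and derive a drop pattern (added example)."""
import random
from collections import Counter

# Header fields worth checking for an attack invariant (all flows here are UDP).
FIELDS = ("sport", "dport", "length", "ttl")


def make_flows(seed, n, n_sources, sport=None, dport=None, length=None, ttl=None):
    """Build n constructed UDP flow records cycling over n_sources distinct IPs.
    A field given as a fixed value becomes an attack invariant; None means randomized."""
    rng = random.Random(seed)
    # Constructed source addresses: unique per index, not real hosts.
    sources = [f"10.{i // 256}.{i % 256}.{rng.randint(1, 254)}" for i in range(n_sources)]
    flows = []
    for k in range(n):
        flows.append({
            "src": sources[k % n_sources],
            "sport": sport if sport is not None else rng.randint(1024, 65535),
            "dport": dport if dport is not None else rng.randint(1024, 65535),
            "length": length if length is not None else rng.randint(64, 1500),
            "ttl": ttl if ttl is not None else rng.randint(32, 255),
        })
    return flows


def invariants(flows, threshold=0.9):
    """Return {field: value} for fields whose single most common value covers at
    least `threshold` of the records: the fingerprint that legit traffic lacks."""
    found = {}
    for field in FIELDS:
        value, count = Counter(f[field] for f in flows).most_common(1)[0]
        if count / len(flows) >= threshold:
            found[field] = value
    return found


def distinct_sources(flows):
    return len({f["src"] for f in flows})


def drop_rules(pattern):
    """Translate an invariant set into iptables-style drop rules (illustrative syntax)."""
    match = {
        "sport": lambda v: f"-p udp --sport {v}",
        "dport": lambda v: f"-p udp --dport {v}",
        "length": lambda v: f"-p udp -m length --length {v}",
        "ttl": lambda v: f"-p udp -m ttl --ttl-eq {v}",
    }
    return [f"iptables -A INPUT {match[k](v)} -j DROP" for k, v in sorted(pattern.items())]


def source_blocklist(flows):
    """The per-IP approach: one rule per source. Trivial even for 700 addresses,
    but useless against spoofed reflection traffic, where sources are innocent."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted({f["src"] for f in flows})]


def classify(flows):
    pattern = invariants(flows)
    if "sport" in pattern:
        kind = "reflection"  # a fixed source port means responses from one service type
    elif pattern:
        kind = "direct-bot-with-pattern"  # ports randomized, but another field is constant
    else:
        kind = "direct-bot-random"  # nothing constant in the headers; look deeper (payload, rate)
    return {"kind": kind, "pattern": pattern,
            "sources": distinct_sources(flows), "rules": drop_rules(pattern)}


# Constructed sample traffic (not measurements from the incident).
NTP_REFLECTION = make_flows(seed=1, n=2000, n_sources=200, sport=123, length=440)
BOT_FIXED_SIZE = make_flows(seed=2, n=2000, n_sources=700, length=1024)
BOT_RANDOM = make_flows(seed=3, n=2000, n_sources=700)

if __name__ == "__main__":
    for name, flows in (("ntp", NTP_REFLECTION), ("bot-fixed", BOT_FIXED_SIZE), ("bot-random", BOT_RANDOM)):
        result = classify(flows)
        print(name, result["kind"], result["sources"], "sources", result["rules"])
    print(len(source_blocklist(BOT_FIXED_SIZE)), "per-IP rules would cover the fixed-size bot set")
```

The reflection set is caught by a single source-port rule; the first bot set has randomized ports but a constant packet length, so one length rule covers all 700 sources; the last set has no header invariant, which is the case where a flow-level tool like this runs out and rate limiting or payload inspection has to take over.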
DDoS attacks on news websites are a common issue. They often publish political or biased articles that another party doesn’t agree with, which can be the cause of a DDoS attack. The problem with news websites is often that they lack the funds for proper security measures to avoid DDoS and other cyber attacks in advance. Luckily there are free DDoS protection options to protect free expression online. One of the most sophisticated free solutions for protecting news, political and human rights related websites from DDoS attacks is Google’s Project Shield, which websites like Tengrinews can contact for assistance in order to stay online without going bankrupt. Protection of free speech is of great importance, and people who are in need should make use of these solutions instead of relying on IT departments that are not prepared to deal with the issues that arise from DDoS attacks.