Kaspersky identified a significant increase in DDoS attacks year-on-year.
According to cybersecurity firm Kaspersky, it’s been a busy year for cybercriminals who favour DDoS as their method of attack.
The Russian firm’s DDoS protection tool reportedly blocked 44 percent more attacks in Q4 2019 than in the same period the previous year.
Sundays were also busier than ever, highlighting the ever present nature of the threat posed by cybercrime. More than a quarter (28 percent) of all attacks happened on weekends, and the share of attacks performed on Sundays grew by 2.5 percent (to 13 percent overall).
Despite DDoS attacks growing year-on-year, they haven’t risen dramatically quarter-on-quarter. There was a “marginal” 8 percent increase between Q3 and Q4 2019, Kaspersky says.
A more notable rise (27 percent) was spotted in so-called smart DDoS attacks, which focus on the application layer and are usually carried out by skilled attackers.
“Despite the significant growth in general, the season turned out to be quieter than expected,” said Alexey Kiselev, Business Development Manager on the Kaspersky DDoS Protection team.
“Attackers can still find a way to spoil your leisure time, as cybercrime is not an ordinary nine-to-five job, so it is important to ensure that your DDoS prevention solution can automatically protect your web assets.”
American tech firm Cloudflare is providing cybersecurity services to at least seven designated foreign terrorist organizations and militant groups, HuffPost has learned.
The San Francisco-based web giant is one of the world’s largest content delivery networks and boasts of serving more traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Founded in 2009, it claims to power nearly 10 percent of Internet requests globally and has been widelycriticized for refusing to regulate access to its services.
Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC). These organizations own and operate active websites that are protected by Cloudflare, according to fournational security and counterextremism experts who reviewed the sites at HuffPost’s request.
In the United States, it’s a crime to knowingly provide tangible or intangible “material support” — including communications equipment — to a designated foreign terrorist organization or to provideservice to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.
The Electronic Frontier Foundation and other free speech advocates have long been critical of material support laws. The foundation described them as tools the government has used to “chill First Amendment protected activities” such as providing “expert advice and assistance” ― including training for peacefully resolving conflicts ― to designated foreign terrorist organizations. Many of the designated groups, the EFF has argued, also provide humanitarian assistance to their constituents.
But so far, free speech advocates’ arguments haven’t carried the day — which means that Cloudflare still could be breaking the law.
‘We Try To Be Neutral’
“We try to be neutral and not insert ourselves too much as the arbiter of what’s allowed to be online,” said Cloudflare’s general counsel, Doug Kramer. However, he added, “we are very aware of our obligations under the sanctions laws. We think about this hard, and we’ve got a policy in place to stay in compliance with those laws.” He declined to comment directly on the list of websites HuffPost provided to Cloudflare, citing privacy concerns.
Cloudflare secures and optimizes websites; it is not a domain host. Although Cloudflare doesn’t host websites, its services are essential to the survival of controversial pages, which would otherwise be vulnerable to vigilante hacker campaigns known as distributed denial-of-service attacks. As the tech firm puts it, “The size and scale of the attacks that can now easily be launched online make it such that if you don’t have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline.”
Some of the terrorist sites that HuffPost identified on its server have been used to spread anti-state propaganda, claims of responsibility for terrorist attacks, false information and messages glorifying violence against Americans and civilians. But none of that really matters: Even if al-Shabab were posting cat videos, it would still be a crime to provide material support to the group.
“This is not a content-based issue,” said Benjamin Wittes, the editor in chief of Lawfare and a senior fellow at the Brookings Institution. “[Cloudflare] can be as pure-free-speech people as they want — they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not — but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”
Intermediary websites are shielded from liability for illicit third-party content on their platforms, thanks to the U.S. Communications Decency Act (meaning, for example, that Twitter cannot be held legally accountable for a libelous tweet). This immunity is irrelevant with regard to the material support statute of the USA Patriot Act, which pertains strictly to the provision of a service or resource, not to any offending content, explained Wittes. In this case, Cloudflare’s accountability would not be a question of whether it should be monitoring its users or their content but, in part, whether the company is aware that it is serving terrorist organizations.
“If and when you know or reasonably should know, then you’re in legal jeopardy if you continue to provide services,” said University of Texas law professor Bobby Chesney.
There is a law — a criminal statute — that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.Benjamin Wittes, senior fellow at the Brookings Institution
Cloudflare’s services range in price from completely free to north of $3,000 per month for advanced cybersecurity. (Kramer declined to say if the sanctioned entities HuffPost identified are paying customers. Material support law applies to both free and paid services.) Its reverse proxy service reroutes visitors away from websites’ IP addresses, concealing their domain hosts and giving them a sense of anonymity. This feature has made Cloudflare especially appealing to neo-Nazis, white supremacists, pedophiles, conspiracy theorists — and terrorists.
Cloudflare has knowingly serviced terrorist-affiliated websites for years.In 2012, Reuters confronted Cloudflare about websites behind its network that were affiliated with al-Quds Brigades and Hamas. Prince argued that Cloudflare’s services did not constitute material support of terrorism. “We’re not sending money, or helping people arm themselves,” he said at the time. “We’re not selling bullets. We’re selling flak jackets.”
That analogy bears little relevance. “Material support,” as defined in 18 U.S.C. § 2339B, refers to “any property, tangible or intangible, or service,” excluding medicine and religious materials. Contrary to Prince’s suggestion, it applies to more than money and weapons. A New York man who provided satellite television services to Hezbollah was sentenced in 2009 to 69 months in prison for material support of terrorism. And although the definition is broad, “it really covers anything of value,” Chesney said. “It’s meant to be like a full-fledged embargo.”
In 2013, after journalist James Cook learned Cloudflare was securing a website affiliated with al Qaeda, he wrote an article arguing that the web giant was turning “a blind eye to terrorism.” Prince published his responses to Cook’s questions about serving terrorist groups in a Q&A-style blog post titled “Cloudflare and Free Speech.”
Cook asked what safeguards Cloudflare had in place to ensure it was not supporting illegal terrorist activity; Prince listed none. Cook inquired whether Cloudflare would investigate the website he had identified; Prince suggested it would not. The site is still online and is still secured by Cloudflare.
“A website is speech. It is not a bomb,” Prince wrote in his post. “We do not believe that ‘investigating’ the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.”
Creepy or not, if a company receives a tip that it has customers who are sanctioned terrorists or has reason to believe that could be the case, it should absolutely investigate so as not to risk breaking the law, experts said. (Kramer noted Prince’s remarks are “from six years ago” and said Cloudflare does take such tips seriously.)
“This is a criminal statute that we’re talking about, so companies bear a risk by putting their heads in the sand,” said Georgetown Law professor Mary McCord, a former head of the Justice Department’s national security division. “A company has got to spend money, resources [and have] lawyers to make sure it’s not running afoul of the law. The risk it takes if it doesn’t is a criminal prosecution.”
President Donald Trump’s administration also urges due diligence. “We encourage service providers to follow the lead of the big social media companies, whose terms of service and community standards expressly enable them to voluntarily address terrorist content on their platforms, while exploring ways to more expeditiously tackle such content,” a White House official told HuffPost.
The international hacktivist group Anonymous accused Cloudflare of serving dozens of ISIS-affiliated websites in 2015, which Prince shrugged off as “armchair analysis” by “15-year-old kids in Guy Fawkes masks.” In media interviews, he maintained that serving a terrorist entity is not akin to an endorsement and said only a few of the sites on Anonymous’ list belonged to ISIS. Prince hinted that government authorities had ordered Cloudflare to keep certain controversial pages online. The FBI, Justice Department, State Department, Treasury Department and White House declined to comment on that assertion.
Last year, Cloudflare disclosed that the FBI subpoenaed the company to hand over information about one of its customers for national security purposes. The FBI, which also uses Cloudflare’s services, rescinded the subpoena and withdrew its request for information after Cloudflare threatened to sue. Neither Cloudflare nor the FBI would comment on this matter.
Over the past two years, the Counter Extremism Project, a nonpartisan international policy organization, has sent Cloudflare four detailed letters identifying a total of seven terrorist-operated websites on its server. HuffPost has viewed these letters, which explicitly address concerns about material support of terrorism, and Kramer acknowledged that Cloudflare received them.
“We’ve never received a response from [Cloudflare],” said Joshua Fisher-Birch, a content review specialist at the Counter Extremism Project. Five of the seven flagged websites remain online behind Cloudflare today, more than a year after they were brought to the firm’s attention.
“I think they’re doubling down on free speech absolutism at all costs,” he added. “In this case, that means they’re going to allow terrorist and extremist organizations to use their services and to possibly spread propaganda, try to recruit or even finance on their websites.”
‘Assholes’ vs. Terrorists
Kramer said he was not able to comment in detail on specific cases in which outside actors such as journalists and Anonymous informed Cloudflare about possible terrorist organizations using its services, but he noted that Cloudflare works with government agencies to comply with its legal obligations.
“Our policy is that if we receive new information that raises a flag or a concern about a potentially sanctioned party, then we’ll follow up to figure out whether or not that’s something that we need to take action on,” he said. “Part of the challenge is really to determine which of those are legitimate inquiries and which of those … are trying to manipulate the complaint process to take down people with whom they disagree.”
Cloudflare was flooded with such complaints in August 2017, when activists pleaded with the firm to terminate its services for the Daily Stormer, a prominent neo-Nazi website that was harassing the family of a woman who had recently been killed in violence surrounding a neo-Nazi rally in Charlottesville, Virginia.
Prince initially refused to drop the Daily Stormer, but as public outrage intensified, he reluctantly pulled the plug. “The people behind the Daily Stormer are assholes and I’d had enough,” he later said in an email to his team. The rationale behind that decision raised questions among Cloudflare’s staff, according to Wired.
“There were a lot of people who were like, ‘I came to this company because I wanted to help build a better internet … but there are some really awful things currently on the web, and it’s because of us that they’re up there,’” one employee said. Another wondered why Cloudflare would consider shutting down Nazis but not terrorists.
An Akron man is facing federal charges after he was arrested Thursday morning for allegedly hacking the city of Akron and Akron Police Department websites last year.
According to an FBI spokesperson, 32-year-old James Robinson was charged with knowingly causing the transmission of a program, information, code and command, and intentionally causing damage to a protected computer.
Authorities say Robinson carried out the cyber attacks on Aug. 1, 2017. The distributed denial of service (DDoS) attack overwhelmed both websites and took them down for a period of time.
On the day of the attack, a Twitter user named @AkronPhoenix420 tweeted a link to a YouTube video claiming credit for taking the websites out of service. The tweets included the hashtags #Anonymous and #TangoDown, authorities said.
The video showed a person in a Guy Fawkes mask and the statements “it’s time to teach the law a lesson,” and “Akron PD abuses the law.” The video also stated, “this week the city of Akron experienced system failures on multiple domains including their emergency TCP ports.”
Evidence linked the attack’s point of origin to an internet connection registered to Robinson. Additional evidence showed his phone was associated with the @AkronPhoenix420 Twitter account, police said.
The same Twitter account also claimed responsibility for numerous other DDoS attacks targeted at the Ohio Department of Public Safety, Department of Defense, and others. Police said the characteristics of those attacks had similarities with the one carried out in Akron.
Police executed a search warrant on Robinson’s home on May 9. Inside, they found a Guy Fawkes mask and a cell phone with a cracked screen that was seen in the video. Authorities said Robinson told them he was responsible for the Akron cyber attack as well as the DDoS attacks against the Department of Defense.
A crowdfunding initiative run by Together for Yes has suffered a DDoS attack.
The digital campaigning element of the imminent referendum in Ireland has seen a massive amount of change in a relatively short time.
Only this week did Facebook and Google place curtailments on digital advertising around the referendum, as Google banned all online ads relating to the Eighth Amendment from its platforms, while Facebook restricted advertising to registered Irish organisations and groups. As the online advertisements mention abortion, they would be restricted by Twitter’s existing ad policies.
Crowdfunding site hit
In another twist, a crowdfunding website for the national civil society group campaigning for a Yes vote was hit by a DDoS attack yesterday evening (9 May). The website, hosted by CauseVox, experienced a DDoS attack from within Ireland. It momentarily disrupted service and brought down CauseVox’s security infrastructure. The attack took place at 5.45pm, which would ordinarily have been a peak time for donations, and the website shut down for 30 minutes.
CauseVox also hosts crowdfunding pages for Amnesty International Ireland and Terminations for Medical Reasons – both groups that are campaigning for a Yes vote later in the month. Amnesty Ireland director Colm O’Gorman confirmed its website was down for approximately 45 minutes.
Sarah Monaghan, Together for Yes spokesperson, said: “We are continuing to investigate this extremely serious incident and are actively consulting security experts in the field to help identify the specific source of the attack, and have made a report to Gardaí.
“Together for Yes is a national grassroots movement which relies on small donations from large numbers of people. Our crowdfund initiative is a core element of the manner in which we resource our campaign and therefore we would take extremely seriously any attempt to undermine it.”
A spokesperson for Amnesty International explained the issue further to Siliconrepublic.com: “We were informed by CauseVox, the hosting platform, that there was a DDOS attack originating from Ireland. The website was interrupted at 5.45pm for around 45 minutes.
“This is obviously a serious issue, but also an indication of the lengths some will go to try shut down our efforts to counter such misinformation. We will continue our online campaign to counter misinformation across as many platforms as possible.”
The spokesperson noted that CauseVox is a reputable platform and that the site was up and running soon after the initial attack. They added that CauseVox had assured them that steps to mitigate such attacks in future were being taken. The incident is still under investigation.
A DDoS (distributed denial of service) attack’s main aim is to make a target website, machine or network resource unavailable.
Usually, this type of cyberattack is accomplished by drowning a system (a server, for example) with data requests. This can then cause the website to crash. A database could also be hit with a massive volume of queries. In this particular case, the result is an overwhelmed website.
Impact from DDoS attacks can vary from mild disruption to total denial of service to entire websites, apps or even businesses.
DDoS attacks have grown exponentially in scale, and occur quite often in the cybercrime world. In the 1990s, a DDoS incident would have typically involved 150 requests per second, but attacks these days can exceed 1,000Gbps.
The Mirai botnet is a prime example of a modern DDoS attack. A massive attack also occurred on GitHub earlier in 2018, using a new technique called ‘memcaching’.
Updated, 4.28pm, 10 May 2018: This article was updated to include comments from an Amnesty International spokesperson.
Updated, 6.21pm, 10 May 2018: A correction has been made to clarify that individual websites hosted by CauseVox, and not the entire platform, were affected by this attack.
A German hacker who launched DDoS attacks and tried to extort ransom payments from German and UK firms was sentenced last month to one year and ten months of probation.
The hacker, identified by authorities only as 24-year-old Maik D., but known online as ZZb00t, was fingered for attacking companies such as eBay.de, DHL.de, billiger.de, hood.de, rakuten.de, DPD.de, EIS.de, ESL.eu, but also some UK firms.
Hacker would launch DDoS attacks and then extort victims
ZZb00t would act following the same pattern. He’d first warn companies via Twitter, and then launch DDoS attacks, taking down services from hours to up to a day.
Maik, who in real life was an IT security consultant, would often criticize companies for their poor security practices.
“Sadly but true @[REDACTED] your servers just sucks,” he wrote in one tweet. “Never thought that [REDACTED] was so extremely poorly protected. It’s more than embarrassing,” he wrote in another.
He’d often claim his actions were only for the purpose of exposing security weakness, claiming he was a vulnerability hunter.
But Maik wouldn’t launch DDoS attacks just out of the kindness of the kindness of his heart so that companies would improve security. The hacker would often send emails promising to stop attacks for a payment in Bitcoin.
Hacker arrested after one company pressed charges
His DDoS and extortion campaigns have been tracked all last year by German blog Wordfilter.de [1, 2, 3, 4]. A recently released Link11 report details the hacker’s tactics.
The hacker was active at the same time as another DDoS extortion team named XMR Squad, and Link11 claims in its report that there was a working relationship and coordination of attacks between ZZb00t and XMR Squad members.
Link11 says it documented over 300 of ZZb00t’s tweets related to attacks he carried out before German authorities arrested the suspect on May 23, last year, putting an end to his attacks.