Connectivity at MTN’s Gallo Manor data centre has been fully restored after the Johannesburg site was hit by a distributed denial of service (DDoS) attack earlier this afternoon.

MTN alerted clients just after 3pm today that it had suffered a DDoS attack, which resulted in packet loss and a disturbance to clients’ cloud services.  At the time the company said MTN Business’ network operations centre was working on resolving the problem to avoid any further attacks.

This comes less than two days after a power outage at the same data centre caused loss of connectivity.

MTN chief technology officer Eben Albertyn says, while the DDoS attack today hampered the company’s ability to provide connectivity services, engineers worked “fervently” to fully restore services and avert further attacks, and connectivity was restored soon after.

“The interruption lasted only a few minutes and is completely unrelated to the outage experienced on Monday. MTN wishes to apologise profusely to its customers for any inconvenience caused.”

On Sunday evening just after 6pm, MTN’s Gallo Manor data centre went offline, causing major disruptions to clients’ services, including Afrihost.

MTN put the outage down to a power outage. The problem persisted until the next day, with services being restored around 11am on Monday.

Digital Attack Map defines DDoS attack as: “An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.”  The live data site notes these attacks can target a wide variety of important resources, from banks to news Web sites, and present a major challenge to making sure people can publish and access important information.


The recent DDoS attacks aimed at GreatFire, a website that exposes China’s internet censorship efforts and helps users get access to their mirror-sites, and GitHub, the world’s largest code hosting service, have been linked to the Great Cannon, an attack tool co-located with the Great Firewall of China.

“A report released by fingered malicious Javascript returned by Baidu servers as the source of the attack. Baidu denied that their servers were compromised,” Citizen Lab researchers noted, then explained: “The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

GreatFire says that the attack against their servers started on March 17, and Citizen Lab pinpoints their end to April 8, 2015. A blog post published on Friday by Niels Provos, an engineer with Google’s Security Team, shows this information is correct, as its Safe Browsing infrastructure picked up this attack, too.

“While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when,” he noted.

The data shows that content injections against domains on March 3, 2015, and ended on April 7. Also, that the attack was carried out in multiple phases:

Phase 1: March 3 – March 6. Target: This was a testing stage.
Phase 2: March 10 – March 13. Targets: Hosts under the and domains.
Phase 3: March 14 – March 17. Target: Another host under the domain.
Phase 4: March 18 – March 25. Targets: Additional Five cloudfront hosts. “At some point during this phase of the attack, the cloudfront hosts started serving 302 redirects to as well as other domains. Substitution of Javascript ceased completely on March 20th but injections into HTML pages continued.”
Phase 5: March 25 – April 7. Targets:,,, and

All in all, eight domains and corresponding IP addresses were injected with Javascript replacement payloads and HTML injections.

Apart from giving more insight in the attacks, this report shows that hiding such attacks from detailed analysis after the fact is difficult. Even though this data can’t be used to identify the attackers, it is Provos’ hope that “external visibility of this attack will serve as a deterrent in the future.”

“Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication,” he noted. “Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic.”


According to Neustar’s 2015 North American Denial of Service (DDoS) Attacks & Impact Report, 32 percent of U.S. companies say a DDoS attack would cost them more than $100,000 in revenue per hour.

Eleven percent say DDoS attacks can lead to more than $1 million in hourly revenue losses.

The report, based on a survey of more than 500 U.S. executives and senior professionals, also found that 40 percent of businesses say DDoS attacks are a growing threat to their organization.

Among companies that have been hit by DDoS attacks, 85 percent were hit multiple times, and 30 were attacked more than 10 times per year. Over a quarter of those attacked said they suffered a loss of customer trust and brand damage as a result.

“A website attack that was once considered to be an IT problem now reverberates and can cause significant brand damage that affects all organizational employees and its customers,” Neustar director of security services Margee Abrams said in a statement.

The Neustar report also found that 51 percent of respondents say they’re investing more in DDoS protection solutions than they were a year ago.

Notably, 45 percent of businesses say it takes them more than an hour to detect a DDoS attack — and after detection, 51 percent say it takes them more than an hour to respond.

But according to NSFOCUS’ biannual DDoS Threat Report, that response would come far too late in the vast majority of cases — the report states that 90 percent of DDoS attacks in 2014 lasted less than 30 minutes in total.

“This shorter attack strategy is being employed to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack: deploying malware and stealing data,” the NSFOCUS report states. “These techniques indicate that today’s attacker continues to become smarter and more sophisticated.”

In one attack event in December 2014, NSFOCUS found that one third of attack sources were smart devices such as webcams and routers.

Such devices, the NSFOCUS report notes, offer several key benefits to attackers, including relatively high bandwidth, a long upgrade cycle (many are never upgraded after deployment), and 24/7 online availability.

“In 2H 2014, the reflective amplification distributed denial of service attacks that abuse the Simple Service Discovery Protocol (SSDP) emerged as the most potent and increasingly favored attack vector,” the report states.

NSFOCUS says more than 7 million smart devices could be exploited globally to launch such attacks, which can amplify attack bandwidth by as much as 75 times.

“With IoT bringing billions of such devices online, there will be an exponential growth in SSDP-type attacks,” the report notes.

The NSFOCUS report also predicts that 2015 will see the peak traffic of DDoS attacks reach 1 Tbps.


Indian telecom regulator TRAI’s official website was on Monday brought down by a hacker group called Anonymous India following the public release of email IDs from which the government body received responses regarding net neutrality.
The group also warned TRAI of being hacked soon.
“TRAI down! Fuck you  for releasing email IDs publicly and helping spammers. You   will be hacked soon,” AnonOpsIndia tweeted.
The group claimed to launch a DDoS (distributed denial-of-service) attack on the website to make it inaccessible.
Slamming the government portal, the group posted: “#TRAI is so incompetent lol They have any clue how to tackle a DDoS?”
“But just an alarm for whole #India. You trust incompetent #TRAI who don’t know how to deal with DDoS? Seriously sorry guys. Goodluck!,” it added.
Taking a dig at the personnel at TRAI, it tweeted: “Somebody call ‘brilliant minds’ at TRAI and tell them to stop eating samosas and get back to work coz DDoS attack has stopped from here.”
In a response to a Twitter user about the attack, Anonymous India said it was “just preventing spammers from accessing those Email IDs posted by Trai publicly.”
It said that TRAI is incompetent in dealing with internet.
“So those who still think that #TRAi can “handle” the Internet, we just proved you wrong.They just got trolled by bunch of kids.#Incompetence,” the hacker group tweeted.
Following tweets suggesting the hacker group to stop their actions, Anonymous India did same. However, the group compalined that no action was taken on those email ids which were revealed.
“Guys  is back online and they still haven’t done anything about those Email IDs. You guys told us to stop. We did,” it tweeted.
“So if you guys still think you can have a chat with incompetent #TRAi, go ahead. But WE ARE WATCHING!,” the group posted.

Distributed denial of service attacks have morphed from a nuisance to something more sinister.

In a DDoS attack, heavy volumes of traffic are hurled at a website to halt normal activity or inflict damage, typically freezing up the site for several hours. Such exploits achieved notoriety in the fall of 2012 when large banks were hit by a cyberterrorist group.

But the Operation Ababil attacks were simply meant to stop banks’ websites from functioning. They caused a great deal of consternation among bank customers and the press, but little serious harm.

Since then, the attacks have become more nuanced and targeted, several recent reports show.

“DDoS is a growing problem, the types of attack are getting more sophisticated, and the market is attracting new entrants,” said Rik Turner, a senior analyst at Ovum, a research and consulting firm.

For example, “we’re seeing lots of small attacks with intervals that allow the attackers to determine how efficiently the victims’ mitigation infrastructure is and how quickly it is kicking in,” he said. This goes for banks as much as for nonbanking entities.

Verisign’s report on DDoS attacks carried out in the fourth quarter of 2014 found that the number of attacks against the financial industry doubled to account for 15% of all offensives. DDoS activity historically increases during the holiday season each year.

“Cybercriminals typically target financial institutions during the fourth quarter because it’s a peak revenue and customer interaction season,” said Ramakant Pandrangi, vice president of technology at Verisign. “As hackers have become more aware of this, we anticipate the financial industry will continue to see an increase in the number of DDoS activity during the holiday season year over year.”

In a related trend, bank victims are getting hit repeatedly.

“If you have an organization that’s getting hit multiple times, often that’s an indicator of a very targeted attack,” said Margee Abrams, director of security services at Neustar, an information services company. According to a report Neustar commissioned and released this week, in the financial services industry, 43% of bank targets were hit more than six times during 2014. Neustar worked with a survey sampling company that gathered responses from 510 IT directors in the financial services, retail and IT services, with strong representation in financial services. (The respondents are not Neustar customers.)

The average bandwidth consumed by a DDoS attack increased to 7.39 gigabits per second, according to Verisign’s analysis of DDoS attacks in the fourth quarter of 2014. This is a 245% increase from the last quarter of 2013 and it’s larger than the incoming bandwidth most small and medium-sized businesses, such as community banks, can provision.

At the same time, DDoS attacks are shorter, as banks have gotten relatively adept at handling them. Most (88%) detect attacks in less than two hours (versus 77% for companies in general), according to Neustar’s research. And 72% of banks respond to attacks in that timeframe.

Some recent DDoS attacks on banks have been politically motivated. Last year, a hacker group called the European Cyber Army claimed responsibility for DDoS attacks against websites run by Bank of America, JPMorgan Chase, and Fidelity Bank. Little is known about the group, but it has aligned itself with Anonymous on some attacks and seems interested in undermining U.S. institutions, including the court system as well as large banks.

But while attacks from nation-states and hacktivists tend to grab headlines, it’s the stealthy, unannounced DDoS attacks, such as those against Web applications, that are more likely to gum up the works for bank websites for short periods and are in fact more numerous, Turner noted. They’re meant to test the strength of defenses or to distract the target from another type of attack.

For example, a DDoS attack may be used as smokescreen for online banking fraud or some other type of financially motivated fraud. In Neustar’s study, 30% of U.S. financial services industry respondents said they suffered malware or virus installation and theft as a result of a DDoS attack.

“What I hear from our clients is that DDoS is sometimes used as a method to divert security staff so that financial fraud can get through,” said Avivah Litan, vice president at Gartner. “But these occurrences seem to be infrequent.”

Her colleague Lawrence Orans, a research vice president for network security at Gartner, sounded skeptical about the frequency of DDoS-as-decoy schemes.

“I think there is some fear-mongering associated with linking DDoS attacks with bank fraud,” he said. However, “the FBI has issued warnings about this in the past, so there is some validity to the issue of attackers using DDoS attacks as a smokescreen to distract a bank’s security team while the attacker executes fraudulent transactions.”

According to Verisign’s iDefense team, DDoS cybercriminals are also stepping up their attacks on point-of-sale systems and ATMs.

“We believe this trend will continue throughout 2015 for financial institutions,” Pandrangi said. “Additionally, using an outdated operating system invites malware developers and other cyber-criminals to exploit an organization’s networks. What’s worse is that thousands of ATMs owned by the financial sector in the U.S. are running on the outdated Windows XP operating system, making it vulnerable to becoming compromised.”

Six-Figure Price Tag

DDoS attacks are unwelcome at any cost. Neustar’s study puts a price tag on the harm banks suffer during such attacks: $100,000 an hour for most banks that were able to quantify it. More than a third of the financial services firms surveyed reported costs of more than that.

“Those losses represent what companies stand to lose during peak hours of transactions on their websites,” said Abrams. “That doesn’t even begin to cover the losses in terms of expenses going out. For example, many attacks require six to ten professionals to mitigate the attack once it’s under way. That’s a lot of salaries going out that also represent losses for the company.”

Survey respondents also complained about the damage to their brand and customer trust during and after DDoS attacks. “That gets more difficult to quantify in terms of losses to an overall brand, but it’s a significant concern,” Abrams said.

To some, the $100,000 figure seems high. “Banks have other channels for their customers — mainly branch, ATM and phone — so I don’t see that much revenue being lost,” said Litan.

Other recent studies have also attempted to quantify the cost of a DDoS attack.

A study commissioned by Incapsula surveyed IT managers from 270 North American organizations and found that the average cost of an attack was $40,000 an hour: 15% of respondents put the cost at under $5,000 an hour; 15% said it was more than $100,000.

There’s no question banks have had to spend millions in aggregate to mitigate DDoS risks.

“They created more headroom by buying more bandwidth and by scaling the capacity of their web infrastructure — for example, by buying more powerful web servers,” said Orans. “And they continue to spend millions on DDoS mitigation services. That’s where the real pain has been — the attackers forced the banks to spend a lot of money on DDoS mitigation.”