Distributed-Denial-Of-Service Attacks And DNS

Distributed-denial-of-service (DDoS) attacks have become the scourge of the internet. DDoS attacks use compromised internet devices to generate enormous volumes of data and direct that data at a particular target such as a web server or router. That target either keels over due to some critical resource becoming exhausted, or it finds its connection to the internet saturated by garbage traffic.

DDoS attacks are simultaneously cheap to carry out and expensive to defend against. Almost anyone can order a DDoS attack against any target with no technical knowledge required. All that’s necessary is a website from which to order the attack (yes, such things exist) and some bitcoins with which to pay for it. The attacks generally use botnets with devices that have been compromised and infected with malware. Building internet infrastructure capable of withstanding the volume of data generated by a botnet requires costly over-engineering, commercial DDoS mitigation services or both.

Unfortunately, DDoS attacks have a special relationship to the Domain Name System: DDoS attacks both target and exploit DNS servers. By “target,” I mean that attackers frequently direct DDoS attacks at an organization’s authoritative DNS servers. These are the DNS servers responsible for advertising your DNS data to the rest of the internet; a successful DDoS attack against them will render your customers unable to visit your website or send you email. Every organization with a presence on the internet must have a set of authoritative DNS servers, and given even the most basic information — for example, one of your email addresses or the domain name of your website — a would-be attacker can find the names and addresses of those DNS servers, giving them a list of targets.

A particularly notable DDoS attack on authoritative DNS servers was the attack on Dyn in October 2016. Attackers used the Mirai botnet to overwhelm Dyn’s DNS servers with a whopping 1.2 terabits per second of traffic. Dyn’s DNS servers couldn’t respond to legitimate DNS queries under the load, which left Dyn’s customers — including the New York Times, Reddit, Tumblr and Twitter — unreachable.

However, DNS servers are not just opportune targets of DDoS attacks. Clever attackers will use DNS servers to make their attacks more effective and to conceal their origins. This is possible for two main reasons: 1) Relatively small DNS queries can elicit large responses, and 2) DNS works over a “connectionless” protocol that’s easily spoofed.

Let’s discuss the first issue: DNS queries are generally small (less than 100 bytes long). However, they can generate much larger responses (4,000 bytes or more). This is what we refer to as amplification. In this case, the amplification factor is 4,000 bytes/100 bytes, or 40x.

Amplification wouldn’t be a problem if DNS responses were always sent back to the source of the query. However, DNS’s use of the User Datagram Protocol (UDP) makes it easy to spoof queries — that is, to send queries that look as though they came from another address. UDP is connectionless: Each UDP “datagram” is independent, like a postcard sent through the postal service rather than a text message in a stream of such messages. All an attacker needs to do is to use the address of his target as the source address in the packet that contains a DNS query — like writing a bogus return address on a postcard — and the DNS server will send the reply to the target rather than the real source of the query.

This makes it easy to enlist DNS servers as unwitting accomplices in a DDoS attack. An attacker can use a botnet to generate a high volume of queries to well-connected DNS servers on the internet, spoofing the source address of their target, and the DNS servers amplify the query traffic into a larger volume of response traffic. Moreover, the traffic that arrives at the target comes from the DNS servers rather than the attacker, making it difficult to trace the attack back to its origin.

Thankfully, there are several mechanisms that can help DNS servers defend against DDoS attacks. One is “anycast,” a configuration technique that lets a distributed group of DNS servers share a single address. The internet’s routing infrastructure directs queries sent to that address to the closest DNS server in the anycast group. This is efficient, of course, but it also implies that an attack launched from one part of the internet can only reach a single DNS server in an anycast group at any time. For example, a DDoS attack using a botnet based in China and targeting the anycast address used by a group of DNS servers would find all of its traffic directed to the closest DNS server in the anycast group. As a result, many organizations, including most DNS hosting companies, use anycast to make their DNS infrastructures resistant to DDoS attacks.

Newer DNS servers also incorporate a mechanism called Response Rate Limiting (RRL) to prevent their use as amplifiers in DDoS attacks. RRL limits the rate at which a particular response is sent to the source of a query. For example, if a DNS server receives too many queries for any records about Infoblox.com from the same address, it will throttle responses to that address. If the source of the query is legitimate, this won’t cause a problem: It will cache the response, making duplicate responses unnecessary. But if the queries are spoofed and the DNS server is being used as an amplifier, this will limit the amplification and therefore the damage it can do.
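
The throttling that RRL performs can be modeled as a token bucket per (client network, query name, query type). This is an added example, not code from the article or from any DNS server product; the class and function names, the /24 grouping, the limit of 5 responses per second and the sample queries are assumptions constructed for illustration, while the 100-byte and 4,000-byte sizes are the article's figures.

```python
import ipaddress
from collections import defaultdict

QUERY_BYTES = 100      # query size used in the article
RESPONSE_BYTES = 4000  # response size used in the article


class ResponseRateLimiter:
    """Hypothetical RRL model: one token bucket per (client /24, qname, qtype)."""

    def __init__(self, responses_per_second=5, burst=5, prefix_len=24):
        self.rate = responses_per_second
        self.burst = burst
        self.prefix_len = prefix_len  # assumption: IPv4 clients grouped by /24
        self._buckets = {}            # key -> (tokens left, time of last query)

    def _key(self, src_ip, qname, qtype):
        # Grouping by network means neighbouring spoofed addresses share a bucket.
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def allow(self, ts, src_ip, qname, qtype):
        """Return True if a response may be sent at time ts (seconds)."""
        key = self._key(src_ip, qname, qtype)
        tokens, last = self._buckets.get(key, (float(self.burst), ts))
        # Refill for the elapsed time, never above the burst size.
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, ts)
            return True
        self._buckets[key] = (tokens, ts)
        return False


def build_sample_queries():
    """Constructed sample: 10 seconds of traffic seen by one DNS server."""
    queries = []
    # 1,000 queries whose source address is the victim's (spoofed), 100 per second.
    for i in range(1000):
        queries.append((i * 0.01, "198.51.100.7", "example.com", "ANY"))
    # A legitimate resolver caches answers, so it asks each question once.
    queries.append((1.0, "203.0.113.53", "example.com", "A"))
    queries.append((2.0, "203.0.113.53", "example.com", "MX"))
    queries.append((3.0, "203.0.113.53", "www.example.com", "A"))
    return sorted(queries, key=lambda q: q[0])


def simulate(queries, limiter):
    """Replay queries in time order and count what the server sends per source."""
    stats = defaultdict(lambda: {"queries": 0, "responses": 0, "bytes_out": 0})
    for ts, src, qname, qtype in queries:
        entry = stats[src]
        entry["queries"] += 1
        if limiter.allow(ts, src, qname, qtype):
            entry["responses"] += 1
            entry["bytes_out"] += RESPONSE_BYTES
    return dict(stats)


def amplification(entry):
    """Bytes sent toward an address divided by bytes of queries 'from' it."""
    return entry["bytes_out"] / (entry["queries"] * QUERY_BYTES)


if __name__ == "__main__":
    results = simulate(build_sample_queries(), ResponseRateLimiter())
    for src, entry in results.items():
        print(src, entry, f"amplification={amplification(entry):.2f}x")
```

Without the limiter every one of the 1,000 spoofed queries would be answered, which is the article's 40x; with it, the traffic reflected at the spoofed address drops to roughly 2x while the caching resolver receives every answer it asked for.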

Companies need to anticipate the possibility that their DNS services could be the target of these attacks. Without DNS, all internet applications and services are unreachable, bringing business to a grinding halt. In fact, recent research from Infoblox found that 24% of companies lost $100,000 or more due to downtime from their last DNS attack. Today, far too many businesses put all their eggs in one basket, relying on a single cloud-based DNS provider, leaving them vulnerable to an attack like we saw on Dyn.

Source: https://www.forbes.com/sites/forbestechcouncil/2017/11/15/distributed-denial-of-service-attacks-and-dns/#54fbe1036076


Philippine government starts tracking down North Korean cyber-hackers

Manila: The Philippine government is tracking down North Korean hackers who were identified to have attacked a government-run cyber-security agency, a senior official said, prompting observers to assess that computer systems nationwide are vulnerable to attacks.

“The Department of Science and Technology (DOST) and its Advanced Science and Technology Institute (ASTI) will launch an investigation on Monday following reports that North Korean hackers have launched cyber-attacks against DOST’s website,” said Department of Information and Communications Technology (DICT) Assistant Secretary Allan Cabanlong.

The DOST and ASTI will jointly look into whether the so-called distributed denial-of-service (DDoS) attacks that shut down websites have entered its cyber-system, said Cabanlong.

“It’s like a teargas or smoke grenade. Once it’s in the website that is under attack — the website shuts off for a specific period, allowing the attacker to send malware to the website in order to control its system,” explained Cabanlong.

The investigation was launched after Quartz, a news site, cited a study saying that “some North Korean users were conducting research, or possibly even network reconnaissance, on a number of foreign laboratories and research centers” including India’s Space Research Organization and the Philippines’ DOST, said Cabanlong.

As of Saturday, DOST and ASTI had not yet detected the North Korean attackers in the cyber system. “If ever there was, it was not yet reported to us,” said Cabanlong, adding that hackers often target websites of research and academic institutions that are focused on content more than on security features.

The reported DOST hackers could be part of North Korea’s efforts to attack perceived enemies, said Cabanlong.

They could be sympathisers of North Korea which is being pressured by the international community to stop its nuclear missile tests, other observers said.

Last year, DICT directed all banks, government agencies, hospitals, institutions, schools, and telecommunication companies to hire network security administrators and put in place systems that would regularly monitor possible cyber-attacks and breaches.

Looking forward, Cabanlong said DICT will put up its National Cyber-intelligence Centre to expand its capability to protect all computer systems nationwide.

Right now, “DICT is working on band-aid solutions to cyber-attacks; it is limited to oversight function; and it cannot protect all computer systems in the country,” admitted Cabanlong, adding, “No single agency can do it alone. The private sector and multi-government agencies must work together on this campaign.”

The DICT has yet to compile a record of government agencies and private companies in the Philippines that are vulnerable to breaches, other critics said.

Source: http://gulfnews.com/news/asia/philippines/philippine-government-starts-tracking-down-north-korean-cyber-hackers-1.2118823


Man accused of cyber attacks on Skype and Google appears in court

A man accused of cyber crime offences linked to alleged online attacks targeting Skype and Google has appeared before magistrates in Birmingham.

Alex Bessell faces a total of 11 allegations, including a charge of possessing a quantity of cocaine when he was arrested in September.

The 21-year-old, of Allington Street, Aigburth, Liverpool, spoke only to confirm his personal details during a ten-minute court appearance on Monday.

Prosecutors allege Bessell set up a web business which made more than 700,000 US dollars (£532,000) in sales from IT viruses.

It is also alleged the defendant infected and controlled more than 9,000 “zombie” computers to orchestrate Distributed Denial of Service (DDoS) attacks on firms including Skype, Pokemon and Google in an attempt to crash their online operations.

Bessell, who appeared in the dock dressed in a blue hooded coat, black jeans and trainers, faces two charges of carrying out unauthorised acts to impair the operation of a computer between August 2011 and November 2013.

He is also accused of causing a computer over the same time period to secure unauthorised access to data with intent to facilitate fraud by obtaining 750 passwords.

Further charges brought against Bessell allege that he gave a false address in Milton Keynes to Companies House, and possessed criminal property – namely 129,822 US dollars (£98,000) from selling illegal items – between May 2014 and September 2016.

Bessell was not asked to enter any pleas and was granted unconditional bail to appear at Birmingham Crown Court on November 27.

The charges against him were authorised after an investigation by detectives at the Birmingham-based West Midlands Regional Organised Crime Unit.

Source: http://www.itv.com/news/granada/2017-10-30/man-accused-of-cyber-attacks-on-skype-and-google-appears-in-court/


DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden’s transport agencies, causing train delays in some cases.

The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week.

The first attack hit the Sweden Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the time of the attack.

Trafikverket’s email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed.

Road traffic maps were also affected, an issue that lingers even today, at the time of publishing, according to the agency’s website.

Three Swedish transportation agencies targeted

Speaking to local media, Trafikverket officials said the attacks were cleverly aimed at TDC and DGC, the agency’s two service providers, and that both were directed in such a way as to affect the agency’s services.

Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations.

While initially, some might have thought this was a random incident, the next day, a similar DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and public transport operator Västtrafik, who provides train, bus, ferry, and tram transport for parts of Western Sweden.

Cyber-warfare implications

In perspective, both incidents give the impression of someone probing various parts of Sweden’s transportation system to see how the country would react in the face of a cyber-attack and downtime.

The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region.

In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country’s air traffic control infrastructure that grounded flights for a day in November 2015.

Source: https://www.bleepingcomputer.com/news/security/ddos-attacks-cause-train-delays-across-sweden/


As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia

Fast pipe from Vladivostok gives N. Korea more Internet in face of US cyber operations.

As the US reportedly conducts a denial-of-service attack against North Korea’s access to the Internet, the regime of Kim Jong Un has gained another connection to help a select few North Koreans stay connected to the wider world—thanks to a Russian telecommunications provider. Despite UN sanctions and US unilateral moves to punish companies that do business with the Democratic People’s Republic of Korea, 38 North’s Martyn Williams reports that Russian telecommunications provider TransTelekom (ТрансТелеКо́м) began routing North Korean Internet traffic at 5:30pm Pyongyang time on Sunday.

The connection, Williams reported, offers a second route for traffic from North Korea’s Byol (“Star”) Internet service provider, which also runs North Korea’s cellular phone network. Byol offers foreigners in North Korea 1Mbps Internet access for €600 (US$660) a month (with no data caps).

Up until now, all Byol’s traffic passed through a single link provided by China Unicom. But the new connection uses a telecommunications cable link that passes over the Friendship Bridge railway bridge—the only connection between North Korea and Russia. According to Dyn Research data, the new connection is now providing more than half of the route requests to North Korea’s networks. TransTelekom (sometimes spelled TransTeleComm) is owned by Russia’s railroad operator, Russian Railways.

A Dyn Research chart showing the new routing data for North Korea's ISP.


According to a Washington Post report, The Department of Defense’s US Cyber Command had specifically targeted North Korea’s Reconnaissance General Bureau—the country’s primary intelligence agency—with a denial-of-service attack against the organization’s network infrastructure. That attack was supposed to end on Saturday, according to a White House official who spoke with the Post.

While the unnamed official said the attack specifically targeted North Korea’s own hacking operations, North Korea has previously run those operations from outside its borders—from China. So it’s not clear whether the attack would have had any impact on ongoing North Korean cyberespionage operations.

Source: https://arstechnica.com/information-technology/2017/10/as-us-launches-ddos-attacks-n-korea-gets-more-bandwidth-from-russia/


How Artificial Intelligence Will Make Cyber Criminals More ‘Efficient’

The era of artificial intelligence is upon us, though there’s plenty of debate over how AI should be defined, much less whether we should start worrying about an apocalyptic robot uprising. The latter issue recently ignited a highly publicized dispute between Elon Musk and Mark Zuckerberg, who argued that it was irresponsible to “try to drum up these doomsday scenarios”.

In the near-term however, it seems more than likely that AI will be weaponized by hackers in criminal organizations and governments to enhance now-familiar forms of cyberattacks like identity theft and DDoS attacks.

A recent survey has found that a majority of cybersecurity professionals believe that artificial intelligence will be used to power cyberattacks in the coming year. Cybersecurity firm Cylance conducted the survey at this year’s Black Hat USA conference and found that 62 percent of respondents believe that “there is high possibility that AI could be used by hackers for offensive purposes.”

Artificial intelligence can be used to automate elements of cyber attacks, making it even easier for human hackers (who need food and sleep) to conduct a higher rate of attacks with greater efficacy, writes Jeremy Straub, an assistant professor of computer science at North Dakota State University who has studied AI-decision making. For example, Straub notes that AI could be used to gather and organize databases of personal information needed to launch spearphishing attacks, reducing the workload for cybercriminals. Eventually, AI may result in more adaptive and resilient attacks that respond to the efforts of security professionals and seek out new vulnerabilities without human input.

Rudimentary forms of AI, like automation, have already been used to perpetrate cyber attacks at a massive scale, like last October’s DDoS attack that shut down large swathes of the internet.

“Hackers have been using artificial intelligence as a weapon for quite some time,” said Brian Wallace, Cylance Lead Security Data Scientist, to Gizmodo. “It makes total sense because hackers have a problem of scale, trying to attack as many people as they can, hitting as many targets as possible, and all the while trying to reduce risks to themselves. Artificial intelligence, and machine learning in particular, are perfect tools to be using on their end.”

The flip side of these predictions is that, even as AI is used by malicious actors and nation-states to generate a greater number of attacks, AI will likely prove to be the best hope for countering the next generation of cyber attacks. The implication is that security professionals need to keep up in their arms race with hackers, staying apprised of the latest and most advanced attacker tactics and creating smarter solutions in response.

For the time being, however, cyber security professionals have observed hackers sticking to tried-and-true methods.

“I don’t think AI has quite yet become a standard part of the toolbox of the bad guys,” Staffan Truvé, CEO of the Swedish Institute of Computer Science said to Gizmodo. “I think the reason we haven’t seen more ‘AI’ in attacks already is that the traditional methods still work—if you get what you need from a good old fashioned brute force approach then why take the time and money to switch to something new?”

Source: https://www.idropnews.com/news/fast-tech/artificial-intelligence-will-make-cyber-criminals-efficient/49575/


America’s Cardroom, WPN Hit by DDoS Attack Again

It had been a while, but America’s Cardroom seemed due for another cyber attack. Yup, leading into the Labor Day weekend, ACR and its network, the Winning Poker Network, were hit with a Distributed Denial of Service (DDoS) attack, something that is unfortunately not a unique event for either the online poker room or the network.

The attack began Thursday evening, affecting, among many other games, ACR’s Online Super Series (OSS) Cub3d. Problems continued all the way through Saturday.

America’s Cardroom initially tweeted about the issues at about quarter after eight Thursday night, writing, “We are currently experiencing a DDOS attack, all running tournaments have been paused. Will keep you updated.”

A half hour later, ACR announced that it was cancelling all tournaments in progress and providing refunds per the site’s terms and conditions. At about 9:00pm, the site was back up, but the DDoS attacks continued, causing poker client interruptions less than two and a half hours later. Problems continued well into Friday morning until ACR and WPN finally got things under control (temporarily) close to noon.

The pattern continued that evening, with games going down after 6:00pm Friday and then resuming, and going down again after 7:00pm. Finally, around noon Saturday, ACR’s techs seemed to get a handle on things “for good.”

In a Distributed Denial of Service attack, the attacker (or attackers) floods a server with millions of communications requests at once. It’s not a virus or a hack or anything malicious like that, but the communications overwhelm the server and grind it to a halt. Think of it like the traffic jam to end all traffic jams.

It wouldn’t be THAT big of a deal if the attack was coming from one source, but since it is “distributed,” the attacker arranges it so that it originates from literally millions of IP addresses. It makes defending one’s network insanely difficult. To use another brilliant illustration, if you are trapped in a house and a zombie horde is coming for your juicy brains, it’s scary and awful, but if all the zombies decide to come in through the front door, you can probably handle it if properly equipped. If they surround you and just crash in through every door, window, and mouse hole like in Night of the Living Dead, might as well develop a taste for human flesh because you’re screwed.

As with other DDoS attacks, the network was contacted by the aggressor, who demanded a ransom of some sort. WPN CEO Phil Nagy went on Twitch and said he refused to cave to any demands. He even posted a brief series of messages from the attacker, who said he was doing it on behalf of a competing poker room (all spelling mistakes what-not his):

this is my job
anouther site give me money
for doos you
and i ddos you
:D
this is my job

Nagy said he hoped that by at least making it public that another site may be responsible for the DDoS attack, someone will get nervous that they could be caught and the attacks will subside.

WPN first experienced a major DDoS attack in December 2014, during its Million Dollar Sunday tournament, when it caused disconnections, lag, and registration problems. It happened again in September 2015 and again in October 2015.

The network will be re-running many of the tournaments, including the OSS and MOSS, and will cut the buy-in of the million dollar guaranteed OSS tourney in half as well as add an extra Sunday Million.

Source: https://www.pokernewsdaily.com/americas-cardroom-wpn-hit-ddos-attack-30342/


What is Pulse Wave? Hackers devise new DDoS attack technique aimed at boosting scale of assaults

The new attack method allows hackers to shut down targets’ networks for longer periods while simultaneously conducting attacks on multiple targets.

Hackers have begun launching a new kind of DDoS attack designed to boost the scale of attacks by targeting soft spots in traditional DDoS mitigation tactics. Dubbed “Pulse Wave”, the new attack technique allows hackers to shut down targeted organisations’ networks for prolonged periods while simultaneously conducting attacks on multiple targets.

The new attacks may render traditional DDoS mitigation tactics useless, experts say. Some of the pulse wave DDoS attacks detected lasted for days and “scaled as high as 350 Gbps”, according to security researchers at Imperva, who first spotted the new threat.

“Comprised of a series of short-lived pulses occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017,” Imperva researchers said in a report.

The researchers said they believe that the pulse wave technique was “purposefully designed” by “skilled bad actors” to boost hackers’ attack scale and output by taking advantage of “soft spots in hybrid ‘appliance first, cloud second’ mitigation solutions.”

Traditional DDoS attacks involve a continuous barrage of assaults against a targeted network, while pulse wave involves short bursts of attacks that have a “highly repetitive pattern, consisting of one or more pulses every 10 minutes”. The new attacks last for at least an hour and can extend to even days. A single pulse is large and powerful enough to completely congest a network.

“The most distinguishable aspect of pulse wave assaults is the absence of a ramp-up period — all attack resources are committed at once, resulting in an event that, within the first few seconds, reaches a peak capacity that is maintained over its duration,” the Imperva researchers said.

Pulse wave takes advantage of appliance-first hybrid mitigation solutions by preying on the “Achilles’ heel of appliance-first mitigation solutions”: the devices’ inability to deal with sudden, powerful surges of attack traffic.

The Imperva researchers said the emergence of pulse wave DDoS attacks indicates a significant shift in the attack landscape. “While pulse wave attacks constitute a new attack method and have a distinct purpose, they haven’t emerged in a vacuum. Instead, they’re a product of the times and should be viewed in the context of a broader shift toward shorter-duration DDoS attacks,” researchers said.

The Imperva researchers predicted that such attacks will continue, becoming more persistent and growing, boosted via botnets.

Source: http://www.ibtimes.co.uk/what-pulse-wave-hackers-devise-new-ddos-attack-technique-aimed-boosting-scale-assaults-1635423

 


Kids these days: the 16-year-old behind 1.7 million DDoS attacks

Teenagers have typically not been known as the most motivated demographic, napping through classes and slouching through shifts at McDonald’s.

While yelling at a 16-year-old four times just to get him to unload the dishwasher is annoying, consider the other end of the spectrum: the ambitious 16-year-old who earned over $500,000 USD by building a DDoS stresser responsible for 1.7 million attacks, causing millions of dollars in damages.

It’s cool Brayden, you can unload the dishwasher later.

Dirty dealings

A successful distributed denial of service or DDoS attack is one in which a website or online service is overwhelmed by malicious traffic or requests, pushing the site or service offline so it’s unavailable to its users. DDoS attacks have been big news the last few years. Big news to website owners who have had users frustrated by downtime, to business owners who have suffered reputation damage and monetary losses, to the public at large who have been unable to use websites and services big and small because of these attacks, and big news to the media itself who have been devoting headlines to the ever-growing scourge of attacks.

One of the main reasons for the increase in attacks has been DDoS-for-hire services, otherwise known as booters or stressers. For as little as a few dollars, anyone with an internet connection can buy access to a service that allows them to aim a DDoS attack at the targets of their choosing. Stressers are so named because they masquerade as a legitimate tool, one that stresses a server to test its reliability.

This is where Adam Mudd comes in.

In the Mudd

When Adam Mudd was just 16 years old he went to work on the computer in his bedroom and created what he called the Titanium Stresser. Mudd himself carried out 594 distributed denial of service attacks, including an attack against his former college, but those nearly 600 attacks were but a drop in the bucket compared to how busy his stresser got when he opened it up as a DDoS for hire service.

In just over two years the Titanium Stresser racked up 112,000 registered users who launched 1.7 million DDoS attacks against 660,000 IP addresses. There were obviously many repeat targets amongst those 660,000 IP addresses, perhaps most notably the company behind the online game RuneScape which was hit 25,000 times and led to the company spending roughly $10 million in mitigation efforts. Other notable targets of the Titanium Stresser included Sony, Xbox Live, Microsoft and Team Speak. Mudd reportedly earned over $500,000 from his stresser service.

It all came to an end for Mudd in March of 2015 when the police arrived at his parents’ house. Mudd refused to unlock his computer until his father intervened. He has since pleaded guilty to three charges under the United Kingdom Computer Misuse Act, and one charge of money laundering. He was sentenced to 24 months in jail.

The big picture

Mudd was nothing more than a teenager in the bedroom of his parents’ house, yet his stresser service caused millions of dollars in quantitative damages and untold further damages when it comes to lost productivity, lost user loyalty and lost revenue in both the short and long term. There are Adam Mudds all over the world, many more experienced, running stresser services that are just as successful as the Titanium Stresser and even more so.

Further, while Mudd’s arrest and conviction is a success for law enforcement, he joins a list of recent DDoS-related arrests that include members of the famed Lizard Squad, owners of the vDos botnet, and three dozen patrons of stresser services. Hackforums, the biggest hacking forums in the world, also recently banned DDoS for hire services. All seemingly good things. Yet the number of DDoS attacks being perpetrated hasn’t gone down. When the FBI or Interpol shuts down a stresser service, another stresser service simply scoops up its customers.

The lesson here has to be that DDoS attacks can be perpetrated by anyone and aren’t going anywhere anytime soon. With stresser services so affordable and accessible, almost every website on the internet is a potential target, and potentially a repeat target. Without professional DDoS protection, websites will be left picking up the pieces and paying exorbitant sums in order to do so.

Source: http://www.bmmagazine.co.uk/in-business/kids-days-16-year-old-behind-1-7-million-ddos-attacks/


FCC has no documentation of DDoS attack that hit net neutrality comments

Records request denied because FCC made no “written documentation” of attack.

The US Federal Communications Commission says it has no written analysis of DDoS attacks that hit the commission’s net neutrality comment system in May.

In its response to a Freedom of Information Act (FoIA) request filed by Gizmodo, the FCC said its analysis of DDoS attacks “stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.” Gizmodo had asked for a copy of any records related to the FCC analysis that concluded DDoS attacks had taken place. Because there was no “written documentation,” the FCC provided no documents in response to this portion of the Gizmodo FoIA request.

The FCC also declined to release 209 pages of records, citing several exemptions to the FoIA law. For example, publication of documents related to “staffing decisions made by Commission supervisors, draft talking points, staff summaries of congressional letters, and policy suggestions from staff” could “harm the Commission’s deliberative processes,” the FCC said. “Release of this information would chill deliberations within the Commission and impede the candid exchange of ideas.”

The FCC also declined to release internal “discussion of the Commission’s IT infrastructure and countermeasures,” because “It is reasonably foreseeable that this information, if released, would allow adversaries to circumvent the FCC’s protection measures.”

The FCC did release 16 pages of records, “though none of them shed any light on the events that led to the FCC’s website crashing on May 8,” Gizmodo wrote yesterday. “The few e-mails by FCC staff that were actually released to Gizmodo are entirely redacted.”

The Gizmodo article comes in the same week that the FCC refused to release the text of more than 40,000 net neutrality complaints that it has received from Internet users since June 2015. Pai has claimed that net neutrality rules were a response to “hypothetical harms and hysterical prophecies of doom,” but most complaints to the FCC about potential net neutrality violations by ISPs are being kept secret. (The FCC did release 1,000 of the complaints to the National Hispanic Media Coalition, which had filed a FoIA request.)

Pai has claimed that his proposed repeal of net neutrality rules is using a “far more transparent” process than the one used to implement net neutrality rules in 2015.

UPDATE: The FCC released a statement this afternoon claiming that it is “categorically false” to suggest that “the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system.” The FCC statement said there is publicly available written analysis in the form of a letter to Congress (which we quoted and linked to in the next section of this article). The FCC statement also said it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” which has not been released publicly.

But again, the FCC refused to provide its internal analysis of the attack, which is what Gizmodo requested. The FCC’s new statement says that “Gizmodo requested records related to the FCC analysis cited in [CIO] David Bray’s May 8 public statement about this attack. Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing.”

We asked the FCC to provide this “subsequent analysis,” and haven’t heard back yet.

The FCC’s position seems to be that it wasn’t asked to provide any analysis that was written down after May 8. But Gizmodo requested “A copy of any records related to the FCC ‘analysis’ (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.” The FCC’s analysis after May 8 did not change—the commission continues to say it was hit by DDoS attacks. Yet the FCC refused to provide records related to its analysis that it was hit by DDoS attacks.

“We asked for all records ‘related to’ this analysis (emails, etc.), not just the analysis itself, which they claim does not exist,” Gizmodo reporter Dell Cameron wrote on Twitter.

Ars’ FoIA request denied

Separately, Ars filed a FoIA request on May 9 for e-mails and other communications and records related to the attack on the net neutrality comment system and related downtime. The FCC denied our request on June 21, saying that “due to an ongoing investigation we are not able to release records associated with this incident.”

Ars appealed that decision to the FCC on June 30 in light of Chairman Ajit Pai’s statement to US senators that the FBI is not investigating the comment system attack.

“In speaking with the FBI, the conclusion was reached that, given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement,” Pai wrote to Senate Democrats who asked for more details about the attacks and the FCC’s response to the attacks.

The FCC has not responded to our FoIA appeal or to a followup e-mail we sent on Tuesday this week.

UPDATE: The FCC responded to our FoIA appeal two hours after this story published, saying it won’t release the e-mails and other records because of an internal investigation.

“An internal investigation into the matter is under consideration,” the FCC told us. “Agency staff have concluded that release of the records you requested could be reasonably expected to impede and interfere with this investigation.”

Comment system failure and DDoS analysis

The FCC’s website failure temporarily prevented the public from commenting on Pai’s controversial proposal to dismantle net neutrality rules. The downtime coincided with a heavy influx of comments triggered by comedian John Oliver’s HBO segment criticizing Pai’s plan, but the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks.”

We published an analysis of the FCC’s statements in May, concluding that the incident was caused either by “an unusual type of DDoS or poorly written spam bots.” Cloudflare, which operates a global network that protects websites from DDoS attacks, supported the FCC’s statements. The FCC’s descriptions are consistent with “a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars.

“In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said.

The FCC also refused to release server logs related to the attack because they might contain private information such as IP addresses. Security experts who spoke to Ars supported this decision.

There are now more than 10 million comments on Pai’s plan to overturn net neutrality rules, though many contain the same text because they come from spam bots or from campaigns urging people to submit pre-written comments. Pai has said that the number of comments opposing or supporting his plan “is not as important as the substantive comments that are in the record.”

Source: https://arstechnica.com/information-technology/2017/07/fcc-has-no-documentation-of-ddos-attack-that-hit-net-neutrality-comments/
