Investigation DDoS



At the initiative of ProtectMaster, investigate DDoS attacks. We deducted from and began to analyze logs of their servers during the attacks during the Revolution Benefits. During the analysis, we found the following.

First, an attempted attack Censor usual type of attack - HTTP-flood. Bots were scattered all over the page, the order for such an attack could make anyone who had a $ 30-50 for services. Naturally, it does not deliver any problems censor and was "repulsed" by introducing a number of javascript-checks. 

Further attack steel "heavy", in terms of load, site locations. Introducing additional filtering measures and connecting AntiDDoS-services Censor again went online.. 

Most interesting is that we found out - that's what started DDoS Crimea, literally the whole Crimea suddenly became one large botnet, which was to attack the Censor server. Company specialists ProtectMaster penetrated detail in the analysis of logs and began to understand how this happened so that the whole Crimea was suddenly crowded with infected machines.

After analyzing logs and network traffic, we were able to detect spoofing attacks, to be more precise, it was a DNS-spoofing. The thing is, that someone has replaced all the inhabitants of the Crimea the IP-addresses of popular services statistics visits to the site and a number of highly resource. The essence of the attack on the censor was to ensure that someone on the level of service providers replaced address popular services LiveInternet statistics and Google Analytics, which has nearly every site on the Censor address. This led to the fact that when the user is out of the Crimea revealed any page that had a counter code, it automatically opens another page and the Censor, and update it dozens of times per minute. Thus, all traffic avalanche Crimean residents attacked the Censor server.

The investigation revealed the alleged identity as a customer and performers involved in this, and the methods they have used for this attack.

Share or save it: