Senior Editor, Network World

Media sites target of politically motivated DDoS attacks

Oct 07, 2010 | 4 mins
Cybercrime, Data and Information Security, Government

A large Web hosting company in France is striving to protect the Web sites of its European media customers, which has meant fending off distributed denial-of-service attacks.

The inclination to “shoot the messenger” bearing bad news is a well-known sentiment. In the online media world, news Web sites really are getting shot at — with massive denial-of-service attacks aimed at taking them offline.

One large Web-hosting company in France is striving to protect the Web sites of its European media customers, which has meant fending off distributed denial-of-service attacks (DDoS) that have brought sites crashing down in the past. The enduring pattern of these DDoS attacks suggests they’re triggered by angry readers raging against political news that they don’t like.

“We’ve had a lot of DDoS attacks against mainly the newspaper sites,” says Salim Gasmi, CTO and the technical director for SdV Plurimedia. Its business customers include well-known European media companies such as Le Figaro and Les Echos and the television network ARTE, as well as other industries such as banking.

While it’s not entirely clear who’s launching these DDoS attacks or why, they typically come when there’s news related to the Middle East, Gasmi says. “It’s political anger,” he says, adding that these kinds of attacks have gone on from time to time for more than a decade.

News related to the Middle East can trigger a slew of SYN floods from computers that appear to be located in many places around the world, including Brazil, Russia and China, and are controlled by an attacker in an unknown place, Gasmi says.

It appears easy to get hold of the attack tools to do this, and even a well-directed 10Mbps SYN flood attack (which would probably require the use of only 100 PCs acting in attack mode) would be enough to put a Web site under huge duress and possibly take it offline temporarily. Some attacks can even reach 3Gbps, he adds.

SdV Plurimedia is hardly alone in coping with online attacks that seem to have a political angle. A Symantec survey released this week asked enterprises if they had been hit by “politically minded attacks,” including possibly terrorist or state-sponsored cyberattacks aimed at stealing sensitive information or bringing down a network. The survey, entitled “Symantec 2010 Critical Infrastructure Protection Study,” found that half of the IT managers at 1,580 enterprises worldwide said they thought something like this had happened to them.

Gasmi says one thing for certain is that when SdV Plurimedia years ago decided to accept media businesses as customers, it became clear that these types of attacks were going to be a prevailing condition and that the Web-hosting firm would have to act defensively against DDoS — and fast.

The question was finding ways to detect the commencement of a DDoS attack and then effectively filter out bad traffic while trying not to disrupt the good. It’s not easy. One complexity is that massive SYN flood attacks can have a cascade effect on the data center’s servers.

“If a customer was targeted by an attack, and the attack was strong, the effect was to make all the sites nonresponsive. It was a nightmare,” Gasmi says. Over the years, the Web-hosting firm tried different server arrangements, network configurations, attack mitigation, intrusion-prevention systems and firewalls. The latest equipment, in place for about a year and based on Arbor Networks’ Peakflow SP and Peakflow SP Threat Management System, has proven the most effective so far in filtering out attack traffic, especially since it can work with a traffic redirection technology to divert an onslaught of unwanted IP traffic away from the hosted sites.

While highly effective, the anti-DDoS equipment isn’t perfect, and it’s possible some legitimate traffic may be dropped, Gasmi notes. But Web sites are staying up far better than before.
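To make the detect-then-filter trade-off concrete, here is an added illustration (not SdV Plurimedia’s or Arbor’s code) that runs a simple onset detector over constructed per-second flow summaries for two hosted sites, then shows how a per-source rate filter catches the distributed flood but also drops a legitimate high-rate source such as a corporate NAT. The site names, IP addresses, thresholds and the per-source rate-limit model are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed one-second flow summaries, not real traffic.
# Record: (second, dst_site, src_ip, syn_count, legit); `legit` is ground truth
# used only to measure how much good traffic the filter would drop.
FLOWS = [
    # second 0: quiet, ordinary readers of two hosted sites
    (0, "news-a", "203.0.113.5", 3, True),
    (0, "news-a", "198.51.100.7", 2, True),
    (0, "news-b", "192.0.2.9", 4, True),
    # second 1: flood against news-a from many low-rate, widely spread sources
    *[(1, "news-a", f"203.0.113.{i}", 40, False) for i in range(50, 70)],
    (1, "news-a", "198.51.100.7", 2, True),     # one real reader, low rate
    (1, "news-a", "198.51.100.200", 15, True),  # many readers behind one NAT
    (1, "news-b", "192.0.2.9", 5, True),
]

def syn_rate_per_site(flows):
    """Aggregate SYNs per (second, site) and the distinct sources behind them."""
    rate, sources = defaultdict(int), defaultdict(set)
    for sec, site, src, syns, _ in flows:
        rate[(sec, site)] += syns
        sources[(sec, site)].add(src)
    return rate, sources

def detect_onset(flows, baseline_syn_per_s=20, factor=10, min_sources=10):
    """Flag (second, site) as flood onset when the SYN rate is far above the
    site's baseline AND comes from many distinct sources, the distributed
    pattern described in the article. Other sites stay unflagged."""
    rate, sources = syn_rate_per_site(flows)
    return sorted(k for k in rate
                  if rate[k] > baseline_syn_per_s * factor
                  and len(sources[k]) >= min_sources)

def plan_filter(flows, alerts, per_src_threshold=10):
    """For each alerted site, drop sources above a per-source SYN threshold
    (assumed rate-limit model) and count legitimate records caught with them."""
    alerted, dropped, collateral = set(alerts), set(), 0
    for sec, site, src, syns, legit in flows:
        if (sec, site) in alerted and syns > per_src_threshold:
            dropped.add((site, src))
            collateral += legit
    return dropped, collateral

if __name__ == "__main__":
    alerts = detect_onset(FLOWS)                 # [(1, 'news-a')]
    dropped, collateral = plan_filter(FLOWS, alerts)
    print(alerts, len(dropped), "sources dropped,", collateral, "legitimate")
```

The one legitimate source dropped is the NAT, which is exactly the kind of collateral loss Gasmi describes; raising the per-source threshold reduces it at the cost of letting more flood traffic through.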

In the United States, there are some carriers, including AT&T, that have made anti-DDoS services available for a fee. Gasmi says he deals with nine carriers in France but none provides an anti-DDoS service, so he has had to invest and build his own line of defense. He wishes the ISPs and carriers would take on the DDoS issue more directly; Gasmi says the same kinds of DDoS attacks are hitting other Web-hosting firms in France, and he hears from businesses whose Web sites are underwater due to a DDoS flood. Gasmi has also heard of attackers who threaten to take down Web sites unless they get paid to leave them alone, though in his experience the blackmail attacks are not as common as the attacks against news media sites.
