Well, that was fun, wasn’t it?
On the morning of Thursday, Feb. 16th, the Mountain Home Observer fell victim to a cyberattack known as a DDoS, or Distributed Denial of Service, attack.
This sort of attack is a malicious attempt to cripple or bring down our online publishing operation by flooding the technology that hosts our online newspaper with a large number of simultaneous fake connections whose sole purpose is to overwhelm it.
These fake connections are distributed, meaning they originate from thousands of IP (Internet Protocol) addresses and networks across the world.
In the IT (Information Technology) world, it’s easy to block one bad actor from abusing your website and eating up memory resources.
It’s another thing entirely to be faced with thousands of IP addresses to blacklist. Many DDoS attacks, when blocked in one area, will just appear in another, or change IPs and proxy addresses.
DDoS attacks are frustrating because most of the time there is nothing gained from the attack and typically nothing is hacked.
Why do it at all?
There could be several motivations behind a DDoS attack:
- People and groups making a political point
- Targeted attacks on a specific business or service provider to cause monetary harm
- Ransom scheme in order to collect money
- The bored, technically savvy person
The last point is the most unlikely scenario, given that these activities are illegal in most countries, including the U.S.
The Observer did not receive any ransom demands within the entire duration of the attack between Thursday and Friday.
One does not need to be technically savvy to launch a DDoS attack. DDoS-for-hire services exist and are advertised in online forums. These services are highly illegal and have been busted by the FBI in the past.
Computer Fraud and Abuse Act
In 2018, criminal charges were filed in Los Angeles and Alaska in conjunction with the seizure of 15 internet domains associated with DDoS-for-hire services.
In conjunction with the seizure warrants, the U.S. Attorney’s Office for the Central District of California on Dec. 19, 2018 charged Matthew Gatrel, 30, of St. Charles, Illinois, and Juan Martinez, 25, of Pasadena, California, with conspiring to violate the Computer Fraud and Abuse Act through the operation of services known as Downthem and Ampnode.
According to the criminal complaint filed in Los Angeles, Downthem offered DDoS services directly to users who wished to attack other internet users, and Ampnode offered resources designed to facilitate the creation of standalone DDoS services by customers.
Between October 2014 and November 2018, Downthem’s database showed over 2,000 customer subscriptions, and had been used to conduct, or attempt to conduct, over 200,000 DDoS attacks.
The targets ranged from homes and schools, to universities, municipal and local government websites, and financial institutions from all over the world.
Gatrel offered expert advice to customers of both services, providing guidance on the best attack methods to “down” different types of computers or specific hosting providers, or to bypass DDoS protection services. Gatrel himself often used the Downthem service to demonstrate to prospective customers the power and effectiveness of the products, by attacking the customer’s intended victim and providing proof, via screenshot, that he had severed the victim’s internet connection.
Gatrel faced a possible statutory sentence of 35 years in federal prison. In January 2022, after a nine-day trial, a federal jury found him guilty of one count of conspiracy to commit unauthorized impairment of a protected computer, one count of conspiracy to commit wire fraud, and one count of unauthorized impairment of a protected computer.
Gatrel was ultimately sentenced to 2 years in federal prison.
Co-defendant Martinez pleaded guilty in August 2021 to one count of unauthorized impairment of a protected computer and was sentenced to five years’ probation. Martinez was one of Gatrel’s customers and became a co-administrator of the site in 2018.
Regardless of whether someone launches a DDoS attack using their own command-and-control infrastructure or hires a “booter” or “stresser” service like the one Gatrel provided, the action is illegal and may result in criminal charges under the Computer Fraud and Abuse Act.
“Whether you launch the DDoS attack or hire a DDoS service to do it for you, the FBI considers it criminal activity,” said FBI Assistant Director Gorham in 2018. “Working with our industry and law enforcement partners, the FBI will identify and potentially prosecute you for this activity. We will use every tool at our disposal to combat all forms of cybercrime including DDoS activity. We encourage all DDoS victims to contact your local FBI field office or file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov.”
The Observer filed a complaint with the FBI on Friday, Feb. 17, attaching sample access logs and U.S.-based IP addresses that took part in the attack.
Defense against cyberattacks
Admittedly, the Observer was not fully prepared for a sophisticated DDoS attack. In a city of 14,000ish people, and a county of 44,000, our current coverage area is quite small. Our monthly readership is around 10-12k people on average.
Our peak readership in a single month so far is 36,134 people, which occurred last month; on a weekly basis, about 2,500 people on average read our stories.
Back in November 2021, when we were setting up our infrastructure, typical security measures were put in place for a small-scale website such as ours. The usual stuff you would find to protect against hacking: brute force protection, a basic firewall protecting against common attacks, forcing HTTPS, and ensuring our tech stack is up to date.
While we have a Web Application Firewall (WAF) on the host server, it doesn’t do any good if the host server itself is the thing being overwhelmed by DDoS traffic.
After the initial attack, we quickly got to work implementing a third-party WAF outside of our primary host to filter traffic before it reached the target server. Kind of like building a wall around a property, with security at the front gate checking everyone’s ID on the way in.
The first implementation was not enough. It combated the attacks at first, but several hours later they increased in intensity, with about 50k attempted connections within a minute. Not only did the frequency of the attacks increase, but the delivery method changed so that not even the firewall was recognizing it as a DDoS attack.
The attack came from all over the place, a truly distributed attack: the Russian Federation, China, Indonesia, Germany, the Philippines, South Korea, the United States and dozens of other countries all at the same time.
After adjusting our new firewall rules manually, the attacks were completely blocked. We were attacked again around 9:15 p.m. on the 16th, topping about 70k connections in a minute. Then at 6 a.m. on the 17th, the last and biggest attack occurred with over 100k connections in a single minute. All of them were blocked and our tiny digital paper still stands.
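The per-minute connection counts above, and the access-log samples sent to the FBI, are the kind of thing a site operator can pull out of ordinary web server logs. The following is an added example, not the Observer’s own tooling: it parses common-format access log lines, flags minutes whose request volume crosses a threshold (the threshold of 20 and all IP addresses and timestamps are constructed for the sample; a real threshold would be set well above the site’s normal peak), reports how many distinct sources took part, and lists the heaviest sources for review before any blocking.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format prefix: client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def minute_of(ts):
    """'16/Feb/2023:06:00:17 -0600' -> '16/Feb/2023:06:00' (drop seconds and zone)."""
    return ts.split(" ")[0].rsplit(":", 1)[0]

def connections_per_minute(lines):
    """Map each minute to a Counter of requests per source IP; unparseable lines are skipped."""
    per_minute = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_minute[minute_of(m["ts"])][m["ip"]] += 1
    return per_minute

def flag_bursts(per_minute, threshold):
    """Minutes whose total request count reaches threshold -> (total requests, distinct IPs)."""
    return {
        minute: (sum(c.values()), len(c))
        for minute, c in per_minute.items()
        if sum(c.values()) >= threshold
    }

def candidate_blocklist(per_minute, minute, min_hits):
    """Source IPs with at least min_hits requests in the flagged minute, for human review."""
    return sorted(ip for ip, n in per_minute[minute].items() if n >= min_hits)

def make_line(ip, ts, path="/"):
    """Build one constructed log line (not a real record from any server's logs)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Constructed sample: a quiet minute, then a minute flooded from eight reserved-range IPs.
SAMPLE = [make_line("198.51.100.10", "16/Feb/2023:05:59:12 -0600", "/news"),
          make_line("198.51.100.11", "16/Feb/2023:05:59:40 -0600", "/sports")]
for i in range(8):
    SAMPLE += [make_line(f"203.0.113.{i}", f"16/Feb/2023:06:00:{s:02d} -0600") for s in range(0, 60, 12)]
SAMPLE.append(make_line("198.51.100.10", "16/Feb/2023:06:00:30 -0600", "/news"))  # one real reader

if __name__ == "__main__":
    counts = connections_per_minute(SAMPLE)
    for minute, (total, ips) in flag_bursts(counts, threshold=20).items():
        print(f"{minute}: {total} requests from {ips} distinct IPs")
        print("review before blocking:", candidate_blocklist(counts, minute, min_hits=5))
```

The distinct-IP count is what separates a distributed flood from a single abusive client, and the review list deliberately excludes the low-volume reader caught in the same minute, which is the false-positive case described next.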
With our new firewall rules comes a bit of an adjustment period. Currently, we do not accept any VPN usage from overseas IP addresses. There were also some outlier local networks that were mistakenly blocked by the firewall.
These have been corrected, though there may be some hiccups that we’ll need to overcome within the coming weeks. If you are having issues, we apologize! Please reach out to me via [email protected] and I’ll get it sorted.
As a reminder, all financial information collected by the Observer is stored safely in a PCI-compliant server operated by Stripe, our payment gateway provider. The Observer does not directly store credit or debit card information and cannot see full card information.