27 May 2009

BNP DDoS 'mega-assault' not actually mega in the least


It was eight, no ten really big lads that jumped me

A supposedly massive denial of service attack against the British National Party website has been exposed as a gross exaggeration.

The assault, which began on Friday, was described by the party in an email appeal for funds as the "largest cyber attack in recorded history" and comparable only to a 2001 assault against Microsoft*. Nick Griffin, leader of the controversial far-right political party, asked the party's supporters to stump up the £5,000 urgently needed to purchase hardware and servers supposedly needed to keep the site up and running.

Griffin's email appeal claims that the assault came from "eastern Europe and Russia" and that Clear Channel, a firm supplying Euro election billboard advertising services to the BNP, is also under attack and contemplating legal action.

However, Clear Channel, after checking with its US-based techies, said that it was not under any kind of cyber-attack, much less on the phone to its lawyers.

To confirm - we have had no attack and we have filed no lawsuits," a spokeswoman told El Reg. "The BNP booked a small poster campaign in the run up to the European Elections."

Clear Channel has a policy of carrying advertising "from all the legal political parties, without bias or favour, and regardless of the company’s own views, as long as the advertising is legal and clearly branded for the relevant party".

A BNP spokesman politely told us on Tuesday morning that he was too busy helping to run its Euro election campaign to bother about technology. He said IT guys were too busy reconfiguring servers to speak and had nothing to say about Clear Channel's response that its site was not under attack.

Security firms contacted by El Reg said that a botnet hosted in Romania was firing off attack traffic at the BNP's website, but were unable to confirm the size of the assault. Jose Nazario, manager of security research at anti-DDoS technology firm Arbor Networks, confirmed there was a DDoS attack but wasn't able to gauge its size.

The site's been moving around some in the past few days. here's some recent history, my guess is they're trying to fight the ddos:
bnp.org.uk | 87.117.239.66 | Thu, 01 May 2008 02:50:40 UTC | Sat, 23 May 2009 23:26:39 UTC bnp.org.uk | 87.117.239.84 | Sun, 24 May 2009 20:51:57 UTC | Sun, 24 May 2009 20:51:59 UTC

That .66 IP has come under a SYN flood from at least one botnet. in this case the botnet was hosted in Romanian IP space.

I have no data on the attack's magnitude (BPS, requests per second, etc). but so far everything is consistent with a legitimate attack.
A technically knowledgeable person at the hosting firm managing the site approached El Reg, and on condition of anonymity agreed to explain what had happened.

"There was some attack traffic against the BNP website on Sunday or Monday," our source told us. "But it was hardly noticeable except that one server was taken offline. It's not one to write home about.

"The attack traffic was around 600Mbps, a volume that hardly hits our radar."

We understand that a letter advising the BNP that the hosting package it had signed on for when it moved its servers a few days ago is "not suitable" is in the post.

"Given the content they host, and the volume of traffic, the party needs a package that includes DDoS protection. This will cost a lot more than £5,000," our source explained, adding that no extra servers or any other hardware had been added to the BNP's website since the attacks began late last week.

We understand that the matter of whether the BNP's website breaks the hosting firm's terms and conditions is under review.

Independent sources at web metrics firm Netcraft confirmed that the BNP's website has recently moved hosting provider and changed configuration, moving from Apache to nginx. Its stats on the BNP's website can be found here.

So the BNP's site did experience a minor attack, but the suggestion that it was under the biggest cyberassault ever are pure hype, possibly geared towards reinforcing a siege mentality that encourages supporters into throwing more money at the controversial party.

Arbor's Nazario added that a large attack on the scale claimed would get noticed more widely.

I love how the BNP is claiming this is the largest attack the internet has ever seen. Far from it. While I don't have exact numbers, the absence of alerts on too many other ISPs that serve as their upstream suggests it's not. The botnet behind the attacks isn't super massive, either.

It's either a lie or ill-informed for them to be saying it's the largest attack.
Bootnote

*The supposed DDoS attack against Microsoft is, incidentally, something we're unable to find any reports about. The most prominent DDoS attack around that time was Mafiaboy's assault on eBay, Amazon et al, in September 2000.

The Register

No comments: