BNP DDoS 'mega-assault' not actually mega in the least

It was eight, no ten really big lads that jumped me


A supposedly massive denial of service attack against the British National Party website has been exposed as a gross exaggeration.

The assault, which began on Friday, was described by the party in an email appeal for funds as the "largest cyber attack in recorded history" and comparable only to a 2001 assault against Microsoft*. Nick Griffin, leader of the controversial far-right political party, asked the party's supporters to stump up the £5,000 urgently needed to purchase hardware and servers supposedly needed to keep the site up and running.

Griffin's email appeal claims that the assault came from "eastern Europe and Russia" and that Clear Channel, a firm supplying Euro election billboard advertising services to the BNP, is also under attack and contemplating legal action.

However, Clear Channel, after checking with its US-based techies, said that it was not under any kind of cyber-attack, much less on the phone to its lawyers.

"To confirm - we have had no attack and we have filed no lawsuits," a spokeswoman told El Reg. "The BNP booked a small poster campaign in the run up to the European Elections."

Clear Channel has a policy of carrying advertising "from all the legal political parties, without bias or favour, and regardless of the company’s own views, as long as the advertising is legal and clearly branded for the relevant party".

A BNP spokesman politely told us on Tuesday morning that he was too busy helping to run its Euro election campaign to bother about technology. He said IT guys were too busy reconfiguring servers to speak and had nothing to say about Clear Channel's response that its site was not under attack.

Security firms contacted by El Reg said that a botnet hosted in Romania was firing off attack traffic at the BNP's website, but were unable to confirm the size of the assault. Jose Nazario, manager of security research at anti-DDoS technology firm Arbor Networks, confirmed there was a DDoS attack but wasn't able to gauge its size.

The site's been moving around some in the past few days. here's some recent history, my guess is they're trying to fight the ddos:

bnp.org.uk | 87.117.239.66 | Thu, 01 May 2008 02:50:40 UTC | Sat, 23 May 2009 23:26:39 UTC bnp.org.uk | 87.117.239.84 | Sun, 24 May 2009 20:51:57 UTC | Sun, 24 May 2009 20:51:59 UTC

That .66 IP has come under a SYN flood from at least one botnet. in this case the botnet was hosted in Romanian IP space.

I have no data on the attack's magnitude (BPS, requests per second, etc). but so far everything is consistent with a legitimate attack.

A technically knowledgeable person at the hosting firm managing the site approached El Reg, and on condition of anonymity agreed to explain what had happened.

"There was some attack traffic against the BNP website on Sunday or Monday," our source told us. "But it was hardly noticeable except that one server was taken offline. It's not one to write home about.

"The attack traffic was around 600Mbps, a volume that hardly hits our radar."

We understand that a letter advising the BNP that the hosting package it had signed on for when it moved its servers a few days ago is "not suitable" is in the post.

"Given the content they host, and the volume of traffic, the party needs a package that includes DDoS protection. This will cost a lot more than £5,000," our source explained, adding that no extra servers or any other hardware had been added to the BNP's website since the attacks began late last week.

We understand that the matter of whether the BNP's website breaks the hosting firm's terms and conditions is under review.

Independent sources at web metrics firm Netcraft confirmed that the BNP's website has recently moved hosting provider and changed configuration, moving from Apache to nginx. Its stats on the BNP's website can be found here.

So the BNP's site did experience a minor attack, but the suggestion that it was under the biggest cyberassault ever are pure hype, possibly geared towards reinforcing a siege mentality that encourages supporters into throwing more money at the controversial party.

Arbor's Nazario added that a large attack on the scale claimed would get noticed more widely.

I love how the BNP is claiming this is the largest attack the internet has ever seen. Far from it. While I don't have exact numbers, the absence of alerts on too many other ISPs that serve as their upstream suggests it's not. The botnet behind the attacks isn't super massive, either.

It's either a lie or ill-informed for them to be saying it's the largest attack.

®

Bootnote

*The supposed DDoS attack against Microsoft is, incidentally, something we're unable to find any reports about. The most prominent DDoS attack around that time was Mafiaboy's assault on eBay, Amazon et al, in September 2000.

Similar topics

Broader topics


Other stories you might like

  • Cloudflare says it thwarted record-breaking HTTPS DDoS flood
    26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

    Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

    In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

    Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Microsoft sounds the alarm on – wait for it – a Linux botnet
    Redmond claims the numbers are scary, but won't release them

    Microsoft has sounded the alarm on DDoS malware called XorDdos that targets Linux endpoints and servers.

    The trojan, first discovered in 2014 by security research group MalwareMustDie, was named after its use of XOR-based encryption and the fact that is amasses botnets to carry out distributed denial-of-service attacks. Over the last six months, Microsoft threat researchers say they've witnessed a 254 percent spike in the malware's activity. 

    "XorDdos depicts the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things (IoT) devices," Redmond warned

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Vehicle owner data exposed in GM credential-stuffing attack
    Car maker says miscreants used stolen logins to break into folks' accounts

    Automaker General Motors has confirmed the credential stuffing attack it suffered last month exposed customers' names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts.

    Continue reading
  • Enemybot botnet uses Gafgyt source code with a sprinkling of Mirai
    Keksec malware used for DDoS attacks, may spread to cryptomining, Fortinet says

    A prolific threat group known for deploying distributed denial-of-service (DDoS) and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware.

    The group Keksec (also known as Nero and Freakout) is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability (CVE-2022-27226) discovered last month in iRZ mobile routers, according to a report this week by Fortinet's FortiGuard Labs team.

    Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things (IoT) devices into a larger botnet that can be used to launch DDoS attacks.

    Continue reading

Biting the hand that feeds IT © 1998–2022