An investigative report on DDoS attack against luatkhoa.org and thevietnamese.org

In June 2018, our two magazines suffered a DDoS attack that resulted in the disruption of both services for approximately two weeks.

We asked the Swedish technology organization Qurium to investigate the attack. They released an investigative report on July 10, 2018. Below is the report without the source code cited by Qurium. Please click here to read the full version.


Denial of service attacks started on the 11th of June 2018 at 21 PM against luatkhoa.org and thevietnamese.org. The attacks started just a few hours before Vietnam passed its cybersecurity law despite privacy concerns. The graph shows the bandwidth that hit the website and how traffic still leaked into the backend after Cloudflare was set up on the 14th of June.

The 11th of June attacks, which originally lasted a few hours, continued during the whole week. The application layer attacks consisted of thousands of GET and POST web requests coming from a botnet.

A large botnet composed of infected computers

In order to avoid detection and blocking, the botnet constantly changes the IP addresses it sends from, and a single IP address will not use many “User Agents”.

[Source code]

Botnet uses many different User-Agents without a distinctive pattern

The 30 most common User-Agents used in the botnet's GET flood are:

[Source code]
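The two observations above (each bot keeps to one or a few User-Agents while the botnet as a whole rotates IPs and spreads its requests over many User-Agents) are the kind of thing a defender can confirm directly from web server access logs. The following script is an added example and is not part of Qurium's report or its cited source code; it parses constructed log lines in the common Apache/Nginx "combined" format (the IP addresses, timestamps and User-Agent strings are invented for illustration) and computes the per-IP User-Agent diversity, the most frequent User-Agents, the GET/POST split and the number of distinct source IPs seen per minute, which is where a rotating botnet shows up.

```python
import re
from collections import Counter, defaultdict

# Regex for one line of the Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic): one chatty GET source, one POST
# source, and two single-request sources, each sticking to one User-Agent.
UA_A = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
UA_B = "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Mobile"
UA_C = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/605.1"
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [11/Jun/2018:21:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA_A}"',
    f'203.0.113.10 - - [11/Jun/2018:21:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA_A}"',
    f'203.0.113.10 - - [11/Jun/2018:21:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA_A}"',
    f'198.51.100.7 - - [11/Jun/2018:21:00:05 +0000] "POST / HTTP/1.1" 200 128 "-" "{UA_B}"',
    f'198.51.100.7 - - [11/Jun/2018:21:01:10 +0000] "POST / HTTP/1.1" 200 128 "-" "{UA_B}"',
    f'192.0.2.33 - - [11/Jun/2018:21:01:20 +0000] "GET /about HTTP/1.1" 200 900 "-" "{UA_C}"',
    f'192.0.2.50 - - [11/Jun/2018:21:01:30 +0000] "GET / HTTP/1.1" 200 512 "-" "{UA_A}"',
])


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def user_agents_per_ip(records):
    """Map each source IP to the set of User-Agents it presented."""
    uas = defaultdict(set)
    for r in records:
        uas[r["ip"]].add(r["ua"])
    return dict(uas)


def top_user_agents(records, n=30):
    """Most common User-Agents across all requests, as (ua, count) pairs."""
    return Counter(r["ua"] for r in records).most_common(n)


def method_counts(records):
    """Requests per HTTP method, to separate a GET flood from a POST attack."""
    return Counter(r["method"] for r in records)


def flood_suspects(records, threshold):
    """IPs that sent at least `threshold` requests in the sample, sorted."""
    per_ip = Counter(r["ip"] for r in records)
    return sorted(ip for ip, c in per_ip.items() if c >= threshold)


def distinct_ips_per_minute(records):
    """Distinct source IPs per minute; a rotating botnet keeps this number high."""
    ips = defaultdict(set)
    for r in records:
        ips[r["ts"][:17]].add(r["ip"])  # "11/Jun/2018:21:00" is the minute key
    return {minute: len(s) for minute, s in sorted(ips.items())}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("methods:", dict(method_counts(recs)))
    print("top UAs:", top_user_agents(recs, 3))
    print("UAs per IP:", {ip: len(s) for ip, s in user_agents_per_ip(recs).items()})
    print("flood suspects (>=3 req):", flood_suspects(recs, 3))
    print("distinct IPs per minute:", distinct_ips_per_minute(recs))
```

Run against a real access log, the interesting signals are a per-IP User-Agent count that stays at one or two for almost every source, a steep rise in distinct IPs per minute, and a top-N User-Agent list with no dominant entry; on their own none of these proves a botnet, but together they match the pattern the report describes and give a basis for rate limiting or challenge rules at the edge.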

A POST attack used the following agents:

[Source code]

Botnet Geolocation

The botnet is also widely geo-located, with bots even hosted inside Vietnam. Some of the bots are hosted in locations like Guadalupe, Kenya or Salvador. The IPs recorded indicate that the malware is hosted on consumer connections behind ADSL lines.

[Source code]

Conclusions

One month after the denial of service attacks (10th July 2017), we have not yet successfully identified which botnet was used for the attacks. If you have any hints, please reach out!
