Last April 7, several Israeli websites were targeted by the hacker group Anonymous. Based on reports, certain government and private Israeli websites were not accessible and were possibly victims of a DDoS attack.
Media coverage of DDoS attacks tends to focus on whether or not the targeted site is knocked offline, not on how the attacks are actually carried out. This is a mistake, as it ignores the fact that many of the “attackers” are actually systems that have been infected with malware and used to carry out the attacks. To look at how this attack was carried out, we used data gathered by the Smart Protection Network.
On a typical day, the traffic to one of the websites targeted in this attack overwhelmingly (more than 90%) comes from within Israel itself. On the day of the attack, however, this was reversed, with only 9% of the traffic we saw coming from inside the country:
This increase in non-Israeli traffic was well distributed, with users from 27 countries (besides Israel itself) accessing the target site. The chart below highlights the significant spike in traffic on and around the 7th:
Examining the IP addresses that had accessed the target site, we noticed that some of them were known to be part of various botnets under the control of cybercriminals. In addition, further investigation revealed that these IP addresses had previously been identified as victims of other attacks, such as FAKEAV, ransomware, and exploit kits.
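The two checks described above, the collapse in the share of domestic traffic with a volume spike, and the cross-reference of source IPs against hosts already known to be infected, as an added example that is not part of the original post or of the Smart Protection Network. The log records, country codes and the "known infected" list are constructed stand-ins for GeoIP-enriched access logs and a threat-intelligence feed.

```python
from collections import defaultdict


def _mk(day, cc, base, start, n):
    # Constructed helper: n hits on `day` from country `cc`, using distinct
    # IPs base.start .. base.start+n-1 (documentation address ranges).
    return [(day, f"{base}.{start + i}", cc) for i in range(n)]


# Constructed sample: a normal day (95% Israeli) followed by the attack day
# (9% Israeli, five times the volume, spread over several countries).
SAMPLE_HITS = (
    _mk("2013-04-06", "IL", "203.0.113", 1, 19) + _mk("2013-04-06", "US", "198.51.100", 1, 1)
    + _mk("2013-04-07", "IL", "203.0.113", 1, 9)
    + _mk("2013-04-07", "US", "198.51.100", 1, 30)
    + _mk("2013-04-07", "BR", "192.0.2", 1, 30)
    + _mk("2013-04-07", "TR", "192.0.2", 31, 31)
)

# Constructed stand-in for an intel feed of IPs previously seen as botnet
# members or as victims of FAKEAV, ransomware or exploit-kit infections.
KNOWN_INFECTED = {"198.51.100.3", "192.0.2.40", "192.0.2.41"}


def daily_stats(hits, home="IL"):
    """Per day: total hits, share of hits from `home`, distinct foreign countries."""
    per_day = defaultdict(list)
    for day, _ip, cc in hits:
        per_day[day].append(cc)
    stats = {}
    for day, ccs in per_day.items():
        home_n = sum(1 for c in ccs if c == home)
        stats[day] = {
            "total": len(ccs),
            "home_share": home_n / len(ccs),
            "foreign_countries": len({c for c in ccs if c != home}),
        }
    return stats


def flag_inversion_days(stats, baseline_day, min_home_share=0.5, spike_factor=3.0):
    """Days where the home share collapses and volume spikes relative to the baseline day."""
    base_total = stats[baseline_day]["total"]
    return sorted(d for d, s in stats.items() if d != baseline_day
                  and s["home_share"] < min_home_share
                  and s["total"] >= spike_factor * base_total)


def known_infected_sources(hits, day, intel):
    """Source IPs seen on `day` that the intel set already lists as infected."""
    return sorted({ip for d, ip, _cc in hits if d == day and ip in intel})
```

Matches against the intel set identify which of the "attackers" are compromised machines rather than willing participants, which is the point the post is making.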
These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.