Coordinated DDoS attack during Russian Duma elections

DDoS and other sorts of cyber attacks on independent media have been common in recent years. One of the difficult things about understanding the cause and impact of DDoS attacks is that it is rarely clear who is behind the attacks. We have little or no evidence, for instance, that the Russian government is involved in these or other attacks. This is partly due to the nature of DDoS attacks, which often come from large collections of infected computers and so are very difficult to track back to the responsible actor. Governments have also avoided taking responsibility for these sorts of attacks, in constrast to the way that many government happily defend their filtering practices, perhaps because the attacks are often associated with the cyber-criminal gangs who build and run botnets.

What makes these attacks different is the number of sites attacked at the same time, and their close timing around the elections. We asked our friends at Arbor Networks, a leading provider of DDoS monitoring and protection services for Internet service providers and large content hosts, for any data they have on these attacks. Among other DDoS monitoring systems, Arbor has a large collection of taps installed in botnets, through which they are able to listen to the commands sent to the botnets. Jose Nazario reported back to us that starting on December 1 and continuing through the election on December 4, they saw commands come from just two botnet controllers to attacks the following list of sites, nearly all of which are independent media or election monitoring sites:


 * New Times (Oppositional news site The New Times)
 * Echo of Moscow (Leading Independent radio station Echo of Moscow)
 * Novaya Gazeta (Major oppositional newspaper Novaya Gazeta, often critical of the Kremlin)
 * Novaya St. Petersburg (St. Petersburg Novaya Gazeta site)
 * Kommersant (Major Russian news daily)
 * Public Post (online news site, had published stories about map of violations and Golos)
 * Slon (Online News site, partnered with Golos to publish ‘map of violations’ after Gazeta backed out)
 * Bolshoi Gorod (St. Petersburg news site)
 * Golos (Website of independent election monitor Golos)
 * Ikso (an outlier, the election commission of Sverdlovsk region)
 * Ridus (online news/citizen journalism site)
 * Zaks (a popular political website in St. Petersburg)
 * Pryaniki (a popular portal in Tula)
 * Map of Violations (Golos crowdsourced election violations map/site)
 * files.kartanarusheniy.ru (sub domain of ‘map of violations’ site)
 * LiveJournal (Major Russian blog platform)
 * Kotlin Forum (not accessible: Yandex search indicates a forum related to Kronshdat)
 * Kotlin (not accessible, Yandex search indicates news and info related to Kronshdat region)
 * GosZakupki (another apparent outlier in the group, a portal for Russian federal and local government tenders)
 * The Other Tver (oppositional Tver news and analysis site)
 * RosAgit (Web site connected to activist and blogger Alexey Navalny, which today is focused on promoting protests across Russia scheduled for December 10).

Botnets are often rented out for a variety of reasons, including spam, click fraud, and credit card theft, as well as DDoS attacks. It could be a coincidence that two botnet controllers were independently rented by a collection of actors to attack these sites during the election, but that coincidence seems highly unlikely. It is much more likely that some one or two actors was trying to take down a broad swatch of the Russian independent media landscape during the critical period of the election. We have see many, many attacks against individual media sources in the past in Russia, but we are not aware of any previous coordinated attacks against this number of sites at the same time.

The Arbor data, of course, says nothing about why these sites were attacked, but one argument put forward by editor-in-chief of Echo of Moscow Alexey Vendediktov (and many others), certainly seems plausible: “The attack on the website on election day is clearly an attempt to inhibit publication of information about violations.” Several, if not most, of these sites invited users to submit information on election violations, especially Golos, their violations map, Slon and Echo of Moscow. The timing of the attacks is also hard to see as coincidental, overlapping closely with the times that polls were open on Election Day. Most of the attacks also ended once the polls were closed. As is usual for these types of attacks, no one has claimed responsibility, even though they seem to clearly serve the interests of the government.

As the Berkman Center noted in its DDoS report last year, for media and NGOs that think they might be subject to a DDoS attack, putting data and information on major social media and Internet sites (like Twitter, Facebook, YouTube, Google, etc.) is a good back up plan, especially for smaller organizations with limited tech staff, since these major hosting sites are far more well prepared to defend against these types of attacks. For example, to our knowledge, the Google doc with over 5000 election violations created by Golos after its site was disabled, was never taken down. Alexei Sidorenko also has other details of how sites like Novaya Gazeta that were better prepared for the attack were able to help host Echo of Moscow blogs, which argues for these groups to support each other and host one another’s content, acting as a sort of ‘mutual aid society,’ which Jonathan Zittrain has written about. Also, we checked with one prominent Russian independent media site that we had worked with during the writing of the DDoS report about whether they had been attacked, and that site responded that they had used Twitter for all of their election coverage, specifically to avoid DDoS attacks. That site’s strategy was successful, as Twitter was either not attacked or withstood any attack during the election.