All 5 Turkish NICs taken down in 40 Gigabit/second DDoS attack

Rayzer Rayzer at riseup.net
Sun Dec 20 09:01:37 PST 2015


I wonder who could be doing this...


*Turkish Internet hit with massive DDoS attack*

By Efe Kerem Sozeri

Last updated Dec 17, 2015, 10:07am

Turkey <http://dailydot.com/tags/turkey> is under massive cyberattack. 

Since Monday morning, the country's official domain name servers have
been under a Distributed Denial of Service (DDoS) attack
<http://turk-internet.com/portal/yazigoster.php?yaziid=51709>. The
attack’s perpetrators are unknown, but it reveals the vulnerabilities of
the country’s Internet infrastructure.

All domain names that end with Turkey’s two-letter country code .tr
<https://en.wikipedia.org/wiki/.tr> must be registered by NIC.tr
<https://www.nic.tr/index.php?USRACTN=STATICHTML&PAGE=about_corpident>,
an administration office in Turkey’s capital of Ankara. Besides its
registration duties, NIC.tr maintains the academic internet backbone for
Turkish universities. It’s also the main service for .tr domain names,
making it a valuable target.

On Monday morning Turkish time, traces of an attack became noticeable.
By noon, NIC.tr’s five nameservers, ns1.nic.tr through ns5.nic.tr,
were completely down <http://daghan.net/tr-alan-adlari-problemi.dgn>
under a 40 Gigabits per second DDoS <http://dailydot.com/tags/ddos> attack.

    @adililhan <https://twitter.com/adililhan> Two of the routes
    hosting nic.tr experienced instability yesterday
    pic.twitter.com/OHk3dF0Bxo <https://t.co/OHk3dF0Bxo>

    — Dyn Research (@DynResearch) December 15, 2015
    <https://twitter.com/DynResearch/status/676782506172162048>

Europe’s regional Internet registry, the RIPE Network Coordination
Centre, serves as a secondary Domain Name System to Nic.tr. RIPE was
also severely affected
<https://www.ripe.net/ripe/mail/archives/dns-wg/2015-December/003184.html>.
As noted
<https://www.ripe.net/ripe/mail/archives/dns-wg/2015-December/003184.html> by its
manager of the Global Information Infrastructure, Romero Zwart, the
attack was “modified to evade” RIPE's mitigation measures. As of this
writing, the attack is still going on at around 40 Gbps, disrupting
working hours
<https://stat.ulakbim.gov.tr/ulaknet/omurga_details.php?name=internet-toplam&type=bps&dev=anauc&place=omurga&details=yes>
in Turkey.

DDoS attacks, which overload servers with requests for information, are
a simple way of disrupting a website for a brief amount of time. The
cost of hiring attacking
<http://www.dailydot.com/business/botnet-rent-stress-test-paid-ddos-attacks/> botnets
<http://dailydot.com/tags/botnets>, huge armies of compromised computers
that can all visit a site at the same time, is getting cheaper, and the
size of attacks is growing each year
<http://www.scmagazine.com/report-shows-42-percent-of-attacks-leveraged-more-than-1-gbps-of-attack-traffic/article/399206/>. In
2013, an average DDoS attack was about 2 Gbps. In 2014, it’s nearly 8 Gbps.

While a 40 Gbps attack still sounds huge, security experts
<http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/>
say that even 400 Gbps attacks, like one recently reported
<https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/>
by DDoS mitigation service Cloudflare, are “the new normal.”

What makes the Turkish attack so damaging is the attackers’
sophisticated choice of target. By focusing on a relatively small group
of IP addresses, the five nameservers of NIC.tr, the attackers managed
to “take down the DNS system of a whole country with a 40 Gbps attack:”

    @ozgit <https://twitter.com/ozgit> It is unacceptable for an entire
    country's domain name system to collapse under a 40 Gbit attack #nictr
    <https://twitter.com/hashtag/nictr?src=hash> @METU_ODTU
    <https://twitter.com/METU_ODTU> #nictr
    <https://twitter.com/hashtag/nictr?src=hash>

    — Mehmet Akcin (@mhmtkcn) December 15, 2015
    <https://twitter.com/mhmtkcn/status/676692198738366464>

As the country’s official domain suffix, .tr domain names are very
popular in Turkey, and many local companies want their businesses
officially recognized for their local audience. There are about 400,000
websites <https://www.nic.tr/index.php?USRACTN=STATISTICS> with
localized Turkish domain names, including 300,000 companies. It's also
used by government institutions, schools, municipalities, Turkish e-mail
servers <https://www.nic.tr/forms/eng/policies.pdf>, and the Turkish
military.

When the attack left NIC.tr’s DNS service non-responding, practically
all .tr domain names became unreachable. Besides the private Turkish
companies, official government businesses, such as vital population
registry queries, remained interrupted for more than a day. Internet
access at university campuses is still down or extremely slow.

On Monday evening, Turkey’s National Response Center for Cyber Events
<https://www.usom.gov.tr/> closed all incoming traffic to NIC.tr from
outside of Turkey, which made 400,000 websites with .tr domain names
unreachable from the rest of the world; all e-mails sent to companies
and organisations with .tr domains bounced back with the “unknown host”
error.

The Response Center changed its policy late Monday night, and NIC.tr has
since been running a selective block policy for a number of suspected
root IP addresses. DNS service for .tr domains was also re-configured
<http://turk-internet.com/portal/yazigoster.php?yaziid=51709> to
distribute the queries among public and private servers, including the
Turkish Internet service providers Superonline and Vodafone.

It’s notoriously difficult to attribute where a cyberattack comes from.
Many Turkish commentators have pointed to Russia
<http://dailydot.com/tags/russia> as the source of the attack. Russia’s
cyber warfare capabilities
<http://cyberwardesk.com/5-russian-weapons-of-war-turkey-should-fear/>
are an established weapon, believed to be used against Estonia in 2007
<https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia>, Georgia in
2008
<https://en.wikipedia.org/wiki/Cyberattacks_during_the_Russo-Georgian_War>,
and Ukraine in 2014
<http://www.csmonitor.com/Commentary/Global-Viewpoint/2014/0312/Russia-s-cyber-weapons-hit-Ukraine-How-to-declare-war-without-declaring-war>.

With Turkey’s recent downing of a Russian jet
<http://www.bbc.com/news/world-middle-east-34912581> near the Syrian border,
and with the ongoing troll wars
<http://www.dailydot.com/politics/russia-turkey-missle-turkey-troll-war-twitter/>
between Erdoğan’s and Putin’s social media campaigners, DDoS botnets
could be the next battleground. Some experts have speculated this is a
response to Turkey’s nationalist cyber teams, who stand accused of
organising a DDoS attack on Russia’s Sputnik news
<http://in.sputniknews.com/russia/20151208/1016691128/sputnik-turkey-ddos-attack.html>.

    It's highly probable that ddos attacks on nic.tr and tr ISPs are
    retaliation to recent @sputnik_TR <https://twitter.com/sputnik_TR>
    ddos attacks

    — Umut Simsek (@umutsimse_k) December 15, 2015
    <https://twitter.com/umutsimse_k/status/676711878136102912>

DDoS attacks are by nature distributed, therefore the identity of the
attackers could never be found out; but the consequences identified the
vulnerabilities of the target very well.

http://www.dailydot.com/politics/turkey-ddos-attack-tk-universities/

-- 
RR

"You might want to ask an expert about that - I just fiddled around
with mine until it worked..."
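The article's two technical points are that all five .tr nameservers sat in a small group of IP addresses, so one 40 Gbps flood covered the whole set, and that the fix was to spread .tr DNS service across additional public and private servers. The following is an added example, not code from the article, the poster, or NIC.tr: a small check a zone operator can run over its own NS set to see how concentrated the authoritative servers are by network prefix. The nameserver names ns1 to ns5.nic.tr come from the article; every IP address below is a constructed RFC 5737 documentation address, and the two extra "ns-isp" names are hypothetical stand-ins for the ISP-hosted servers the article mentions, not their real hostnames.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: the article names ns1..ns5.nic.tr but gives no
# addresses, so documentation-range addresses (192.0.2.0/24 etc.) stand in.
# All five sit in one /24, mirroring "a relatively small group of IP addresses".
BEFORE = {
    "ns1.nic.tr": "192.0.2.10",
    "ns2.nic.tr": "192.0.2.11",
    "ns3.nic.tr": "192.0.2.12",
    "ns4.nic.tr": "192.0.2.20",
    "ns5.nic.tr": "192.0.2.21",
}

# Hypothetical post-reconfiguration set: the original five plus two servers
# hosted in other networks (names and addresses are constructed placeholders
# for the ISP-run servers the article describes).
AFTER = dict(BEFORE, **{
    "ns-isp-a.example.net": "198.51.100.5",
    "ns-isp-b.example.net": "203.0.113.7",
})


def prefix_groups(ns_map, prefix_len=24):
    """Group nameservers by the /prefix_len network their address falls in.

    Returns {ip_network: [nameserver names]}. IPv4 and IPv6 both work, but a
    single prefix length is applied to all entries, so keep the map to one
    address family per call.
    """
    groups = defaultdict(list)
    for name, ip in ns_map.items():
        # strict=False lets a host address be normalised to its enclosing network
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[net].append(name)
    return dict(groups)


def diversity_report(ns_map, prefix_len=24, min_networks=3):
    """Summarise how concentrated an NS set is.

    'concentrated' is True when the servers span fewer than min_networks
    distinct /prefix_len networks; 'largest_share' is the fraction of the NS
    set that a flood against the most populated single prefix would cover.
    """
    if not ns_map:
        raise ValueError("empty nameserver set")
    groups = prefix_groups(ns_map, prefix_len)
    largest = max(len(names) for names in groups.values())
    return {
        "nameservers": len(ns_map),
        "networks": len(groups),
        "largest_share": largest / len(ns_map),
        "concentrated": len(groups) < min_networks,
    }


if __name__ == "__main__":
    for label, ns_map in (("before", BEFORE), ("after", AFTER)):
        report = diversity_report(ns_map)
        print(f"{label}: {report['nameservers']} nameservers in "
              f"{report['networks']} /24 network(s); largest prefix holds "
              f"{report['largest_share']:.0%}; concentrated={report['concentrated']}")
        for net, names in prefix_groups(ns_map).items():
            print(f"  {net}: {', '.join(names)}")
```

On the constructed "before" set every server shares one /24, so the report marks the zone as concentrated with a single prefix covering 100% of the servers; on the "after" set the servers span three networks and the largest prefix covers five of seven. A real run would feed the check with the zone's actual NS records and resolved addresses, and a more thorough version would group by announcing AS as well, since distinct prefixes in one network can still share a single upstream.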


