The PopVote attack aftermath

As the voting period draws to an end on PopVote – the website hosting Hong Kong's unofficial online referendum on political reform – Computerworld Hong Kong talked with its cloud provider CloudFlare and other security vendors to find out the lessons learned from dealing with massive DDoS attacks.

With traffic reaching 300Gbps at the peak of the attack, PopVote experienced a massive DDoS attack last month, which paralyzed the system. Though the scale is larger than the regional average and the largest seen in Hong Kong, according to the site’s organizer, The University of Hong Kong, it is not a scale unheard of.

“On average, DDoS attacks are about 20 Gbps in traffic,” said Sudeep Charles, product marketing manager at Akamai Technologies. “[This attack] was far larger than the ones observed in S.E. Asia.”

“The attack against PopVote was a very large and sophisticated attack,” said Matthew Prince, CEO of CloudFlare. “However, we’ve seen other attacks at similar scale.”

Prince told Computerworld Hong Kong that one of those victims was the European-based spam-fighting group Spamhaus, which experienced a DDoS attack of similar scale in March 2013. At the time, it was considered the largest DDoS attack in history, causing “a widespread congestion and jamming crucial infrastructure around the world,” according to the New York Times.

Source of attack

Although local media have widely reported that mainland companies and organizations launched these attacks through botnets in Hong Kong, security experts noted that this cannot be proven.

“We have no technical evidence that points to the attacker being located in any particular country,” said Prince from CloudFlare.

He added that the botnet traffic in this attack came from nearly every country in the world, with large amounts from Brazil, Indonesia, Turkey, the US and China. The infected machines were running on networks around the world, including in Hong Kong.

“In general, DDoS attacks of this size are launched from global botnets; it is not likely that this attack originated from within Hong Kong,” said Phil Rodrigues, director of security architecture for Asia-Pacific, Middle East and Africa, BT Global Service.

“One cannot really say for certain that one entity is attacking another from a single location or region, without inspecting and analyzing the logs,” added Coden Hau, technical director at Trend Micro.

Unique attack with sophistication

Having seen thousands of large-scale DDoS attacks every week, Prince added that the PopVote attack was a sophisticated one compared with the others.

“What was unique about this attack was the sophistication of the attacker,” he added. “The attacker did not just use a limited number of techniques in the attack but instead tried a number of different strategies.”

Apart from using multiple botnets comprised of hundreds of thousands of infected machines, Prince said the attacker also used DNS reflection—an amplification technique that magnifies the size of an attack—and leveraged other cloud servers, such as those of Amazon Web Services and Softlayer, to launch the attack.

Computerworld Hong Kong on June 24 reached out to Amazon Web Services and UDomain to inquire about their services for PopVote. There had been no response from either company as of press time.