Technical details on how PF tried to take down the Watchdog

PF government agents last Wednesday carried out their most ambitious attack on the Zambian Watchdog website with a view to destroying it.

“The site has been attacked using denial of service and no personal information has been compromised”
The attackers have used Optima/Darkness DDoS botnet that is popular in the Russian-speaking cybercrime black market.

The attack made the site's news inaccessible for close to 8 hours.

Other websites like http://www.tumfweko.com were also brought down that day.

[Graph: distribution of the PF zombies sent to attack the Watchdog]

The international company which hosts the Watchdog and other news websites targeted by rogue and barbaric regimes like the PF of Zambia gave us the following details on the attack:

We can now confirm to you some information about the attack. The attack started Wed May 9 01:18:50 CEST 2012 with a User Datagram Protocol (UDP) flooding that reached 5 Gbps and 800,000 packets per second.
Approximately 5000 computers were used in the UDP flooding. The attack used a technique known as “DNS amplification”.

We started to work on the case at 1:25 AM and managed to mitigate a large part of the attack at 5:30 AM. Once the first part of the attack was mitigated we identified another botnet performing full HTTP connections to your site.

The attack also includes not less than 200 bots/zombies that are performing HTTP queries. We have geolocated the attack of the zombies to Vietnam and Ukraine, although there are also small parts in Kazakhstan, Russia, and Latvia.

Once this botnet was identified and mitigated, we discovered a third botnet that was using another infrastructure in Iceland. We have identified not less than 127 servers with bogus queries from that network.

This has been the most complex attack that we have seen in recent months in size and complexity.
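The hosting company's account describes two distinct traffic patterns: a DNS-amplification UDP flood (large, unsolicited DNS answers arriving from UDP port 53 of many resolvers) followed by a smaller botnet opening full HTTP connections. The following is an added example, not code from the article or the hosting company, showing how a defender would separate the two from flow records; the flow tuples, IP addresses and thresholds are all constructed sample values.

```python
from collections import defaultdict

# Constructed sample flow records (src_ip, proto, src_port, dst_port, packets, bytes):
# one record per UDP stream or TCP connection, captured over a 60-second window.
SAMPLE_FLOWS = (
    [("198.51.100.%d" % i, "udp", 53, 41234, 60_000, 240_000_000) for i in range(1, 41)]  # 40 abused open resolvers
    + [("203.0.113.9", "udp", 53, 41234, 2, 240)]                                         # one legitimate DNS answer
    + [("192.0.2.21", "tcp", 40000 + i, 80, 12, 900) for i in range(600)]                 # HTTP-flood bot, 600 connections
    + [("192.0.2.22", "tcp", 40000 + i, 80, 12, 900) for i in range(550)]                 # second HTTP-flood bot
    + [("192.0.2.55", "tcp", 51000 + i, 80, 30, 4_000) for i in range(3)]                 # an ordinary visitor
)

def detect_ddos_sources(flows, window_s=60, amp_min_bytes_per_pkt=512, amp_min_pps=100, http_min_conns=200):
    """Return aggregate UDP rates plus the sources matching each attack pattern.

    A DNS amplifier is a source sending from UDP/53 at a sustained packet rate
    with large average packets (amplified answers); an HTTP-flood bot is a source
    that opened an unusual number of TCP connections to port 80 in the window.
    """
    udp_pkts = udp_bytes = 0
    dns_pkts, dns_bytes, http_conns = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, proto, sport, dport, pkts, nbytes in flows:
        if proto == "udp":
            udp_pkts += pkts
            udp_bytes += nbytes
            if sport == 53:  # unsolicited DNS answers are the amplification vector
                dns_pkts[src] += pkts
                dns_bytes[src] += nbytes
        elif proto == "tcp" and dport == 80:
            http_conns[src] += 1  # each TCP record is one full connection
    amplifiers = sorted(src for src, p in dns_pkts.items()
                        if p / window_s >= amp_min_pps and dns_bytes[src] / p >= amp_min_bytes_per_pkt)
    http_bots = sorted(src for src, n in http_conns.items() if n >= http_min_conns)
    return {
        "udp_pps": udp_pkts / window_s,                 # packets per second across the window
        "udp_gbps": udp_bytes * 8 / window_s / 1e9,     # bits per second, in Gbps
        "dns_amplifiers": amplifiers,
        "http_flood_bots": http_bots,
    }

if __name__ == "__main__":
    print(detect_ddos_sources(SAMPLE_FLOWS))
```

The amplifier list is what you would feed to an upstream ACL or rate limit, while the HTTP-bot list is better handled at the web tier, since those are complete TCP sessions that a UDP filter never sees.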
