I’ve noticed a trend over the past 6 months: DDoS traffic associated with elections. A quick sampling of news will show the following:
- http://www.opendemocracy.net/od-russia/irina-borogan-andrei-soldatov/kremlin-and-hackers-partners-in-crime <-Russia
- http://www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/ <-Hong Kong
- http://www.theregister.co.uk/2011/12/07/korean_election_ddos_row/ <-Korea
- http://www.cbc.ca/news/politics/story/2012/03/27/pol-ndp-voting-disruption-deliberate.html <-Canada (rybolov: yikes!)
- http://www.csoonline.com/article/700523/ddos-attackers-target-russian-election-webcams <-Russia again
Last week it picked up again with the re-inauguration of Vladimir Putin.
And then yesterday, Ustream and their awesome response: which, in the Rybolov-paraphrased version read something like: “We shall go on to the end. We shall fight in France, we shall fight on the Interblagosphere, we shall fight with growing confidence and growing strength in our blocking capabilities, we shall defend our videostreams, whatever the cost may be. We shall fight on the routers, we shall fight on the load balancers, we shall fight in the applications and in the databases, we shall fight by building our own Russian subsite; we shall never surrender!!!!1111” (Ref)
Afghanistan Presidential Elections 2004 photo by rybolov.
So why all this political activity? A couple of reasons that I can point to:
- Elections are a point-in-time. It’s critical for one day. Anything that has a short window of time is a good DDoS target.
- DDoS is easy to do. Especially for the Russians. Some of them already have big botnets they’re using for other things.
- Other DDoS campaigns. Chaotic Actors (Anonymous and their offshoots and factions) have demonstrated that DDoS has at a minimum PR value and at the maximum financial and political value.
- Campaign sites are usually put up very quickly. They don’t have much supporting infrastructure and full/paid/professional staffing.
- Elections are IRL Flash Mobs. Traffic to a campaign site increases slowly at first then exponentially the closer you get to the day of the election. This stresses what infrastructure is in place and design ideas that seemed good at the time but that don’t scale with the increased load.
So is this the future of political campaigns? I definitely think it is. Just like any other type of web traffic, as soon as somebody figures out how to use the technology for their benefit (information sharing => eCommerce => online banking => political fundraising), a generation later somebody else figures out how to deny that benefit.
How to combat election DDoS:
- Have a plan. You know that the site is going to get flooded the week of the election. Prepare accordingly. *ahem* Expect them.
- Tune applications and do caching at the database, application, webserver, load balancer, content delivery network, etc.
- Throw out the dynamic site. On election day, people just want to know a handful of things. Put those on a static version of the site and switch to that. Even if you have to publish by hand every 30 minutes, it’s better than taking a huge outage.
- Manage the non-web traffic. SYN and UDP floods have been around for years and years and still work in some cases. For these attacks, you need lots of bandwidth and something that does blocking: these point to a service provider that offers DDoS protection.
It’s going to be an interesting November.