On February 27, as CNN Philippines prepared to broadcast live a debate between candidates running in the country’s presidential election, its website went dead. It was the second time in a few months that the site had been hit.
Since June 2021, opposition politicians, independent media and fact-checking websites in the Philippines have been consistently hit by brute force cyber attacks known as distributed denial of service or DDoS attacks. CNN, major news network ABS-CBN, Rappler (the company founded by 2021 Nobel Peace Prize winner Maria Ressa) and VERA Files, a fact-checking organization, have all been targeted, along with the website of Vice President Leni Robredo, who is an outspoken critic of current President Rodrigo Duterte.
Over the past 10 months, attacks have increased in frequency and aggression as the country moves towards the May vote. Some of the organizations have faced a constant barrage of DDoS attempts. “It’s like being under siege,” Ellen Tordesillas, president of VERA Files, told Rest of World. “You’re always on the alert.”
DDoS is one of the oldest forms of cyberattacks. Attackers build a network of compromised machines and use them to flood the target’s server with thousands upon thousands of data requests, overloading it and forcing it offline.
“At the beginning, [DDoS] has been used as a tool for social activists,” said Dmitri Vitaliev, director and co-founder of eQualitie, a coalition of cybersecurity experts and developers helping civil society organizations, including VERA Files, defend against cyberattacks. Now, he said, the polarity has reversed. It has become a tool of intimidation and censorship aimed at civil society groups and independent media. “Our customers receive attacks every day. We see two to three significant attacks every week,” he told Rest of World.
More than 20 years have passed since the first documented DDoS attack, when in 1999 a network of 114 computers infected with the Trin00 script was used to take down a computer system at the University of Minnesota, with 4chan discussion boards popularizing its use.
In the US, people using the Anonymous name coordinated attacks that took down websites belonging to neo-Nazis, the Church of Scientology and the billionaire oil tycoons and political donors, the Koch Brothers. Their activities were not always political or salutary – and often selfish – but the targets of their anger were often those who had challenged the collective’s general belief that the internet should be free and uncensored.
In 2009, following the Green Movement protests in Iran, Anonymous attacked Iranian government websites to support the political opposition. Hackers claiming to be connected to the group later hacked government servers and stole thousands of emails. In 2011, in the early days of the Arab Spring, Anonymous led attacks on government websites in Tunisia and Egypt, including the website of President Hosni Mubarak’s political party, the National Democratic Party. Leaderless groups, which formed and quickly disbanded under the name Anonymous, attacked government facilities and services in Zimbabwe, Malaysia, Israel, Nigeria, Myanmar and the Philippines.
In February 2022, after Russia used DDoS attacks to take down the websites of Ukrainian government agencies and banks before invading the country, people rallied again under the name “Anonymous” to target Russia in retaliation.
Anonymous’ crowdsourced, collective approach was made possible by the availability of tools to launch a DDoS attack, such as easily accessible scripts. Meanwhile, the universe of devices that can be infected and enlisted in a botnet to launch such an attack has grown significantly. The Internet of Things has brought hundreds of thousands of new processors in home appliances and commercial systems online, often vulnerable to cyberattacks. For example, a cybercriminal can relatively easily co-opt a smart energy meter in Ukraine to join a botnet targeting a human rights organization in the Philippines.
Today, a 24-hour DDoS attack can be procured for a few hundred dollars, and the economics of attacks have changed so much that supply is driving demand, Vitaliev said. “So we’re seeing the full range of attacks, you know, from script kiddies to nationalists to commercial corporations.”
It has become a constant threat in the Philippines, where large, organized digital groups (some directly linked to the government, others likely working for hire) routinely target opponents of the Duterte regime with cyberattacks and with bots and trolls that spread misinformation. Several of the attacks this year were claimed by the hacking group Pinoy Vendetta.
Pinoy Vendetta, although apparently independent, has received vocal support and encouragement from members of the government’s National Task Force to End Local Communist Armed Conflict, or NTF-ELCAC. The NTF-ELCAC, whose purpose is reminiscent of the McCarthy-era communist purge of the “reds under the bed” in the US, regularly accuses members of the opposition or the media of being communists and terrorists, sometimes with deadly consequences. In August 2021, investigations by the Philippine Ministry of Information and Communications Technology revealed that DDoS attacks on two independent media sites, AlterMidya and Bulatlat, came from IP addresses assigned to the Philippine Army, but the report of the incident was not widely circulated and there was no follow-up.
A forensic analysis of the attacks on Rappler in December 2021, carried out by digital rights organization Qurium, revealed that traffic was primarily coming from nearly 14,000 IP addresses belonging to open proxies – general-use proxy servers that allow a user to disguise their identity – located in the US, China, Germany, Indonesia, Russia and Vietnam. Qurium’s investigation also revealed that Pinoy Vendetta was referring supporters to pay-to-play botnets on its social media accounts.
As the May election approaches, attacks are becoming more frequent and widespread, particularly against the media and politicians who have criticized the Duterte administration’s signature policies: its “anti-Communist” campaign and its brutal “war on drugs,” in which thousands have died in extrajudicial violence.
Distributed Denial of Service Attacks: From Protest Tool to Government Censorship
DDoS is a simple but often very effective way to take a website offline.
- A distributed denial of service, or DDoS attack, disrupts a website or service by overloading its servers with bogus requests.
- The attacker must have access to a massive network of computers that they can use to send the hundreds of thousands of requests they need to disrupt the target’s servers.
- Often, an attacker, or someone who builds a “botnet” for hire, illegally installs malware on computers using simple phishing attacks that trick users into clicking compromised links.
- Botnets are becoming increasingly easy to build due to the proliferation of internet-connected devices—including “Internet of Things” hardware—with weak cybersecurity.
- Free services like virtual private networks also sometimes include software that can be used to build botnets that can be rented or hijacked for DDoS attacks.
- Criminal groups are now offering botnets as a service. Privacy Matters’ Dark Web Price Index puts the cost of an hour-long attack on an unprotected website at $15.
- The attacker instructs their botnet to send thousands of repeated requests to a specific website address. The sheer volume of traffic overwhelms the server, which cannot process the information fast enough.
- DDoS attacks have been used as a form of protest and for financial gain by shutting down websites and demanding a ransom. But they are increasingly being used by governments and political actors to harass and disrupt civil society.
- Civil society and independent media groups from the Philippines, Vietnam, Azerbaijan and Iran have been regularly targeted by DDoS attacks.
Tordesillas didn’t want to speculate who might be targeting their organization. She just said, “Perhaps those who have been hurt by what we have published; maybe they are the ones who have the motivation to disrupt our operations.”
It’s fairly rare for DDoS attacks to shut down independent media sites for any length of time, but that doesn’t mean they aren’t effective. The targets of these attacks speak of a grueling process of ongoing mitigation. It’s not always technically complicated, but it wastes their resources and wears them down, which is probably the point, Joris van Duijne, the executive director of Zamaneh Media, a website and radio station founded by exiled Iranians, told Rest of World. He said that curbing relentless DDoS attacks is just another item in the organization’s budget. It pays a premium for robust web hosting, but at least the costs are predictable.
Van Duijne also said that the steady backbeat of DDoS is accompanied by other attacks, with the blunt-force attacks creating openings for more targeted hacks. For example, behind the DDoS barrage, Zamaneh’s journalists are the target of spear phishing attacks – attempts to hack their email and social media accounts – at least once a month. Social media accounts are spreading hateful rumors, particularly about women journalists, and employees are receiving calls and messages threatening them and their families in Iran.
These more targeted attacks are more difficult to budget for because “you don’t know when they will happen and what the costs will be,” said van Duijne. “Psychology is even more difficult to budget for.”
Amid constant attacks, the emotional cost is perhaps the most widespread and least measurable. “I know this applies to other exile media initiatives I’ve spoken to… sick leave is generally quite high,” said van Duijne. “Burnouts are more common than in other organizations. And that has everything to do with the pressure.”