DDoS on Internet Archive

The Internet Archive has come back online, in slightly degraded mode, after repelling a 9 October DDoS attack and then succumbing to a raid on users' data.  For several days after the attack, the Archive loaded only the basic placeholder page depicted below.

At the time of writing, the site sometimes loads that page and sometimes loads another that is closer to the Archive's usual busy home page but omits many items.  It is unclear why the site switches between the two (and yes, we cleared caches and used multiple browsers).

DDoS detectives deduce Mirai used to do the deed, using home entertainment boxes in Korea, China, and Brazil

On 13 October the org's digital librarian, Brewster Kahle, advised that the Archive's services were "coming back up when they can, safely. e.g. Email working."  A day later, on the afternoon of 14 October, Kahle proclaimed the Wayback Machine, the service that preserves snapshots of web pages, was "running strong."  But he added: "Still working to bring archive items & other services online safely."[1]

Network visibility outfit Netscout has shared its view of the incident, suggesting the DDoS ran for around three hours and twenty minutes and saw around five gigabits per second of traffic directed towards the site.

[Figure: Netscout analysis of Internet Archive DDoS]

Netscout's analysts watched that traffic target three IP addresses used by the Archive and wrote: "The DDoS attacks were mostly composed of two attack vectors: TCP RST floods and HTTPS application layer attacks."  The org also "discovered characteristics and shared open ports indicative of Mirai variants."  Readers may recall that Mirai is malware that subverts Linux-based embedded devices and herds them into a botnet.  Netscout asserted, with moderate confidence, that the attack came from "a modern Mirai variant … which incorporates packet-spoofing features."  That detail matters for defenders: when source addresses are spoofed, the per-source counts in a RST flood say little about where the bots actually are, whereas an HTTPS application-layer attack has to complete a TLS handshake and therefore exposes a real endpoint.  For what it's worth, Akamai also recently spotted new Mirai variants.

Netscout also reckons much of the DDoS traffic involved "a well-known home entertainment and IoT product."  Most of the hosts spewing traffic at the Archive were devices "in Korea and China, followed by Brazil."  No actor has been named as driving the DDoS.
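The two vectors Netscout names are visible at the flow level, and a first-pass detector for them is short enough to show here. The following is an added example, not Netscout's analysis code or anything the Archive runs: it builds a constructed one-second-bucketed flow capture (the addresses are documentation ranges, not real bots or Archive hosts) and flags a destination that receives a burst of RST segments, or a burst of distinct clients pushing data to port 443. Both thresholds are assumptions that must be tuned against a site's own baseline.

```python
"""Flow-level heuristics for TCP RST floods and HTTPS application-layer floods.

Added example.  The records below are constructed, not Internet Archive or
Netscout telemetry, and every threshold is an assumption to tune against your
own normal traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    second: int    # one-second bucket relative to the start of the capture
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters as tcpdump prints them: S, SA, PA, R, RA, F
    packets: int


# Assumed thresholds (per destination, per second).
RST_PPS_THRESHOLD = 500        # RST / RST-ACK segments per second
HTTPS_SESSION_THRESHOLD = 150  # distinct clients pushing data to :443 per second


def build_sample_flows():
    """Constructed capture: a quiet second, an RST flood, then an HTTPS L7 flood."""
    flows = [
        Flow(0, "203.0.113.10", "198.51.100.1", 443, "PA", 4),
        Flow(0, "203.0.113.11", "198.51.100.1", 443, "PA", 3),
        Flow(0, "203.0.113.12", "198.51.100.2", 443, "RA", 1),  # one legitimate reset
    ]
    # Second 1: 30 claimed sources each sending 40 RST segments at target 1.
    # A spoofing bot can fabricate these addresses, so they are not a bot list.
    flows += [Flow(1, f"192.0.2.{i}", "198.51.100.1", 443, "R", 40)
              for i in range(1, 31)]
    # Second 2: 200 distinct clients each completing a short HTTPS exchange with
    # target 2.  Pushing data over TLS requires a finished handshake, so these
    # addresses are real endpoints (or proxies), unlike the RST sources above.
    flows += [Flow(2, f"198.18.{i // 256}.{i % 256}", "198.51.100.2", 443, "PA", 2)
              for i in range(1, 201)]
    return flows


def detect(flows):
    """Return alerts, oldest first, for RST floods and HTTPS session floods."""
    rst = defaultdict(lambda: [0, set()])  # (dst, second) -> [rst packets, claimed sources]
    https = defaultdict(set)                # (dst, second) -> clients with PSH/ACK to :443
    for f in flows:
        key = (f.dst, f.second)
        if "R" in f.flags:
            rst[key][0] += f.packets
            rst[key][1].add(f.src)
        elif f.dport == 443 and "P" in f.flags:
            https[key].add(f.src)

    alerts = []
    for (dst, sec), (pkts, srcs) in rst.items():
        if pkts >= RST_PPS_THRESHOLD:
            # "sources" is reported for context only; with spoofing it is meaningless.
            alerts.append({"kind": "rst_flood", "dst": dst, "second": sec,
                           "packets": pkts, "sources": len(srcs)})
    for (dst, sec), srcs in https.items():
        if len(srcs) >= HTTPS_SESSION_THRESHOLD:
            alerts.append({"kind": "https_l7_flood", "dst": dst, "second": sec,
                           "sources": len(srcs)})
    return sorted(alerts, key=lambda a: (a["second"], a["dst"]))


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(alert)
```

The split between the two alert kinds is deliberate: a RST flood can be shed at a stateful edge that drops resets not matching a tracked connection, whereas an HTTPS application-layer flood arrives inside valid TLS sessions and has to be rate-limited or challenged per client at the TLS or HTTP layer.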

Kahle and the Archive have not yet detailed the incident, or any steps taken to harden the site against future attacks.  Fair enough; they have been busy getting back online.  But the 31 million users whose data leaked, and the millions more who use the Archive, will likely be keen to know more before too much time passes.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.theregister.com/2024/10/16/internet_archive_recovery/
