Can we draw solid conclusions from the Liberian DDoS attack?
Share on Facebook
Share on Twitter
Share on Google+
Share on Reddit
Share on Email

February 10, 2016 in Monrovia, Liberia. Photo credit: John Moore/Getty Images Israel

February 10, 2016 in Monrovia, Liberia. Photo credit: John Moore/Getty Images Israel

Motives behind DDoS attacks are a wilderness of mirrors

A Liberian telecom is the latest victim of a massive denial of service (DDoS) attack which again made use of a Mirai-based botnet, dubbed botnet #14, to shut down web traffic.

The attack was detected by IT security researcher Kevin Beaumont, who described it as a series of “continued short duration attacks” that “intermittently” disrupted access nationwide over the past week or so. According to, the impact, and reactions, have been mixed: “Many said they couldn’t distinguish the cyber attacks from the regular ups and downs of Liberia’s notoriously inconsistent internet coverage. Others said it’s been bad.”

Botnet #14 was reportedly just half the strength of the 1,100 Gbps DDoS that downed Twitter and reddit, at 500 Gbps. Though, for a country with as small an internet footprint as Liberia, even intermittent disruptions like that could cost providers a lot of money.

Rather than a new salvo in the IoT cyber arms race, however, the DDoS could have had a more traditional motive, perhaps to bleed a company’s coffers.

Or, to gain practice for a more powerful assault in the future.

The problem is that we just don’t know, and simply won’t know, until the next big disruption. Absent firmer attribution or a list of demands, the only thing that can be said is whoever did it knew they’d be noticed and be credited with another Mirai botnet attack, in a year full of similar headline-grabbing ones.

Who was targeted, and why?

Mirai malware takes advantage of security flaws in internet-connected devices like DVRs and webcams to hijack hundreds of thousands of identical devices, spamming service providers with far too many access requests to handle all at once, causing them to slow or shut down. One could disrupt an entire nation’s web infrastructure.  Though initial reports suggested the volume of the attack was enough to cripple the country’s entire internet infrastructure, the Cable Consortium of Liberia said it has not recorded sustained disruptions on the scale of the attack against Dyn on October 26. This attack appears to have only partially disrupted access, rather than taking the entire nation offline.

Some social media platforms and email services were still affected. But this uncertainty seems to be the result of the DDoS targeting just one web provider that uses Liberia’s sole ACE submarine cable to connect to the world wide web. Liberian web developer Kpetermeni Siakor notes that no network operator, of which there are only four there, would confirm any attacks on it, but at least one of these companies was specifically targeted.

Based on the IP addresses tracked by Beaumont during the attacks, botnet #14 concentrated on Lonestar Cell, the Liberian arm of South African wireless operator MTN, and also MTN’s own IP addresses in South Africa.

(A GSM provider, Novafone, was targeted too, apparently after Lonestar/MTN took the worst of the DDoS. Novafone is now owned by Lonestar, rather than a separate entity, however.)

It is plausible, then, that whoever did this wanted to inflict financial pain. At 500 Gbps, botnet #14 would still rank pretty high on a list of DDoS attacks to date, a challenge for even a big firm in a country with more developed ICT infrastructure. Despite having a mitigation plan in place, as the anonymous Liberian telecom reportedly does, defending against the attacks is expensive.

And, of course, customers would be mightily upset and notice that other providers aren’t experiencing similar troubles. An anonymous telecom employee in Liberia told IDG News just that: “It’s killing our revenue. Our business has been targeted frequently.”

Still, it is unclear why Liberia, where well less than a tenth of the population has internet access, would be targeted at all. Unlike other obliviously political incidents since 2014, there is no ongoing election to disrupt, nor any big social movements or military actions happening that would draw international or domestic outrage.

DDoS-for-hire” is a real industry online, though, with botnets that can be rented for a few dollars to attack specific corporate entities or service providers. These have included Blizzard Entertainment and Minecraft servers, and even just individuals the attackers don’t like.

So attacks like these could easily be carried out by extortionists and disgruntled employees, or even just people who want “practice.”

The misinformation economy

There might not even be any real financial, workplace, or political motivation at the root. Beaumont’s own assessment is that it was a “test.” Attacks like these garner headlines because of how disruptive a lack of access can be to the functioning of a modern society where more and more attention is paid to online content to disseminate information and go about business.

So much information out there is now deliberately manufactured to game the advertising business and social media algorithms. Or, just to advance partisan positions regardless of the truth. A takedown of the sites we’ve come to depend on and trust would only worsen these trends. Ironically, since most Liberians get their news from the radio, or in the public square, the disruptive effect online would be much less than in, say, FranceUkraine or the US.

Last month, Montenegro’s national elections were disrupted by denial of service attacks targeting government portals, news sites, NGOs, and campaign party pages just ahead of their presidential election.

Another tactic that could come into play is an actual breach of these sites to disseminate false information. This would look like the actions taken by the pro-Assad Syrian Electronic Army over the past few years to plant made-up stories on the homepages of major media outlets, so that readers would think these had been reported by credible sources.

As Geektime has previously reported, one of the most likely avenues of attacks for anyone trying to disrupt the 2016 US presidential election will be to target similar such websites here, in order to keep people from easily accessing information about the votes. The Mirai-botnet attack that recently took down Twitter, reddit, and other popular sites showed how this could be done, though it is not clear the attack was organized by any state … or as a dry-run for something even more disruptive next week.

Share on:Share
Share on Facebook
Share on Twitter
Share on Google+
Share on Reddit
Share on Email

More Goodies From Security

4 Network Security Tips Progressive Small Businesses are Implementing

For Retail Startups, Security is Paramount

Russia in talks with US to create cybersecurity working group

  • Easy to stop a botnet attack, IPTABLES with AWK/SED or even Python scripted conditions easily will stop a botnet attack.