MANILA, Philippines – On October 30, 2023, Rappler was the target of a DDoS (distributed denial of service) attack, a type of cyberattack that aims to bring a website down by flooding it with artificial web traffic.
Swedish group Qurium, a nonprofit that assists media groups worldwide through digital forensics of cyber attacks, aided Rappler in analyzing the attacks, identifying their severity as well as the services that enabled them.
The first flood started at 10:51 am, October 30, lasting one minute, at a rate of 20,000 requests per second, a volume that would take down most websites without necessary protections. After the first volley, six more attacks were launched within the hour, peaking at 250,000 requests per second within a two-minute window, resulting in 26 million requests to the site.
In the months leading up to the 2022 national elections, Rappler and other Philippine news sites also experienced a series of DDoS attacks, some of which reached volumes of millions of requests per second.
More than the attack intensity, Qurium’s report highlighted a more important component of the October 2023 attack on Rappler: proxy service providers are still being utilized by DDoS attackers to carry out their objectives.
The latest attack happened even though Qurium said it had long been in touch with the companies involved to inform them of how their services were being misused, in the hope that the companies would take effective action to mitigate future proxy-provider-aided attacks.
In the Rappler attack, two of these service providers were identified: US-based Rayobyte and Russia-based FineProxy.
What are proxy providers? Similar to VPNs (virtual private networks), these services mask an internet user’s IP address, a general identifier for a user on the world wide web. Commonly, it is used to make one’s connection appear as if it’s originating from another part of the globe, to access geo-restricted content such as those provided by streaming services.
But as Qurium has seen, proxy IPs can also be weaponized and used in a more sinister way: DDoS attacks. In such an attack, thousands of these proxies, each pretending to come from a real human user, are utilized to flood a website with traffic to bring it down. For news sites, it can be mere harassment or it can be a form of censorship.
In Qurium’s findings, at least 10% of the proxy IPs involved in the October 2023 attack on Rappler can be traced to the aforementioned service providers, Rayobyte and FineProxy. In their analysis of the fake traffic flooding Rappler, they found at least five data centers connected to FineProxy and four others connected to Rayobyte.
While the two companies are not the perpetrator or perpetrators of the attack – who remain unidentified – the attackers were able to use their systems and services.
Not the first time
While a single incident may be attributed to a momentary lapse in monitoring, several incidents may point to institutional faults in the company: a lack of will, concern, or ethics to prevent such harmful use of its services.
Qurium reported that it has informed the two companies “several times” about the DDoS operations co-opting and weaponizing their systems, but the non-profit said, “Despite our reports, none of the providers have managed to stop the use of their proxy service to conduct denial of service attacks.”
The non-profit has, in “past years,” tracked “dozens of denial of service attacks sourced from Rayobyte infrastructure.” In the case of FineProxy, it began seeing attacks launched from the service’s infrastructure in 2018.
Aside from the Rappler attack, the most recent incident involving Rayobyte infrastructure was an attack on Somali journalists in August 2023.
FineProxy was first identified in an attack on two media outlets in Azerbaijan, gununsesi.info and azadliq.info, in 2018. Another Azerbaijan news site, timetv.live, was attacked in 2020, again using FineProxy services.
Qurium asking for accountability
One of Qurium’s top goals is to make a dent against DDoS attackers by putting the spotlight on these very visible proxy service providers whose infrastructure is being used for cyberattacks.
Qurium’s technical director, Tord Lundstrom, said that proxy service providers have the ability to see the traffic going in and out of their infrastructure, and as such, the ability, and responsibility to spot patterns of abuse, such as in the case of a DDoS attack.
But despite such an ability, Lundstrom said the DDoS attackers have been able to keep using the services, meaning there is either negligence or inadequate monitoring, or the service providers are turning a blind eye. Whatever the reason is, what matters is that the attacks have continued to use their infrastructure, and the companies in question need to put a stop to these, the director said.
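The pattern-spotting Lundstrom describes comes down to counting requests per second at the provider's edge and checking which source ranges dominate a flood window. The block below is an added example, not code from Qurium, Rappler, or either provider; the traffic sample is constructed, and the provider netblocks are documentation-range placeholders, not real allocations.

```python
"""Rate-based flood detection with attribution to proxy-provider netblocks."""
from collections import Counter
import ipaddress

# Hypothetical netblocks standing in for proxy-provider ranges (placeholders, not real allocations).
PROVIDER_NETBLOCKS = {
    "proxy-provider-A": ipaddress.ip_network("198.51.100.0/24"),
    "proxy-provider-B": ipaddress.ip_network("203.0.113.0/24"),
}


def build_sample_events():
    """Constructed traffic sample: a quiet baseline, then a one-second burst.

    Each event is (unix_second, client_ip). Baseline: 3 requests/s from
    192.0.2.x for 5 seconds. Burst at second 1003: 120 requests from
    provider-A space, 80 from provider-B space, 100 from unrelated addresses.
    """
    events = [(sec, f"192.0.2.{i + 1}") for sec in range(1000, 1005) for i in range(3)]
    events += [(1003, f"198.51.100.{i + 1}") for i in range(120)]
    events += [(1003, f"203.0.113.{i + 1}") for i in range(80)]
    events += [(1003, f"192.0.2.{i + 10}") for i in range(100)]
    return events


def flagged_seconds(events, threshold):
    """Return the seconds whose request count reaches the per-second threshold."""
    per_second = Counter(sec for sec, _ in events)
    return sorted(sec for sec, n in per_second.items() if n >= threshold)


def provider_for(ip):
    """Map a client IP to the provider whose netblock contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in PROVIDER_NETBLOCKS.items():
        if addr in net:
            return name
    return None


def attribution(events, seconds):
    """Share of requests in the flagged seconds per provider ('unattributed' if no match)."""
    window = set(seconds)
    counts = Counter(provider_for(ip) or "unattributed" for sec, ip in events if sec in window)
    total = sum(counts.values())
    return {name: round(n / total, 3) for name, n in counts.items()}


if __name__ == "__main__":
    sample = build_sample_events()
    floods = flagged_seconds(sample, threshold=100)
    print("flood seconds:", floods)
    print("share by provider:", attribution(sample, floods))
```

In production the threshold would be set from the site's normal baseline, and the netblocks would come from the provider's own allocation records, which is exactly the visibility the article says the providers have.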
Qurium and the companies have been engaged in email correspondence in the past, stemming from other incidents, with the former informing them of the attacks coming from IP addresses traced to their infrastructure.
But as evidenced by the latest attack on Rappler, the providers have not managed to stop DDoS attackers from using their services.
In a recent email between Qurium and FineProxy seen by Rappler, the proxy provider did not acknowledge that the traffic traced to their infrastructure was used in a DDoS attack, indicating it could instead be traffic coming from web scraping activities. FineProxy sent Qurium a list of queries, attempting to question Qurium’s findings.
Qurium countered FineProxy’s web scraping defense, saying the number of requests made to the Rappler site is unreasonable.
After Rappler reached out to FineProxy, its CEO Ilya Trusov sent Rappler the same set of queries he had sent to Qurium, once again questioning the findings.
Neil Emeigh, CEO of Rayobyte, a company that markets itself as an “ethical” proxy provider, told Qurium that, like other online platforms such as the cloud services AWS, Google Cloud, or Azure, “we can’t naively assume that [zero] abuse is possible when offering an infrastructure product, which is why we have the tight procedures and compliance steps in place to prevent, mitigate, and address any abusive users.”
Rayobyte also said it had implemented measures such as blacklisting Rappler.com from its data centers to prevent attacks that use its infrastructure, and had removed the user that carried out the DDoS attacks.
Lundstrom expressed skepticism over such a solution, saying that a potential DDoS attacker can merely continue to attempt to run their operations under a different user name on the same platform. Blacklisting only prevents attacks on a specific website, and doesn’t guarantee the stoppage of the proxy provider-assisted DDoS attacks on other websites.
Both Rayobyte and FineProxy have also asked Qurium – which is also a hosting provider with DDoS protections – to provide a list of organizations that they host, so they can ensure that attackers cannot target these again.
Lundstrom dismissed the offer, and implied that it’s merely a ploy so they’ll have less forensics data to work with. “If Qurium’s clients are no longer victims, there will be no more forensics reports revealing their malicious practices,” the director said.
Trusov also offered to reveal the name of their customer that was responsible for the DDoS attacks, on condition that Qurium removes all articles about FineProxy from Qurium’s website. This, Lundstrom said, indicates that FineProxy has knowledge of the entity using their services for DDoS attacks.
Qurium is adamant about shedding light on these proxy providers because, until they take effective measures to stamp out DDoS-as-a-service attackers co-opting their infrastructure, the attacks are likely to continue.
Rappler has reached out to Rayobyte. Rayobyte has acknowledged our inquiries, and this story will be updated once they send their responses. – Rappler.com