<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I wonder who could be doing this...<br>
<br>
<br>
<b>Turkish Internet hit with massive DDoS attack</b><br>
<br>
By Efe Kerem Sozeri<br>
<br>
<i>Last updated Dec 17, 2015, 10:07am </i><br>
<p><a href="http://dailydot.com/tags/turkey" target="_self">Turkey</a> is
under massive cyberattack. </p>
<p>Since Monday morning, the country's official domain name servers
have been under a <a
href="http://turk-internet.com/portal/yazigoster.php?yaziid=51709"
target="_blank">Distributed Denial of Service (DDoS) attack</a>.
The attack’s perpetrators are unknown, but it reveals the
vulnerabilities of the country’s Internet infrastructure.</p>
<p>All domain names that end with Turkey’s two-letter country code <a
href="https://en.wikipedia.org/wiki/.tr" target="_blank">.tr</a>
must be registered by <a
href="https://www.nic.tr/index.php?USRACTN=STATICHTML&PAGE=about_corpident"
target="_blank">NIC.tr</a>, an administration office in Turkey’s
capital of Ankara. Besides its registration duties, NIC.tr
maintains the academic internet backbone for Turkish universities.
It’s also the main service for .tr domain names, making it a
valuable target.</p>
<p>On Monday morning Turkish time, traces of an attack became
noticeable. By noon, NIC.tr’s five nameservers, ns1.nic.tr through
ns5.nic.tr, were<a
href="http://daghan.net/tr-alan-adlari-problemi.dgn"
target="_blank"> completely down</a> under a 40 Gigabits per
second <a href="http://dailydot.com/tags/ddos" target="_self">DDoS</a>
attack.</p>
<div class="ddgce-embed ddgce-embedded-oembed"
data-value="eyJ1cmkiOiJodHRwczovL3R3aXR0ZXIuY29tL0R5blJlc2VhcmNoL3N0YXR1cy82NzY3ODI1MDYxNzIxNjIwNDgiLCJ0eXBlIjoib2VtYmVkIn0."
contenteditable="false">
<div>
<blockquote class="twitter-tweet">
<p dir="ltr" lang="en">.<a
href="https://twitter.com/adililhan">@adililhan</a> Two of
the routes hosting nic.tr experienced instability yesterday
<a href="https://t.co/OHk3dF0Bxo">pic.twitter.com/OHk3dF0Bxo</a></p>
— Dyn Research (@DynResearch) <a
href="https://twitter.com/DynResearch/status/676782506172162048">December
15, 2015</a></blockquote>
</div>
</div>
<p>Europe’s regional Internet registry, the RIPE Network
Coordination Centre, serves as a secondary Domain Name System to
Nic.tr. RIPE was also <a
href="https://www.ripe.net/ripe/mail/archives/dns-wg/2015-December/003184.html"
target="_blank">severely affected</a>. As <a
href="https://www.ripe.net/ripe/mail/archives/dns-wg/2015-December/003184.html"
target="_blank">noted</a> by its manager of the Global
Information Infrastructure, Romero Zwart, the attack was “modified
to evade” RIPE's mitigation measures. As of this writing, the
attack is still going on at around 40 Gbps, <a
href="https://stat.ulakbim.gov.tr/ulaknet/omurga_details.php?name=internet-toplam&type=bps&dev=anauc&place=omurga&details=yes"
target="_blank">disrupting working hours</a> in Turkey.</p>
<p>DDoS attacks, which overload servers with requests for
information, are a simple way of disrupting a website for a brief
amount of time. The cost of <a
href="http://www.dailydot.com/business/botnet-rent-stress-test-paid-ddos-attacks/"
target="_self">hiring attacking</a> <a
href="http://dailydot.com/tags/botnets">botnets</a>, huge armies
of compromised computers that can all visit a site at the same
time, is getting cheaper, and the size of attacks is growing <a
href="http://www.scmagazine.com/report-shows-42-percent-of-attacks-leveraged-more-than-1-gbps-of-attack-traffic/article/399206/"
target="_blank">each year</a>. In 2013, an average DDoS attack
was about 2 Gbps. In 2014, it’s nearly 8 Gbps.</p>
<p>While a 40 Gbps attack still sounds huge, <a
href="http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/"
target="_blank">security experts</a> say that even 400 Gbps
attacks, like one recently <a
href="https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/"
target="_blank">reported</a> by DDoS mitigation service
Cloudflare, are “the new normal.”</p>
<p>What makes the Turkish attack so damaging is the attackers’
sophisticated choice of target. By focusing on a relatively small
group of IP addresses, the five nameservers of NIC.tr, the
attackers managed to “take down the DNS system of a whole country
with a 40 Gbps attack:”</p>
<div class="ddgce-embed ddgce-embedded-oembed"
data-value="eyJ1cmkiOiJodHRwczovL3R3aXR0ZXIuY29tL21obXRrY24vc3RhdHVzLzY3NjY5MjE5ODczODM2NjQ2NCIsInR5cGUiOiJvZW1iZWQifQ.."
contenteditable="false">
<div>
<blockquote class="twitter-tweet">
<p dir="ltr" lang="tr"><a href="https://twitter.com/ozgit">@ozgit</a>
40GBitlik saldirida butun bir ulkenin alan adlari sisteminin
cokmesi kabul edilemez <a
href="https://twitter.com/hashtag/nictr?src=hash">#nictr</a>
<a href="https://twitter.com/METU_ODTU">@METU_ODTU</a> <a
href="https://twitter.com/hashtag/nictr?src=hash">#nictr</a></p>
— Mehmet Akcin (@mhmtkcn) <a
href="https://twitter.com/mhmtkcn/status/676692198738366464">December
15, 2015</a></blockquote>
</div>
</div>
<p>As the country’s official domain suffix, .tr domain names are
very popular in Turkey, and many local companies want their
businesses officially recognized for their local audience. There
are about <a
href="https://www.nic.tr/index.php?USRACTN=STATISTICS"
target="_blank">400,000 websites</a> with localized Turkish
domain names, including 300,000 companies. It's also used by
government institutions, schools, municipalities, Turkish <a
href="https://www.nic.tr/forms/eng/policies.pdf" target="_blank">e-mail
servers</a>, and the Turkish military.</p>
<p>When the attack left NIC.tr’s DNS service non-responding,
practically all .tr domain names became unreachable. Besides the
private Turkish companies, official government businesses such as
vital population registry queries, remained interrupted for more
than a day. Internet access at university campuses are still down
or extremely slow.</p>
<p>On Monday evening, Turkey’s<a href="https://www.usom.gov.tr/"
target="_blank"> National Response Center for Cyber Events</a>
closed all incoming traffic to NIC.tr from outside of Turkey,
which made 400,000 websites with .tr domain names unreachable from
the rest of the world, all e-mails sent to companies and
organisations with .tr domains bounced back with the “unknown
host” error.</p>
<p>Response Center changed its policy late Monday night, and NIC.tr
has since been running a selective block policy for a number of
suspected root IP addresses. DNS service for .tr domains were also
<a
href="http://turk-internet.com/portal/yazigoster.php?yaziid=51709"
target="_blank">re-configured</a> to distribute the queries
among public and private servers, including a Turkish Internet
service providers Superonline and Vodafone.</p>
<p>It’s notoriously difficult to attribute where a cyberattack comes
from. Many Turkish commentators have pointed to <a
href="http://dailydot.com/tags/russia" target="_self">Russia</a>
as the source of the attack. Russia’s <a
href="http://cyberwardesk.com/5-russian-weapons-of-war-turkey-should-fear/"
target="_blank">cyber warfare capabilities</a> are an
established weapon, believed to be used against <a
href="https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia"
target="_blank">Estonia in 2007</a>, <a
href="https://en.wikipedia.org/wiki/Cyberattacks_during_the_Russo-Georgian_War"
target="_blank">Georgia in 2008</a>, and <a
href="http://www.csmonitor.com/Commentary/Global-Viewpoint/2014/0312/Russia-s-cyber-weapons-hit-Ukraine-How-to-declare-war-without-declaring-war"
target="_blank">Ukraine in 2014</a>.</p>
<p>With Turkey’s recent <a
href="http://www.bbc.com/news/world-middle-east-34912581"
target="_blank">downing of a Russian jet</a> near Syrian border,
and with the ongoing<a
href="http://www.dailydot.com/politics/russia-turkey-missle-turkey-troll-war-twitter/"
target="_self"> troll wars</a> between Erdoğan’s and Putin’s
social media campaigners, DDoS botnets could be the next
battleground. Some experts have speculated this is a response to
Turkey’s nationalist cyber teams, who stand accused of organising
a<a
href="http://in.sputniknews.com/russia/20151208/1016691128/sputnik-turkey-ddos-attack.html"
target="_blank"> DDoS attack on Russia’s Sputnik news</a>.</p>
<div class="ddgce-embed ddgce-embedded-oembed"
data-value="eyJ1cmkiOiJodHRwczovL3R3aXR0ZXIuY29tL3VtdXRzaW1zZV9rL3N0YXR1cy82NzY3MTE4NzgxMzYxMDI5MTIiLCJ0eXBlIjoib2VtYmVkIn0."
contenteditable="false">
<div>
<blockquote class="twitter-tweet">
<p dir="ltr" lang="en">It's highly probable that ddos attacks
on nic.tr and tr ISPs are retaliation to recent <a
href="https://twitter.com/sputnik_TR">@sputnik_TR</a> ddos
attacks</p>
— Umut Simsek (@umutsimse_k) <a
href="https://twitter.com/umutsimse_k/status/676711878136102912">December
15, 2015</a></blockquote>
</div>
</div>
DDoS attacks are by nature distributed, therefore the identity of
the attackers could never be found out; but the consequences
identified the vulnerabilities of the target very well.<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.dailydot.com/politics/turkey-ddos-attack-tk-universities/">http://www.dailydot.com/politics/turkey-ddos-attack-tk-universities/</a><br>
<pre class="moz-signature" cols="72">--
RR
"You might want to ask an expert about that - I just fiddled around
with mine until it worked..."</pre>
</body>
</html>