
Internet Archive Under Assault

Data Breach and DDoS Knock Site Offline

by Max Resing

Internet Archive under DDoS Attack

On October 09, NETSCOUT's ASERT observed a significant deviation in network traffic to archive.org. This corroborates both the public disclosure (1) by independent investigative journalist Brian Krebs that the site had been compromised and defaced (Figure 1) and the claims (2, 3) by the founder and chairman of the Internet Archive that the website was experiencing a barrage of DDoS attacks.

Figure 1: Screenshot from Krebs on Security showing the defacement of archive.org ("Archive.org Down")


NOTE: In the screen capture above, the attackers refer to HIBP, almost certainly the haveibeenpwned.com breach-notification service, which is often among the first to receive leaked user account data after a breach.

DDoS Attack Synopsis

NETSCOUT ASERT observed 24 DDoS attacks against Autonomous System Number (ASN) 7941, the ASN used by the Internet Archive project. The first attack event started on October 09 at 17:02 UTC and continued until 20:23 UTC the same day, at least 3 hours and 20 minutes of active DDoS activity. During the attack campaign, at least three distinct IP addresses used by archive.org received DDoS attack traffic.

The DDoS attacks were mostly composed of two attack vectors: TCP RST floods and HTTPS application-layer attacks. In most cases a TCP RST flood carries spoofed source IPs, yielding no information about the devices launching the attack. In contrast, an HTTPS application-layer attack is a direct-path attack, meaning the devices behind the attacking IP addresses are real hosts on the internet: the attacker must complete a TCP handshake and a TLS session before it can send requests, which is not possible from a spoofed address. Direct-path attacks can come from legitimate devices, but in many cases they are compromised systems making up a botnet.

ASERT identified the top-contributing attack sources to understand commonalities among the attacking devices. We discovered characteristics and shared open ports indicative of Mirai variants. Similarly, many devices of a well-known home entertainment and IoT product were involved. The top-contributing hosts were mostly located in Korea and China, followed by Brazil.

While Mirai variants are well known for their direct-path capabilities, new variants have recently emerged that add packet-spoofing capabilities. With the information at hand, we assess with moderate confidence that a modern Mirai variant incorporating packet-spoofing features was involved in the attack.
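The two preceding paragraphs describe how the vectors were separated (spoofable RST floods versus direct-path HTTPS traffic) and how the direct-path sources were ranked and compared. The following is an added example of that triage over flow records, not ASERT's own tooling. The flow records, the victim address and the open-port inventory are all constructed (RFC 5737 documentation ranges); the page does not say which ports ASERT found in common, so the example uses telnet (23 and 2323), Mirai's historical propagation ports, as its shared-port indicator.

```python
"""Separate spoofable TCP RST floods from direct-path HTTPS attacks in flow data,
then rank the direct-path sources and check how many share an indicator port.

Added example, not NETSCOUT/ASERT code. All flow records, the victim address and
the open-port inventory are constructed (RFC 5737 documentation ranges).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags seen in this record: "S", "SA", "PA", "R"
    packets: int


TARGET = "203.0.113.10"   # constructed victim address (stands in for an archive.org host)

# Constructed one-minute flow window.
FLOWS = [
    # Three real hosts complete a handshake, then hammer HTTPS (direct path).
    Flow("192.0.2.1", TARGET, 443, "S", 1),
    Flow(TARGET, "192.0.2.1", 51001, "SA", 1),
    Flow("192.0.2.1", TARGET, 443, "PA", 9000),
    Flow("192.0.2.2", TARGET, 443, "S", 1),
    Flow(TARGET, "192.0.2.2", 51002, "SA", 1),
    Flow("192.0.2.2", TARGET, 443, "PA", 7500),
    Flow("192.0.2.3", TARGET, 443, "S", 1),
    Flow(TARGET, "192.0.2.3", 51003, "SA", 1),
    Flow("192.0.2.3", TARGET, 443, "PA", 4200),
    # One ordinary visitor: handshake plus a handful of requests.
    Flow("192.0.2.9", TARGET, 443, "S", 1),
    Flow(TARGET, "192.0.2.9", 51009, "SA", 1),
    Flow("192.0.2.9", TARGET, 443, "PA", 12),
    # RST-only records from addresses that never handshook: spoofable, so the
    # source address says nothing about the device that sent them.
    Flow("198.51.100.7", TARGET, 443, "R", 300),
    Flow("198.51.100.8", TARGET, 80, "R", 280),
    Flow("198.51.100.9", TARGET, 443, "R", 310),
]

# Constructed open-port inventory for the direct-path sources, as a scanner or
# passive banner data might report it. Telnet 23/2323 is assumed here as the
# Mirai indicator; the page itself does not name the shared ports.
PORT_INVENTORY = {
    "192.0.2.1": {23, 2323, 80},
    "192.0.2.2": {23, 2323},
    "192.0.2.3": {80, 8080},
}
MIRAI_TELNET_PORTS = {23, 2323}


def classify_vectors(flows, target, app_threshold=1000):
    """Return {vector: {source: packets}} for traffic aimed at `target`.

    A source is a direct-path HTTPS attacker if the target answered its SYN with
    SYN-ACK and it then pushed at least `app_threshold` data packets to 443.
    A source belongs to the RST flood if every record from it carries only RST
    and no handshake ever happened, which is the pattern a spoofer produces.
    """
    synacked = {f.dst for f in flows if f.src == target and f.flags == "SA"}
    by_src = defaultdict(list)
    for f in flows:
        if f.dst == target:
            by_src[f.src].append(f)

    vectors = {"tcp_rst_flood": {}, "https_app_layer": {}}
    for src, recs in by_src.items():
        pkts = sum(r.packets for r in recs)
        flagset = {r.flags for r in recs}
        handshake = "S" in flagset and src in synacked
        app_pkts = sum(r.packets for r in recs if r.dport == 443 and r.flags == "PA")
        if flagset == {"R"} and not handshake:
            vectors["tcp_rst_flood"][src] = pkts
        elif handshake and app_pkts >= app_threshold:
            vectors["https_app_layer"][src] = pkts
    return vectors


def top_sources(sources, n=3):
    """Rank attacking sources by packets; only meaningful for direct-path vectors."""
    return sorted(sources.items(), key=lambda kv: kv[1], reverse=True)[:n]


def shared_port_fraction(ranked, inventory, indicator_ports):
    """Fraction of ranked sources that expose at least one indicator port."""
    hits = sum(1 for src, _ in ranked if inventory.get(src, set()) & indicator_ports)
    return hits / len(ranked) if ranked else 0.0


if __name__ == "__main__":
    v = classify_vectors(FLOWS, TARGET)
    ranked = top_sources(v["https_app_layer"])
    print("RST flood sources (not attributable):", sorted(v["tcp_rst_flood"]))
    print("top direct-path sources:", ranked)
    print("share exposing telnet:", shared_port_fraction(ranked, PORT_INVENTORY, MIRAI_TELNET_PORTS))
```

The low-volume visitor 192.0.2.9 completes a handshake but stays below the threshold and is left unclassified; in a real deployment that threshold is a learned baseline rather than a constant, and the open-port check would be run against the ranked sources only, since scanning the spoofed RST-flood addresses would just interrogate whoever happens to own them.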

Effects on Traffic Volume

Below, we explore the effect of the attack on network traffic to and from the Internet Archive's ASN (AS7941). Normally, the Internet Archive receives relatively little ingress traffic and sends a large volume of egress traffic. Figure 2 (below) clearly illustrates the spike in ingress traffic during the DDoS attacks.
Figure 2: Ingress and egress traffic for AS7941 around the DDoS attacks

The graph above also reveals a significant drop in egress traffic following the DDoS event. The founder and chairman shared on X (3) that the operators of the website had enabled countermeasures and disabled certain features of the site. These measures significantly reduced the egress traffic observed from AS7941 in the aftermath of the DDoS attack.
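The traffic pattern described above (an ingress spike during the floods, then an egress collapse once site features were switched off) is the kind of deviation a baseline check catches. The following is an added example, not NETSCOUT code, that flags both against a pre-attack baseline and measures the lag between them; the per-minute rates are constructed to mimic the shape the page describes, not measured AS7941 data.

```python
"""Flag an ingress spike and the subsequent egress drop against a pre-attack baseline.

Added example; not NETSCOUT code. The per-minute rates below are constructed to
mimic the shape described for AS7941 (little ingress and lots of egress normally,
an ingress spike during the floods, then a sharp egress drop once the operators
disabled site features). Values are in Gbit/s.
"""
from statistics import median

# Constructed 40-minute series, one sample per minute.
INGRESS_GBPS = [0.5] * 20 + [6.0] * 10 + [0.5] * 10
EGRESS_GBPS = [30.0] * 20 + [30.0] * 10 + [8.0] * 10


def find_deviations(series, calibrate=10, spike=4.0, drop=0.5):
    """Return [(minute, kind, ratio)] for samples outside the baseline band.

    The baseline is the median of the first `calibrate` samples, taken before
    anything happens. A rolling median would be dragged upward once more than
    half of its window is attack traffic, so a fixed calibration period is used;
    in production the baseline comes from days of history, not ten minutes.
    """
    if len(series) <= calibrate:
        raise ValueError("series too short to calibrate")
    base = median(series[:calibrate])
    if base <= 0:
        raise ValueError("baseline must be positive")
    events = []
    for minute in range(calibrate, len(series)):
        ratio = series[minute] / base
        if ratio >= spike:
            events.append((minute, "spike", ratio))
        elif ratio <= drop:
            events.append((minute, "drop", ratio))
    return events


def collapse(events):
    """Merge consecutive minutes of the same kind into (kind, start, end, extreme_ratio)."""
    runs = []
    for minute, kind, ratio in events:
        if runs and runs[-1][0] == kind and runs[-1][2] == minute - 1:
            k, start, _, ext = runs[-1]
            ext = max(ext, ratio) if kind == "spike" else min(ext, ratio)
            runs[-1] = (k, start, minute, ext)
        else:
            runs.append((kind, minute, minute, ratio))
    return runs


def egress_drop_lag(ingress_runs, egress_runs):
    """Minutes from the first ingress spike to the first egress drop, or None.

    A drop that begins after the spike is consistent with operator
    countermeasures of the kind the page describes; a drop that precedes the
    spike would need a different explanation.
    """
    spikes = [r for r in ingress_runs if r[0] == "spike"]
    drops = [r for r in egress_runs if r[0] == "drop"]
    if not spikes or not drops:
        return None
    return drops[0][1] - spikes[0][1]


if __name__ == "__main__":
    in_runs = collapse(find_deviations(INGRESS_GBPS))
    out_runs = collapse(find_deviations(EGRESS_GBPS))
    print("ingress:", in_runs)
    print("egress:", out_runs)
    print("egress drop lags ingress spike by", egress_drop_lag(in_runs, out_runs), "min")
```

Ingress and egress are checked independently: a large site's egress can fall for reasons unrelated to an attack (maintenance, a CDN change), so the lag between the two runs is reported rather than assumed.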

Conclusion

Adversaries managed to compromise and deface the website of archive.org and followed up with a DDoS attack that knocked the website offline for multiple hours on October 09. NETSCOUT's visibility not only allowed us to see the initial events but also to characterize the DDoS attacks that followed and made the site unavailable to users for hours. Attacks like these energize adversaries, who often attempt to replicate the feat. It is imperative that organizations secure their networks not just against data breaches but also against DDoS attacks, by investing in an Intelligent DDoS Mitigation System (IDMS).

References

  1. Brian Krebs on LinkedIn, Oct 09: https://www.linkedin.com/posts/bkrebs_not-the-wayback-machine-crap-these-guys-activity-7249889640931889152-nCSM
  2. Brewster Kahle on X, Oct 09: https://x.com/brewster_kahle/status/1844133492453671192
  3. Brewster Kahle on X, Oct 10: https://x.com/brewster_kahle/status/1844183111514603812
  4. The Verge, "The Internet Archive is under attack, with a breach revealing info for 31 million accounts": https://www.theverge.com/2024/10/9/24266419/internet-archive-ddos-attack-pop-up-message