Ríodoce attack shows need for denial-of-service defenses

A founder of Mexican news weekly Ríodoce, Javier Valdez Cárdenas, traveled to New York in November to receive CPJ’s International Press Freedom Award at our annual benefit dinner. No sooner had he returned to Mexico than Ríodoce’s website was thrown offline by a denial of service (DOS) attack, in which multiple computers are used to flood a webserver with fake requests, slowing down the site so that it cannot serve legitimate requests.

Ríodoce is one of the few publications in the Mexican state of Sinaloa that covers in depth the narcotraffickers who operate in the region, including the powerful Zetas cartel. Its staff lives with the consequences every day. In 2009, a hand grenade was thrown at the magazine’s offices. This, however, was the first successful online attack on the publication. It’s simple to assume that the attempted silencing of Ríodoce online was related to its drug war coverage, but the perpetrators left confusing clues as to their identity. These included a reference to Anonymous, the collective identity adopted by a wide range of Internet activists.

Like many independent media online, Ríodoce relied on a standard webhosting agreement to host its content, in this case with the U.S. company DreamHost. The attack on Ríodoce used enough resources to affect other websites at DreamHost, and eventually the company shut down the news site completely to protect its other customers. Ríodoce has since switched to another provider. The attack began on November 25 and prevented access to the news site for six days.

“We can’t accuse anyone [for the attack], because everyone is a suspect… but we are sure that it was a result of our reporting,” Valdez told CPJ. “We have another server now and we are thinking of getting our own server. We are protecting ourselves against another one of these kinds of attacks because we are expecting there will be more.”

Ríodoce’s attackers appear to have hidden their tracks by using Ultrasurf, an anonymizing service originally designed to allow users to circumvent China’s censorship. They did leave a message for Ríodoce, however. Many of the page requests had embedded the following text:

L3G10N=NOMASMENSAJESDEZETASENLOSMEDIOS!!SomosLegion!!

or “No more messages from the Zetas in the media! We are Legion!”

As Ríodoce noted in its own piece on the matter, the message includes the language of Anonymous, whose activists use the slogan “we are legion” in their announcements. The group has been associated with proclamations against the cartels, as well as rumors that some members intended to release private documents on the drug gangs (although some observers remain skeptical of the accuracy of those threats). Since the terminology and the name “Anonymous” could be adopted by anyone, the use of their slogan in an attack does not indicate a great deal.

Nor is a large conspiracy or gang of super-hackers needed to explain how Ríodoce was taken offline. The attack was small, relative to many denial-of-service attacks. Webserver logs reviewed by CPJ indicate that possibly fewer than 30 computers were used to take the website down. For a website using unfortified software on a shared host such as DreamHost provides, a few machines are all that are needed to force the website offline.
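The kind of log review described above can be reproduced with a short script. This is an added example, not CPJ's or Ríodoce's own analysis: it counts how many distinct client addresses sent requests carrying the quoted marker. It assumes Apache/nginx combined log format; the log lines, addresses and timestamps are constructed, and because the article does not say which request field held the text, it searches the request line, referer and user agent.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Marker quoted in the article; compared case-insensitively after URL-decoding.
MARKER = "L3G10N=NOMASMENSAJESDEZETASENLOSMEDIOS"

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

def summarize(lines, marker=MARKER):
    """Return (tagged requests per client IP, parsed line count, unparsed count)."""
    per_ip, total, unparsed = Counter(), 0, 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep a count so malformed lines are not silently lost
            continue
        total += 1
        # Decode percent-encoding so an encoded "=" or "!" does not hide the marker.
        fields = " ".join(unquote(m.group(k) or "") for k in ("req", "ref", "ua"))
        if marker.lower() in fields.lower():
            per_ip[m.group("ip")] += 1
    return per_ip, total, unparsed

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /?L3G10N=NOMASMENSAJESDEZETASENLOSMEDIOS!!SomosLegion!! HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /index.php?L3G10N%3DNOMASMENSAJESDEZETASENLOSMEDIOS%21%21SomosLegion%21%21 HTTP/1.1" 503 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2000:10:00:02 +0000] "GET /?l3g10n=nomasmensajesdezetasenlosmedios HTTP/1.1" 503 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:10:00:03 +0000] "GET /noticias HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    'garbage line',
]

if __name__ == "__main__":
    per_ip, total, unparsed = summarize(SAMPLE)
    print(f"{len(per_ip)} distinct clients sent tagged requests "
          f"({sum(per_ip.values())} of {total} parsed lines, {unparsed} unparsed)")
    for ip, n in per_ip.most_common():
        print(f"{n:6d}  {ip}")
```

When traffic arrives through an anonymizing proxy, the addresses counted are the proxy's exit points, so the figure is an upper bound on visible sources rather than a count of the people involved.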

Such an attack could easily have been organized by a small group of hacktivists who misinterpreted Ríodoce’s coverage of the Zetas as support. It could have been launched by another cartel attracted by the rebellious imagery of Anonymous. Or it could be one online prankster with a PC.

Taking down the site of an independent news service with a limited Internet budget does not require the financing or organizational capabilities of a powerful group. It could be conducted by a single, technically knowledgeable person with a grudge. Such attacks are no less damaging to free speech than if they were conducted by large conspiracies. Journalists make enemies – especially if, like Ríodoce, they are doing their jobs well – and such enemies will be happy to break the law to silence a critic. Technologists, news site software designers, and hosting services need to have a defense prepared for such attacks.