When exiled Russian news website Meduza was hit with a flood of internet traffic in mid-April, it set off alarm bells among the staff as the deluge blocked publishing for more than four hours and briefly rendered the site inaccessible for some readers. It was the largest distributed denial of service attack (DDoS) attack in Meduza’s 10-year history.
“We were trying to spin up solutions…everything to continue to write news,” Pavel Manylov, the site’s lead software engineer, told CPJ. “Our colleagues said the website was giving an error message and the content management system was not working properly. It was because of the enormous traffic, something new for us.”
The scale wasn’t the only notable thing about the attack. In their cyber assault, the attackers deployed a suite of online tools increasingly used to target media sites around the world, while keeping the perpetrators’ identities secret.
To source and direct online traffic en masse, attackers often use a combination of these tools, including:
- Proxy providers offering access to IP addresses, which are unique numbers assigned to internet-connected devices;
- Other marketplaces where IP addresses are leased or re-sold; and,
- Data centers that host and route online traffic.
Experts told CPJ that such tools, offered openly by for-profit companies, can make cyberattacks particularly difficult to defend against. Their use appears to be part of an emerging censorship strategy that poses a serious transnational threat to press freedom and access to information.
“[Outlets] that try to do some hard-hitting independent journalism, but may not have the resources to defend themselves, are at great risk of being blotted out by a DDoS,” Doug Madory, director of internet analysis at the global network monitoring company Kentik, told CPJ.
Proxy service attacks: ‘You really need to think fast’
Amy Brouillette, advocacy director at the International Press Institute (IPI), a global press freedom group based in Vienna, told CPJ that she initially thought the group’s website was broken when a DDoS attack knocked it offline for three days in early September 2023. The timing was eerie: the group had recently published a report about similar cyberattacks targeting over 40 Hungarian news sites.
The attacker targeting IPI used the services of proxy providers, which aren’t by definition malicious; their services are used for online research, security, and privacy protection. But they have also been abused. In March, French telecom company Orange warned that proxy providers are part of a “financially motivated cybercrime ecosystem.”
“You really need to think fast,” KontraBit Development’s Žarko Jović, who IPI hired to defend its site, told CPJ. He described watching the attackers intensify their assault in response to his efforts to identify and block the malicious traffic: “When the attackers see that you are comfortable with protecting yourself…they start using proxy networks.”
Qurium, a Sweden-based non-profit that hosts websites of independent media and human rights groups, found that the attack on IPI, as well as several Hungarian news sites, “weaponized” services of a proxy provider called White Proxies, also known as White Solutions.
In the Meduza attack, Qurium also identified the use of at least two proxy providers: Vietnam-based MIN Proxy and Hong Kong-based RapidSeedBox.
Qurium does not host IPI or Meduza, but collaborated with them to investigate the attacks.
CPJ emailed White Proxies questions about the use of its services in DDoS attacks, but received no response.
“[W]e immediately notified the client who was using our IP ranges…[and] worked with them mutually to immediately block the actual client who rented the IPs from which the attacks came,” RapidSeedBox product manager Yuri Meshalkin told CPJ by email, explaining the company’s reaction upon learning of the attack on Meduza, but declined to disclose any client information. “We have both automated and manual systems in place to monitor illicit activity, including DDoS attacks,” Meshalkin said, adding, “We do not intend to work with clients who abuse our IPs in attacks.”
CPJ sent emails to addresses listed on MIN Proxy’s websites but received error messages in reply. Questions sent via messaging app to a number listed on a Facebook page for the company were not answered directly; instead, the respondent accused CPJ of “planning to scam” them.
Other media sites have been similarly targeted: In October 2023, attackers used services of two proxy providers – U.S.-based RayoByte and FineProxy, founded in Russia – to flood Philippines news site Rappler, which is headed by Nobel laureate and CPJ board member Maria Ressa. CPJ previously reported that RayoByte’s services were used in DDoS attacks on at least six other media sites around the world.
RayoByte and its parent company Sprious confirmed receipt of CPJ’s emailed questions about the attack on Rappler, but did not respond further. In previous responses to questions about its services’ use in earlier DDoS attacks, RayoByte told CPJ it had “removed the abusive user” and opposed online harassment, including cyberattacks. FineProxy did not respond to CPJ’s emailed questions about its services being implicated in attacks on Rappler and websites reporting on Azerbaijan.
Qurium said both companies responded to abuse reports by blacklisting the victimized websites, and “refusing to help identifying the customer behind the DDoS.”
“Proxy services are known for being vectors of DDoS attacks,” Madory told CPJ. “If you can large-scale anonymize many, many internet connections, there’s a lot of bad things you can do.”
Why it’s hard to flight proxy-enabled DDoS attacks
Experts told CPJ that standard strategies for defending against DDoS attacks involve analyzing incoming traffic to see which IPs are overwhelming the site, where they are coming from, and determining how to block them most efficiently without blocking legitimate site visitors.
“There’s a little bit of a science to that, rapidly figuring out that you’re getting overwhelmed with a particular type of traffic,” Madory said. “You may be able to define it by its source.”
That’s what Manylov did in response to the April attack on Meduza. “It’s cat and mouse,” he told CPJ, recalling how he briefly blocked all IPs from China, Japan, Brazil, and the U.S. at certain points during the attack. But this sorting process was made more difficult because the attackers used “residential proxies,” which give the appearance of standard traffic from real visitors.
“They’re addresses of real people or connected to real people,” Manylov said. “I wouldn’t say that residential proxies by themselves are a bad thing, but this kind of usage is, well, it’s obviously not good…they’re more threatening than the basic DDoS.”
Orange, the French telecom company, said that residential proxies are “an integral part of many malicious operations,” including DDoS. Microsoft has similarly identified them as a problem, noting in January that a “Russian-state sponsored actor” targeting its systems sought to hide using “residential proxy networks, routing their traffic through a vast number of IP addresses that are also used by legitimate users.” Residential proxies also played a role in cybercrime activities disrupted by an international law enforcement operation led by the U.S. Justice Department in late May.
Proxy providers often offer customers access to residential proxies that can be exchanged quickly for new ones, which creates variation in the traffic and reduces the likelihood they will be flagged and blocked. This “rotating” option can make defending websites from DDoS attacks even more complicated.
“The bad actor can go and get a whole bunch of new IP addresses to use to attack you,” Madory said of access to rotating proxies. “If you had profiled [the attack] based on the source IP address before, that information is of no use in the next attack.”
Malicious IPs can be more difficult to identify and block when they change locations every few months, as was the case with traffic used in attacks against various outlets in August and September, Qurium technical director Tord Lundström told CPJ. Defending websites from traffic that has moved in this way is more arduous because the IPs’ defining characteristics, like geolocation data, can vary widely and may not have been kept up to date, he said.
“You see [an] incredible amount of IP addresses on the website and it’s really hard for you to find something common to all of those addresses and to block them,” Jović said of his experience defending IPI. “That’s really the point when you cannot protect yourself with the usual tools.”
Low cost, bulk IP addresses make DDoS more dangerous
Qurium’s analysis of the attacks on Meduza and IPI highlighted an additional concern: the malicious traffic included IPs from the massively expanded set of cheaply available addresses known as IP version 6 (IPv6). This set of IPs became the latest standard for the internet in 2017 to service the world’s growing number of internet-connected devices, as the older set of addresses known as IP version 4 (IPv4) are nearly fully assigned to devices.
“IPv6 has a much bigger pool…and they’re much cheaper…they are less traceable than IPv4,” Jović said. “It is good for the regular people, but it is also good for the attackers.”
Manylov described IPv6 as “the future of the internet” because it will allow an exponentially greater number of internet addresses, but said that renting millions of IPv6 addresses would “cost you basically nothing” and can make it particularly difficult to block DDoS attacks without blocking real news readers. “It’s very threatening for the small media…[that] have zero tech and IT [people],” he added.
One cybersecurity expert noted to CPJ that DDoS attacks, made harder to defend against by the increased use of IPv6, could pose additional problems for online media trying to monetize journalism. As news outlets work to block potentially malicious traffic, they may prevent actual readers from coming to their sites, hindering their ability to make money from viewership and ads.
Attacks can give clues to who is responsible
Neither the staff of the targeted websites, nor the people defending them, have been able to confirm who is responsible for the attacks. But by analyzing the traffic, clues emerge.
As Jović defended IPI, he recognized what appeared to be a message from the attacker: “HanoHatesU.” The phrase was embedded in many of the URLs used as requests to visit the site and ironically allowed him to successfully identify and filter the malicious traffic. It was the same cryptic message seen in attacks on some of the Hungarian sites earlier that year, suggesting a link between the incidents.
Lundström has also detected patterns. Proxy providers often source and route IP addresses via other companies and Qurium reported that services from some of the same companies, including data centers operated by UK-based A1 Network Exchange, were used in the attacks against Meduza, IPI, and Hungarian media.
CPJ emailed Shakib Khan, A1 Network Exchange’s director, at addresses publicly listed for the firm and its parent company, HostCram, which Khan heads and is registered in the U.S., but received no response.
The attack on IPI similarly used services of several companies, including five specialized in IP address leasing and re-selling. Addresses leased from one of those companies – U.K.-based IPXO – appeared in DDoS attacks in August 2023 targeting media sites covering news in Somalia, Turkmenistan, and Kosovo. Lundström also noticed that IPs used to attack IPI were used the same day, September 8, 2023, in a DDoS attack against the Philippines-based Bulatlat news site.
IPXO did not respond to CPJ’s questions about the use of IPs sourced via its leasing service to attack IPI, but told Qurium that it would “inform their client so they can suspend the attacker.” Following CPJ’s reporting on the August attacks, IPXO said in an email that it expected lessees of its IP address to “take appropriate action to cease and prevent any abusive or unlawful activities” and may take further action depending on a lessee’s conduct. “We neither possess the resources, means, nor the authority to proactively monitor and prevent unlawful activities by IP address lessees or their customers,” IPXO said, adding it did evaluate lessees’ history for “likelihood of abuse.”
Lundström believes that companies should not protect the identities of their clients that use their services to launch such attacks. So far, none have cooperated in this way and some even hide using U.S.-based shell companies.
Though they don’t have confirming evidence, staff at Meduza believe the Russian government ordered the large-scale attack on their site. It came just days before Russian authorities initiated legal proceedings against Meduza’s head, Galina Timchenko, and two other reporters for the outlet. Cyberattacks often happen alongside other assaults on journalists’ freedom and safety.
Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, also known as Roskomnadzor, did not respond to CPJ’s request for comment about the attacks on Meduza.
“The mission of journalism is to inform people and there are many forces that want to stop that,” Madory said. “They either want to threaten a journalist, or if they can just take a source of journalism offline. That works too.”
(Editor’s note: The first paragraph of this report has been updated to spell out the full DDoS acronym.)