DDoS Floods in Belarus: Political Motivations

By: Jose -

Alerted by @infopolicy on Twitter, we went investigating attacks on Charter97.org, a Belarus news site. Evidently the site’s been under attack for days now, and it has also been attacked in the past couple of months.

As we often do when this sort of thing happens, we dig into the news. Sure enough, there’s some regional tension between Belarus and Russia. The Associated Press article “Belarus turns to EU as Russian ties deteriorate” offers a bit of background:

Russia sees courting of the West by former Soviet satellites as a threat to its influence in the region. Observers say Lukashenko has played on that feeling in the intensifying quarrel between the two countries.

The dispute escalated recently when Russia withheld the last quarter of a $2 billion loan to Belarus. Lukashenko accused Russia of punishing Belarus for refusing to recognize the independence of rebel-held regions of Georgia.

This isn’t abrupt; it has been brewing for a few months. We saw this site under attack in April, 2008, by a Machbot-like botnet hosted at ‘httpdoc.info’, of a kind that we’ve seen before. This was very much like the botnet behind the July, 2008, Georgian president attacks. The command this time looks like:

FREQ 900000
DDOS 1 78000000 www.charter97.org 20
DDOS 0 78000000 www.charter97.org /ru/search/ 0 %3Fstext=%EB%F3%EA%E0%F8%E5%ED%EA%EE 80 30

At the time it was also DDoSing the Russian news site www.compromat.net (or www.compromat.ru). This site appears to be an alternative RU-language news site. The botnet’s now dead and has been for nearly a year.
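As an added example (not part of the original post, and not Arbor's tooling), the HTTP-targeted command above can be turned into a request signature and matched against web server access logs to list the clients sending the flood request. The field roles are assumptions, the numeric fields are left uninterpreted, and the log lines are constructed; under a Windows-1251 assumption the search term decodes to the Cyrillic spelling of Lukashenko.

```python
import re
from collections import Counter
from urllib.parse import unquote, unquote_to_bytes

# The HTTP-targeted command line exactly as quoted in the post.
COMMAND = ("DDOS 0 78000000 www.charter97.org /ru/search/ 0 "
           "%3Fstext=%EB%F3%EA%E0%F8%E5%ED%EA%EE 80 30")

def http_signature(command):
    """Return (host, request_target, decoded_query), or None without a URL path.

    Assumption: host is the dotted token, path starts with '/', and the query is
    the token starting with '%3F' (an encoded '?'). Numeric fields are left
    uninterpreted because the post does not define them.
    """
    tokens = command.split()
    if not tokens or tokens[0] != "DDOS":
        return None
    args = tokens[1:]
    host = next((t for t in args if "." in t and not t.startswith("/")), None)
    path = next((t for t in args if t.startswith("/")), None)
    query = next((t[3:] for t in args if t.upper().startswith("%3F")), "")
    if host is None or path is None:
        return None
    target = path + ("?" + query if query else "")
    # Assumption: the search term is Cyrillic in Windows-1251.
    return host, target, unquote(query, encoding="cp1251")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')

def flood_sources(log_lines, target, min_hits=3):
    """Map client IP -> hit count for requests matching the flood target."""
    want = unquote_to_bytes(target)  # normalises %eb vs %EB
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and unquote_to_bytes(m.group(2)) == want:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed access-log lines (documentation IP ranges, invented timestamps).
_T = '[10/Apr/2008:12:00:00 +0300]'
_UP = '"GET /ru/search/?stext=%EB%F3%EA%E0%F8%E5%ED%EA%EE HTTP/1.1" 200 512'
_LO = '"GET /ru/search/?stext=%eb%f3%ea%e0%f8%e5%ed%ea%ee HTTP/1.1" 200 512'
SAMPLE_LOG = ([f"192.0.2.10 - - {_T} {_UP}"] * 4 + [f"198.51.100.7 - - {_T} {_LO}"] * 3
    + [f'203.0.113.5 - - {_T} "GET /ru/search/?stext=minsk HTTP/1.1" 200 900'] * 5)

if __name__ == "__main__":
    host, target, decoded = http_signature(COMMAND)
    print(host, decoded, flood_sources(SAMPLE_LOG, target))
```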

A few sites in the region are tracking the attack. Here’s some third-party information on the attack:

Leading Belarusian opposition media are attacking the second day. DDoS-attack started yesterday 11-56 Minsk time and is still ongoing. Technical Service at the time the resource was able to neutralize the attack and distributed by the evening of June 8, the site became available. However, the night attack, the algorithm was modified and the power increased.

DDoS traffic to charter97.org courtesy of electroname.com

Via “The site continues to attack the Charter’97” (via Belnet).

We’re still digging for more information. This is especially interesting as it’s right before I head off to Tallinn for the NATO CCDCOE workshop next week.

Comments

  1. To the “political” context we could add that, at the time of the attack, Charter97 published several articles about the ban on sales of dairy products from Belarus to Russia, and one about President Lukashenko mentioned in a satirical Russian TV program (http://www.charter97.org/en/news/2009/6/8/).