Who attacked CNN Philippines?


A series of DDoS cyber attacks disrupted CNN Philippines and other news sites. The first question is: who did it? A Pinoy hacker collective, Pinoy Vendetta, claimed responsibility. Their member “Abdul” confirmed that the attacks were carried out using a swarm of botnets. These “bots” also targeted other news sites, including Rappler and PhilStar.

The hacker group sent a YouTube video. In it, we see what looks like a botnet being launched against the CNN Philippines website. The group ran 1,000 threads using 34,291 “BOTS”. A bot is a compromised server or other resource under the attacker’s control.

The video shows the CNN Philippines website going ‘down’ as the attack proceeds. The hackers used the same type of DDoS attack against Rappler and PhilStar as well. In the past, Pinoy Vendetta also hacked an election monitoring site and Sen. Gordon’s page.


https://www.youtube.com/watch?v=omGa7m0O3qk&ab_channel=MacarioSakay

In the above screengrab, “Abdul” further explains:

“PV_raw is our own method of raw botnet where we control infected computer/devices and connect to our servers and use it to attack simultaneously to CNN Phil Website. The BOTS you see in our panel that’s the number of infected devices or what we called botnets.”

“Abdul” claimed they targeted these sites due “to their biased reporting”. For context, Pinoy Vendetta is suspected of being pro-Philippine President Rodrigo Duterte. The other reason given for the attack is to “proved (sic) that their security is weakshit (sic)”.

Indeed, CNN Philippines’ setup seems woefully inadequate. Markku Kero, CEO of Job and Esther Technologies, Finland, noted that CNN Philippines’ DNS points directly to AWS (Amazon Web Services) load balancers. There was no CDN (content distribution network) or any other mitigation layer in front of them, just a handful of load balancer IP addresses exposed to the world. This is “quite inexcusable for a company that size”.
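A check for the exposure just described, added here as an example rather than anything from the original post or from CNN Philippines’ own setup: it follows a hostname’s CNAME chain and reports whether a CDN or scrubbing provider sits in front, or whether the records point straight at a cloud load balancer or bare origin addresses. The provider suffix lists and the zone data are assumptions; swap `sample_lookup` for a real resolver to run it against live DNS.

```python
# Added example (not from the original post): classify how a hostname is
# published in DNS, to spot the exposure described above: records that point
# straight at cloud load balancers or bare origin IPs with no CDN/scrubbing
# layer in front. The suffix lists and the sample zone are assumptions.
from typing import Callable, Dict, List, Tuple

# Hostname suffixes of common CDN / DDoS-scrubbing providers (assumed list).
CDN_SUFFIXES = (
    ".cloudfront.net", ".cloudflare.net", ".akamaiedge.net", ".edgekey.net",
    ".fastly.net", ".fastlylb.net", ".azureedge.net", ".incapdns.net",
)
# Suffix that identifies an AWS Elastic Load Balancer hostname (assumed).
ELB_SUFFIX = ".elb.amazonaws.com"

# Constructed zone data standing in for live DNS: name -> (record type, targets).
SAMPLE_ZONE: Dict[str, Tuple[str, List[str]]] = {
    "news.example": ("CNAME", ["lb-1234.ap-southeast-1.elb.amazonaws.com"]),
    "lb-1234.ap-southeast-1.elb.amazonaws.com":
        ("A", ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    "fronted.example": ("CNAME", ["d111111abcdef8.cloudfront.net"]),
    "d111111abcdef8.cloudfront.net": ("A", ["198.51.100.5"]),
    "bare.example": ("A", ["192.0.2.7", "192.0.2.8"]),
}

def sample_lookup(name: str) -> Tuple[str, List[str]]:
    """Resolver stand-in; replace with a real DNS client for live checks."""
    return SAMPLE_ZONE.get(name.lower(), ("NXDOMAIN", []))

def classify_exposure(host: str,
                      lookup: Callable[[str], Tuple[str, List[str]]] = sample_lookup,
                      max_hops: int = 8) -> Dict[str, object]:
    """Follow the CNAME chain from `host` and report what the public sees."""
    chain, name, ips, resolved = [host], host, [], False
    for _ in range(max_hops):
        rtype, targets = lookup(name)
        if rtype == "CNAME" and targets:      # keep walking the alias chain
            name = targets[0]
            chain.append(name)
            continue
        resolved, ips = (rtype == "A"), (targets if rtype == "A" else [])
        break
    else:
        raise ValueError("CNAME chain too long for %s" % host)
    names = [n.lower() for n in chain]
    if not resolved:
        verdict = "unresolved"
    elif any(n.endswith(CDN_SUFFIXES) for n in names):
        verdict = "cdn-fronted"                # a mitigation layer is present
    elif any(n.endswith(ELB_SUFFIX) for n in names):
        verdict = "direct-to-load-balancer"    # the pattern Kero described
    else:
        verdict = "bare-origin-ips"
    return {"host": host, "chain": chain, "ips": ips, "verdict": verdict,
            "exposed": resolved and verdict != "cdn-fronted"}
```

Any result flagged `exposed` means every address in `ips` can be flooded directly, so adding capacity behind the load balancer does nothing about the path the traffic takes to reach it.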

As of this writing, CNN Philippines is blocking all incoming requests (403 error). But this is only a temporary measure, since no one else can access the site with such a setting either. With this, the hackers have achieved their goal: denial of service. And once the site comes back up, the DDoS will hit it again.

“AWS load balancer is just for simple flood attack but a massive attack (on) all of the IPs given by the load balancer will be flooded too”- “Abdul”

Further, “Abdul” claims that it cost them next to nothing to launch these debilitating attacks. Unlike other DDoS operators who rent botnets through dark web platforms, Pinoy Vendetta “owns” its botnets, so they do not have to pay for their use. In addition, the bandwidth consumed during the attacks is paid for by the unsuspecting owners of the compromised servers.

In contrast, news organizations spend thousands of dollars to mitigate DDoS attacks. As more traffic hits their sites, they have to pay their hosting company more. Typically, this involves adding huge amounts of bandwidth, server memory, and CPU capacity.

The web traffic should also be scrubbed before it reaches the origin servers. Scrubbing filters the bad traffic from the good to keep the websites open to legitimate users. The drawback is that these measures come with a huge price tag.

DDoS attacks are often coordinated efforts by many compromised computer systems, designed to disrupt service to legitimate users. While DDoS attacks are generally aimed at sites serving the general public, the majority are directed at government websites. The Philippines has been a target of DDoS attacks since the 1990s.

These DDoS attacks highlight how a low budget can take down a million-dollar operation. The asymmetric costs send shudders through webmasters and system administrators. It is hard to defend against an avalanche of ‘web requests’, and harder still when the attack traffic is difficult to separate from legitimate traffic. These costs don’t even include the lost ad revenue, nor do they account for the disruption of service to readers.

My personal worry is how this might impact the coming Philippine elections. Would Comelec servers be immune from an onslaught of DDoS attacks should Pinoy Vendetta feel aggrieved by the process? How might system administrators counter this in a cost-effective manner? Fellow SysAds, please share your suggestions for the benefit of our community.