- All of the ‘Avengers: Endgame’ Easter eggs discovered by fans Saturday 6:52 PM
- Every big announcement made at D23 about Disney+ Saturday 6:33 PM
- The best haunted house movies to watch online in 2019 Saturday 4:13 PM
- Andy Ngo seen laughing as Patriot Prayer members plan an attack in newly emerged video Saturday 3:59 PM
- How to stream Manchester City vs. Bournemouth Saturday 3:25 PM
- Catholic priest allegedly spent church money on Grindr hookups Saturday 3:04 PM
- Nicolás Maduro’s English Twitter account was suspended with no public explanation Saturday 2:06 PM
- Man claims ex-girlfriend killed his dog after he broke up with her Saturday 1:02 PM
- What are BitTorrent downloads and how do they work? Saturday 12:58 PM
- ICE cuts the cord on real immigrant hotline after being featured in ‘Orange Is the New Black’ (updated) Saturday 10:49 AM
- The 10 best music podcasts for artist interviews and criticism in 2019 Saturday 10:41 AM
- How a socialist Twitch streamer landed in a feud with Dan Crenshaw Saturday 10:07 AM
- How to prepare for your fantasy football draft (and season) Saturday 9:00 AM
- Kit Harington is joining the MCU–and people are guessing which character he will play Saturday 8:48 AM
- How to live stream Juan Francisco Estrada vs. Dewayne Beamon Saturday 8:00 AM
Turkish Internet hit with massive DDoS attack
Could Russia be the culprit?
Turkey is under massive cyberattack.
Since Monday morning, the country’s official domain name servers have been under a Distributed Denial of Service (DDoS) attack. The attack’s perpetrators are unknown, but it reveals the vulnerabilities of the country’s Internet infrastructure.
All domain names that end with Turkey’s two-letter country code .tr must be registered by NIC.tr, an administration office in Turkey’s capital of Ankara. Besides its registration duties, NIC.tr maintains the academic internet backbone for Turkish universities. It’s also the main service for .tr domain names, making it a valuable target.
On Monday morning Turkish time, traces of an attack became noticeable. By noon, NIC.tr’s five nameservers, ns1.nic.tr through ns5.nic.tr, were completely down under a 40 Gigabits per second DDoS attack.
Europe’s regional Internet registry, the RIPE Network Coordination Centre, serves as a secondary Domain Name System to Nic.tr. RIPE was also severely affected. As noted by its manager of the Global Information Infrastructure, Romero Zwart, the attack was “modified to evade” RIPE’s mitigation measures. As of this writing, the attack is still going on at around 40 Gbps, disrupting working hours in Turkey.
DDoS attacks, which overload servers with requests for information, are a simple way of disrupting a website for a brief amount of time. The cost of hiring attacking botnets, huge armies of compromised computers that can all visit a site at the same time, is getting cheaper, and the size of attacks is growing each year. In 2013, an average DDoS attack was about 2 Gbps. In 2014, it’s nearly 8 Gbps.
What makes the Turkish attack so damaging is the attackers’ sophisticated choice of target. By focusing on a relatively small group of IP addresses, the five nameservers of NIC.tr, the attackers managed to “take down the DNS system of a whole country with a 40 Gbps attack:”
As the country’s official domain suffix, .tr domain names are very popular in Turkey, and many local companies want their businesses officially recognized for their local audience. There are about 400,000 websites with localized Turkish domain names, including 300,000 companies. It’s also used by government institutions, schools, municipalities, Turkish e-mail servers, and the Turkish military.
When the attack left NIC.tr’s DNS service non-responding, practically all .tr domain names became unreachable. Besides the private Turkish companies, official government businesses such as vital population registry queries, remained interrupted for more than a day. Internet access at university campuses are still down or extremely slow.
On Monday evening, Turkey’s National Response Center for Cyber Events closed all incoming traffic to NIC.tr from outside of Turkey, which made 400,000 websites with .tr domain names unreachable from the rest of the world, all e-mails sent to companies and organisations with .tr domains bounced back with the “unknown host” error.
Response Center changed its policy late Monday night, and NIC.tr has since been running a selective block policy for a number of suspected root IP addresses. DNS service for .tr domains were also re-configured to distribute the queries among public and private servers, including a Turkish Internet service providers Superonline and Vodafone.
It’s notoriously difficult to attribute where a cyberattack comes from. Many Turkish commentators have pointed to Russia as the source of the attack. Russia’s cyber warfare capabilities are an established weapon, believed to be used against Estonia in 2007, Georgia in 2008, and Ukraine in 2014.
With Turkey’s recent downing of a Russian jet near Syrian border, and with the ongoing troll wars between Erdo?an’s and Putin’s social media campaigners, DDoS botnets could be the next battleground. Some experts have speculated this is a response to Turkey’s nationalist cyber teams, who stand accused of organising a DDoS attack on Russia’s Sputnik news.
DDoS attacks are by nature distributed, therefore the identity of the attackers could never be found out; but the consequences identified the vulnerabilities of the target very well.
Illustration by Max Fleishman
Efe Kerem Sözeri is a Turkish freelance researcher who lives in the Netherlands. After studying political science in Istanbul, he moved to Amsterdam to study migrants' political behavior. Besides his academic work, he regularly writes on internet freedom and censorship in Turkey.