- Who is Cletus Kasady, Woody Harrelson’s character in ‘Venom 2’? Today 7:00 AM
- What is biometric data? Today 6:30 AM
- Cooking Mama’s return whips up a fresh batch of memes Tuesday 8:18 PM
- Influencer body-shames model, Photoshops photo of self to ‘prove point’ Tuesday 7:27 PM
- Boosie Badazz goes on transphobic rant about Dwyane Wade’s daughter Tuesday 6:34 PM
- Royal Family’s website accidentally links to porn instead of charity Tuesday 5:39 PM
- Republican senator spreads false conspiracy about coronavirus Tuesday 5:11 PM
- New DNA technology could help exonerate Black man serving life sentence Tuesday 4:24 PM
- ‘SNL’s’ Kenan Thompson to host the White House Correspondents’ Dinner Tuesday 3:58 PM
- Singer Summer Walker dragged for insensitive HIV comments Tuesday 2:39 PM
- This video of a teddy bear getting steam cleaned makes a perfect meme Tuesday 2:27 PM
- Ted Cruz goes on Twitter tirade over proposed vasectomy bill Tuesday 2:22 PM
- Billie Eilish says she’s stopped reading Instagram comments Tuesday 2:13 PM
- Christian group blames satanists for Twitter poll results Tuesday 1:41 PM
- Coronavirus has pandemic-themed video games topping charts Tuesday 12:58 PM
Turkish Internet hit with massive DDoS attack
Could Russia be the culprit?
Turkey is under massive cyberattack.
Since Monday morning, the country’s official domain name servers have been under a Distributed Denial of Service (DDoS) attack. The attack’s perpetrators are unknown, but it reveals the vulnerabilities of the country’s Internet infrastructure.
All domain names that end with Turkey’s two-letter country code .tr must be registered by NIC.tr, an administration office in Turkey’s capital of Ankara. Besides its registration duties, NIC.tr maintains the academic internet backbone for Turkish universities. It’s also the main service for .tr domain names, making it a valuable target.
On Monday morning Turkish time, traces of an attack became noticeable. By noon, NIC.tr’s five nameservers, ns1.nic.tr through ns5.nic.tr, were completely down under a 40 Gigabits per second DDoS attack.
Europe’s regional Internet registry, the RIPE Network Coordination Centre, serves as a secondary Domain Name System to Nic.tr. RIPE was also severely affected. As noted by its manager of the Global Information Infrastructure, Romero Zwart, the attack was “modified to evade” RIPE’s mitigation measures. As of this writing, the attack is still going on at around 40 Gbps, disrupting working hours in Turkey.
DDoS attacks, which overload servers with requests for information, are a simple way of disrupting a website for a brief amount of time. The cost of hiring attacking botnets, huge armies of compromised computers that can all visit a site at the same time, is getting cheaper, and the size of attacks is growing each year. In 2013, an average DDoS attack was about 2 Gbps. In 2014, it’s nearly 8 Gbps.
What makes the Turkish attack so damaging is the attackers’ sophisticated choice of target. By focusing on a relatively small group of IP addresses, the five nameservers of NIC.tr, the attackers managed to “take down the DNS system of a whole country with a 40 Gbps attack:”
As the country’s official domain suffix, .tr domain names are very popular in Turkey, and many local companies want their businesses officially recognized for their local audience. There are about 400,000 websites with localized Turkish domain names, including 300,000 companies. It’s also used by government institutions, schools, municipalities, Turkish e-mail servers, and the Turkish military.
When the attack left NIC.tr’s DNS service non-responding, practically all .tr domain names became unreachable. Besides the private Turkish companies, official government businesses such as vital population registry queries, remained interrupted for more than a day. Internet access at university campuses are still down or extremely slow.
On Monday evening, Turkey’s National Response Center for Cyber Events closed all incoming traffic to NIC.tr from outside of Turkey, which made 400,000 websites with .tr domain names unreachable from the rest of the world, all e-mails sent to companies and organisations with .tr domains bounced back with the “unknown host” error.
Response Center changed its policy late Monday night, and NIC.tr has since been running a selective block policy for a number of suspected root IP addresses. DNS service for .tr domains were also re-configured to distribute the queries among public and private servers, including a Turkish Internet service providers Superonline and Vodafone.
It’s notoriously difficult to attribute where a cyberattack comes from. Many Turkish commentators have pointed to Russia as the source of the attack. Russia’s cyber warfare capabilities are an established weapon, believed to be used against Estonia in 2007, Georgia in 2008, and Ukraine in 2014.
With Turkey’s recent downing of a Russian jet near Syrian border, and with the ongoing troll wars between Erdo?an’s and Putin’s social media campaigners, DDoS botnets could be the next battleground. Some experts have speculated this is a response to Turkey’s nationalist cyber teams, who stand accused of organising a DDoS attack on Russia’s Sputnik news.
DDoS attacks are by nature distributed, therefore the identity of the attackers could never be found out; but the consequences identified the vulnerabilities of the target very well.
Illustration by Max Fleishman
Efe Kerem Sözeri is a Turkish freelance researcher who lives in the Netherlands. After studying political science in Istanbul, he moved to Amsterdam to study migrants' political behavior. Besides his academic work, he regularly writes on internet freedom and censorship in Turkey.