Zimbabweans Hit By Cyber Attacks During Election
judgecorp writes "During last week's Zimbabwean election, some huge denial of service attacks took down sites including several reporting on human rights issues and potential irregularities in the election. Those affected suspect government involvement. ... GreenNet is only just recovering today, with some customer websites still down, having reported the strike on Thursday morning, the day after Zimbabweans headed to the polls. It appeared to be a powerful attack – TechWeek understands it was at the 100Gbps level – aimed at GreenNet’s co-location data centre provider Level 3, which subsequently did not let GreenNet move workloads within that facility. ... The DDoS that hit GreenNet was not a crude attack using a botnet to fire traffic straight at a target port, but a DNS reflection attack using UDP packets, which can generate considerable power. DNS reflection sees the attacker spoof their IP address to pretend to be the target, send lines of attack code to a DNS server, which then sends back large amounts of traffic to the victim."
Re: (Score:2)
"send lines of attack code to a DNS server," really?
Yes. The code was: 41545441434b21
Re: (Score:2)
Pfff.. wake me when those last 2 nibbles have been changed from 21 to 212131216f6e652121 ...
Re: (Score:3)
Yes, and it generates considerable power. I'm going to start using it to power my computer from my network connection..
Re: (Score:2)
PoE 2.0?
Re: (Score:3)
Admit it. You couldn't have pointed at Zimbabwe, with a fat finger, on a map of the Solar System.
Re: (Score:1)
Surprisingly, yes they do. Please do not forget that it was the UK that set Mugabe up in 1980, despite his Chinese communist backing. And now we have the fruit of that political idiocy. You can bet your last dollar (Zim dollar or any other) that it's the Chinese organizing the DDoS attacks, etc.
Re: (Score:2)
Indeed, I doubt the Zim government has the resources or skill to do this, given how often their own websites seem to get hacked.
They seem pretty adept at it, actually (Score:4, Informative)
I shared the same belief as you, until I did some random digging... and wow.
Apparently the Zim government has LOTS of experience with cyber warfare [concerneda...holars.org].
That article, mind you, was written in 2008. Imagine how much more they would have picked up in the last 4 years.
Re: (Score:2)
Those gadgets? Guess where they come from? I suppose the Chinese could have trained them up in the interim, but for a large part they seemed to be following instructions from their Chinese overlords last time I was there... A couple of ham operators I knew got into fairly serious trouble over the things they were saying back in the mid 2000s, but mainly because they used their own callsigns. To be fair, I did not get my internet through tell-one, who probably did censor things, but instead through Econet, w
Re: (Score:2)
last dollar (Zim dollar or any other)
If they're Zimbabwean dollars, wouldn't you have to bet at least a trillion?
Re:wait (Score:4, Interesting)
You might be a little surprised if you visited Zimbabwe. The (one and only) thing Mugabe did right was push education, which means a lot of arbitrary schools in the middle of the rural areas have computer labs and things like that. There is a thriving business in old computers there, and it was almost enough for me to support myself.
Re: (Score:2)
and it was almost enough for me to support myself
Don't you think that sitting on a chair would have been more comfortable than that?
Re: (Score:3)
We could not afford chairs, so we had to sit on piles of money instead...
Re: (Score:2)
Yes, but most access the internet via internet cafes or mobile devices. The number of Zimbabwean internet users has tripled from 1.5 million to 4.5 million (around 37% of the population) in just the past two years. This number should jump substantially over the next year, as 3G/4G service has grown rapidly - reaching 91% of the population in the past year. A 2010 United Nations survey found the Zimbabwe literacy rate was the highest of all African countries.
Re: (Score:2)
It's 90.7%, per the CIA.
Elections (Score:5, Funny)
Obama, Cameron and Mugabe are on a boat, when they realise it is sinking and there is only one lifejacket. They decide, being leaders of ostensibly democratic countries, to vote over who gets the lifejacket, so they each write a name on a piece of paper and put it in a cup.
Once everybody was finished, they counted the pieces of paper, and the results were:
Obama: 1
Cameron: 1
Mugabe: 6
Re: (Score:1)
Of his principal opponents, Joshua Nkomo was the foremost, though he might not have been much better an option (except that he had the grace to die sooner). Bishop Muzorewa never really gained the traction he needed, because he didn't use artillery.
Re: (Score:2)
It actually only got moderated "overrated" twice. I guess ZanuPF were a bit low on mod-points yesterday.
DNS Reflection is a bitch (Score:4, Interesting)
Been on the business end of a DNS reflection attack. Not fun. Not only do you have to figure out how to deal with loads of DNS responses invading your network, the contact that's listed for the allocation that the spoofed IP falls under gets slammed with inquiries from angry operators wanting to know why their network is sending so many damned DNS queries to them. Very disruptive.
We should pause and step back a moment... (Score:2)
We should pause and step back a moment to meditate upon these attacks... hopefully it won't take too long or too many resources to do so...
Re: (Score:2)
There are multiple ways these attacks could have been prevented, but laziness and incompetence rule yet again. ISPs could add egress filtering, or they could limit the number of open recursive resolvers on their network.
In the end, I suspect the only way to fix this will be the same way we fixed open mail servers: start blacklisting badly behaving ISPs.
Re:We should pause and step back a moment... (Score:5, Informative)
It's not as simple as that. Blacklisting badly behaving mail servers is one thing. That's pretty much an application level fix. You just don't accept the mail from the mailserver.
DNS reflection is more insidious. If I spoof an IP address and send a query to a DNS server that's authoritative for the domain, it's going to send a response back to the IP address in the source of the packet. Now I do that with a shitload of domains and a shitload of DNS servers, and they all start sending responses to the spoofed IP. A good DNS reflection attack will hit so many sources that it's impractical to filter them all; you'll spend a crapload of time just trying to keep the access-lists updated, and it's exponentially worse the bigger your border is. The only thing you can do is null-route the spoofed IP at your border to prevent the responses from getting into your network and bringing down your entire infrastructure... assuming you have border routers that won't die under the flood in the first place. The second you do that, the attacker has won.
If they're sending queries to authoritative name servers what are you going to do? Blacklist them? The authoritatives are doing what they're supposed to.
The only real way to stop DNS reflection is to convince every operator to do proper border filtering. If the source address in the packet didn't come from their allocation, they should drop it. Convincing network operators to do so is incredibly difficult.
The one I was on the end of, they did it smart. They started at 5am on Christmas day, which is pretty much about the best time to ensure that any response is sluggish at best. It went on for two weeks and didn't cease until 4 different providers had operators willing to pool their Netflow data in order to track back where the shit was actually coming from, and we found the CnC nodes buried in TWC's network. TWC was kind enough to terminate those nodes with extreme prejudice.
Didn't help though, we still lost the customer.
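As an added example (not part of the comment above or of the original thread): a sketch of how the reflected flood described there looks in flow data, and why the responder list is too wide to filter while the targeted address is easy to identify. It assumes UDP flow records simplified to (src, sport, dst, dport, bytes) tuples in time order; the addresses, record layout and function names are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes), all UDP,
# in time order. Documentation ranges only; 203.0.113.0/24 plays "our" network.
LOCAL_NET = ip_network("203.0.113.0/24")
FLOWS = [
    ("203.0.113.10", 40001, "198.51.100.53", 53, 70),    # real query from inside
    ("198.51.100.53", 53, "203.0.113.10", 40001, 180),   # its matching answer
    ("192.0.2.1", 53, "203.0.113.80", 4444, 3900),       # no query ever left for these
    ("192.0.2.2", 53, "203.0.113.80", 4444, 4000),
    ("198.51.100.7", 53, "203.0.113.80", 4444, 4100),
    ("198.51.100.53", 53, "203.0.113.80", 5555, 3800),
]


def unsolicited_dns(flows, local_net=LOCAL_NET):
    """Return {local_ip: {"sources": set, "bytes": int}} for DNS responses
    that arrive without a matching outbound query."""
    pending = set()   # (client, client_port, server) still awaiting an answer
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, dport, size in flows:
        if dport == 53 and ip_address(src) in local_net:
            pending.add((src, sport, dst))            # outbound query
        elif sport == 53 and ip_address(dst) in local_net:
            if (dst, dport, src) in pending:
                pending.discard((dst, dport, src))    # solicited: consume the query
            else:
                hits[dst]["sources"].add(src)         # reflected or stray response
                hits[dst]["bytes"] += size
    return dict(hits)


def null_route_candidates(flows, min_sources=3):
    """Local addresses hit by unsolicited responses from many distinct servers."""
    return sorted(ip for ip, h in unsolicited_dns(flows).items()
                  if len(h["sources"]) >= min_sources)


if __name__ == "__main__":
    for ip, h in unsolicited_dns(FLOWS).items():
        print(ip, len(h["sources"]), "sources,", h["bytes"], "bytes")
    print("null-route candidates:", null_route_candidates(FLOWS))
```

The per-target source count is the number to watch: it grows with every responder involved, while the set of targeted local addresses stays small.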
Re: (Score:2)
I agree about filtering outbound traffic but keep in mind that these attacks work best with open recursive mail servers and there are few reasons to configure them that way. Need a resolver for your network? Then lock it so only your network can make requests on it. I just did a quick look up of the ISPs with open recursive name servers and found a company my employer does a lot of business with has 31 open recursive name servers. There is just no excuse for that.
My thought is that we need to cause pain
Whoosh? (Score:2)
To reflect: To meditate upon
My question (Score:2)
Re: (Score:3)
Many do, but many stay because hope is a triumph of optimism over experience. Also, where do you propose they all go? Given the literacy rates a significant proportion of the population can use a computer. While I love the idea of Mugabe sitting alone in a ghost town, it isn't really practical...
Re: (Score:2)
Oh I know, lord I know - my question was more rhetorical than realistic. It's just so sad to see an entire country succumb to a cancer like Mugabe. Aside from the obvious parties, who else is to blame for the current situation? I mean, how did it come to this? And for so long?
Human history is a long line of relative misery, punctuated by brief epochs of absolute misery.
Re: (Score:3)
When Mugabe refused to allow the UN to administer the money the British were sending him to buy farms for the war veterans (because then he would not be able to steal it, and also, pride "Zimbabwe is a sovereign Nation!"), the money stopped and he had nothing to give the war veterans who then revolted. What happened next was highly predictable in hindsight. He printed money to appease them, which they squandered and inflation ate. So they demanded land and took it.
The problem is, when you're riding the tige
Re: (Score:2)
Seems to me that much of Africa has amazing potential, but most of its countries are caught in a vicious cycle of incompetent, patrimonial and ruthless leaders with strong ethnic ties, an endless stream of warlords and strongmen propped up by commodities and foreign aid. Indeed, throwing wealth at the problem seems to do far more harm, like water on an oil fire. Nothing good can take root in such wretched soil. It's just so... fucking depressing.
Re: (Score:2)
South Africa isn't too bad. Not too good either, but it passes. The real issue is pretty much nowhere in Africa has a functional democracy. South Africa's does partially work, but not completely. It is really depressing, I know. I lived through the worst of Zimbabwe. If SA goes the same way, I guess I'm leaving Africa. I would be very sad to go though. Africa, despite its issues, is an absolutely amazing place to be.
Re: (Score:2)
As it happens, yes...
Re: (Score:2)
They are leaving, though -- per a friend of mine from Pretoria, there are a great many Zimbabwean refugees heading to northern South Africa, and the SA government doesn't quite know what to do with them.
Re: (Score:2)
Yes, they take a lot of the Jobs in SA. Mainly because they're more willing to work and often better educated than their South African counterparts. In any case, since the SA government props up Mugabe, it is sort of a self-created problem. If all the Zimbabweans went home (and former Zimbabweans like myself), the economy here would take quite a hit... Still, you can't empty an entire country...
Re: (Score:1)
You could ask questions of Level 3 who didn't help in mitigating the attack...
Re: (Score:2)
It's not that simple.
A well executed DNS reflection attack is very very broad spectrum, and doesn't have to involve broken or compromised DNS servers.
It's easy to armchair quarterback. Try being on the receiving end of one sometime and actually looking at the data you get; you'll be impressed.
Eliminating this kind of attack would take an unprecedented level of cooperation among service providers, and for most of them, there would be absolutely no business reason for them to undertake it.
Re: (Score:2)
Is that like hitting Cuba with economic repressions rather than bombs is progress? If so, I think it's not really much progress.
Re: (Score:2)
In the recent elections people were hit by both, so it is progress... Just not progress from a non-Zanu PF point of view...
sensationalist crap (Score:2)
A DNS amplification attack is not hacking the Gibson, geesh.
Besides, what's the point of elections in Zimbabwe anyway? To decide whose face goes on the eleventy-billion dollar note?
Re: (Score:1)
Mandela is a coward, and Mugabe is the greatest African who ever lived. Bob says so himself [codewit.com].
Far out. I wonder if he was drunk. I don't think it's possible to come up with a more inflammatory speech than that.
simo (Score:1)
What was there to attack? (Score:2)