On February 27, as CNN Philippines was gearing up to livestream a debate between candidates standing in the country’s presidential elections, its website went down. It was the second time in a matter of months that the site had been hit.
Since June 2021, opposition politicians, independent media, and fact-checking websites in the Philippines have been hit over and over with brute-force cyberattacks known as distributed denial-of-service, or DDoS, attacks. CNN, major news network ABS-CBN, Rappler (the outlet founded by the 2021 Nobel Peace Prize winner Maria Ressa), and VERA Files, a fact-checking organization, have all been targeted, along with the website of Vice President Leni Robredo, who is a staunch critic of the current president, Rodrigo Duterte.
For the past 10 months, the attacks have escalated in frequency and aggression, as the country moves towards the vote in May. Some of the organizations have been under a constant barrage of DDoS attempts. “It’s like being under siege,” Ellen Tordesillas, VERA Files’ president, told Rest of World. “You’re always on alert.”
DDoS is one of the oldest forms of cyberattack. Attackers build a network of compromised machines and use them to flood the target’s server with thousands upon thousands of requests for data, overloading it and forcing it offline.
“In the beginning, [DDoS] was used as a social activist tool,” said Dmitri Vitaliev, director and co-founder of eQualitie, a coalition of cybersecurity experts and developers who help civil society organizations, including VERA Files, defend against cyberattacks. Now, he said, the polarity has reversed. It’s become a tool for intimidation and censorship, aimed at civil society groups and independent media. “Our clients receive attacks on a daily basis. We see two to three significant attacks every week,” he told Rest of World.
More than 20 years have passed since the first documented DDoS attack, when a network of 114 computers infected by the Trin00 script were used to take down a computer system at the University of Minnesota in 1999. But it was Anonymous, an anarchic movement that spiraled out of 4chan discussion forums, that popularized their use.
In the U.S., people using the Anonymous name coordinated attacks that took down websites belonging to neo-Nazis, the Church of Scientology, and the billionaire oil magnates and political donors, the Koch Brothers. Their activities weren’t always political or wholesome — and were often self-interested — but the targets of their fury were often those who’d challenged the collective’s general belief that the internet should be free and uncensored.
In 2009, after the Green Movement protests in Iran, Anonymous attacked Iranian government websites in support of the political opposition. Hackers claiming to be affiliated with the group later hacked government servers, stealing thousands of emails. In 2011, in the early days of the Arab Spring, Anonymous led attacks on government websites in Tunisia and Egypt, including the site of President Hosni Mubarak’s political party, the National Democratic Party. Leaderless groups, which formed under the Anonymous name and disappeared just as quickly, targeted government sites and services in Zimbabwe, Malaysia, Israel, Nigeria, Myanmar, and the Philippines.
In February 2022, after Russia used DDoS attacks to take down the websites of Ukrainian government agencies and banks ahead of its invasion of the country, people rallied under the Anonymous name again to target Russia in retaliation.
Anonymous’ crowdsourced, collective approach was made possible by the availability of tools to launch a DDoS attack, such as easily-accessible scripts. Meanwhile, the universe of devices that can be infected and brought into a botnet in order to launch such an attack has grown substantially. The Internet of Things has meant that hundreds of thousands of new processors are online, in household appliances and commercial systems, and are often unprotected from cyberattacks. With relative simplicity, a cybercriminal can co-opt, for example, a smart energy meter in Ukraine to join a botnet that attacks a human rights organization in the Philippines.
“Our clients receive attacks on a daily basis. We see two to three significant attacks every week.”
Today, 24 hours of a DDoS attack can be procured for a few hundred dollars, and the economics of attacks have shifted so much that supply is driving demand, Vitaliev said. “This is why we do see the whole gamut of attacks, you know, from script kiddies to nationalists to commercial companies.”
It’s become a constant hazard in the Philippines, where large, organized digital groups — some directly linked to the government, others probably working for hire — routinely attack opponents of the Duterte regime with bots and trolls pushing out misinformation and cyberattacks. Several of the attacks this year have been claimed by the Pinoy Vendetta hacking group.
Pinoy Vendetta, although apparently independent, has received vocal support and encouragement from members of the government’s “National Task Force to End Local Communist Armed Conflict,”or NTF-ELCAC. The NTF-ELCAC, whose purpose is reminiscent of the U.S. McCarthy-era “reds-under-the-bed” communist purge, habitually accuses members of the opposition or media of being communists and terrorists, sometimes with deadly consequences. In August 2021, investigations by the Philippines’ Department of Information and Communications Technology found that DDoS attacks on two independent media sites, AlterMidya and Bulatlat, originated from IP addresses assigned to the Philippine Army, but the report into the incident was not widely-published, and there was no subsequent action.
A forensic analysis of the December 2021 attacks on Rappler, conducted by the digital rights organization Qurium, found that the traffic came via almost 14,000 IP addresses, mostly open proxies — proxy servers for common use, which allow a user to mask their identity — in the U.S., China, Germany, Indonesia, Russia, and Vietnam. Qurium’s investigation also found that Pinoy Vendetta was directing supporters to pay-to-play botnets on its social media accounts.
As May’s election approaches, the frequency and scale of the attacks is ramping up, in particular targeting media and politicians who have been critical of the Duterte administration’s signature policies — its “anti-communist” campaign and its brutal “war on drugs,” in which thousands have died in extrajudicial violence.
Distributed denial of service attacks: from protest tool to state censorship
DDoS is a simple but often very effective way to force a website offline.
A Distributed Denial of Service, or DDoS, attack disrupts a website or service by overloading its servers with spurious requests.
The attacker needs to have access to a huge network of computers that they can use to send the hundreds of thousands of requests it needs to disrupt the target’s servers.
Often an attacker, or someone building a “botnet” for hire, will illicitly install malware onto computers using simple phishing attacks, which trick users into clicking on compromised links.
Botnets are increasingly easy to build, due to the proliferation of internet-connected devices — including “Internet of Things” hardware — with weak cybersecurity.
Free services, such as virtual private networks, sometimes also include software that can be used to build botnets, which can be hired or hijacked for DDoS attacks.
Criminal groups now offer botnets as a service. Privacy Affairs’ Dark Web Price Index puts the cost of a one-hour attack against an unprotected website at $15.
The attacker directs their botnet to send thousands of repeated requests to a specific website address. The sheer volume of traffic overwhelms the server, which can’t process the information fast enough.
DDoS attacks have been used as a form of protest, and for financial gain, taking sites down and demanding ransoms. But they’re increasingly used by governments and political actors to harass and disrupt civil society.
Civil society and independent media groups from the Philippines, Vietnam, Azerbaijan, and Iran have been routinely targeted by DDoS attacks.
Tordesillas didn’t want to speculate who might be targeting her organization. She only said: “Maybe the ones who have been hurt by what we have been putting out; maybe they’re the ones who have the motivation to disrupt our operations.”
It’s quite rare for DDoS attacks to actually take down independent media sites for any sustained period of time, but that doesn’t mean they’re not effective. The targets of these assaults talk about a grinding, attritional process of constant mitigation. It’s not always technically complicated, but it wastes their resources and wears them down — which is probably the point, Joris van Duijne, the executive director of Zamaneh Media, a website and radio station founded by Iranian exiles, told Rest of World. He said that mitigating relentless DDoS attacks is just another line on the organization’s budget. They pay a premium for resilient web hosting, but at least the cost is predictable.
Van Duijne also said that the steady backbeat of DDoS is complemented by other attacks, where the blunt-force assaults create openings for more targeted hacks. Behind the DDoS barrage, for example, Zamaneh’s journalists are targeted by spear phishing attacks – attempts to hack their email and social media accounts – at least once a month. Social media accounts spread hateful rumors, particularly about female journalists, and staff receive calls and messages threatening them and their families back in Iran.
These more targeted attacks are harder to budget for, because “you don’t know when they will happen and what the cost is going to be that flows from that,” van Duijne said. “Even harder to budget for is the psychology of it.”
Under constant attack, it’s the emotional cost that is perhaps the most widespread, and least measurable. “I know this is true of other exile media initiatives that I’ve talked to … the level of sick leave is generally quite high,” van Duijne said. “Burnouts are more common than in other organizations. And that all has to do with the pressure.”