The ongoing protests in Hong Kong are attracting worldwide attention. Less visible is a connection to the ongoing DNS-based DDoS attacks that started early this year. On Sunday, Sept 28, attackers used DNS-based DDoS to target Passion Times, a local Hong Kong newspaper (http://www.passiontimes.hk/). The site was brought down for most of the day and had to resort to Facebook (https://www.facebook.com/passiontimes) in order to get the news out.
These attacks have usually followed a predictable pattern since they started: a small number of websites, usually 4-6, are targeted each day. This attack did not follow the pattern; all the energy was directed at Passion Times. All times in the charts below are UTC, and they show the attack lasted about 13 hours.
This chart shows attack-related traffic from 5 providers. The vertical scale is tens of millions of queries. PRSD stands for "Pseudo-Random Subdomain", a style of DDoS attack that uses DNS queries in which the leftmost label is randomized to create additional work for the DNS. High volumes of these randomized queries often cause the authoritative servers for target domains to fail, which effectively takes the site offline.
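The PRSD pattern described above can be spotted in resolver logs by its shape: many queries for one parent domain, almost every leftmost label unique, high-entropy and unresolved. The following is an added example, not code from the original post or from Nominum; the log format, the thresholds, the two-label parent-domain rule and the sample names are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log as (query name, response code); not real traffic.
RANDOM_LABELS = ["qzxkvbtrnw", "hjdmwpyqsl", "bnvcxzlkjh", "tyruweiqop", "mznxbcvlaks",
                 "plokmijnuh", "wsxedcrfvt", "yhnujmikol", "gfdsatrewq", "xcvbnmlkjh"]
SAMPLE_LOG = (
    [("www.example.org", "NOERROR"), ("mail.example.org", "NOERROR")] * 10
    + [(f"{lab}.target.example", "NXDOMAIN" if i % 2 else "SERVFAIL")
       for i, lab in enumerate(RANDOM_LABELS)]
)

def shannon_entropy(label):
    """Bits per character of a single DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def split_name(qname):
    """Return (leftmost label, parent domain). Assumption: the parent is the
    last two labels; production code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])

def find_prsd_targets(log, min_queries=8, min_unique=0.9, min_failed=0.9, min_entropy=2.5):
    """Flag parent domains whose traffic looks like pseudo-random subdomain
    queries. Thresholds are illustrative and need tuning on real traffic."""
    stats = defaultdict(lambda: {"labels": [], "failed": 0})
    for qname, rcode in log:
        label, parent = split_name(qname)
        if label is None:
            continue
        stats[parent]["labels"].append(label)
        # Random names normally do not exist (NXDOMAIN) or hit a failing server.
        stats[parent]["failed"] += rcode in ("NXDOMAIN", "SERVFAIL")
    flagged = {}
    for parent, s in stats.items():
        n = len(s["labels"])
        if n < min_queries:
            continue
        unique = len(set(s["labels"])) / n
        failed = s["failed"] / n
        entropy = sum(shannon_entropy(lab) for lab in s["labels"]) / n
        if unique >= min_unique and failed >= min_failed and entropy >= min_entropy:
            flagged[parent] = {"queries": n, "unique_ratio": unique,
                               "failed_ratio": failed, "mean_entropy": round(entropy, 2)}
    return flagged

if __name__ == "__main__":
    print(find_prsd_targets(SAMPLE_LOG))
```

Domains that answer wildcard queries would return NOERROR for random labels, so the failure-ratio test would have to be relaxed for them.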
This chart shows the percentage of attack queries relative to total queries for the same 5 providers. It shows the impact on provider DNS infrastructure. For one provider nearly half the query volume came from the attack. Nominum, now part of Akamai, estimates these graphs only reflect a small percentage of overall attack traffic, <<5%, so the overall scale of the attack is much larger.
News sites have been attacked in the past. In June of this year a Taiwanese news site, Apple Daily, was attacked, as was a Hong Kong voting site. But this is unusual: on most days lightly trafficked, seemingly inconsequential websites are targeted. Small gaming sites in China are the most common targets, although recently the attackers also briefly shifted their focus to Chinese pornography sites. Given the low profile of most of the targets, it is unclear how the attacks could be monetized in a meaningful way. The collateral damage across the Internet is far more costly as DNS operations teams rally to minimize the impact on their infrastructure.