Earlier this week, the Maine.gov website was taken offline for numerous hours, up until around 13:30 GMT on Tuesday, in what was thought to be a one-off attack. However, in the hours that followed, other state websites, including those of Colorado, Virginia, Georgia, Alabama, Oregon and Nebraska, were also seemingly DDoSed, while Maine.gov went offline again on Wednesday. Oddly, one UK site was attacked too: scottisharchitects.co.uk.
Maine.gov eventually released a statement on the DoS attack on Thursday saying: “The state of Maine's web portal continues to be affected by attempts to overwhelm the service with artificial web traffic. Technicians with the Information Resource of Maine (InforME) and Office of Information Technology (OIT) have worked aggressively to mitigate the inconvenience caused by the attack on Maine.gov. The site remains online at this time, but users may experience slowness or notice other performance issues as the attack continues.
“Today marks the third day Maine.gov has been targeted by a denial-of-service (DoS) attack. A DoS attack seeks to make a service unavailable to users by overloading the servers that host it with artificial traffic.”
A spokesperson added: “It's unfortunate that an individual or a handful of individuals would choose to disrupt public services for no other reason than their own amusement. While some in the online community consider DoS attacks a form of protest, they are a crime. Accordingly, InforME and OIT have been in contact with law enforcement.
“Despite online claims to the contrary, we currently have no evidence to suggest that any personal information connected with the Maine.gov portal has been compromised.
“OIT and InforME will continue to work towards fixing this issue and hope to return Maine.gov to full capacity as soon as possible. We regret any inconvenience this may have caused.”
The group claiming responsibility for this attack, and others, is ‘Vikingdom2015’, which appears to have been named after a low-budget Malaysian/American film with a cult following. The group made numerous claims online on its Twitter account before it was suspended on Thursday, but later that day it returned under the name ‘TheVikingdom2015’.
Speaking to SCMagazineUK.com earlier this week, a member of the group said that it has 16 members, although once had 22, adding that layer 4 DDoS attacks were the preferred method of attack. The group, which only appears to have been active since March 16 with attacks a daily occurrence since, claimed responsibility for attacks against the various US state websites, as well as commercial sites Go.com, Seaworld.com and Twitch.com, the gaming TV service bought by Amazon for £600 million.
The group was previously operating and communicating on Facebook but switched to Twitter when a rival hacking group, ‘ClownSec’, took their accounts offline. One of its members, BitCoin Baron, was apparently kicked out for his/her role in that incident.
The team member confirmed – contrary to some rumours – that they were not motivated by a political cause. “We knock sites down for fun,” the member said.
He/she confirmed the use of a botnet in the attacks and that the group was behind the attack on Amazon's Twitch, before making the surprising claim that the attack on Maine.gov was the largest DDoS attack in history.
“It was DDoS. [On] 1/3/2015 we launched the biggest attack ever, peaking at 3.5Tbps. 8/3/2015 power decreased from 3.5TBps to 1Tbps.” However, other hacking groups online have disputed their ability.
Asked on the nature of the attack, the team member added: “They are layer four (DDoS). We are using ESSYN to knock down big sites - [it's a] great method to destroy everything.”
The group said that its goal is “to knock down all sites”, adding that it had tried and failed to take down the official website of the National Security Agency (NSA).
Information security professionals have disputed the size of the attacks, and questioned how a relatively basic attack appears to have undone so many government websites.
“The traffic volumes that these script kiddies claim to control are unrealistic,” said Jonathan Davies, co-founder of Pervade Software. “3.5Tbps would require more than 1,750,000 infected computers under their control, assuming an average internet connection of 2Mbps (which is optimistic), and for the owners of these infected machines to not notice their huge bandwidth consumption and slow computer for very prolonged periods.”
“I believe that they are attempting to make their attack seem more sophisticated than it is in order to explain their success when the more likely answer is a simple lack of protection from these .gov sites. It seems these attacks are not complex, they are just well organised. Governments need to be prepared for these and more sophisticated 3DoS and Layer 7 DoS attacks.”
Martin McKeay, senior security advocate at Akamai Technologies, told SC: “The attacks against the US targets have been successful primarily because the attacks appear to have been against organisations with minimal infrastructure, aka ‘low hanging fruit’. All the targets are state and local governments that don't have advanced anti-DDoS in place. It is highly unlikely that the attacks were even close to 3Tbps; a more realistic traffic figure might be as low as 3 Mbps, which is still enough to affect some systems if sufficient protections aren't in place.
“The attackers appear to be using a tool called ‘Strong Orbit Ion Cannon’, which is very similar to the High Orbit Ion Cannon made famous by Anonymous. These are not advanced tools and could be used by anyone, even those with little or no skill.”
On the maximum size of DDoS attacks, he added: “The highest attack Akamai has recorded to date was a 320 Gbps attack against a single target. The claims of 3Tbps for this attack far exceed this and if true would have had a serious effect on the entire region the targets are in, not just the targets themselves.
“Businesses should look at having multiple layers of defence in place. On premise devices specialising in DDoS protection are helpful for smaller attacks, but if the attack exceeds the bandwidth the business has, then their connections to the internet become saturated and the defences fail.”
McKeay said that Akamai has seen two new types of attacks in recent months. “The first is a reflection attack that uses SSDP, aka Simple Service Discovery Protocol. This attack relies on systems that have Universal Plug and Play (UPnP) open to the Internet and has a large amplification factor. The second is the Xmas-DDoS attack, which relies on turning on many of the flags in a TCP packet and causing systems to have high-resource utilisation as they try to parse through the conflicting flags. This was used by the Lizard Squad last quarter in one of the larger attacks that clocked in at 134 Gbps.”
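One way a defender could spot the two attack types McKeay describes in captured traffic, as an added example that is not part of the article or of any Akamai tooling: the packet summaries below are constructed sample data in a tcpdump-like shape, the "conflicting flags" test (SYN with FIN or RST, or FIN+PSH+URG together) is an assumed definition, and SSDP reflection is flagged as many distinct hosts replying from UDP port 1900 to the same destination.

```python
import re
from collections import defaultdict

# Constructed packet summaries (sample data, not a real capture).
# Format: "<src>:<sport> > <dst>:<dport> <proto> [<tcp flags>] len=<bytes>"
# Flag letters: S=SYN F=FIN R=RST P=PSH A=ACK U=URG
SAMPLE_PACKETS = """\
203.0.113.10:1900 > 192.0.2.5:41000 UDP len=1420
203.0.113.11:1900 > 192.0.2.5:41000 UDP len=1380
203.0.113.12:1900 > 192.0.2.5:41000 UDP len=1410
203.0.113.13:1900 > 192.0.2.5:41000 UDP len=1390
198.51.100.7:51000 > 192.0.2.5:443 TCP [S] len=60
198.51.100.8:51001 > 192.0.2.5:443 TCP [FSRPAU] len=60
198.51.100.9:51002 > 192.0.2.5:443 TCP [FPU] len=60
198.51.100.9:51003 > 192.0.2.5:443 TCP [SF] len=60
"""

LINE_RE = re.compile(
    r"^(\S+):(\d+) > (\S+):(\d+) (TCP|UDP)(?: \[([A-Z]*)\])? len=(\d+)$")

def parse_packets(text):
    """Turn the summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, proto, flags, length = m.groups()
        packets.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": proto,
                        "flags": set(flags or ""), "len": int(length)})
    return packets

def is_conflicting_flags(flags):
    """Assumed definition: flag sets no normal TCP stack emits, i.e. SYN together
    with FIN or RST, or the classic 'Xmas' combination FIN+PSH+URG."""
    return ("S" in flags and ("F" in flags or "R" in flags)) or {"F", "P", "U"} <= flags

def xmas_packets(packets):
    """TCP packets carrying conflicting flag combinations (Xmas-style)."""
    return [p for p in packets if p["proto"] == "TCP" and is_conflicting_flags(p["flags"])]

def ssdp_reflection(packets, min_reflectors=3):
    """Group UDP packets sent from port 1900 (SSDP replies) by destination; a
    destination hit by at least min_reflectors distinct sources is a likely victim.
    Returns {victim: (reflector_count, total_bytes)}."""
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for p in packets:
        if p["proto"] == "UDP" and p["sport"] == 1900:
            by_victim[p["dst"]]["reflectors"].add(p["src"])
            by_victim[p["dst"]]["bytes"] += p["len"]
    return {v: (len(d["reflectors"]), d["bytes"]) for v, d in by_victim.items()
            if len(d["reflectors"]) >= min_reflectors}
```

On real captures the same two checks would be fed from a flow exporter or packet parser rather than text lines, and the reflector threshold tuned to the network's normal SSDP volume.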