Sunday, 25 March 2012

NDP Denial of Service Attack

Sunday was the NDP leadership convention during which NDP members could vote online. This system was plagued with issues causing voting delays and frustration within the membership. This caused much hilarity amongst the online punditry until it was revealed that the online voting system was being subjected to a Denial of Service attack. This news immediately changed the mood from "gleeful mocking" to "serious shit".

Almost from the start my techie skeptical antennae were twitching. Who would have the motive to disrupt an NDP leadership convention? And who would do it so poorly that nothing of consequence resulted other than some frazzled nerves? The system never went offline, its performance was just degraded. The convention ended, a leader was chosen. Was this just a case of an anti-social basement dweller getting his kicks in between bouts of World of Warcraft?

The news releases to date have not ameliorated my skepticism either.

"Officials say they may be able to identify the source of the attack, which jammed the online voting system, provided by Spanish company Scytl.

Party president Rebecca Blaikie told Radio-Canada that they isolated two IP addresses behind the attacks, which at one point sparked more traffic than if all 131,000 members were trying to vote at same time. An IP address is a number assigned to an internet connection that may be able to point the party to the perpetrator."

Two IPs were able to generate enough traffic to cripple the online voting system???? REALLY?

The outsourced partner that the NDP used is a global company whose primary purpose is to provide secure online voting systems. A company this big should have systems powerful enough, and protected enough, to handle small to large scale DoS attacks. If they don't, they need to get out of this business pronto. It is damnably difficult to DoS even a "small" server with the raw traffic volume of two IP addresses; the only way two hosts manage it is if each request triggers expensive work on the server side, which is an application flaw rather than a bandwidth problem. It should be impossible to disrupt a large hosted cluster of servers. One would hope that if a country ran its federal election using Scytl's services it would take an enormous army of attacking computers to disrupt the process. Full scale cyber warfare, in other words.

This whole story smells. Volumetric Denial of Service attacks usually require hundreds, if not thousands, of computers to simultaneously attack their target. If it takes much less than that, then either the service was badly undersized or the code running on it is so poorly written that a single legitimate user can take the system down by clicking "refresh" in their web browser over and over again.

The other problem with the story is the "isolation of two IP addresses". An attacker doesn't directly use their own computers to try to DoS a system. Such actions are illegal and can incur serious jail time. You use a network of compromised computers to attack your target: computers owned by ordinary people that have been infected with malware. A botnet. (There is also the problem that a DoS attack does not always need a genuine source address. Floods of UDP packets or bare TCP SYNs can carry spoofed source IPs, so an address read off those packets leads nowhere. Only traffic that completes the TCP handshake and reaches the voting application, which is what a web server's access log records, comes from a machine the attacker actually controls, whether their own box, a bot or a proxy. Which kind of address the party "isolated" makes all the difference.)
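For the record, this is what "isolating" the heavy sources looks like in practice. The script below is an added example, not code from the original post and nothing to do with Scytl's system: it parses access-log lines in Common Log Format, ranks each source by its peak requests-per-second, flags the ones no human voter could produce, and reports what share of all requests they account for. The log is constructed (RFC 5737 documentation addresses, 20 voters plus two scripted sources) and the 5 requests/second threshold is an assumption, not a figure from the story. Because an access log only records clients that completed the TCP handshake, addresses found this way are not the trivially spoofed kind; spoofing is the worry for SYN or UDP floods, which never reach this log.

```python
"""Rank sources in a web-server access log by request rate.

Added example. The log built below is constructed (RFC 5737 documentation
addresses), not data from the NDP vote or from Scytl; MAX_HUMAN_RPS is an
assumed threshold, not a figure from the post.
"""
import re
from collections import Counter, defaultdict

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed: a human clicking "vote" cannot sustain more than this many
# requests in a single second; anything above it is scripted.
MAX_HUMAN_RPS = 5


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "req": m.group("req"), "status": int(m.group("status"))}


def per_second_counts(lines):
    """{ip: Counter(timestamp -> requests logged in that second)}."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["ip"]][rec["ts"]] += 1
    return counts


def flag_sources(lines, max_rps=MAX_HUMAN_RPS):
    """IPs whose peak per-second request count exceeds max_rps -> that peak."""
    peaks = {ip: max(secs.values())
             for ip, secs in per_second_counts(lines).items()}
    return {ip: peak for ip, peak in peaks.items() if peak > max_rps}


def traffic_share(lines, ips):
    """Fraction of parsed requests that came from the given IPs."""
    total = hit = 0
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            total += 1
            hit += rec["ip"] in ips
    return hit / total if total else 0.0


def build_sample_log():
    """Constructed log: 20 voters with 2 requests each spread over 10 seconds,
    plus two scripted sources sending 300 requests/second for 3 seconds."""
    def stamp(sec):
        return f"24/Mar/2012:10:15:{sec:02d} -0400"

    lines = []
    for i in range(20):
        ip = f"198.51.100.{i + 1}"
        for k in range(2):
            lines.append(f'{ip} - - [{stamp((i + k) % 10)}] '
                         f'"GET /vote HTTP/1.1" 200 512')
    for ip in ("203.0.113.10", "203.0.113.11"):
        for sec in range(3):
            lines.extend(f'{ip} - - [{stamp(sec)}] "GET /vote HTTP/1.1" 200 512'
                         for _ in range(300))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    bad = flag_sources(log)
    for ip, peak in sorted(bad.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: peak {peak} req/s")
    print(f"flagged sources account for {traffic_share(log, bad):.1%} of requests")
```

Run it and the two scripted sources come out with a peak of 300 req/s each and about 98% of all logged requests, while every voter peaks at 1. The same per-second bucketing works on a real log; the only knob is the threshold, which should be set from what legitimate clients actually do on the site.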

Based on the story released so far, we have a global company, whose only purpose is to provide online voting, running a system so poorly protected that two IP addresses cripple it, and those addresses are then traceable back to a lazy hacker just waiting to be arrested.

Never underestimate stupidity, but this is practically a conspiracy of the stupid and the inept. There's a lot more to this story, and what has been released so far does not make sense. In any event, Scytl's reputation took a huge hit. Their system should not have been disrupted. If online voting is their bread and butter and they couldn't handle a small Canadian party convention, well, their investors should start getting the hell out now. DoS or regular old poor performance, would you use Scytl to host a vote?


Anonymous said...

Wouldn't it be more of an issue of the NDP only paying for their process to have adequate bandwidth for the expected number of voters and the company not scaling up the available bandwidth after the attack became apparent because it's running a business and the NDP didn't pay for this sort of protection against a DOS?

The other question is, if the attacks, which essentially cut off access to the voting system for the better part of an hour each time and were able to effectively simulate connection requests by over 120,000 users, came from only two (or possibly 3) IP addresses, we're not dealing with some home users running 25Mbps lines, are we?

Something fishy indeed.

Catelli said...

I can't see a provider not automatically providing DoS prevention support. Since most services are shared, one attack against one customer is an attack against all customers. (This actually occurred to me the other night: was one of their other customers being attacked, and did the attack "bleed through" to the NDP side?)

To your other point, yeah, that is fishy. It doesn't add up.