Zimbabweans Hit By Cyber Attacks During Election

← Back to Stories (view on slashdot.org)

Zimbabweans Hit By Cyber Attacks During Election

Posted by Soulskill on Tuesday August 6, 2013 @09:07PM from the failsafes-failed-safely dept.

judgecorp writes "During last week's Zimbabwean election, some huge denial of service attacks took down sites including several reporting on human rights issues and potential irregularities in the election. Those affected suspect government involvement. ... GreenNet is only just recovering today, with some customer websites still down, having reported the strike on Thursday morning, the day after Zimbabweans headed to the polls. It appeared to be a powerful attack – TechWeek understands it was at the 100Gbps level – aimed at GreenNet’s co-location data centre provider Level 3, which subsequently did not let GreenNet move workloads within that facility. ... The DDoS that hit GreenNet was not a crude attack using a botnet to fire traffic straight at a target port, but a DNS reflection attack using UDP packets, which can generate considerable power. DNS reflection sees the attacker spoof their IP address to pretend to be the target, send lines of attack code to a DNS server, which then sends back large amounts of traffic to the victim."

63 comments

Min score:

Reason:

Sort:

Really? by john.burton1765 · 2013-08-06 21:09 · Score: 0

"send lines of attack code to a DNS server," really?
1. Re:Really? by Thanshin · 2013-08-06 21:23 · Score: 1
  
  "send lines of attack code to a DNS server," really?
  Yes. The code was: 41545441434b21
2. Re:Really? by Black+Parrot · 2013-08-06 21:29 · Score: 2
  
  Yes, and it generates considerable power. I'm going to start using it to power my computer from my network connection..
  
  --
  Sheesh, evil *and* a jerk. -- Jade
3. Re:Really? by Opportunist · 2013-08-06 23:03 · Score: 1
  
  PoE 2.0?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
4. Re:Really? by fritsd · 2013-08-07 01:06 · Score: 1
  
  Yes. The code was: 41545441434b21
  Pfff.. wake me when those last 2 nibbles have been changed from 21 to 212131216f6e652121 ...
  
  --
  To be, or not to be: isn't that quite logical, Slashdot Beta?
Re:wait by Thanshin · 2013-08-06 21:24 · Score: 2

Admit it. You couldn't have pointed at Zimbabwe, with a fat finger, on a map of the Solar System.
Re:wait by Anonymous Coward · 2013-08-06 21:28 · Score: 1

Surprisingly, yes they do. Please do not forget that it was the UK that set Mugabe up in 1980, despite his Chinese communist backing. And now we have the fruit of that political idiocy. You can bet your last dollar (Zim dollar or any other) that its the Chinese organizing the DDoS attacks, etc.
Re:wait by inasity_rules · 2013-08-06 21:37 · Score: 1

Indeed, I doubt the Zim government has the resources or skill to do this, given how often their own websites seem to get hacked.

--
I have determined that my sig is indeterminate.
Re:wait by jcr · 2013-08-06 21:42 · Score: 1

Not many since Mugabe ran that country into the ground.
-jcr

--
The only title of honor that a tyrant can grant is "Enemy of the State."
Elections by jkflying · 2013-08-06 21:44 · Score: 5, Funny

Obama, Cameron and Mugabe are on a boat, when they realise it is sinking and there is only one lifejacket. They decide, being leaders of ostensibly democratic countries, to vote over who gets the lifejacket, so they each write a name on a piece of paper and put it in a cup.
Once everybody is finished, they counted the pieces of paper, and the results were:
Obama: 1
Cameron: 1
Mugabe: 6

--
Help I am stuck in a signature factory!
1. Re:Elections by Anonymous Coward · 2013-08-06 23:21 · Score: 1
  
  The tally didn't really matter in the end. By the time they had counted the votes, Mugabe had arrested Cameron and Obama and then convicted them for treason in a show court.
2. Re:Elections by Anonymous Coward · 2013-08-06 23:44 · Score: 0
  
  And just then, a drone that was passing by bombed Mugabe for being on a secret 'these we bomb first' list, and Cameron died as 'acceptable' collateral damage.
3. Re:Elections by Anonymous Coward · 2013-08-06 23:48 · Score: 0
  
  How true. (And incredibly funny!)
4. Re:Elections by BrokenHalo · 2013-08-07 01:52 · Score: 1
  
  This is largely how he got into power in the first place, thanks to Lord Carrington and Maggie Thatcher.
  
  Of his principal opponents, Joshua Nkomo was the foremost, though he might not have been much better an option (except that he had the grace to die sooner). Bishop Muzorewa never really gained the traction he needed, because he didn't use artillery.
5. Re:Elections by fellip_nectar · 2013-08-07 02:49 · Score: 1
  
  Robert Mugabe himself has modded the parent 'Overrated' three times.
  
  --
  Worst. Signature. Ever.
6. Re:Elections by jkflying · 2013-08-07 19:32 · Score: 1
  
  It actually only got moderated "overrated" twice. I guess ZanuPF were a bit low on mod-points yesterday.
  
  --
  Help I am stuck in a signature factory!
Re:wait by inasity_rules · 2013-08-06 21:46 · Score: 3, Interesting

You might be a little surprised if you visited Zimbabwe. The (one and only) thing Mugabe did right was push education, which means a lot of arbitrary schools in the middle of the rural areas have computer labs and things like that. There is a thriving business in old computers there, and it was almost enough for me to support myself.

--
I have determined that my sig is indeterminate.
DNS Reflection is a bitch by Drakonblayde · 2013-08-06 21:56 · Score: 3, Interesting

Been on the business end of a DNS reflection attack. Not fun. Not only do you have to figure out how to deal with loads of DNS responses invading your network, the contact that's listed for the allocation that the spoofed IP falls under gets slammed with inquiries from angry operators wanting to know why their network is sending so many damned DNS queries to them. Very disruptive.
1. Re:DNS Reflection is a bitch by auric_dude · 2013-08-06 22:58 · Score: 1
  
  Anything like the spamhaus ddos problems a short while ago? http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/ http://arstechnica.com/security/2013/04/can-a-ddos-break-the-internet-sure-just-not-all-of-it/
They seem pretty adept at it, actually by Camael · 2013-08-06 22:00 · Score: 3, Informative

I shared the same belief as you, until I did some random digging... and wow.
Apparently the Zim government has LOTS of experience with cyber warfare .

By the time Russia ‘e-nvaded’ Georgia and paralyzed its security with cyber-weaponry in August-September 2008, Zimbabwe was in its fifth year of cyber-guerrilla warfare. Using interception gadgets, the Zanu (PF) government of Robert Mugabe jammed radio signal and web traffic that sympathized with the opposition. Online newspapers and internet radios had been using the internet to attack the Mugabe dictatorship for the past four years. Government and anti-Mugabe hackers had been trading long-range artillery fire for three decades.
That article, mind you, was written in 2008. Imagine how much more they would have picked up in the last 4 years.
1. Re:They seem pretty adept at it, actually by inasity_rules · 2013-08-06 22:12 · Score: 1
  
  Those gadgets? Guess where they come from? I suppose the Chinese could have trained them up in the interim, but for a large part they seemed to be following instructions from their Chinese overlords last time I was there... A couple of ham operators I knew got into fairly serious trouble over the things they were saying back in the mid 2000s, but mainly because they used their own callsigns. To be fair, I did not get my internet through tell-one, who probably did censor things, but instead through Econet, who did not(they had their own satellite link). I never ran across any blocked sites through them, or through the state sponsored university internet. I haven't been back for more than a couple of weeks in 3 years though, so things may have changed, but in the towns you can access pretty much any site you like.
  
  --
  I have determined that my sig is indeterminate.
Re:wait by Andy+Prough · 2013-08-06 22:03 · Score: 1

@AC 05:12AM -- "zimbabweans have computers?!"

Yes, but most access the internet via internet cafes or mobile devices. The number of Zimbabwean internet users has tripled from 1.5 million to 4.5 million (around 37% of the population) in just the past two years. This number should jump substantially over the next year, as 3G/4G service has grown rapidly - reaching 91% of the population in the past year. A 2010 United Nations survey found the Zimbabwe literacy rate was the highest of all African countries.
We should pause and step back a moment... by tlambert · 2013-08-06 22:05 · Score: 1

We should pause and step back a moment to meditate upon these attacks... hopefully it won't take too long or too many resources to do so...
1. Re:We should pause and step back a moment... by gmack · 2013-08-06 22:30 · Score: 1
  
  There are multiple ways these attacks could have been prevented but laziness and incompetence rule yet again. ISPs could add egress filtering, or they could limit the amount of open recursive resolvers on their network.
  In the end, I suspect the only way to fix this will be the same way we fixed open mail servers: start blacklisting badly behaving ISPs.
2. Re:We should pause and step back a moment... by Drakonblayde · 2013-08-06 23:38 · Score: 4, Informative
  
  It's not as simple as that. Blacklisting badly behaving mail servers is one thing. That's pretty much an application level fix. You just don't accept the mail from the mailserver.
  DNS reflection is more insidious. If I spoof an IP address and send a query to a DNS server that's authoritative for the domain, it's going to send a response back to the IP address in the source of the packet. Now I do that with a shitload of domains and a shitload of DNS servers, and they all start sending responses to the spoofed IP. A good DNS reflection attack will hit so many sources that it's impractical to filter them all, you'll spend a crapload of time just trying to keep the access-lists updated, and it's exponentially worse the bigger your border is. The only thing you can do is null-route the spoofed IP at your border to prevent the responses from getting into your network and bringing down your entire infrastructure.......... assuming you have border routers that won't die under the flood in the first place. The second you do that, the attacker has won.
  If they're sending queries to authoritative name servers what are you going to do? Blacklist them? The authoritatives are doing what they're supposed to.
  The only real way to stop DNS reflection is to convince every operator to do proper border filtering. If the source address in the packet didn't come from their allocation, they should drop it. Convincing network operators to do so is incredibly difficult.
  The one I was on the end of, they did it smart. They started at 5am on Christmas day, which is pretty much about the best time to ensure that any response is sluggish at best. It went on for two weeks and didn't cease until 4 different providers had operators willing to pool their Netflow data in order to track back where the shit was actually coming from, and we found the CnC nodes buried in TWC's network. TWC was kind enough to terminate those nodes with extreme prejudice.
  Didn't help though, we still lost the customer.
3. Re:We should pause and step back a moment... by gmack · 2013-08-07 00:14 · Score: 1
  
  I agree about filtering outbound traffic but keep in mind that these attacks work best with open recursive mail servers and there are few reasons to configure them that way. Need a resolver for your network? Then lock it so only your network can make requests on it. I just did a quick look up of the ISPs with open recursive name servers and found a company my employer does a lot of business with has 31 open recursive name servers. There is just no excuse for that.
  My thought is that we need to cause pain for people who are lazy and we could easily start blacklisting name servers because having domains stop resolving would be more painful than fixing the problem.
4. Re:We should pause and step back a moment... by Anonymous Coward · 2013-08-07 11:39 · Score: 0
  
  Most facility providers have their own caching DNS servers that all internal hosts should be using. If they also had a clue then any DNS traffic crossing the border routers that doesn't source/sink to those caching server addresses should be getting dropped on the floor. At worst the caching DNS servers would be the subject of a DDoS but this wouldn't affect hosted web servers (unless they're stupidly doing reverse lookups for their log files).
My question by korbulon · 2013-08-06 22:20 · Score: 1

Why the hell is anyone who can still use a computer - or better yet, *own* a computer - still in Zimbabwe? You'd think the strategy for anyone with some means would be: Leave now. Come back when that old stupid fuck is dead.
1. Re:My question by inasity_rules · 2013-08-06 22:33 · Score: 2
  
  Many do, but many stay because hope is a triumph of optimism over experience. Also, where do you propose they all go? Given the literacy rates a significant proportion of the population can use a computer. While I love the idea of Mugabe sitting alone in a ghost town, it isn't really practical...
  
  --
  I have determined that my sig is indeterminate.
2. Re:My question by korbulon · 2013-08-06 22:41 · Score: 1
  
  Oh I know, lord I know - my question was more rhetorical than realistic. It's just so sad to see an entire country succumb to a cancer like Mugabe. Aside from the obvious parties, who else is to blame for the current situation? I mean, how did it come to this? And for so long?
  Human history is a long line of relative misery, punctuated by brief epochs of absolute misery.
3. Re:My question by edanto · 2013-08-06 22:44 · Score: 1
  
  One thing that I discovered on my visits to Africa is that it can be extremely difficult for Africans to get visas to enter other counties. They don't have the freedom of movement that we enjoy. On top of that, many will have responsibilities to support relatives (social security in Zim is very limited), so leaving ain't as easy as it might first appear.
4. Re:My question by inasity_rules · 2013-08-06 23:04 · Score: 2
  
  When Mugabe refused to allow the UN to administer the money the British were sending him to buy farms for the war veterans (because then he would not be able to steal it, and also, pride "Zimbabwe is a sovereign Nation!"), the money stopped and he had nothing to give the war veterans who then revolted. What happened next was highly predictable in hindsight. He printed money to appease them, which they squandered and inflation ate. So they demanded land and took it.
  The problem is, when you're riding the tiger, if you get off it will eat you. I could almost pity the man, except for the slaughter of his own people in the 80s... In any case, if Mugabe dies, the Mujurus and so forth of Zimbabwe will drag it into civil war, since they control the police and the army. He clings to power because if he loses it, he is dead. He once stated he'd leave power in a coffin, and that is likely true even if he resigns. He is actually a very intelligent, though very nasty, person. Most blame his wife who is basically evil incarnate.
  Zimbabweans are a peaceful people, they don't easily become violent. If that weren't the case, he would be dead by now. In essence, I guess the people get the government they deserve, though this could have gone an entirely different way had we had someone else as leader.
  What the solution is, I don't know. Perhaps a free and fair election could transition power, but Tsvangirai isn't actually good leadership material. Essentially, the cancer has spread to the point where the organism that is Zimbabwe basically may die. Zimbabwe had such amazing potential.
  
  --
  I have determined that my sig is indeterminate.
5. Re:My question by DNS-and-BIND · 2013-08-06 23:20 · Score: 1
  
  You know why Africans can't get visas? Because when their visa expires, they don't go home. Countries keep track of things like this. Then, they modify their visa laws to match. You know why it's easy for Americans go to anywhere? Because they spend money locally and then leave. A perfect fit, what every country wants. Even America.
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
6. Re:My question by edanto · 2013-08-06 23:30 · Score: 1
  
  If only things were so simple. Hey, I'm sure if Africans had a nice stable democracy, with a ludicrously powerful dollar to return to, then they would go home to. The poster before me had simply asked why people in Zimbabwe didn't leave, and we've both given him part of the answer.
7. Re:My question by korbulon · 2013-08-06 23:58 · Score: 1
  
  Seems to me that much of Africa has amazing potential, but most of its countries are caught in a vicious cycle of incompetent, patrimonial and ruthless leaders with strong ethnic ties, an endless stream of warlords and strongmen propped up by commodities and foreign aid. Indeed, throwing wealth at the problem seems to do far more harm, like water on an oil fire. Nothing good can take root in such wretched soil. It's just so... fucking depressing.
8. Re:My question by Anonymous Coward · 2013-08-07 00:06 · Score: 0
  
  It's called a family.
9. Re:My question by Entropius · 2013-08-07 00:14 · Score: 1
  
  They are leaving, though -- per a friend of mine from Pretoria, there are a great many Zimbabwean refugees heading to northern South Africa, and the SA government doesn't quite know what to do with them.
10. Re:My question by inasity_rules · 2013-08-07 00:31 · Score: 1
  
  South Africa isn't too bad. Not too good either, but it passes. The real issue is pretty much nowhere in Africa has a functional democracy. South Africa's does partially work, but not completely. It is really depressing, I know. I lived through the worst of Zimbabwe. If SA goes the same way, I guess I'm leaving Africa. I would be very sad to go though. Africa, despite it's issues is an absolutely amazing place to be.
  
  --
  I have determined that my sig is indeterminate.
11. Re:My question by inasity_rules · 2013-08-07 00:41 · Score: 1
  
  Yes, they take a lot of the Jobs in SA. Mainly because they're more willing to work and often better educated than their South African counterparts. In any case, since the SA government props up Mugabe, it is sort of a self-created problem. If all the Zimbabweans went home (and former Zimbabweans like myself), the economy here would take quite a hit... Still, you can't empty an entire country...
  
  --
  I have determined that my sig is indeterminate.
12. Re:My question by korbulon · 2013-08-07 01:15 · Score: 1
  
  Out of curiosity, do you ever catch yourself thinking "It's gonna take a lot to take me away from you."?
13. Re:My question by inasity_rules · 2013-08-07 01:42 · Score: 1
  
  As it happens, yes...
  
  --
  I have determined that my sig is indeterminate.
sounds like the problem is here.... by Anonymous Coward · 2013-08-06 22:40 · Score: 0

, send lines of attack code to a DNS server,which then sends back large amounts of traffic to the victim
1. if the attackers need to spoof their own ip addresses when targeting the dns server, it's obvious they dont run their own.. why is the dns servers allowing the "attack code" are they exploitable or compromised? obviously they are ... so FIX THEM.
2. why are those dns servers sending massive quantity of responses and traffic back to a single ip or network? FIX THEM.
it's bad enough that there's people out there that do attack sites or services with ddos but, come on, really.. do you have to unknowingly help? afaik, those owners and operators of the dns servers allowing the attacks to go through their servers are equally at fault and just as liable (financially and otherwise).
1. Re:sounds like the problem is here.... by mrbester · 2013-08-06 23:16 · Score: 1
  
  You could ask questions of Level 3 who didn't help in mitigating the attack...
  
  --
  "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
2. Re:sounds like the problem is here.... by Drakonblayde · 2013-08-06 23:42 · Score: 1
  
  It's not that simple.
  A well executed DNS reflection attack is very very broad spectrum, and doesn't have to involve broken or compromised DNS servers.
  It's easy to armchair quarterback, try being on the receiving end of one sometime and actually looking at the data you get, you'll be impressed.
  Eliminating this kind of attack would take an unprecedented level of cooperation among service providers, and for most of them, there would be absolutely no business reason for them to undertake it.
Improvement by Anonymous Coward · 2013-08-06 22:55 · Score: 0

If they were hit by a cyber-attack and not by Robert Mugabe's thugs, that's progress.
1. Re:Improvement by Opportunist · 2013-08-06 23:06 · Score: 1
  
  Is that like hitting Cuba with economic repressions rather than bombs is progress? If so, I think it's not really much progress.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:Improvement by inasity_rules · 2013-08-06 23:08 · Score: 1
  
  In the recent elections people were hit by both, so it is progress... Just not progress from a non-Zaunu PF point of view...
  
  --
  I have determined that my sig is indeterminate.
sensationalist crap by Gothmolly · 2013-08-07 00:00 · Score: 1

A DNS amplification attack is not hacking the Gibson, geesh.
Besides, what's the point of elections in Zimbabwe anyway? To decide whose face goes on the eleventy-billion dollar note?

--
I want to delete my account but Slashdot doesn't allow it.
Re:wait by Entropius · 2013-08-07 00:06 · Score: 1

last dollar (Zim dollar or any other)
If they're Zimbabwean dollars, wouldn't you have to bet at least a trillion?
Re:wait by Entropius · 2013-08-07 00:10 · Score: 1

It's 90.7%, per the CIA.
This just in! by Anonymous Coward · 2013-08-07 00:20 · Score: 0

Mandela is a coward, and Mugabe is the greatest African who ever lived. Bob says so himself.
1. Re:This just in! by BrokenHalo · 2013-08-07 10:27 · Score: 1
  
  Mandela is a coward, and Mugabe is the greatest African who ever lived. Bob says so himself [codewit.com].
  Far out. I wonder if he was drunk. I don't think it's possible to come up with a more inflammatory speech than that.
Whoosh? by tlambert · 2013-08-07 01:19 · Score: 1

To reflect: To meditate upon
Re:wait by K.+S.+Kyosuke · 2013-08-07 01:37 · Score: 1

and it was almost enough for me to support myself
Don't you think that sitting on a chair would have been more comfortable than that?

--
Ezekiel 23:20
Re:wait by inasity_rules · 2013-08-07 01:43 · Score: 2

We could not afford chairs, so we had to sit on piles of money instead...

--
I have determined that my sig is indeterminate.
Similarity between Obama and Mugabe by Anonymous Coward · 2013-08-07 03:16 · Score: 0

Ni66er who commit election fraud.
simo by coutysd · 2013-08-07 03:33 · Score: 1

Simon : Wow Kate! That makes it seem much better. You're right, baby steps are the way forward. Starting with my immediate environment.
Re:wait by Anonymous Coward · 2013-08-07 05:56 · Score: 0

mod parent up! that's funny given their currency value :)
What was there to attack? by sapped · 2013-08-08 02:28 · Score: 1

I think the thing that blows me away the most about this news is that there is anything of a cyber nature in Zimbabwe to attack in the first place.
Make them attack each other ... or best practices by Anonymous Coward · 2013-08-08 17:38 · Score: 0

Attacks like this can ripple Tier 1
I've wondered what would happen if someone made these DNS servers (that don't follow best practices) attack each other in this manner. Would they fix them then?
Why don't the operators fix them? Paid off maybe?