On May 1st, an Anonymous-affiliated group called Ghost Squad announced an attack on Black Lives Matter, using a denial-of-service attack to take down and deface the website blacklivesmatter.com for most of the day. Ghost Squad took credit for the attack in a Max Headroom-styled YouTube video the next day, accusing the group of anti-white racism. The video drew the expected headlines and attention — but for the site itself, it was only the beginning.
A new report from Deflect, a nonprofit DDoS mitigation service, shows just how determined Ghost Squad and other groups were to bring down the site after the initial incident. Over the next six months, attackers hit blacklivesmatter.com with over a hundred separate denial-of-service attacks, some of which saw as many as 34 million attempted connections in a single day.
Neither expensive nor technically sophisticated, the attacks leveraged pre-built software and known vulnerabilities in widely used web tools like WordPress and Joomla. It’s unclear how many of the attacks were directly conducted by Ghost Squad and how many came from opportunistic attackers simply following the group’s lead. Still, Deflect believes a string of attacks in April and May can be conclusively linked to Ghost Squad — particularly the members known as “bannedoffline” and “s1ege” — because the attacks were coordinated through a single account on an offshore bulletproof hosting service.
According to co-founder Dmitri Vitaliev, Deflect was largely successful in mitigating the attacks after the May 1st incident. “There were downtimes of several minutes as we would switch off our emergency system in spring and early summer in between incidents,” Vitaliev says, “but when the larger attacks began, we were requested to leave it on permanently.”
Similar attacks have become even more potent in the months since Deflect’s study concluded, as attackers have learned to exploit vulnerabilities in Internet of Things devices. Earlier this year, a malware variant called Mirai compromised over 100,000 such devices, using them to generate as much as 1.2 Tbps of phony traffic. One subsequent attack caused downtime for a number of major services, including Amazon, Twitter and Netflix.
Fortunately for blacklivesmatter.com, Ghost Squad and its followers never got access to Mirai, and the new botnet was never turned against the site. Instead, Vitaliev says the attacks tapered off significantly after October, an effect he attributes to the FBI takedown of the vDOS booting service and other similar efforts.