Analysis of Vikingdom DDoS Attacks on U.S. Government Sites

Cyber Vandalism, Fast Track to Fame

Over the past two weeks, a cyber vandalism group using the Twitter handle @Vikingdom2015 (currently suspended) has been targeting various high-profile U.S. federal and state government websites with DDoS attacks.

Not much is known about the group’s real motives, but earlier tweets indicate it tried to achieve notoriety by publicly shaming sites that lacked what the group deems to be adequate security.

Before unleashing its DDoS campaign, Vikingdom tweeted about vulnerabilities it found on some low-profile sites, taunting ‘What should we take down?’

Big talk

@Vikingdom2015’s SoundCloud profile page includes an audio statement claiming, ‘We will knock all American government’s websites offline. We do not care if we get caught. We all like doing this. So you better be prepared for the battle.’

Subsequent tweets claimed the group was also about to start branching out from government sites, adding gaming servers (another popular choice for attention-hungry DDoSers) to its list of targets.

Most recently, on March 27, the group credited itself with taking down In.gov, supposedly as a response to the state’s controversial religious freedom bill, which was signed into law a day before.

Still, in light of the group’s original statements, this seems to be nothing more than an attempt to piggyback on the news coverage.

Try ‘n Catch Methodology

Despite their brazen threats, @Vikingdom2015’s success seems to have been limited. Besides claiming to take down In.gov, the group also reportedly targeted Maine.gov, which went down last Monday for about three hours, and again on Tuesday for two hours.

Overall, of the 44 targets on its list, the group was able to take down between five and seven US government domains. This “try-catch” methodology, to borrow a term from programming jargon, suggests the group is probing a wide range of sites, and moving on if it can’t make any headway.

Weak Weapon, Weaker Targets

On March 18, during one of the initial attacks, one of @Vikingdom2015’s victims contacted Incapsula for assistance with mitigation. As soon as they on-boarded their website, we saw a DDoS attack targeting our Seattle PoP, peaking at ~8.74 Gbps and 2.4 million packets per second.

Our data shows that the attackers employed NTP amplification to carry out their offensive. Typically for an NTP DDoS amplification attack, the amplification factor is x20, meaning that for every 1 Gbit of spoofed NTP requests originating from the perpetrator’s botnet, the victim is flooded with 20 Gbit of NTP responses.

Not even close.

Given that the attack magnitude was ~8.74 Gbps, this means @Vikingdom2015 only sent 437 Mbps from their own compromised machines, which is not an impressive amount. With attacks of over 100 Gbps being an everyday event, this level of magnitude is considered a small- to medium-scale attack.

Here it’s interesting to point out that the group itself spins a very different tale. Specifically, when speaking with SCMagazineUK, a member of Vikingdom2015 described their attack on Maine.gov as the ‘biggest attack ever’, claiming that they saw it ‘peaking at 3.5Tbps’.

Needless to say, these claims and figures do not jibe with what we saw on March 18. From our viewpoint, it looks like the group executes small-scale attacks against high-profile ‘low-hanging fruit’, all in an effort to achieve that ever-so-flimsy, instant Internet notoriety.
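The reflected NTP traffic described above can be spotted in flow data as replies from source port 123 arriving at a host that never sent a request. The following is an added example, not Incapsula's code: the flow tuple layout, the local prefix, the thresholds and the sample flows are all constructed assumptions, and the x20 factor is the one quoted in this article.

```python
from collections import defaultdict

NTP_PORT = 123
AMPLIFICATION_FACTOR = 20  # the x20 figure quoted in the article

# Constructed, time-ordered flow records (documentation IP ranges only):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # Normal sync: a local host asks a server and gets a 76-byte reply.
    ("198.51.100.10", 40000, "192.0.2.1", 123, "udp", 76, 1),
    ("192.0.2.1", 123, "198.51.100.10", 40000, "udp", 76, 1),
    # One stray small reply: unsolicited, but not a flood.
    ("192.0.2.9", 123, "198.51.100.30", 41000, "udp", 76, 1),
    # Reflection: several servers send large replies to a host that never asked.
    ("203.0.113.5", 123, "198.51.100.20", 80, "udp", 46800, 100),
    ("203.0.113.6", 123, "198.51.100.20", 80, "udp", 46800, 100),
    ("203.0.113.7", 123, "198.51.100.20", 80, "udp", 46800, 100),
    ("203.0.113.8", 123, "198.51.100.20", 80, "udp", 46800, 100),
]

def detect_ntp_reflection(flows, local_prefix="198.51.100.",
                          min_reflectors=3, min_avg_packet=200):
    """Return {victim_ip: summary} for local hosts receiving reflected NTP."""
    solicited = set()  # (local_host, ntp_server) pairs with a request seen
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if src.startswith(local_prefix) and dport == NTP_PORT:
            solicited.add((src, dst))
        elif dst.startswith(local_prefix) and sport == NTP_PORT:
            if (dst, src) in solicited:
                continue  # reply to a request we actually sent
            s = stats[dst]
            s["bytes"] += nbytes
            s["packets"] += pkts
            s["reflectors"].add(src)
    alerts = {}
    for victim, s in stats.items():
        avg = s["bytes"] / s["packets"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_packet:
            alerts[victim] = {
                "reflectors": len(s["reflectors"]),
                "response_bytes": s["bytes"],
                "avg_packet_bytes": round(avg),
                # Spoofed request volume implied by the article's x20 factor.
                "est_request_bytes": s["bytes"] // AMPLIFICATION_FACTOR,
            }
    return alerts
```

Calling `detect_ntp_reflection(FLOWS)` flags only 198.51.100.20; the solicited reply and the single stray reply stay below the thresholds.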

What Customers Should Do to Protect Themselves

While @Vikingdom2015 is using run-of-the-mill, low-power DDoS techniques, the resulting level of traffic is still far greater than what the vast majority of smaller organizations can handle by themselves.

That said, a good solid DDoS mitigation service should be able to handle these types of attacks with ease. Organizations looking to create an effective DDoS defense strategy can download our free DDoS Response Playbook.
