Italian CERT: Hacktivists hit govt sites in ‘Slow HTTP’ DDoS attacks

Italy’s Computer Security Incident Response Team (CSIRT) has disclosed DDoS attacks carried out against crucial government sites in the country over the past couple of days.

DDoS (distributed denial of service) is an attack that aims to deplete a server’s available resources, making it unable to respond to legitimate user requests and rendering the sites it hosts inaccessible.

Pro-Russian hacktivists known as the Killnet group claimed responsibility for the attacks. The same group launched similar attacks against Romanian portals and the Bradley Airport in the US.

In response to news stories about the DDoS attacks against Italy, Killnet published a message to Telegram stating that further attacks may be coming in the future.

“Our Legion conducts military cyber exercises in your countries in order to improve their skills. Everything happens similarly to your actions – the Italians and the Spaniards are going to learn how to kill people in Ukraine. Our Legion is learning to kill your servers!,” a Killnet representative posted to their Telegram channel.

“You must understand that this is training. Don’t make too much noise, I’m sick of the amount of news about attacks on the Senate. I give you my word of honor that our cyber army will soon finish training in your territory, and we will go on the offensive. It will happen suddenly and very quickly.”

Killnet’s attacks are effective

As part of the announcement, CSIRT explained that the attacks on the country’s government, ministry, parliament, and even army websites, used the so-called “Slow HTTP” technique.

This method is based on sending one HTTP request at a time to web servers, but transmitting the request at a very slow rate or leaving it incomplete, so that the server is left waiting for the next request.

The server detects the incoming communication and allocates resources dedicated to waiting for the remaining data. When there are too many of these types of requests, the server is overwhelmed and cannot take any more connections, making the site inaccessible.

“This type of attack is more effective in the case of using POST requests, as they are also used to send considerable amounts of data to the web server.” – explains CSIRT’s announcement.

CSIRT characterizes “slow HTTP” as an unusual type of DDoS attack, warning system administrators that their existing defenses may not be effective unless they specifically target this type of attack.

“With regard to the recent DDOS attacks that occurred starting from 11 May last against national and international subjects, it was found that they were carried out using techniques that differ from the most common DDOS attacks of volumetric type 1, thus passing unnoticed to the protection systems commonly used on the market against this type of attack as they occur using a limited bandwidth.”

CSIRT.
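The point about limited bandwidth can be seen in a small detection sketch. This is an added example, not code from CSIRT's advisory or the original article: it flags incomplete requests by per-connection inbound rate instead of total traffic volume. The `Conn` record, the thresholds and the sample connection snapshot are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are illustrative assumptions, not values from the CSIRT advisory.
MIN_BYTES_PER_SEC = 50.0   # an incomplete request slower than this looks stalled
GRACE_SECONDS = 10.0       # ignore connections younger than this
MAX_SLOW_PER_SOURCE = 3    # flag a source holding more stalled connections than this

@dataclass
class Conn:                # hypothetical per-connection record from server metrics
    src: str               # client address
    method: str            # HTTP method of the request in progress
    age_s: float           # seconds since the connection was accepted
    bytes_in: int          # request bytes received so far
    complete: bool         # True once headers and declared body have fully arrived

def is_slow(c: Conn) -> bool:
    """Incomplete after the grace period and below the minimum average rate."""
    if c.complete or c.age_s < GRACE_SECONDS:
        return False
    return c.bytes_in / c.age_s < MIN_BYTES_PER_SEC

def slow_sources(conns):
    """Return {src: stalled connection count} for sources over the per-source limit."""
    counts = defaultdict(int)
    for c in conns:
        if is_slow(c):
            counts[c.src] += 1
    return {s: n for s, n in counts.items() if n > MAX_SLOW_PER_SOURCE}

def total_rate(conns):
    """Aggregate inbound bytes/sec, the figure a volumetric threshold watches."""
    return sum(c.bytes_in / c.age_s for c in conns if c.age_s > 0)

# Constructed sample: snapshot of open connections on one web server.
SAMPLE = (
    [Conn("198.51.100.7", "POST", 120.0, 600, False) for _ in range(5)]  # 5 B/s each
    + [Conn("203.0.113.20", "GET", 0.2, 420, True),       # normal request, finished
       Conn("203.0.113.21", "POST", 2.0, 90_000, False),  # fast upload in progress
       Conn("203.0.113.22", "POST", 15.0, 300, False)]    # a single slow client
)

if __name__ == "__main__":
    print("aggregate inbound B/s:", round(total_rate(SAMPLE)))
    print("B/s from stalled source:", total_rate(SAMPLE[:5]))
    print("sources holding stalled requests:", slow_sources(SAMPLE))
```

In the sample, the five stalled POST connections together account for 25 bytes per second, so a volume threshold sees nothing unusual, while the per-connection check singles out the one source holding them.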

CSIRT has shared possible ways to mitigate this type of attack in their advisory. 

Source: https://www.bleepingcomputer.com/news/security/italian-cert-hacktivists-hit-govt-sites-in-slow-http-ddos-attacks/