The internet has become an essential tool for communication and the free exchange of information. However, this freedom is not without its challenges. One of the gravest threats faced by independent media outlets and journalists is the use of Distributed Denial of Service (DDoS) attacks to silence their voices. In a shocking revelation, Qurium Media Foundation has uncovered how Rayobyte, a proxy provider, has been weaponized to launch large-scale and sophisticated DDoS attacks against independent media organizations.
Proxy services have gained popularity as a means to bypass censorship and enhance online privacy. They act as intermediaries, allowing users to access the internet through their servers, effectively masking their real IP addresses. However, this anonymity has also made proxies an attractive tool for malicious actors seeking to exploit their infrastructure for nefarious purposes.
The Somali Journalists Syndicate (SJS), an independent trade union advocating for journalists' rights and press freedom, fell victim to a relentless DDoS attack. The assault initially led to the suspension of hosting services by prominent providers such as HostGator and A2 Hosting, as the massive influx of malicious traffic disrupted services for other clients. Subsequently, Qurium stepped in to migrate the SJS website to their secure hosting infrastructure, only to witness the attacks resuming shortly thereafter.
Qurium's forensic report sheds light on the role played by Rayobyte, a US-based proxy provider owned by the Sprious Group, in facilitating these DDoS attacks. Rayobyte's infrastructure, comprising a vast pool of IP addresses from around the world, has become the go-to choice for orchestrating such malicious campaigns. The report also exposes the complicity of Rayobyte's partners and IP space providers, as well as the deceptive use of fake geo-location data to mislead geolocation service providers.
The DDoS attacks orchestrated through Rayobyte's infrastructure employed an application layer flood technique. The attacker relied on traffic generators hosted by Worldstream to flood the targeted websites via the Rayobyte proxy service. By leasing fresh IP addresses through Rayobyte's residential proxy service, the attacker ensured a constant influx of unique IP addresses, making it challenging for traditional firewalls to filter and mitigate the attacks effectively.
Qurium's investigation uncovered a network of collaboration between Rayobyte and several partners operating under autonomous systems such as AS-BLAZINGSEO, SP-NYJ, AS-SPRIO, AS-COLOCROSSING, SERVER-MANIA, 24SHELLS, SS-ASH, IPXO and M247. These partnerships allowed Rayobyte to provide its proxy service while leveraging the resources and infrastructure of its associates. The report also highlights the questionable acquisition of IP addresses from AFRINIC, raising concerns about the integrity of the network's origins.
Qurium's swift response involved blocking approximately 20,000 IP addresses during the 24-hour attack period. The intensity of the assault is reflected in the staggering number of unique IP addresses flooding the targeted websites. However, the dynamic nature of the attack, with thousands of new addresses being constantly leased, posed a significant challenge for mitigation efforts.
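The two preceding paragraphs describe why an application-layer flood routed through a residential proxy pool defeats per-IP filtering: every leased address sends only a handful of requests, so no single source crosses a rate threshold, while the aggregate traffic is enormous. The following Python script is an added illustration of that detection problem and is not code from Qurium's report or from any tool it describes. It parses constructed access-log lines in combined-log format, applies the naive per-IP rate rule, and then groups the same minute's requests by a request fingerprint (method, path without query string, User-Agent) to show that the flood is visible in aggregate even though no individual IP is. All IP addresses, paths, thresholds and timestamps are constructed for the example.

```python
"""Application-layer flood seen through rotating proxies: per-IP rate rules
versus aggregate fingerprint rules. Added example; log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def fingerprint(rec):
    """Request shape without the cache-busting query string."""
    return (rec["method"], rec["path"].split("?", 1)[0], rec["ua"])


def build_sample_log():
    """Constructed sample (assumption, not real traffic): one ordinary visitor
    plus 40 proxy exit IPs that each send only two near-identical requests."""
    lines = []
    ts = "[10/Jun/2023:12:00:%02d +0000]"
    for i, path in enumerate(["/", "/about", "/news/1", "/css/main.css"]):
        lines.append(
            f'203.0.113.5 - - {ts % i} "GET {path} HTTP/1.1" 200 1234 "-" '
            f'"Mozilla/5.0 (X11; Linux x86_64) Firefox/114.0"'
        )
    for n in range(40):
        ip = f"198.51.100.{n + 1}"            # a freshly leased proxy address
        for k in range(2):
            sec = (n * 2 + k) % 60            # all within the same minute
            lines.append(
                f'{ip} - - {ts % sec} "GET /search?q=n{n}{k} HTTP/1.1" 200 54321 "-" '
                f'"python-requests/2.31"'
            )
    return lines


def analyse(lines, per_ip_threshold=10, fp_threshold=20, min_ips=10):
    """Return (ips the naive per-IP rule would block, floods found by fingerprint).

    A flood is flagged when one fingerprint produces at least fp_threshold
    requests from at least min_ips distinct addresses within one minute."""
    recs = [r for r in map(parse_line, lines) if r]

    # Naive view: block any single IP exceeding per_ip_threshold requests/minute.
    per_min_ip = Counter((r["ts"].replace(second=0), r["ip"]) for r in recs)
    naive_blocks = {ip for (_, ip), c in per_min_ip.items() if c >= per_ip_threshold}

    # Aggregate view: the same request shape arriving from many different IPs.
    by_fp = defaultdict(list)
    for r in recs:
        by_fp[(r["ts"].replace(second=0), fingerprint(r))].append(r["ip"])
    floods = {}
    for (minute, fp), ips in by_fp.items():
        if len(ips) >= fp_threshold and len(set(ips)) >= min_ips:
            floods[fp] = {
                "minute": minute.isoformat(),
                "requests": len(ips),
                "unique_ips": len(set(ips)),
            }
    return naive_blocks, floods


if __name__ == "__main__":
    blocked, floods = analyse(build_sample_log())
    print("per-IP rule would block:", sorted(blocked) or "nothing")
    for fp, info in floods.items():
        print("flood fingerprint:", fp, info)
```

On the constructed sample the per-IP rule blocks nothing, because each proxy address sends only two requests, while the fingerprint rule reports a single request shape arriving 80 times from 40 distinct addresses in one minute. In practice the fingerprint is what a mitigation should key on (a challenge or rate limit per request shape, or per TLS/HTTP fingerprint), since blocking the 40 addresses only buys time until the next batch is leased.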
The weaponization of proxy and VPN providers like Rayobyte highlights the urgent need for enhanced cybersecurity measures and increased accountability within the industry. Proxy providers must take proactive steps to prevent their infrastructure from being exploited for malicious purposes. Collaboration between cybersecurity experts, law enforcement agencies, and internet service providers is crucial in dismantling these networks of complicity.
The case of Rayobyte's involvement in DDoS attacks against independent media organizations serves as a stark reminder of the vulnerabilities present in the digital landscape. It underscores the importance of a collective effort to safeguard the freedom of the press and protect journalists from malicious actors. By exposing the dark side of proxy and VPN providers, we can take the necessary steps to ensure a safer and more resilient online environment for all.