Italian Police Repel Online Attempt to Disrupt Eurovision'Killnet' Group Vows Reprisals for Blocking Russia From Annual Music Competition
Italian police have reportedly thwarted an attempt to disrupt the online voting process for the annual music competition Eurovision.
Authorities say the attempted disruption was launched by a pro-Russia attack group called "Killnet" as a reprisal for the country being prohibited from competing in this year's Eurovision competition.
Eurovision organizers blocked Russia over the country's invasion of Ukraine.
Killnet, however, denies any allegations that it was involved in the attempted disruption, vowing via its Telegram channel to enact retaliation for such "deceit." The group also announced that it had "declared war" on Italy and nine other countries.
"According to foreign media, Killnet attacked Eurovision and they were stopped by the Italian police. So, Killnet did not attack Eurovision. But today, Killnet officially declares war on 10 countries, including the deceitful police of Italy," Killnet's Telegram post says. The attackers do not identify the other countries on its target list.
But Killnet appears to be contradicting itself. Last Wednesday, it said on its Telegram page that it had "perhaps" targeted Eurovision with a distributed-denial-of-service attack.
Posts published by the group on Telegram indicate that it used the Mirai botnet in the attack. The botnet has been part of large-scale DDoS campaigns in the past. "Italy and Spain, I've heard that the Mirai squad is coming to you. Perhaps this is the beginning of your end!" the post says.
A separate Killnet post on Telegram indicates the number of requests per second likely attained in the DDoS attack: "Let's send you 10 billion requests and add votes to some other country," it says.
The group says that Italy is likely to be the victim of more attacks soon and that the attacks are intended to improve the cyber skills of the country.
"Killnet does not actually attack your countries like it did in Romania," the group says in a Telegram post. "Our Legion conducts military cyber exercises in your countries in order to improve their skills. Our Legion is learning to kill your servers! You must understand that this is training. I give you my word of honor that our cyber army will soon finish training in your territory, and we will go on the offensive. It will happen suddenly and very quickly."
Italy Blocks Attacks - Twice
Italian police tell Reuters they thwarted attempts to disrupt Eurovision twice: during the semifinal on Wednesday, and during the final on Saturday.
Sventati attacchi informatici da #PoliziadiStato a @Eurovision
Gli hacker hanno provato a infiltrarsi ma l'attivazione di una sala operativa h24 dedicata all'evento con personale #CNAIPIC di #PoliziaPostale ha permesso di neutralizzare e respingere gli attacchi #essercisempre pic.twitter.com/t4fKqaUKJH— Polizia di Stato (@poliziadistato) May 15, 2022
Italian police say hackers tried to infiltrate Eurovision online voting, but the Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche - aka CNAIPIC or the Italian cyber police - says that it neutralized the attacks via its 24/7 operations room that was established specifically to support the event. It says there were concerns about retaliatory attacks from Russia over the country having been prohibited from competing in Eurovision 2022 over its Feb. 24 invasion of Ukraine.
Italian police tell Reuters that during voting and the performances, CNAIPIC blocked several attack attempts on network infrastructure launched by the Killnet hacking group and an affiliated group called Legion.
Ukraine's Kalush Orchestra won the Eurovision 2022 contest with its entry "Stefania." Ukrainian President Volodymyr Zelenskyy thanked voters for the public support for Ukraine amid the current geopolitical crisis.
'Slow HTTP' DDoS Attacks
Days before the Saturday attack on Eurovision, Italy's Computer Security Incident Response Team detailed that there has recently been a wave of DDoS attacks against critical government sites in the country. But the DDoS techniques used in this particular campaign differ from the more common volumetric DDoS attacks that saturate the bandwidth capacity available to the victim. Specifically, the method used in these attacks is called a slow HTTP DDoS attack.
This refers to a type of attack that aims to saturate the resources of the systems that provide services, including web servers, for example, usng "HTTP GET requests to saturate the available connections of a web server," according to the Italian CSIRT.
"In particular, when a client makes an HTTP request to a web server, it releases the connection only when the header of the request received is complete. By sending numerous requests with very low transmission speeds, the attacker forces the target web server to keep the connection open, thus saturating the resources dedicated by the server to communication with external clients," CSIRT says.
It adds that this type of attack is more effective when using POST requests, as they are able to send considerable amounts of data to the web server.
In its alert, the CSIRT recommends the following mitigation measures to protect systems against slow HTTP types of attacks:
- Reject connections with HTTP methods not supported by the URL.
- Limit the message header and body to a minimum reasonable length. For specific URLs, set stricter and appropriate limits for each resource that accepts a message body.
- Set an absolute connection timeout, where possible, using connection statistics. A timeout slightly greater than the average connection duration should satisfy most legitimate clients.
- Use a backlog of pending connections, which allows the server to maintain connections it is not ready to accept, thereby blocking a larger slow HTTP attack, as well as giving legitimate users the ability to be served under high load. If your server supports a backlog, it is recommended that you make it reasonably large so that your web server can handle a minor attack.
- Define the minimum speed of incoming data and block connections that are slower than the set speed. Be careful not to set the minimum value too low so as not to block legitimate connections.
- Activate the protection tools against this type of attack available through security devices such as Web Application Firewall and Next Generation Firewall L7.
CSIRT-Italy also lists product-specific mitigation actions for Apache, Nginx, Lighttpd and IIS in its disclosure statement.
It is not known whether a separate anti-Ukraine attack that targeted the Lviv city council website during the same week as Eurovision has any connection to the Killnet hacking group. The Lviv attack resulted in stolen data being published on Telegram channels linked to Russia.