The results of the audit of the DDoS attack are now available to the Boomer community.
This is the final stage of a very complicated process: we are finally able to share with you the results of the cyber security audit of the DDoS attack we suffered on the night of the 19th of October 2017, during the first launch of online ticket sales. The final evaluation comprised thorough technical information that was delivered to the court of Castelo Branco (Portugal) together with an official complaint.
The following text summarises the significant data and was written by the cybersecurity specialists who assisted us with the analysis, a company called Securnet:
“The Security Incident Analysis is based on the access log of the web server that hosts the ticket sales platform (tickets.goodmood.org).
This information shows that the platform suffered a DDoS (Distributed Denial of Service) attack with major impact between 21:00 on 19th October and 04:00 on 20th October (GMT), with 20 million total interactions.
These requests were made from 29.734 unique IP Addresses arriving from 138 different countries.
As we could identify, on the 19th October, 3.404.494 requests were made between 21:00 and 22:00 (945 hits per second) with an increase to 5.414.492 between 22:00 and 23:00 (1.504 hits per second) and a decrease to 1.437.867 between 23:00 and 24:00 (399 hits per second).
On the 20th October there were 2.981.440 requests between 00:00 and 01:00 (828 hits per second) with a decrease over time to 2.929.055 requests between 01:00 and 02:00 (813 hits per second), 1.725.905 requests between 02:00 and 03:00 (479 hits per second), 1.129.206 requests between 03:00 and 04:00 and 939.632 requests between 04:00 and 05:00 (313 hits per second).
Besides the DDoS (Distributed Denial of Service), we identified the usage of other automated scanning tools to check server information (footprinting), and search for database management tools (like phpmyadmin).
Suspicious activity was also detected, with the attempt to grant direct API access with actions like User Registration, User Login, and others… with PostmanRuntime. Those activities were made on the 19th October over a time span of 40 minutes with 4851 interactions from two IP Addresses that have been identified (United Kingdom and Ireland) and where a suspect was identified based on leaked data.
With further analysis to the platform, a vulnerability was confirmed through which it was possible to get direct API access that could lead to automated tasks and/or other unauthorized usage.
This situation may imply financial fraud and/or organized crime.”
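The figures in Securnet's summary (requests per hour, hits per second, unique source IPs, and the flagging of footprinting probes such as phpMyAdmin lookups and API calls carrying a PostmanRuntime user agent) are all things a defender can derive directly from a web server access log. The following is an added example of that kind of triage, written for this page and not Securnet's or Boom's own tooling. It assumes the log is in the common Apache/nginx "combined" format; the sample log lines, the IP addresses, the paths and the scanner signatures are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed for this example):
# ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed signatures: paths probed by footprinting tools and
# user agents that indicate scripted rather than browser traffic.
SCANNER_PATHS = ("/phpmyadmin", "/pma", "/.env")
SCANNER_UAS = ("PostmanRuntime", "sqlmap", "nikto")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def hits_per_second(requests_in_hour):
    """Average request rate over a full hour, truncated to whole hits (as in the report)."""
    return requests_in_hour // 3600


def analyse(lines):
    """Aggregate an access log into per-hour volume, unique sources and flagged probes."""
    per_hour = Counter()
    ips_per_hour = defaultdict(set)
    all_ips = set()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed or truncated lines instead of crashing
            continue
        hour = rec["ts"].strftime("%Y-%m-%d %H:00")
        per_hour[hour] += 1
        ips_per_hour[hour].add(rec["ip"])
        all_ips.add(rec["ip"])
        path = rec["path"].lower()
        if any(path.startswith(p) for p in SCANNER_PATHS) or any(s in rec["ua"] for s in SCANNER_UAS):
            flagged.append((rec["ip"], rec["path"], rec["ua"]))
    return {
        "per_hour": dict(per_hour),
        "hits_per_second": {h: hits_per_second(n) for h, n in per_hour.items()},
        "unique_ips_per_hour": {h: len(s) for h, s in ips_per_hour.items()},
        "unique_ips": len(all_ips),
        "flagged": flagged,
    }


# Constructed sample log (RFC 5737 documentation addresses); one line is deliberately unparseable.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Oct/2017:21:00:01 +0000] "GET /event/tickets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2017:21:00:02 +0000] "GET /event/tickets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Oct/2017:21:00:02 +0000] "GET /event/tickets HTTP/1.1" 503 0 "-" "Mozilla/5.0"
198.51.100.24 - - [19/Oct/2017:21:59:59 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Oct/2017:22:00:05 +0000] "POST /api/v1/users/register HTTP/1.1" 200 88 "-" "PostmanRuntime/6.4.1"
192.0.2.10 - - [19/Oct/2017:22:00:06 +0000] "POST /api/v1/users/login HTTP/1.1" 200 64 "-" "PostmanRuntime/6.4.1"
192.0.2.11 - - [19/Oct/2017:22:01:00 +0000] "GET /event/tickets HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is truncated garbage and will be skipped
"""


def sample_report():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    report = sample_report()
    for hour, n in sorted(report["per_hour"].items()):
        print(f"{hour}: {n} requests, {report['unique_ips_per_hour'][hour]} unique IPs")
    print("unique IPs overall:", report["unique_ips"])
    for ip, path, ua in report["flagged"]:
        print("flagged:", ip, path, ua)
```

On a real log the interesting signal is the ratio between requests and unique IPs per hour: a flood spread over tens of thousands of addresses, as the report describes, cannot be rate-limited per IP, whereas the PostmanRuntime API calls concentrated on two addresses are exactly what a per-IP or per-account rate limit on registration and login endpoints would have throttled.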
These details could only be shared now, as the whole situation has been undergoing a meticulous investigation which - at last - has come to an end. The role of timing was crucial, as we communicated information as we received it, always having to take into account the seriousness of the attack and the subsequent involvement of law enforcement.
Thank you for taking the time to read this news. If you have any remaining doubts or need any further clarification, you can always reach us at [email protected]
With Love and Gratitude,