
Cyber Incident Victim: Graham Cluley Blog

Date: Nov 2015

Location: United Kingdom

Summary

A cybersecurity-focused website experienced a significant distributed denial-of-service (DDoS) attack that disrupted its availability for multiple days, rendering it inaccessible to users. The attack employed multiple vectors including UPnP reflection, DNS reflection, and TCP SYN flooding, originating from thousands of sources to overwhelm infrastructure. While speculation arose about potential links to known DDoS extortion groups like the Armada Collective, no ransom demands or attacker communications were received, suggesting non-financial motives. The site owner migrated hosting to isolate the target and implemented mitigation measures through third-party services including Cloudflare (later replaced by Incapsula) and Pressidium's managed WordPress hosting to restore functionality and harden defenses against future attacks. Service was restored after configuration adjustments, with no evidence of data breaches or system compromises beyond temporary unavailability.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

The Graham Cluley Blog experienced a distributed denial-of-service (DDoS) attack beginning on Sunday, November 8, 2015, which disrupted website accessibility for readers. The attack flooded the site with excessive traffic to render it inaccessible, overwhelming the hosting infrastructure without breaching data or compromising accounts. It was initially unclear whether Cluley's site was the primary target, since the shared hosting environment raised the possibility that it was collateral damage from an attack on another client of his web host. This ambiguity was resolved when the attack resumed after Cluley migrated his website to a dedicated IP address, confirming his site as the intended target. The attackers employed multiple techniques, including UPnP reflection, DNS reflection, and TCP SYN flooding, generating traffic from thousands of sources that strained the host's upstream network. Cluley described the attack as "unusually large" but noted no evidence of data theft, defacement, or unauthorized account access. No ransom demands or communications from the attackers were received, leading Cluley to assess the motivation as personal rather than financial. Public speculation linked the incident to the Armada Collective's DDoS extortion campaigns, though Cluley could not confirm this connection.


Mitigation efforts commenced in the early hours of Wednesday, November 11, with Cluley collaborating with managed WordPress host Pressidium and DDoS protection service CloudFlare to implement defensive measures. The migration to CloudFlare’s paid tier occurred at approximately 4:30 AM during this response window, though Cluley acknowledged this might not represent an optimal long-term solution. Pressidium’s support team provided continuous assistance throughout the incident to stabilize the hosting environment. By Wednesday, the site regained functionality apart from intermittent performance issues attributed to Cluley’s own configuration errors rather than ongoing attacks. Cluley committed to additional hardening measures to maintain uptime while inviting user feedback regarding residual technical anomalies. In December 2015, Cluley replaced CloudFlare with Incapsula for DDoS mitigation, reflecting an iterative adjustment to the site’s defensive posture following the incident. The attack’s duration spanned at least three days, with full restoration requiring coordinated infrastructure changes and third-party security services.
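A defender-side illustration of how the three vectors named in this record (UPnP/SSDP reflection, DNS reflection, TCP SYN flooding) show up in flow telemetry, and why counting distinct sources matters when traffic arrives from thousands of hosts. This is an added example, not code from the incident write-up or from any of the hosting or mitigation providers mentioned; the flow records, the field layout and the byte threshold are constructed for illustration.

```python
"""Classify constructed flow records into the DDoS vectors named on this page."""
from collections import Counter, defaultdict

# Constructed sample flows (not from the incident). Field order assumed:
# (proto, src_ip, src_port, dst_port, tcp_flags, bytes)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 1900, 40001, "", 1200),   # SSDP/UPnP reply from udp/1900
    ("udp", "198.51.100.8", 1900, 40002, "", 1100),   # second UPnP reflector
    ("udp", "203.0.113.9", 53, 40003, "", 3000),      # oversized DNS reply from udp/53
    ("udp", "203.0.113.10", 53, 40004, "", 2800),     # second DNS reflector
    ("tcp", "192.0.2.1", 51234, 443, "S", 60),        # SYN with no handshake completion
    ("tcp", "192.0.2.2", 51235, 443, "S", 60),        # ... from a different source
    ("tcp", "192.0.2.3", 51236, 443, "S", 60),        # ... and another
    ("tcp", "192.0.2.50", 51300, 443, "SA", 1500),    # normal completed TCP session
    ("udp", "203.0.113.11", 53, 40005, "", 90),       # small DNS reply: ordinary resolution
]

# Constructed threshold: reflected DNS answers are large; normal answers are small.
DNS_REFLECTION_MIN_BYTES = 1024


def classify_flow(proto, src_port, tcp_flags, nbytes):
    """Label one flow by the vector it matches, or 'benign'."""
    if proto == "udp" and src_port == 1900:
        return "upnp_reflection"          # SSDP responses reflected off UPnP devices
    if proto == "udp" and src_port == 53 and nbytes > DNS_REFLECTION_MIN_BYTES:
        return "dns_reflection"           # amplified answers from open resolvers
    if proto == "tcp" and tcp_flags == "S":
        return "syn_only"                 # half-open connection attempts
    return "benign"


def summarize(flows):
    """Return {label: (flow_count, distinct_source_count)} over the records."""
    counts, sources = Counter(), defaultdict(set)
    for proto, src_ip, src_port, _dst_port, flags, nbytes in flows:
        label = classify_flow(proto, src_port, flags, nbytes)
        counts[label] += 1
        sources[label].add(src_ip)
    return {label: (counts[label], len(sources[label])) for label in counts}


def detect_vectors(flows, min_sources=2):
    """Report vectors seen from at least min_sources distinct hosts, sorted by name."""
    summary = summarize(flows)
    return sorted(label for label, (_n, srcs) in summary.items()
                  if label != "benign" and srcs >= min_sources)


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(detect_vectors(SAMPLE_FLOWS))
```

In real telemetry the source threshold would be far higher than two; the point is that a single reflector or a single SYN sender is noise, while the same pattern across many unrelated sources is the signature of the multi-vector flood described here.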

Sources

1 source (available to members)