CMS resources
Technology insights
Back to Technology insights

Protecting the news on Election Night: An inside look at Brightspot’s cyber defenses

illustration depicting essential features for a broadcasting CMS

Brightspot CIO David Habib shares behind-the-scenes details about a series of coordinated DDoS attacks during the U.S. presidential election on November 5 — and how our security protocols thwarted a massive global botnet attack targeting one of Brightspot's largest news customers.

Brightspot supports several big names in the media, all over the world, and the elections in the U.S. are a big deal for a lot of those customers — so they’re a big deal for us, too, and not just for the politics. Last night some of us were spending more time looking at graphs than at the news, and here’s a little drama we saw unfold.

Starting at about 7 p.m. (U.S. Eastern), we detected a distributed denial of service, or “DDoS,” against one of our customers. A DDoS is a lot of different computers — and sometimes other devices — sending connection requests to a website all at the same time, trying to overwhelm the website’s servers and break the website.

While our customer’s site was serving record-breaking pageviews, we saw a new attack happen — instead of Edgar’s 300,000 requests in 4 minutes, this one was 37 million requests in one minute, which is a lot. (On a typical day, this site may get about 180,000 requests per minute.)
image of Brightspot Chief Information Officer David Habib
David Habib, Brightspot Chief Information Officer

The 7 p.m. attack lasted about 4 minutes and sent about 300,000 requests at us, then it went away. But then it came back a few minutes later, did the same thing, and went away again. It did this six times, each time about the same duration and about the same volume. It was an ineffective attack, deflected by the security infrastructure. We named it Edgar. I made a picture of him. Or ChatGPT did, anyway.

This story is not about Edgar; it’s about Edgar’s much bigger brother, who we didn’t name.

At a little before 9:30 p.m., while our customer’s site was serving record-breaking pageviews, we saw a new attack happen — instead of Edgar’s 300,000 requests in 4 minutes, this one was 37 million requests in one minute, which is a lot. (On a typical day, this site may get about 180,000 requests per minute.)

There were other attacks throughout the night and into today, but none of them were nearly as big as the 9:30 attempt and, I hasten to say, the website itself was fine the whole time.

It takes a lot of devices to generate that many requests in a minute; for an attack like Edgar it can just be a handful of servers or a dozen personal computers, but 37 million requires either a sizable botnet (a botnet is a collection of hacked devices) or several small ones, working together. Or both.

After failing to find anything in common among all the requests that came in at 9:30 (IP Address, ASN, user agent, geographic info, etc.), we took a look at something called a JA4 fingerprint. The JA4 fingerprint is a sophisticated way to identify any software that makes secure connections, no matter where the software is or what it’s doing. We found that almost all of the 9:30 attack came from a single fingerprint, across hundreds of devices, all over the world. A single, very large, botnet.

Depending on what tools you have, you can actually block a particular JA4 fingerprint. We didn't feel it necessary to do so at the time, because our automated security services identified and mitigated the requests before any impact was seen on the site. Because we didn’t block it, Edgar’s big brother managed to attack two more times, once around 2 a.m. and once around 6 a.m. But those attacks were much smaller; only about 3 million requests. Still a good amount of traffic, but nothing like the first one. What happened?

It looks to me like a lot of the individual devices in the botnet disappeared sometime between 9:30 p.m. and 2 a.m. The fingerprint remains the same, and some of the devices are still there in all three attacks, but the drop in volume (and some other evidence) suggests that the botnet took a pretty big hit. I’m guessing that big chunks of the botnet were detected and neutralized by security teams at network and cloud providers all over the world. I’ll never know, and will probably never get to meet the folks who did it. But it worked, the whole thing worked, the way it’s supposed to. And you probably never hear about that.

So to those people: hey, thanks.

image of Brightspot Chief Information Officer David Habib
By David Habib
January 23, 2024
From the meaning of denial of service to DDos protection case of an attack, here's everything you need to know about DDos attacks from Brightspot's Chief Privacy and Security Officer, David Habib.

Share
image of Brightspot Chief Information Officer David Habib
About the Author
As Brightspot’s CIO, David is responsible for our Security and IT functions as well as playing advisory roles in both Managed Services and Customer Success. David has been the CIO since October of 2018.

Related resources

Learn how news sites can scale efficiently during high-traffic events with strategies like load testing, caching, real-time scaling and security measures.
Starting in 2021, Midwestern media publisher Forum Communications set out to transform the digital experience for both readers and newsrooms across its portfolio of 20-plus newspaper and media brands.
As media habits shift, the need for scalable CMS solutions becomes clear to stay competitive across channels. Find out here why digital transformation is vital for broadcasters in 2024.
Discover how Brightspot empowered Grupo AJ Vierci's digital revolution, enhancing the digital presence for several publications in its family of brands with seamless content migration, sophisticated publishing tools and integrations for a modern multimedia experience.
Discover how TV Azteca transformed its digital landscape with Brightspot CMS, gaining greater enhanced efficiency, agility and cost savings across dozens of sites in its media portfolio.
Discover how AI-powered CMS tools can streamline content creation, automate workflows and deliver personalized experiences in news and publishing.
Let us give you a demo
Hear how Brightspot can turn your digital strategy goals into a reality and see how the lives of your content creators and developers will be changed using our platform.


Request Demo