First published: 19th June 2014
PopVote.HK and Apple Daily were both hit by large Distributed Denial of Service (DDoS) attacks on 18th June 2014. The attack on PopVote.HK, which uses web services provided by Amazon Web Services (AWS), CloudFlare and UDomain, reached 85Gbps, making it the largest DDoS attack seen in Hong Kong. However, Cloudfront is a large international content delivery network and DNS provider, and it recorded the biggest ever DDoS seen on the internet, reaching 400Gbps, in February 2014 against an unnamed customer.
PopVote.HK is the website of the Public Opinion Programme (POP) of The University of Hong Kong (HKU). It is a sensitive time for PopVote.HK because it is preparing for a so-called referendum this weekend commissioned by the Secretariat of the "Occupy Central with Love and Peace" on the question of constitutional reform in Hong Kong, particularly on the matter of public nominations for the Chief Executive. AWS and UDomain have withdrawn from providing services to the site, leaving CloudFlare as its only service provider.
The simultaneous DDoS on Apple Daily, a Chinese-language newspaper with an often controversial pro-democracy stance, seems more than mere coincidence.
Almost all the attack traffic to PopVote.HK was from local ISPs. The Police are investigating.
A founder of Occupy Central, Professor Benny Tai Yiu-ting, said there was "reason to suspect" that government bodies were behind the hacking activities and that the attacks must have come from "a political power which doesn’t want to see universal suffrage being implemented in Hong Kong", but he did not elaborate on the evidence.
In an email, Legislative Councillor for the IT Functional Constituency Charles Mok has urged his constituents to condemn the attacks, writing, "it is shameful that technology is now used to thwart our civil society". He has set up a Facebook page to gather cases of cyber-attacks and condemn those behind them. He urged the Police to investigate.
Acting Secretary for Security John Lee issued a press release that did not reference the attacks directly. He urged the public to report cyber attacks to the Police so that they could take action. He mentioned a previous conviction for a DDoS attack. The release was confused on technical details, saying, "that to stop such attacks, Police must have access to the targeted system, which requires consent." Particularly for DoS attacks, the contents of the targeted system are irrelevant; all that is required are system logs showing the details of the traffic, and these might come from an intermediate system, not the final target. The target might contain confidential information that the victim is obliged to protect, so the Police should have access to sufficient information for the investigation and no more. When a mob is throwing mud at your windows, do the Police need to search your safe?