FCC: Despite DDoS Attack in May, ECFS “Remained Secure” Wasn’t Hacked

Although the FCC’s electronic comment filing system (ECFS) experienced a distributed denial-of-service (DDoS) attack last month (TR Daily, May 8), “the system remained secure and nothing was hacked,” according to FCC Chief Information Officer David Bray. Mr. Bray’s comment on the DDoS attack was attached to a letter that the FCC released June 27 from FCC Chairman Ajit Pai to Sens. Ron Wyden (D., Ore.) and Brian Schatz (D., Hawaii). The letter, dated June 15, responded to a letter from the senators on the DDoS attack.

Mr. Pai’s letter and the CIO’s responses were referenced yesterday in a letter that House Democrats wrote the FCC and the National Cybersecurity and Communications Integration Center (NCCIC) raising concerns about the Commission’s cybersecurity preparedness in the wake of the DDoS attack (TR Daily, June 26).  “We have determined that this disruption is best classified as a non-traditional DDoS attack,” Mr. Bray said in his response to questions from the senators. “Specifically, the disrupters targeted the comment filing system application programming interface (API), which is distinct from the website, and is normally used by automated programs or bots for bulk filings.”

“From our analysis of the logs, we believe these automated bot programs appeared to be cloud-based and not associated with IP addresses usually linked to individual human filers. We found that the bots initiated API requests with the system and then via their high-speed, resource-intensive requests, effectively blocked or denied additional web traffic — human or otherwise — to the comment filing system,” he said. “Since both humans and bots were attempting to access the same system and because bots could make more intensive resource requests much faster than humans, the ‘bot surge’ triggered the comment filing system to queue and ultimately decline new connections. The result was that new human users were blocked from visiting the comment filing system. “By 1 :00 a.m. EST on Monday, May 8, 2017, the system effectively reduced the number of new requests it would accept in response to the bot swarm. We believe that these bot swarms continued, peaking at 30,000 requests per minute, or three times the total daily traffic for any day in the previous sixty days. This volume also represented the maximum volume that the commercial, cloud-based API servers could handle,” he added.

“Importantly, the system remained secure and nothing was hacked,” Mr. Bray said. “In addition, the FCC successfully received more than two million comments in 10 days, versus more than two million comments over 110 days in the related 2014-15 proceeding. This number includes a one-day record of more than 400,000 comments on Thursday, May 11, 2017. We continue to research additional solutions to strengthen ECFS’ controls to further protect the system.”

He said the FCC consulted with the Federal Bureau of Investigation but that “given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement.”

He said the Commission “has several commercially provided services and tools to protect its systems from DDoS attacks as well as all forms of cyber-attacks.” But he added that “[b]ecause the FCC is required to accept comments in virtually any form and from any source, our commercial providers are severely limited in the actions they may take to shut down what are perceived as inappropriate or malicious bots accessing system resources. However, the FCC did implement a rate limit on its API to prevent any one bot from draining excessive system resources. But this rate is tied to a key, and if bots requested multiple keys, they could bypass the limit. We believe there were instances where a single IP address requested multiple keys, thus bypassing the rate limit.”

As to whether the FCC has the necessary resources to combat such cyber attacks in the future, Mr. Bray said, “Although the FCC has demonstrated the resiliency of its systems, we must be consistently vigilant in safeguarding IT assets to ensure system availability for all constituents. The FCC is dependent upon its IT team to deal with any issues that may occur going forward and they are continuing to explore potential improvements to the system. If the Commission needs additional resources to address system and cybersecurity issues, we will work with OMB and the Appropriations Committees to ensure that we have the funds to undertake essential upgrades.” —Paul Kirby, paul.kirby@wolterskluwer.com

Courtesy TRDaily