South Africa has faced a week of sophisticated DDoS attacks. Literally one week prior, the City of Joburg was slapped in the face with a ransom note from a group of hackers known as the Shadow Kill Hackers, which left employees with a demand of 4 bitcoin, approximately R550000 or €33500. In the last week of October 2019, however, South Africa was hit by an even more massive series of attacks, “the largest South Africa has ever seen” according to mybroadband.co.za.
Initially the attacks were targeted at the ISPs themselves, which is already quite a feat for hackers. Thousands of consumers' weekend browsing came to a halt as the DDoS attacks targeted Liquid Telecom's infrastructure. This means that thousands if not millions of slave devices were made to block the road for legitimate traffic, with floods in excess of 100Gbps. Multiple big-name ISPs were targeted, such as Afrihost, Axxess, Webafrica, Cool Ideas, Cybersmart and RSAWEB, and some have not been named.
The attacks on RSAWEB’s network started on 21st October, according to this article on mybroadband.co.za. “The issue started last Monday. We are still seeing intermittent traffic attempting to exploit any vulnerabilities; however, we feel we have mitigated these issues,” RSAWEB’s CEO Mark Slingsby told MyBroadband, after which he described the attack as ‘somewhat unusual’. “We saw large short bursts with high volume small size packets targeting DNS, LDAP, and uPNP services,” said Slingsby. “What was interesting is we were seeing source traffic from local peers inside SA, which is not typically the case.” Much like other Internet service providers and South African banks, RSAWEB cannot determine the true source of the attack.

Cool Ideas, the self-acclaimed “community referral based ISP”, even reached out to their consumers in a playfully educational email as follows:


Afrihost CEO Gian Visser said that locally hosted content like Netflix, Gmail and YouTube should be working without problems. “Internationally hosted game servers and other international resources will remain an issue until the attacks go away or are well mitigated,” he said. Visser said that technical staff from Afrihost, Echotel and Liquid Telecom are working on mitigating the attack as effectively and quickly as possible. “Although the attacks continue, the severity or impact thereof has decreased,” said Visser.

Which brings us to the next major point: on 23 October 2019, the South African banks were hit by DDoS attacks which targeted consumer-facing services. SABRIC CEO Susan Potgieter said that the wave of attacks targeted various public-facing services across multiple banks. “These attacks started with a ransom note which was delivered via email to both unattended as well as staff email addresses, all of which were publicly available,” said Potgieter.

In response to this: “Threat intelligence which has surfaced has revealed that this is a multi-jurisdictional attack with entities from several countries being targeted,” the South African Banking Risk Information Centre (SABRIC) said. SABRIC also goes on to say that this is a serious wake-up call for organisations to talk to experts in the field so that they can keep up with the ever-changing field of cyber security. Unlike the City of Joburg’s attack, this attack on the South African banks did not jeopardize sensitive information; it merely prevented operation.

Read more on MyBroadband.co.za’s website, where most of the information above was gathered. Also an interesting read is the US Department of Homeland Security’s page on DNS Amplification.