An attempt to silence feminism blog Femsplain backfires on DDoS attackers, as they only help to raise its profile.
Analysis Summary
# Incident Report: DDoS Attack on Femsplain Blog
## Executive Summary
On International Women's Day (March 8, 2015), the feminist blog Femsplain suffered a severe Distributed Denial-of-Service (DDoS) attack, likely intended to silence the platform on a day celebrating women's contributions. The attack temporarily overwhelmed the site but ultimately backfired, gaining the blog significant media attention and leading to a successful fundraising campaign that ensured its continued operation.
## Incident Details
- **Discovery Date:** March 8, 2015
- **Incident Date:** March 8, 2015 (International Women's Day)
- **Affected Organization:** Femsplain (femsplain.com)
- **Sector:** Media/Publishing (Feminist Blog)
- **Geography:** Not explicitly stated; assumed to be primarily US-based operations and audience.
## Timeline of Events
### Initial Access
- **Date/Time:** March 8, 2015
- **Vector:** Distributed Denial-of-Service (DDoS) attack.
- **Details:** Malicious web traffic was directed at the Femsplain website, causing severe interruption consistent with an attempt to take the site offline.
### Lateral Movement
- Not applicable for a DDoS attack focused purely on availability.
### Data Exfiltration/Impact
- **Impact:** Temporary loss of availability for the Femsplain website ("brought the site to its knees"). The goal appeared to be censorship or silencing the platform rather than data theft.
### Detection & Response
- **Detection:** The site owner, Amber Gordon, discovered the attack via monitoring and shared evidence on Twitter.
- **Response Actions:** Femsplain publicly documented the attack via social media, using the negative attention to bolster their profile and launch a successful fundraising effort.
## Attack Methodology
- **Initial Access:** Volumetric DDoS attack.
- **Persistence:** Not applicable.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable (attack focused on network availability).
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Denial of Service (disruption of public website access).
- **Suspected Tool:** Low Orbit Ion Cannon (LOIC) was suggested as the tool used to coordinate the attack.
## Impact Assessment
- **Financial:** The immediate impact was service disruption, but this was immediately offset by a successful Kickstarter campaign that raised over $30,000, securing the platform's future operation.
- **Data Breach:** None reported.
- **Operational:** Significant, temporary operational outage on International Women's Day.
- **Reputational:** Positive for Femsplain, as the attack backfired, drawing widespread, positive media attention (e.g., The Verge, Daily Dot).
## Indicators of Compromise
- **Network indicators:** High volumes of malicious web traffic overwhelming standard website defenses.
- **File indicators:** None mentioned.
- **Behavioral indicators:** Coordinated attempt to degrade service availability coinciding with a culturally significant date (International Women's Day).
## Response Actions
- **Containment measures:** Not fully detailed, but presumably involved traditional DDoS mitigation (e.g., service provider intervention, traffic filtering).
- **Eradication steps:** N/A, as the attack stopped either naturally or through mitigation.
- **Recovery actions:** Leveraging the attention from the attack to successfully crowdfund more than $30,000 via Kickstarter to ensure the platform could continue operating and expand its capacity.
## Lessons Learned
- **Key Takeaways:** Attacks intended to silence or censor voices can often be leveraged into powerful positive publicity. The motivation appeared to be related to the ideological nature of the site and the date (IWD).
- **What could have been done better:** While the response turned positive, the severity suggested the blog's existing DDoS protection may have been insufficient for coordinated, high-volume attacks.
## Recommendations
- Ensure robust, scalable DDoS mitigation services are in place, especially for publicly visible platforms engaged in potentially controversial or high-profile advocacy.
- Develop a clear communication plan for major incidents to immediately maximize positive media attention during downtime.