Part of the report released by the information technology security experts of Manila stated that it was “a very unusual scenario/occurrence, especially as seen above, it’s clearly bot-triggered. Based on our experience, we highly suspect that whoever is doing this has a troll farm generating machinery. We were able to locate and identify IP addresses (below are the lists) where it was being generated and we’ve [sic] found out that they are using ASN’s [sic] via PLDT line.”
The listed IP addresses are 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199.
Calls for investigation
Immediately after the announcement of the “hacking incident,” calls for an investigation arose. Others even suggested a “political backdrop” behind the cyberattacks.
The following day, Renato Reyes Jr. of Bayan Muna posted this on his Facebook account: “Marapat na imbestigahan ng NBI ang ginawang cyber attack sa vaccination site ng Manila LGU lalo na’t napakahalaga ng pagbabakuna ngayon. Ang cyberattack ay naglalayong pabagsakin ang site sa pamamagitan ng napakalaking volume ng mga page requests. Ang atake sa vaccination site sa panahon ng pandemya ay isang napakalalang krimen. Pwede nitong pagkaitan ng pagkakataon na makapag-rehistro ang mga nais magpabakuna. Pwede nitong gawing magulo ang sistema ng pagbabakuna. Hindi ito makakatulong (The NBI should investigate the cyberattack on the vaccination site of Manila LGU considering that vaccination is very important now. The main goal of the cyberattack is to bring down the site by making huge volumes of page requests. The attack on the vaccination site in these times of the pandemic is a grave crime. This can deny the applicants the opportunity to register for vaccination. This can even make the vaccination system confusing. It does not help in any way).”
“Wala kaming nakikitang ibang motibo kundi pulitika (We can’t see any other motive except politics),” he added.
I did my own research and investigation on the listed IP Addresses and the supposed cyberattack.
Denial of service attack
The vaccination registration website for the City of Manila is https://www.manilacovid19vaccine.ph/. It is hosted by Cloudflare Inc. in Singapore with registered autonomous system numbers (ASN) in Cloudflarenet, USA. The IP address assigned to it is 188.8.131.52.
The traffic volume for this website averages 1,760 unique daily visitors and some 6,513 page views. On the assumed day of the attack, it surged to more than a million page requests, resulting in a “502 error,” meaning the server was temporarily inaccessible. It is rather clear here that a denial of service attack happened.
A denial of service attack, technically termed “DoS,” is a hacking technique that floods a web server with so many requests that the server is overloaded and the website crashes. To mount an efficient DoS attack, hackers utilize botnets, or zombie computers, that send out the data requests, which in turn flood or choke the server.
However, this attack was actually a distributed denial of service or “DDoS” attack, a more efficient variant that is essentially a DoS attack launched from multiple locations and IP addresses instead of just one.
Revisiting the IP address
I have, on several occasions, defined what an IP address is. For the benefit of those who are not in the know, I will be revisiting this topic.
IP stands for Internet Protocol. The moment you are connected to the internet, your device (e.g., a laptop, tablet, phone) follows certain rules and standards to connect to other servers and for information exchange. These rules and standards are called protocols. Hence, we have an Internet Protocol or IP.
The address part of an IP address is a unique set of numbers assigned to an electronic device, used to identify that device within a local network or over the internet. This set of numbers is usually represented in dot-decimal notation: four decimal numbers, each ranging from 0 to 255, separated by dots. An example is 184.108.40.206 – the IP address of www.manilacovid19vaccine.ph.
These IP addresses (unless they are spoofed) are traceable since they serve as the “electronic return addresses” for all information requests and online activities done by the device while connected to the internet or a local network.
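Added here as a worked example (not code from the column or from the Manila security team): a small Python log analyzer that applies the dot-decimal rule above to validate each source address, buckets requests per minute, and flags minutes far above the site’s stated daily baseline, reporting how many distinct sources drove the surge, which is the difference between the DoS and DDoS described earlier. The log lines and addresses are constructed, and the 50x factor is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Baseline from the column: ~6,513 page views a day, about 4.5 requests per
# minute. The log lines further down are constructed, not real traffic.
BASELINE_PER_MINUTE = 6513 / (24 * 60)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})')

def parse_ipv4(text):
    """Four decimal fields, each 0-255, no leading zeros -> 32-bit int, else None."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    value = 0
    for part in parts:
        if not re.fullmatch(r"0|[1-9][0-9]{0,2}", part) or int(part) > 255:
            return None
        value = (value << 8) | int(part)
    return value

def parse_line(line):
    """Return (source address, minute bucket, status) or None for junk lines."""
    m = LOG_LINE.match(line)
    if not m or parse_ipv4(m.group(1)) is None:
        return None
    # "02/May/2021:10:00:07 +0800" -> "02/May/2021:10:00", a per-minute bucket
    return m.group(1), m.group(2)[:17], int(m.group(3))

def flood_report(lines, factor=50):
    """Minutes above factor x baseline: request count, distinct sources, 502s."""
    per_minute, errors, sources = Counter(), Counter(), defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # malformed line or invalid source address
        src, minute, status = parsed
        per_minute[minute] += 1
        errors[minute] += status == 502
        sources[minute][src] += 1
    return {m: {"requests": n, "distinct_sources": len(sources[m]), "errors_502": errors[m]}
            for m, n in per_minute.items() if n > BASELINE_PER_MINUTE * factor}

# Constructed sample (RFC 5737 documentation addresses): a quiet minute, then a
# flood minute from five sources, plus two malformed lines the parser rejects.
SAMPLE_LOG = [
    f'203.0.113.{i % 2 + 1} - - [02/May/2021:09:00:{i:02d} +0800] "GET /register HTTP/1.1" 200 512'
    for i in range(3)
] + [
    f'198.51.100.{i % 5 + 1} - - [02/May/2021:10:00:{i % 60:02d} +0800] "GET / HTTP/1.1" 502 0'
    for i in range(300)
] + ['256.1.1.1 - - [02/May/2021:10:00:05 +0800] "GET / HTTP/1.1" 502 0', 'not a log line']
```

Running `flood_report(SAMPLE_LOG)` flags only the 10:00 minute, with 300 requests from five distinct sources and 300 responses of 502; a single flagged source would instead point to a plain DoS.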
Who owns listed IP addresses?
The security report cited above claimed that the alleged hackers “are using ASN’s via PLDT line.” First off, it was wrong to report that the hackers are using ASNs through the PLDT line. Out of the listed five IP addresses, only one uses the PLDT as a gateway or service provider.
Here is my analysis of the five IP addresses.
220.127.116.11 – This IP address is in the city of Manila, and the internet service is provided by the Philippine Long Distance Telephone (PLDT) Co. It is geographically located at 14.6042, 120.9822 latitude and longitude.
18.104.22.168 – This IP address is in the city of Manila, and hosting is provided by Converge ICT Solutions, Inc. The device’s geographical location is at 14.6042, 120.9822 latitude and longitude.
22.214.171.124 – This IP address is in Quezon City and the service provider is the Philippine Telegraph and Telephone (PT&T) Corp. This is physically located at 14.6488, 121.0509 latitude and longitude.
126.96.36.199 – This IP address is located in Quezon City, and its service provider is Globe Telecom, Inc. The physical location of this is at 14.6488, 121.0509 latitude and longitude.
188.8.131.52 – This IP address is located in Quezon City, and Globe Telecom, Inc. is its service provider. It can be found at 14.6488, 121.0509 latitude and longitude.
With the latitude and longitude coordinates, it would be very easy to pinpoint the exact location of those who used these IP addresses. Surprisingly, though there were five IP addresses identified in the report, they point to only two locations – one in Manila and another in Quezon City.
Two of the users are located at 819 Rizal Ave., Santa Cruz, Manila 1003, while the other three users are at Elliptical Road corner Kalayaan Ave., Brgy. Pinyahan, Diliman, Quezon City. The Manila location is in a block bounded by R-9, Recto Ave. and Oroquieta Road.
Who are the people behind these cyberattacks? Can the Philippine National Police or the National Bureau of Investigation take on the leads that I presented here?
Who then is/are behind the sabotaging of the Manila city government’s vaccination efforts through cyberhacking?
Please continue sending your comments to [email protected]. Visit our page at www.facebook.com/All.Insight.Manila.Times. Messages can also be sent to Viber account (0915)4201085.