...and that was actually something that happened already back in 2016. I don't know if you remember, that was like the first time that people were talking in mass about DDoS attacks, but in 2016 there was a botnet called Mirai that performed an attack and took down Dyn DNS, bringing down Netflix, Amazon, a whole lot of services in the US, and all of a sudden people were like, oopsie, DNS can be a real problem here. So what Mirai did is actually also leveraging one of those protocols, DNS, one of the features of DNS, to turn it against the victim.

If, like you said, someone downloads an AI, uses it locally and that thing's poisoned, then an attacker could send a special command or something and extract your personal data or something, right?

Oh yeah, AIs are the worst at keeping secrets. Look at it like that: never give your secrets to an AI. That's what FraudGPT and WormGPT did. WormGPT started out... it was a Portuguese student, it started out as a gray hat project, but it became so big that they then pulled the plug.

Hey everyone, it's David Bombal back with a very special guest. Pascal, welcome.

Hi David, thank you for having me.
It's great to have you on the show. Really excited about what we're going to talk about today. I've got a report in front of me, the Radware Global Network and Application Attack Trends report, and then I've also got a 2025 Global Threat Analysis report. Some very interesting stuff in here, and I believe you're the author of these reports, so I'll just throw you some stats that I read here, like web DDoS attacks up 549%, DNS floods up almost 100%, a whole bunch of other attacks. But you know this better than I, you wrote this, so tell us what's going on in the real world, because I saw you actually on LinkedIn posted just a few days ago, at the time of this recording, about X being DDoSed, and also there's this DieNet group, an activist group I believe. So perhaps you can take us on a journey about what this report is about and the sort of takeaways that people need to be aware of, because I think a lot of people misunderstand, or mistakenly believe, that DDoS isn't such a big problem today, but based on the graphs that you've got in this report and the stuff that I'm seeing here, it's like a major problem.

Remember when you were young and it was Christmas and you sit down, you put on your PlayStation, you want to play, and then it says PSN cannot log in, connection error? Yep, that's when you know that DDoS might be a problem, right? And of course it's not limited to only PlayStation attacks, it's much more than that, and that's what is happening now, and that's also what I covered in the report.

So Pascal, I've got
these two reports. There's the Threat Analysis report and then we've got this Global Network and Application Attack Trends. Is it possible for people to download these, and where can we get them? I mean, if there are links I'll put them below. Perhaps you can tell us, is it publicly available, and what's the difference between these two?

Yeah, so both reports are available. One of the reports is an executive summary, that's for the executive people who don't want the details and all the numbers and all the analysis that goes behind it, and then the other one, the full report, provides all the graphs and all the analysis of the data from our cloud. There are also several webinars that you can find if you go on BrightTALK and you look for Radware; you will find several webinars there as well covering the topics of that report.

So for everyone who's watching, I've put links below to the two reports. I really enjoyed reading these. Pascal, you wrote these, fantastic. It's great to see real-world examples of this stuff. And just for everyone who's watching, in this video we discuss a lot of technical stuff, so this is not high level, we're going to go into the weeds. Pascal gives us a lot of really technical analysis, so make sure that you continue watching. I have to say this: shout out to Radware for sponsoring this video and making Pascal available. Hopefully we get you back, Pascal, for more detailed analysis of cyber threats and what's actually going on. But without further ado, let's cut to the interview.
Now to set the scope right: when we talk about a global report we talk about the global scope, so that means a worldwide report. But what we are looking at and what we are zooming into is network and application threats, and when I say network and application threats I'm not talking about the local area network, so not the inside network that you have in your house or in your company, but actually the internet. So the threats that we're talking about, like DDoS attacks, are the threats that are happening on the public internet, an internet that was created as a best-effort network, created with all the best intents, open for everyone. But for some reason businesses found it a good idea to run multi-billion dollar businesses on top of that best-effort network, and that's where the problem for DDoS starts. Everybody can access that network, so that means whatever you put out there, you put it in the public. It's like putting it at your front door and then thinking that nobody will pick up your package if it's out at your front door for like two or three weeks. So you have many drive-bys, cars that drive by that throw stuff in your garden, all kinds of nasty stuff. Those are the DDoS attacks, people who are trying to do exploits in your online applications, and it has gotten worse since COVID. So in the report I also talk about the threat landscape revolution. I used to talk about the threat landscape evolution, okay, but if I look at the last three years... and I've been in the industry, I'm a bit older, so I've been in the industry for about 25 years now and always been in security, so I saw things being connected. I even had the time with the dial-up modems where nobody cared about security, and then all of a sudden from dial-up you come to broadband, and then your IP address is always connected, so now you need to have a firewall. And then if you look at nowadays, if you think that an IP address is as good as a password, forget it,
because everybody can scan the internet in less than one hour. Yeah, that's what we have. So it's very important for organizations, and especially since COVID many organizations moved to the public cloud because they had to allow people to work from home, so moving an application into the public cloud was the best solution to allow people to work from home. So we saw a big acceleration in the number of applications. Also, if you look at most of the companies, and I'm sure this also goes for many of the people that are listening, and also for you, David, you're not using a single public cloud, you're using two or three or four of them, and if you ever went to look into what kind of settings you have in terms of permissions and metadata and all the security controls and the different logging, it's different for every cloud, so it becomes very difficult to control that. So what we are saying is that organizations face a problem where their attack surface is expanding. So you have that major attack surface, and then on the other side you have the bad guys who want to profit from this.

Yeah, and one of the bad guys that you were zooming in on was the attackers that were trying to attack X.

So with the attacks on X, it was a DDoS attack, that is for sure, and that was also confirmed by Elon. But the only one that we saw that claimed the attack, and it corresponds when you go check on Downdetector, where typically Downdetector keeps track of all the different complaints that are coming in from people who cannot connect, when you see it ramp up, we had a claim coming out on Telegram by a threat actor, a hacktivist threat group that is called Dark Storm Team. So Dark Storm Team is a group that we were tracking already from before. They already did attacks, mostly politically driven attacks, and that is a pro-Palestinian group, so we see a lot of attacks from Dark Storm Team on Israel for example, because they are pro-
Palestinian, so they want to let themselves be heard. Now what is typically the motivation of a hacktivist? A hacktivist is the same as an activist in the street. Why are people walking in the street and blocking the street, sitting on a crossroads to block the cars? It is to get attention, they want to bring out their message. A hacktivist is exactly the same but in cyber, and their road is the internet highway. So what they're doing is they perform attacks, they try to cause disruption, they try to cause chaos, and by doing so get the attention of the media, and then in their message, whenever they claim the attack, and typically they will claim it on social media, and one of the biggest platforms for claiming is Telegram, they will claim it on Telegram and they will also put in their typically politically driven or ideologically driven message. So in this case it was Dark Storm Team. Now it gets a little bit more complex, because many of those hacktivists, and we saw them ramp up in 2022 when the conflict in Ukraine started, especially from the pro-Russian side but also from the Ukrainian side. So the IT Army of Ukraine, for example, that was created by Mykhailo Fedorov, who was the vice president of Ukraine, the vice president for digitalization at the time, created the IT Army, and for the first time that we saw this happen, he went out to social media and he called for the rest of the world, for everybody who is positive and who wants to support Ukraine, to start performing DDoS attacks with the IT Army of Ukraine. So he created a Telegram channel, he posted hosts that should be attacked, and then they started creating tools to help people. People could download those tools, and you saw even people in the US, especially young people, who were bragging in the press about, yeah, I attacked those targets in Russia and I was helping Ukraine. But of course you will have a counter movement from the other side, which was the pro-Russian hacktivists. So that's in 2022, that's where it all started,
and that's where Telegram actually came on the scene as a major hub for underground activity, and when I say underground I would say probably the underground above ground, so the criminal activity that is happening on the public internet and easily accessible on Telegram. Anyone with a Telegram account can find those channels and can follow what these hacktivists are doing and who they are attacking. So in the case of X it was Dark Storm Team that did the attack, they claimed it, and there are two possibilities here, because Dark Storm Team is also a provider of DDoS-for-hire services. So many of these hacktivists need resources to attack. If you want to do a DDoS attack, especially against a large company like X, you need a lot of bandwidth, you need lots of resources to pull it off, to cause a dent in their activity. So in this case you would see that Dark Storm Team is also offering DDoS-for-hire services, and that can be as easy as going on WhatsApp or on Telegram and sending a message to the owner, paying a subscription of like $20, maybe $30, and then for one day you can attack hosts. So you just tell them, I want to attack this host, and then the attack will start on that host. Some of them are automated, so I don't know how far you know Telegram, but Telegram provides much more than just messaging and public soundboards or channels where you can reach a large number of subscribers and members. Telegram also provides services like Telegram bots. It's very easy to write a Python bot that integrates with Telegram, and whenever there's an instruction given in the Telegram channel the bot will execute that command. So before, we saw DDoS-for-hire services, or we also called them booter and stresser services, for the people who heard about booters and stressers; those DDoS-for-hire services used to be web panels, but now you can also build them in Telegram. Now Telegram also provides another feature, which is payment services with crypto, so you
have like a full stack now that comes close to a WeChat app. So WeChat has all those apps, and yeah, they also have games, so Telegram is still missing the games, but if you look at what we have in Telegram now, you have a full stack where you can implement a service; it can be a legal service but also a criminal service like the DDoS for hire. So Dark Storm Team is providing such kind of services, so there are two possibilities for the attack on X: either it is somebody who commissioned the attack and Dark Storm Team leveraged the moment to make an advertisement, or it was Dark Storm Team itself. So what we see from a lot of those providers of underground services is they need advertisement, they need to show that their product is good, right? What's the best way of showing it? Go bring down a company, an organization, attack an organization. But if you attack the pharmacy around the corner here in whatever state or street, nobody will notice, nobody will be interested. But if you bring down a company like X or Tesla or SpaceX, so you go after the big names, and that's another possibility, that it was purely for the advertisement. But mostly for sure all the things align. Of course, attribution is always very hard, we can never say 100%, and even if they claim it, because remember those are criminals, if I have one piece of advice it would be never trust criminals. So when they say it was me, well, you also have criminals out there that are looking at Downdetector, because you can go to the website of Downdetector right now and look which one is down, okay, and now I'm quickly going to post the claim that it was me. Now they have some ways of providing proof, like typically what those hacktivists are doing, and also something that we are using for tracking them and for keeping track of who is attacking who and why they are attacking, is check-host.net. So that's a website, check-host.net, where you can go to this website, it's safe to go there, so if
you want to go there with a browser, go there, and then you can put in whatever website that you want to test, and check-host has probes around the globe that are trying to connect to that website, and if the website is available it will show you that it's available and that it has success. So lots of those hacktivists, and that started already early on in February 2022 when they started doing attacks on European targets for political reasons, they always post a check-host, and the check-host shows you that at the moment that they checked, so it's like a persistent link to a report in the past that shows that those websites were unavailable, that they were not accessible, so that's kind of giving a proof that they were attacking. Circling back to DieNet, the second part of your question: DieNet is also one of those hacktivists, and DieNet is very recent, because the first that I saw them was early March, so earlier this month. The first two weeks they were attacking Israel, they went also after a couple of other countries, the Netherlands was one of them, all political messaging. Then they got banned, because after Durov, the CEO of Telegram, got arrested in France because he was too lenient towards criminals leveraging his platform, they asked him to be more transparent, and since then we see that many more of the Telegram channels are being banned. For example, if you live in the European Union you will see that some of those pro-Palestinian hacktivist websites are banned because of propaganda. And what we see now happening in the last month, it has been accelerating much more; it's like a play of whack-a-mole between the authorities and hacktivist channels. So you have the hacktivist like DieNet who has his channel, they do an attack, they claim the attack, then the authorities ask Telegram to ban the account. Sometimes it can be Telegram or the authorities, sometimes it can also be competing hacktivists, because competing hacktivists
want to be in the spotlight, so that's competition for them, so they might also file reports and ask their members, because they have many subscribers, ask them to do an attack on that channel to ban it, to file reports for banning for unusual conduct. So they can also be banned by competing hacktivists. So when a channel is banned, so it was called like @Dienet, but then they came back with @D1ENET, with the I as a 1 now, and you see the same for threat groups like NoName057(16), for example, who is the most active and the most popular pro-Russian one; they have been banned several times already, and they always come back with a backup channel, or reborn, or channel 2. In the case of NoName they now even have a NoName Italian, NoName French, NoName Spanish, so they have all kinds of different channels where they keep the backup. So it's purely a game of whack-a-mole: whenever you take one out there are like three or four coming back up. So D1ENET came back and then started attacking the US, many organizations in the US in the financial sector and also government, and also a lot of attacks targeting Trump websites, clearly, and also the messaging on their channel was clearly against Trump, so they were not really good friends with Trump. And a little bit in the same context, I think that Dark Storm Team, or the one who commissioned the attack through Dark Storm Team, was opposed to Elon Musk.
So you mentioned application and network, and I've read in the reports, yes, one of the applications was HTTP/2, so perhaps you can explain why that's a big problem, because, and go technical please, because I'd like to know how are they doing these attacks, like what are the applications, what are the protocols, and what devices are they using? I'm assuming it's IoT devices, but is it other devices, etc.? So again, let's go deep, tell us how it's happening: network attacks versus, I'm assuming that's maybe DNS, but what are the attacks that are happening, and protocols, and then the devices actually being used to launch these DDoS attacks.

So if you look nowadays, when you want to target an application, or you want to target the company, you want to target its website, that website is hosted in the cloud. That cloud typically has lots of bandwidth. If you want to bring down that application you need to throw maybe one, two or three or multiple terabits per second of traffic at that cloud, and you're not going to bring down that single application, you're going to bring down the whole cloud basically. How can you target that single application? That's by going after the application. So what we saw is that DDoS actors, where they used to use attacks that were Layer 3, Layer 4 based, so network-based attacks where they use volume, TCP and stuff like that... sorry, you have the SYN attacks on one end, which is resource exhaustion, so if you have a firewall for example that keeps sessions, you would do a SYN attack and then the firewall would allocate sessions and you would be exhausted of resources, or a low-and-slow attack against the web browser, where you create an HTTP connection and you do a file download but you only allow it to download at one byte per 10 minutes, and you make thousands and thousands of connections; that's Slowloris, for example. So those were the kind of attacks that you saw before,
and the bandwidth that you had before: people were hosting their web services on-prem, which means that the bandwidth that they had was typically less than one gigabit per second. So if you could throw more than one gigabit per second, and that was fairly easily done, especially when you use amplification attacks leveraging DNS servers or NTP servers, then you can easily get to that threshold and you can saturate the line so that no communications are possible, so that's to bring that website offline. I already just mentioned amplification attacks, and that might raise some questions because I was just throwing it out there with DNS and NTP. How does that work? So if you have a DNS server, typically what you're going to do is you're going to do a DNS query to the server, so when you are sitting at home and you type in davidbombal.com, for example, or .co.uk, I don't know what it is.

Yeah, yeah, that's
fine. So when you type in davidbombal.com you don't know the IP address, so it will go to your ISP DNS server, which will then try to find the authoritative DNS server for the domain, ask it to translate it, get the IP address and give it back to you. Now once you have the IP address you can surf to that domain. Now that's a simple query, it's in UDP, it can also be in TCP, it doesn't take a lot, so the answer is small. But you can also do a DNS query where you say query type ANY, for example, where you get a whole list of the whole domain, all the names. Now what you see is that with a small UDP packet, with a single UDP packet with a query, I get a stream of UDP packets back to me. And since it's using UDP, that means that there's no connection state, so that means I don't need to connect from my PC to the DNS server and then get the acknowledgement and set up a session. No, I just send a UDP packet, the DNS server gets it, and what does the DNS server do? Who asked this question? Ah well, oh, that's the source IP, so I just switch source and target IP, the source and destination IP, and I reply. Now if I send the request for query ANY and I spoof the source IP, so I change the source IP from my IP to somebody I want to attack, the IP of somebody else, then I will send it to the server and the server will respond to that somebody else, and that is a big problem in DNS, and unfortunately it's something that we cannot solve. There's DNSSEC, but as you know not everybody supports it yet, and it's not that easy, so there are always servers out there that exist and that will allow such kind of behavior, and taking out DNS is not the solution, it's the cornerstone of the whole internet, so if you take out DNS all crumbles down. There are more problems with DNS, like for example a DNS DDoS attack, a query flood attack; we also saw that coming up a lot lately in the last two years, and that was actually something that happened already back in 2016. I don't know if you remember, that was like the
first time that people were talking in mass about DDoS attacks, but in 2016 there was a botnet called Mirai that performed an attack and took down Dyn DNS, bringing down Netflix, Amazon, a whole lot of services in the US, and all of a sudden people were like, oopsie, DNS can be a real problem here. So what Mirai did is actually also leveraging one of those protocols, DNS, one of the features of DNS, to turn it against the victim. So what they wanted to do, the goal of Mirai and this threat actor that was leveraging that Mirai botnet, which was also a DDoS-as-a-service by the way, it was DDoS for hire, so it was somebody who hired that botnet to perform the attack, is to bring down a certain domain. So let's say you want to bring down davidbombal.com.

Yeah, please don't, not tonight.

Please, not tonight, yeah. So what they typically would do is they will use many IoT devices. So IoT devices are like routers that sit at home, that we use for day-to-day internet connections, that are getting exploited. Why are those devices getting exploited? Well, many of those modems have default passwords. You might say, well hey, those people should put in a secure password, but yeah, do not forget that most of those routers are mom-and-pop routers, and once the Wi-Fi works you don't touch it anymore, right? So don't expect those people to do firmware upgrades, especially, and David you probably also know this, whenever you do a firmware upgrade it's like, is my device going to come back? It's almost like praying, sitting on your knees, waiting for that device to come up, does it fail or not. So you can imagine that many of the people who have routers at home, Wi-Fi routers, will not perform firmware updates, and there are many vulnerabilities in those devices, because price is one of the things that is important in those devices. If you can buy it for $50, come on, what do you expect? There cannot be that much research and security put in that device. So that was a big problem at the time,
so many of those devices were allocated into botnets, and we're talking several thousands. In the beginning we had botnets like... a guy called Daniel Kaye, also known as Spider-Man, he assembled a botnet of more than 900,000 of those IoT bots and he performed an attack on a competitor of a mobile operator in Liberia, and while doing the attack he just brought down all of Liberia. Oopsie, yeah. That's where actually the authorities went after him and discovered him. So back to my story. So those IoT devices: I already explained how you do a DNS name to IP address. Now there's an ISP server in between there, so you send a query for davidbombal.com, it will try to find the authoritative DNS server and send it forward to that authoritative DNS server, get the answer, send the answer back to you. If I ask it again, if I ask for example www.davidbombal.com, then it will cache that information, so now the ISP server
will directly answer me, it will not go to the authoritative server anymore, there's DNS cache. Now imagine a botnet of thousands of IoT devices all doing queries at something-random.davidbombal.com, and the random part is very important, that's what we call the water torture attack. So that random one, you just send it through, you send it to the ISP server, it looks in its cache, it's not cached because it's a random name, so it goes to the authoritative DNS server. The authoritative DNS server gets so many requests that it slows down. What does the ISP server do? Well, retry, because it takes too long, so it increases the flood back onto that authoritative DNS server, and the authoritative DNS server, one of the mechanisms that we have to make sure that it's not a person that is attacking us or a script that is attacking us, is doing challenges. Now you're doing a challenge against an ISP's DNS server, well, it's a real server, so the challenge will come back positive saying, yeah, it's a real DNS server. So that's what actually brought down the whole of Dyn DNS, and that impacted so many other services because those services depended on Dyn DNS to resolve their host name, and if you bring down DNS, well, there's no way to access the websites anymore. And that's an attack that we still see as of this day, and we had a very big increase, it's also in the report, last year and the year before. Now circling back to HTTP/2, and I already gave you an example of how a protocol like DNS can be abused for amplification attacks on one side, query floods on the other side. When you look at HTTP/2, there was at some point, and it was end of 2023, yeah I'm correct, last year was 2024, so the year before, in October there was a report that came out that attacks were discovered in the wild that were using what they called Rapid Reset. And Rapid Reset, if we look at our internet, when you're loading a web page you do a web request, you get many components for that web page, you
get one frame, you get text, you get images. Now if you serialize all these requests, so if first you would download the text and then you download the image and then the next image and then the next, that takes a long time, right? So what HTTP/2 started to do is allow concurrent sessions. It already was in HTTP/1.1, that was called pipelining, but pipelining had a problem with head-of-line blocking, so that means if the first one was too slow, well, the other ones were also slowed down. But they solved that problem in HTTP/2 by using concurrent sessions, so you have to look at your HTTP/2 connection as like a tunnel, a tunnel where you can create sub-connections to download all the resources from the website. Now to make sure that it's not abused, only 1,000 are allowed. Now somebody, one of those attackers, found out that you can start 1,000 sessions, and before you get to the 1,000 you reset the first one, so a new slot comes open. However, the server is already processing the request, so even though HTTP/2 knows that this session is reset, the HTTP/2 is a subprocess in the web server, and it was already fetching the page and coming back with the answer, and then it will see, oh yeah, you didn't need it anymore, okay, whatever, I just throw it away. But at the same time the server is busy, so he found a way to just leverage that HTTP/2 and make many, many, many new connections, so sub-connections inside that HTTP/2, to a web server. And one of the things to bring down, and that was the point that I made: when you want to go after an application in the cloud, how do you target that specific application from that company? You go application level. How do you go application level? That's by doing HTTP queries, do many, many, many queries. And actually Anonymous, many years ago, at the start when Anonymous came out and did DDoS attacks, how did they do DDoS attacks? They were asking their members, because they had a very big community, hey, go to your browser and click refresh over and over and over again, and if you
have enough people doing that, the website would go down.

Interesting.

But that is a very manual way of doing that. Nowadays they do it with a botnet that is leveraging many bots around the world, and that is bringing that down. Another thing that we saw last year in threat actors, because keeping track of a botnet is very difficult: whenever you have a botnet, and there's lots of competition also out there, if you have an IoT botnet, whenever you reboot an IoT device typically those bots are not persistent; when you reboot your device the bot is typically gone. But then, and I did some studies on that back in 2018, whenever it comes up again, on average within two minutes it will be taken by another botnet, because there are so many out there that are trying to take your device and leverage your device for other things. So it could be that as a bot herder or a provider of DDoS-for-hire services you lose your botnet for some reason, like an ISP does a mass reboot of all the modems across its network, and all of a sudden you lose like 70% of your botnet capability. That's bad for customers, because customers want to do attacks, and all of a sudden you have no capacity to run it, so your attacks are not doing anything anymore. So many of them started to move back to cloud servers again and centrally managing cloud. So we have Terraform, we have all the tools, all the good stuff that DevOps did to create and manage multiple nodes and to scale that. What they use now is scripts that are running on central servers, and those scripts do HTTP requests, as many HTTP requests as possible. And what they do to make sure that, because if you are being attacked and you get like 100,000 HTTP requests per second from one IP address, what do you do? I'm going to take the IP address, put it in my router, so hardware level, not a problem anymore, except for the bandwidth, but the bandwidth is only small, because those are just requests, so it's not a volumetric attack. The idea is to
actually make sure that the server is using too much CPU. So you can have those attacks coming in at the HTTP/2 level, all these requests, and it comes from the same IP, well, that's too easy. So what they found is there are many proxy providers around the world where you can rent like 100,000 proxies, and those proxies, most of them again run on IoT devices that were compromised, and illegal, but instead of now being the bot that initiates the attack, they are just a proxy. So for every request that that server is generating, it's switching to another proxy, and even though it's a single server that is generating the attack traffic, as a victim what you see is 100,000 servers that are coming at you and that are attacking you, and then it becomes very difficult to block, because some of those... and that's what we saw happening with NoName057(16), a pro-Russian hacktivist. What they did is they did recon, and typically when you have DDoS attacks not a lot of people do recon before a DDoS attack. What they do is they try to find the origin IP if it's behind caching servers, but besides that there's not much recon being done. NoName, however, went to all the applications that they attack and they look at the application and they look at which web pages would use backend infrastructure, for example a search. If you have a search on your web page, you know when you put in a search term that takes a lot of resources in the backend. If you have a POST form, like governments have many POST forms that are open to the public to provide feedback, what they found was that using that, crafting POSTs and leveraging the real variables of the website but putting junk inside them, so randomizing, but they even had specific randomizers, so for example when it's a phone number they would randomize a 10-digit number, if it's an email address they would put in a random email address, if it's text they would put in random text. So now those websites are getting hit with thousands of requests
per second, but they all look legitimate; it's only the data that is trash. But if you know how a web application firewall works, a web application firewall will be able to learn an application and can test, for every variable that you have out there, that the right variables are submitted, and can also test, if for example you ask for a phone number, that it's only digits. So it will test for that, and if it's not, it will block it as an illegal connection. However, in this case there's junk in it, but it doesn't know that this is junk, because it falls within the confines of the application. So they didn't find anything better than doing attacks like that, and using that they didn't need a lot of volunteers, even, because their attacks were limited in number of requests per second. If we look at attacks that have been seen in the past, web-based or web DDoS attacks can go up to 70, 80 million, or even 100 million and above requests per second. So that's a whole lot. They had enough with 100,000, maybe 10,000 requests per second to bring down the same website, because they were targeting the backend. Imagine that you get 1,000 requests for a search in your database. Yeah, well, your database is going to go down, going to fall over pretty fast, unless it's really highly distributed with lots of resources.

So that's where HTTP/2 comes in: connections per second and requests per second to keep that server busy, that's the most important metric now. HTTP/2 gives the attacker the ability... so they can already generate like thousands of requests per second, but if you write a Go program and you have to each time make that TCP connection, and then do that negotiation, then do the TLS negotiation, TLS three-way handshake, once that is done then you can submit the request, and that's only for one request. So you have to redo that thing over and over and over and over again, so it takes a lot of resources. Now with HTTP/2 you do the TCP handshake, you do the TLS
handshake, you have your tunnel and HTTP/2, and now you put your requests in very fast and lightweight. So all of a sudden they gain a lot of requests per second, because they found a way to make it much lighter for them.

It's amazing. I mean, I love the stories. I wanted to ask you, you spoke about home routers. There's this protocol, TR-069 or something, that ISPs use to... TR-069, yeah, to manage their routers. That's also a problem, right? Because ISPs get compromised, or that protocol can be used to use home routers as a botnet. Is that correct?

Exactly, and that is actually the protocol that for the first time has been abused, and that's where I learned the protocol, by Daniel Kaye. Remember that I talked about Daniel Kaye, aka Spider-Man? Yeah. He found that a lot of service providers leverage TR-069, and there was a command execution possibility by just sending an XML request in. TR-069 is just TCP with XML, so all you have is SOAP and XML. So it's a SOAP envelope that you send as a request to a modem to reconfigure it, and he found out that there was a way to reconfigure it to put in a remote command execution. And that's what typically botnets are after: if they can do remote command execution. What you will see in remote command execution is a wget or a curl towards a certain website and binary, and then they download the binary and they execute it. And those IoT botnets are very stupid, because they don't even try to understand the platform that is there. They have like six different binaries: one is for ARM, the other one is for x86, the other one is for 64-bit, one for 32-bit. They have all the different binaries for Linux, and they test them all, and the right one will run and the wrong one will fail with a core dump. So they just try them all, just try to run them. So all they need is remote command execution to infect a device. And that is exactly what happened with that TR-069: in that XML there was a command where
you could put a remote command execution, and he was able to download his botnet onto that. And back in 2016 he leveraged that attack against Deutsche Telekom and tried to compromise 900,000 modems. Now, luckily, it failed. It failed because the modems, for some reason, rebooted upon this command that he put in. But overnight 900,000 modems were rebooted and lost internet connection, so Deutsche Telekom had an issue. But it could have been much worse, because that guy already was sitting on almost a million bots, and he probably was going to add 900,000 more. Post Office UK is another one that was affected by those attacks, and TR-069 is a protocol that came back over and over and over again in IoT botnets.

That is correct. It's amazing, because we've done videos before on the channel where we talk about not using your ISP router, because it sounds like it's a cheap device, it's not hardened, rather put your own firewall in. I see you're nodding your head; you agree with that?

Mostly. It depends on the person. If it's a person like you, I would say yes, do it. If it's somebody else, no, like my mother. Yep, yep. Because even the small ones got better. So let's be honest, this problem that I'm talking about, this TR-069, that's from 2016, so it's a while ago. Many of the issues were already fixed. I'm not saying that it is better; it's like it comes in waves, you know. It's like AI, it goes up and down, you have winters and you have summers. The same with IoT devices. I tracked many IoT botnets and bots and threat actors back in 2016, '17, '18, and then it slowed down, but now it's coming back up. Now we see it back as a problem, because we see more often bots being leveraged in attacks again, and also for those proxies.

I've got to ask this question, though, because you said... so I think I've heard you say previously, and I might have read in the report, that attackers stopped using IoT devices because, like you mentioned, now if they reboot it, it goes back to factory defaults, and someone
else could load their malware on it or whatever. But they started using cloud-based services, and then the question is always: but if you register on AWS, then it's easy to find. Well, you also have... that's on the public cloud. Now you also have bulletproof cloud services.

You've got to explain that, bulletproof cloud service.

Like underground cloud providers. So if you go to that cloud provider, and typically... there was, a couple of years, like two years ago I think, the Bunker it was called. That was a data center that was hosted in an old World War bunker, and that was in the Netherlands, close to the border with Germany. So there they were hosting servers, and those servers, whenever there is a cease and desist from the authorities, or if you would do a legal email, or ask them, file for abuse, for example, they just ignore it. And there sit all those servers that run in the underground, so like illegal P servers, phishing servers, malware services, and also those attack servers. So you can just search for bulletproof services, you might find them. This case was in the Netherlands, and it was underground because it was illegal, but you also have things like Iceland, jalar, those are areas where there are different kinds of laws and regulations that are much more lenient for such cyber services. So typically they would... Panama is another one where you would see some of those things. Typically where you have lots of gaming and betting servers, you might also see those underground bulletproof cloud services, and you can send as many abuse emails... because that's typically what happens: when you send an abuse email, then the cloud provider looks into it, looks at traffic logs, says oh yeah, he's right, that's illegal, and then, if it's really a big crime, then the authorities might ask for more information and then go after, follow the money, and through credit card statements typically they will find out who is behind it and be
able to apprehend them. But typically it's just an abuse email and then you take down the server. But in this case it doesn't help, because they are running them in what we call bulletproof services.

So that's interesting. So the sort of attackers have moved to using cloud-based services like that, and they launch huge traffic from that. They can spin them up very easily, launch these huge attacks, but to mask the fact that it's coming from, say, a single IP or range of IPs, the traffic goes through proxy servers on IoT devices or other devices. Did I understand that right?

Exactly, yeah. And that makes it easier to scale their operation, makes it easier to manage their operation. Before, they had to manage tens of thousands of IoT bots, and there's lots of competition, so lots of fragmentation. Now with those proxies, there are free proxy lists where you can easily... I'm not saying that you're going to find 10,000 free proxies, but free illegal proxies, it's easy to find several hundreds of them on free lists. You just go to GitHub, to some of the gists that are not published, you can download the whole list, and then you test them, and whatever works you can use. And it's easy to get like 500 of them, assemble them and then leverage them to perform attacks. If you want to get more, then you can go to commercial services. Commercial services have already created those proxies, and some of them are legal. So actually there are some legal proxies to provide anonymity, just the same way with Tor. Tor, for example, was created to be anonymous; it was not created as an underground conduit, right? It was created for journalists to be able to submit information and talk with other people, have chats, without compromising their identity or compromising their location. But Tor, because of that anonymity, was then being leveraged by criminals for other things, right? And the same goes with those proxy services. So some proxy services can be a big Ubuntu server
running Squid proxy, for example, and just renting or leasing a full residential IP range from the ISP, and they can switch IPs within that ISP range. Now the most important thing for those proxies is to have residential IPs, because if you look at bot management, or bot protection, whenever you get connections coming into a website and I want to be sure that it's a human, the first thing you're going to do is test: does it come from a data center? Does it come from amazon.com? Okay,
that's not a human. Yeah, most probably not. So residential IPs are very important also for bots, bots who do price aggregation. Because bots... we don't talk about bot protection, we talk about bot management, because you need to manage the bots. It's different from DDoS attacks. A DDoS attack you want to block, right? You don't want to manage it; it's block it and keep it out. However, if it's bots, you need to manage them, because there are good bots and bad bots. The good bots might be price aggregators, for example. If you want a flight, you go to a price aggregator, you ask for a price and they will get all the information. It can be done by APIs, but sometimes it's also bots that are scraping information from the internet. So like mostly when you want to buy a keyboard and you go to one of those price comparison websites, typically they go scraping for that information. Now those are good bots, because they can enable your business; you want to let them in. You also want to let in Google. Google also comes crawling your website with a bot, but do you want to block Google? No, because you're probably paying... your marketing officer might be paying thousands of dollars per month for SEO optimization to get higher in Google, and you're going to block it? No, it's not a good idea. Now bad bots also exist, because they come and scrape your content and they might leverage your content. So that's where we talk about bot management, and then it's important for those bots to leverage residential IPs, and that's where we see a lot of those bots also being leveraged for those IPs.

So the devices that are getting used in the botnet, is it, like we've mentioned, home routers or modems? Is it other types of devices as well? I'm assuming it's like cameras and stuff like that.

Oh yeah, yeah, yeah. So anything that is insecure and on the internet. IP cameras, yeah, unfortunately there are many IP cameras that are out there. Building security services, quote unquote, that put an IP camera on an
apartment that they are responsible for, and they put that IP camera directly on the public side of the Wi-Fi, thinking that, well, it only has an IP address, nobody will ever find it, right? Yeah, right. And username, password? Well, no, it says: who is going to guess that my password is "password" or "password123"? Well, maybe nobody's going to guess it, but anyone has access to the manual, anyone can Google what is the default password of whatever camera vendor, you will find it. So cameras, but also, later on, Linux servers, because those IoT devices, while good, they are typically limited in their capabilities; they have limited CPU, limited memory. Imagine that that was also the time where we had Docker coming up, and many Docker images out there on the internet, and also VMware images out there on the internet that you can download. Now many of those VMware images have a default password, or have secure shell enabled with root without password, and of course they tell you to change the password, but that's somewhere in the manual. Now who reads the manual? Come on. Exactly, exactly. You download the VM, you run the VM, and then you go, whatever, oh, it works, yeah, great, next project. Very efficient. But yeah, at the same time you have a VM running in the cloud with SSH enabled and root open. So they started leveraging the same kind of botnet that did SSH and tried username/password to just get into Linux servers. First it was by accident, and then after they saw that, oh yeah, hey, there's a good opportunity here, we can go after servers, and then they found even bigger ones, which were Hadoop clusters. There is a protocol, I forgot what the name of the protocol was, but there is a way through XML, and again XML, to submit a task for the cluster to execute. Now many universities had a Hadoop running and put it on the internet so that students from home could submit tasks for their big Hadoop cluster, but there was no security by default in Hadoop, so you
should have put a proxy in front of it with authentication, but they didn't do that. Some attackers found out that, hey, there are some really big performance clusters out there where we can run commands; all we have to do is just submit an XML and try to get it in.

Now how do we know all that? Because, yeah, we're running honeypots. So I have honeypots running in the cloud, and even at my home I have a honeypot, and that's listening on all the ports, and whatever command comes in, I try to grab it, I try to talk with them. So it's not like a Linux device that I let them do anything on and I monitor, because that's too dangerous. You don't want to do that, because they might jump; even if you think that you're well isolated, there's always a way that they might jump laterally. So I just have a conversation with them. So I accept the incoming connection, I converse with them, and I try to trick them into giving me the download location of the malware. And once you have the download location, then you can download it, you can reverse it, you can find out what attack vectors they have: is it for DDoS, is it for another case, is it for account takeover attacks? There you can find all the information. Now when they do these Hadoop attacks, of course at home I'm not running a Hadoop server. Yeah, but they don't care, they just go, they just scan the whole internet range. Now they can be more precise. So they know that if they scan the whole internet range, they're going to go over a couple of thousands of honeypots from security research, and it's only a matter of time before their command and control is taken down and they lose everything. So they got smarter. They leveraged services like Shodan, GreyNoise. And Shodan, for example, I don't know if you know Shodan, but Shodan is, we call it an IoT search engine; it searches more than IoT. But what Shodan has done is scanning the whole internet IP range, and then it will do a port scan, and whenever it finds a port like, for example, port 22 is open, it will connect and
then it will scrape the banner, keep that in a database. Whenever there's a web server open, it will scrape the web server, keep it in a database. So now when I go to Shodan and I say show me all the Apache servers with that version, Shodan will give you a list of all the IPs. To make things worse, now Shodan also provides you with CVEs. You want to attack a certain CVE, you just put in the CVE, you get all the IP addresses where Shodan found this CVE to be open and to be vulnerable. So now they can go much more targeted than before. Before, they had to scan the whole thing and then they tripped up the honeypots, but they're still tripping up. I still see a lot of attacks coming into my house, a couple of thousands per day.

I've heard you say that attackers were getting people to download stuff onto Android phones and devices to also launch attacks. Is that right?

Yeah, of course it happens. Well, there are some set-top boxes for TVs, for example, and I don't know if you ever owned a set-top box and you were running one of those Plex clone services, free, one of those services, I'm not going to give the name. But one of those services, when you go into their manual, it's open source, when you go into their manual you will read that to be able to install it you need to enable debug mode, otherwise you cannot sideload it. It never tells you to disable debug mode. Now when you enable debug mode, you're also enabling ADB, the Android debugger, which is a port that opens, port 99... 9,000 something, I forgot it. So that ADB protocol can now be used, and if you scan for the ADB protocol you will find some set-top boxes that are explicitly open, and there were even botnets that were scanning the LAN for those set-top boxes to infect those boxes as well. So that is one way. The other way, phishing and so on, is less of a tactic from IoT botnets. So when I talk IoT botnets, you have to imagine those are very unsophisticated malwares written for Linux. They do zero evasion. Why? Because who's running an
antivirus on their IP camera or on their router? Yeah, even today we're not doing it, right? So there's no need for evasion; there's nobody who looks at the device. When you sit behind your computer and you're infected with a malware and you get a popup, oh, that's strange, I had a popup; hey, my CPU is going crazy; hey, my network is going up. There's always something to find, and you need to already evade all the malware and all the other tripwires that were set up to get onto that desktop. So writing Windows malware is much more difficult than writing an IoT malware. Some IoT malwares are just Python scripts; they just download it, leverage whatever Python is on the machine, and just run it. So it's crazy that it's very unsophisticated, because it comes on that layer which is on the public side. So there's no such thing as tricking a user into downloading; that's more like the Android-specific malware that is to steal credentials, for example. Info stealers might be a good example of that. So these things will typically ask you to download something on your Android phone and execute it, or on your Windows. But IoT malware doesn't work like that. All they need is remote command execution in some way or another, a vulnerability around that. Once they get access, either by default passwords or a remote command execution, they can load their bot onto the device, execute it, and nobody ever knows.

Pascal, I've got to ask you two topics which we haven't covered; I'm amazed we haven't really got into it yet: APIs and AI. AI is obviously all the rage. Technologies like these... sounds like APIs are a nightmare as well, because people can just get direct access to very important data. And AI, it seems like attackers have the advantage with AI, but perhaps you can talk about that. You know, it's easy for me to say these things, but what are you seeing?

Yeah, so let's start with APIs. Okay. APIs are hard to secure, because in the case of, for example, a website, you can verify if
it's a human on the other side. An API, however, is machine to machine, so you cannot verify interactivity, or click on this, or do a CAPTCHA, whatever; you cannot do that. So APIs are not that easy to secure. Another problem with APIs is that not everybody gets full control of their APIs, meaning that sometimes they have a developer team, or a team that was contracted, that wrote an API to support your application and put it somewhere in the cloud, and they're still testing and developing it, but they put it out in the cloud, and they're not using the production database but they just use a copy of it. However, that copy contains the sensitive data of people. It's only a matter of time before that API has been found. Another problem is zombie APIs, so APIs that are forgotten, or legacy, let's call them legacy APIs instead of zombie APIs. Some APIs are still out there because there are one or two big customers that are still using them. However, those legacy APIs are legacy for a reason, because they didn't have the same security controls, they were not using the latest version of the compilers that were compiling the applications, they don't have all the authentication and all the other new features that the new services have. However, they're still online to support these one or two customers. Well, yeah, those legacy APIs are the first ones to be attacked and to be uncovered. Now in some cases the security team is not even aware of certain APIs that are being developed or that are being mounted for development. So if they're not aware, they cannot put all the security protocols and all the security controls that they would like to put on an API; they cannot put them in place. So the biggest problem is actually, and that's what I said in the beginning, that threat surface, because we start to see more and more often that people are starting to build applications, but we don't build monolithic applications anymore. We learned that in the mainframe time, and it
was not a good idea for flexibility. So when we started doing agile, we started to cut that into all smaller pieces, and those smaller pieces now start to be outside of the company, because sometimes, why would I write a payment provider and payment checking program if I can use Stripe or something else that's already out there? Yep. So many applications now consist of third-party APIs that are being connected to them, and those third-party APIs, and that's where supply chain attacks come in, when a third-party API might not have all the security controls in place, or even when they have all the security controls in place, if you are against one of the nation states, where you have very sophisticated attackers that found a zero-day vulnerability that got into their server, infected them, and then through that API that you're using all your users' data is being leaked. Well, this is something that can happen if you have very good attackers there, and it happened not so long ago. Remember the... how much was it, $1.5 billion dollar