(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This past week I was sent a file containing 10,711 unique IP addresses used in a DDoS. The entire DDoS occurred over a period of about 48 hours. The traffic analysed here is from the second day, when every request reaching the firewall was logged (1.5M requests) and dropped. Using the logs I was provided, I generated 3 graphs: the TCP flags, and the Top 10 ASNs and countries associated with the source IPs.

This activity occurred between 02:28 and 17:37 GMT. The first graph shows the TCP flags captured in this traffic: over 1.5M SYN packets followed by just over eighteen thousand TCP RST packets, etc. This is not a huge DDoS: spread over a period of 15 hours, it amounts to about 104,300 packets per hour.

TCP Flags

I used the Maxmind geoiplookup[1] tool to graph only the top 10 Autonomous System Numbers (ASN) and countries assigned to the inbound IPs. Since it is a DDoS, I have to assume the traffic is likely spoofed and likely controlled by a botnet.

Maxmind Analysis of IPs by ASN - Top 10

Maxmind Analysis of IPs by Countries - Top 10

Just for fun, I also sorted the TCP options. Below is the Top 20 list. What is also interesting in this output is that the most common window size is 8192, which is usually associated with the Windows OS. The maximum segment size (MSS), anywhere between 1360 and 1460 here, indicates the maximum payload a packet can carry and might be associated with a smaller MTU. For example, an MTU of 1452 is often associated with PPPoE and DSL routers.[4] The 16,628 packets with win 0, length 0 are all the Reset packets captured in the traffic.

Count TCP Options

131661 win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
115274 win 8192, options [mss 1460,nop,nop,sackOK], length 0
69531 win 8192, options [mss 1452,nop,nop,sackOK], length 0
66714 win 65535, options [mss 1460,nop,nop,sackOK], length 0
66670 win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
61611 win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
43965 win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
35975 win 65535, options [mss 1452,nop,nop,sackOK], length 0
31301 win 8192, options [mss 1412,nop,wscale 2,nop,nop,sackOK], length 0
25286 win 8192, options [mss 1412,nop,nop,sackOK], length 0
19160 win 8192, options [mss 1400,nop,nop,sackOK], length 0
18457 win 8192, options [mss 1440,nop,nop,sackOK], length 0
18290 win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
17903 win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17418 win 8192, options [mss 1360,nop,wscale 2,nop,nop,sackOK], length 0
16628 win 0, length 0
15921 win 8192, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
15058 win 8192, options [mss 1360,nop,nop,sackOK], length 0
14720 win 8192, options [mss 1400,nop,wscale 2,nop,nop,sackOK], length 0
14651 win 8192, options [mss 1380,nop,wscale 2,nop,nop,sackOK], length 0
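As an added example (not the diary's own tooling), the Python below parses tcpdump-style firewall log lines of the same shape as the list above, counts the TCP flags, aggregates the window/option signatures into a Top-N list, and converts an MSS into the MTU it implies. The log lines are constructed for the example, not taken from the author's data.

```python
import re
from collections import Counter

# Constructed sample lines in tcpdump's text format (not from the diary's log).
SAMPLE_LOG = """\
02:28:01.000001 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:28:01.000002 IP 203.0.113.11.40002 > 198.51.100.5.80: Flags [S], seq 2, win 8192, options [mss 1452,nop,nop,sackOK], length 0
02:28:01.000003 IP 203.0.113.12.40003 > 198.51.100.5.80: Flags [R], seq 3, win 0, length 0
02:28:01.000004 IP 203.0.113.10.40004 > 198.51.100.5.80: Flags [S], seq 4, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:28:01.000005 IP 203.0.113.13.40005 > 198.51.100.5.443: Flags [S], seq 5, win 65535, options [mss 1412,nop,nop,sackOK], length 0
"""

# Source IP, flags, window, optional TCP options and payload length from one tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.\d+: Flags \[(?P<flags>[^\]]*)\].*?"
    r"win (?P<win>\d+)(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<len>\d+)"
)


def parse(log):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(log, top=20):
    """Count flags, build the 'win ..., options [...], length ...' signature list, count sources."""
    flags, sigs, sources = Counter(), Counter(), set()
    for p in parse(log):
        flags[p["flags"]] += 1
        opts = f"options [{p['opts']}], " if p["opts"] else ""
        sigs[f"win {p['win']}, {opts}length {p['len']}"] += 1
        sources.add(p["src"])
    return {
        "flags": flags,
        "top_options": sigs.most_common(top),
        "unique_sources": len(sources),
    }


def mss_to_mtu(mss):
    """MTU implied by an IPv4 MSS: 20-byte IP header + 20-byte TCP header (no options)."""
    return mss + 40


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["flags"], result["unique_sources"])
    for signature, count in result["top_options"]:
        print(count, signature)
```

Run against a real firewall export, the `top_options` list reproduces the "Count TCP Options" table above, and `mss_to_mtu` shows which link type an observed MSS points at (1452 implies a 1492-byte MTU, the usual PPPoE value).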

[1] https://github.com/maxmind/geoip-api-c
[2] http://kbeezie.com/geoiplookup-command-line/
[3] https://isc.sans.edu/forums/diary/DDOS+is+down+but+still+a+concern+for+ISPs/20701
[4] http://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12918-router-mtu.html
[5] http://dev.maxmind.com/geoip/legacy/geolite/
[6] https://en.wikipedia.org/wiki/Autonomous_system_%28Internet%29

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
