DDoS attack in Iran was conducted through Telegram proxy servers
The Iranian cloud provider Arvan Cloud faced a DDoS attack that was conducted through Telegram proxies. Experts warn that the same method can be used to disrupt any site or web service.
Problems started on the morning of November 6th and continued for several days. The peak rate was about 5,000 requests per second, which poses no serious difficulty for a large telecommunications company but can cause failures at smaller Internet resources. The company's specialists immediately noted how unusual the DDoS attack was: the attackers used a data link protocol operating at the data link layer (Layer 2), whereas such campaigns in most cases work at Layers 3/4 or Layer 7. The target of the attack was the Arvan Cloud edge servers.
Experts identified the source of the malicious traffic by an educated guess, prompted by the popularity in Iran of MTProxy servers, which help local users bypass the state block on Telegram.
"As Telegram continues to be banned in Iran, users in this country route their messenger communication through MTProxy servers, which make the traffic look random through encryption. This makes restricting it difficult, allowing servers to fulfill their anti-censorship purpose", BleepingComputer reports.
These systems encrypt traffic, making filtering difficult. How effective such measures are is shown by the fact that Iran quickly rose to first place in Telegram's audience, and the data exchanged by local messenger users accounts for 60% of all network traffic in the country.
At the same time, Arvan Cloud experts say, MTProxy servers can easily be used for DDoS attacks.
The experts confirmed this in practice by simulating an attack: in the experiment they reproduced the same traffic they had previously seen in their infrastructure.
According to Arvan Cloud, this precedent is especially dangerous in Iranian conditions, since administrators of MTProxy servers can now turn their systems to malicious purposes.
"Leveraging these servers would not be too difficult, either, as the attacker would just have to replace the address for one proxy server with the IP of the target machine", Arvan Cloud reports.
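The mechanism Arvan Cloud describes is that of any forwarding proxy whose upstream address is trusted blindly: point the upstream at a victim and every client connection becomes traffic aimed at that victim, with no amplification but with as many distinct sources as there are proxies. The model below is an added illustration, not MTProxy's own code or configuration; the upstream and target addresses are placeholders, and the allowlist of "expected" upstreams is a hypothetical stand-in for whatever a real operator would pin their proxy to. It contrasts an unpinned relay, which obediently forwards to whatever it was retargeted at, with a hardened variant that refuses to start when its upstream is outside the allowlist.

```python
"""Model of a forwarding proxy turned into a DDoS relay by retargeting its
upstream, and of pinning the upstream so the retargeting is refused.
Illustrative code written for this page; not MTProxy's implementation."""

from collections import Counter

# Hypothetical allowlist of upstream addresses the proxy is supposed to use
# (RFC 5737 documentation addresses; real deployments would pin their own list).
EXPECTED_UPSTREAMS = frozenset({"198.51.100.10", "198.51.100.11"})


class Proxy:
    """A minimal relay: every client request is forwarded to `upstream`."""

    def __init__(self, name: str, upstream: str):
        self.name = name
        self.upstream = upstream

    def forward(self, client_payload: bytes) -> tuple[str, bytes]:
        # The relay does not inspect or care where the bytes go; it just
        # sends them to whatever address its configuration names.
        return (self.upstream, client_payload)


class PinnedProxy(Proxy):
    """Same relay, but it refuses an upstream outside the allowlist at startup."""

    def __init__(self, name: str, upstream: str):
        if upstream not in EXPECTED_UPSTREAMS:
            raise ValueError(f"{name}: refusing unexpected upstream {upstream}")
        super().__init__(name, upstream)


def bytes_per_destination(proxies, requests) -> Counter:
    """Sum the bytes each destination receives when every proxy relays every request."""
    totals: Counter = Counter()
    for proxy in proxies:
        for payload in requests:
            dest, data = proxy.forward(payload)
            totals[dest] += len(data)
    return totals


def simulate_retargeting(target: str, n_proxies: int, requests):
    """The page's scenario: operators replace the upstream address with the target.

    Returns (traffic before retargeting, traffic after retargeting). The total
    volume is unchanged; only its destination moves, and it now arrives from
    `n_proxies` distinct sources rather than from the clients themselves."""
    benign = [Proxy(f"proxy{i}", "198.51.100.10") for i in range(n_proxies)]
    retargeted = [Proxy(f"proxy{i}", target) for i in range(n_proxies)]
    return bytes_per_destination(benign, requests), bytes_per_destination(retargeted, requests)


def hardened_proxies(configs):
    """Build pinned proxies from (name, upstream) pairs.

    Returns the proxies that passed the pin check and the names that were rejected."""
    accepted, rejected = [], []
    for name, upstream in configs:
        try:
            accepted.append(PinnedProxy(name, upstream))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two client requests relayed through three proxies.
    sample_requests = [b"x" * 100, b"y" * 50]
    before, after = simulate_retargeting("203.0.113.5", 3, sample_requests)
    print("before retargeting:", dict(before))
    print("after retargeting: ", dict(after))
    ok, bad = hardened_proxies([("p1", "198.51.100.10"), ("p2", "203.0.113.5")])
    print("pinned proxies started:", [p.name for p in ok], "rejected:", bad)
```

The pin check is a control on the proxy operator's side and does nothing for a victim like Arvan Cloud, whose only options at the edge are per-source rate limiting and reputation lists of proxy hosts; it also cannot stop an operator who edits the allowlist along with the upstream. Its value is in making an accidental or casual retargeting fail loudly rather than silently turning a censorship-circumvention tool into an attack relay.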
The more effectively organizations protect their infrastructure from DDoS attacks, the more sophisticated the attackers' methods become. In the first months of 2019 researchers recorded a new record for packet-flow intensity, which was broken again three months later. However, driving up the packets-per-second rate to knock out network equipment and overwhelm protection systems is only one method in the arsenal of attackers, who are constantly experimenting with new techniques.
Thus criminals mount attacks using HTML ping requests, use capacity leased from cloud providers, and abuse remote-control services for macOS machines. IoT botnets remain traditionally popular and also leave room for technical experiments.