Fixed wireless broadband provider Cirrus Communications has experienced a distributed denial of service (DDoS) attack that incapacitated half its network. Cirrus provides wireless networks to business, apartment complexes, residential colleges and military bases. The company says it is a last mile provider and prides itself on “competitive pricing … in metropolitan data centres to remote or broadband constrained areas,” an “ability to deliver high bandwidth where organisations need it” and an “Its ability to connect multiple locations for organisations on a breakthrough economic basis.” But over the last day, those services have not been available to all customers, as CEO Eric Heyde told The Register the company yesterday experienced a DDoS attack that took down “more than 50 per cent” of its network and that it experienced “struggles” in the wake of the event. “We are very close to full recovery,” Heyde told The Reg . “We’ve only got a couple of per cent of the network down at present.” [15:30 AEST – Ed} Heyde said the attack hit Cirrus’ core network, rather than the radio equipment on the edge. “It’s too early to say where the attack came from,” he added, and declined to offer further comment on the attack’s origins. Reg readers have suggested the attack has disrupted communications to other carriers that use Cirrus’ services. Source: http://www.theregister.co.uk/2014/07/30/ddos_takes_down_cirrus_communications/
Continued here:
DDoS attack takes down Cirrus Communications
DOSarrest Internet Security had a run in with the notorious Brobot Botnet, if the name sounds familiar it’s because this bot was responsible for sporadic outages on a number of large US based financial institutions in 2013. Said to be operated by al-Qassam Cyber Fighters (AKA QCF). Botnets are born, die, grow, shrink, and morph on a daily basis, if not hourly. It’s hard to keep track of them all. Then there are particularly nasty ones that are large, powerful and sophisticated. These particular botnets have some of their zombies or bots corralled off for research purposes by a number of organizations including private Botnet hunters, government cyber surveillance departments and other large law enforcement agencies. On to the attack Why ? One of our customers is a large media outlet specializing in Middle Eastern news. With all the conflict over there these days, they must have written a few stories that the attackers were not in agreement with. How ? Using Brobot, the attackers threw millions of TCP port 80 requests at the website. Unlike a SYN attack that tries to exhaust your TCP open sessions table buffers, this attack would open and close each session/request: 1) Request a TCP connection 2) Once established they would send one character 3) Then request the TCP session to close. The problem arises when you are receiving approximately 50 million of these per second. Where ? This botnet is comprised of infected webservers using PHP, hosted on various webhosting companies around the globe. Some hosting companies seem to be represented a little more than others. One notable observation of the Brobot is that it’s very US centric, not all of the bots are based in the US but approximately 40% are, which makes filtering based on countries very difficult. When under a large TCP port 80 attack, usually it is not evenly divided across our scrubbing nodes in the US and Europe. This was different, virtually all of our upstream links in every city had pretty much the same amount of Packets Per Second and Bandwidth. I can’t ever remember seeing that in the last 7 years All links had a graph like the one above Who cares ? Within a couple of hours of the attack starting we were contacted by a private Botnet hunter that knew we were dealing with Brobot. Soon followed by visits to our website from two US federal Law enforcement agencies. Hence the title, not all botnets are equal.