DoS Attacks Archive

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least, Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead, it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast, says that, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in Go, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.


The government department says the attack did not expose any sensitive or confidential information.

The South African Department of Labour has confirmed a recent cyberattack which disrupted the government agency’s website.

In a statement, the Department of Labour said that a distributed denial-of-service (DDoS) attack was launched against the organization’s front-facing servers over the weekend.

According to the department’s acting chief information officer Xola Monakali, the “attempt was through the external Domain Name Server (DNS) server which is sitting at the State Information Technology Agency,” and “no internal servers, systems, or client information were compromised, as they are separated with the relevant protection in place.”

The government agency has asked external cybersecurity experts to assist in the investigation.

DDoS attacks are often launched through botnets, which contain countless enslaved devices — ranging from standard PCs to IoT devices — which are commanded to flood a domain with traffic requests.

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall, possibly as a result of DDoS-as-a-service website Webstresser being closed down following an international police operation, both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.


“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacks to be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.


Understand the essence of cyber security and the issues facing digital, internet and mobile users.

What is cyber security, and what kinds of security threats and implications face personal and business users of the internet and digital realm? These questions often confuse and occasionally overwhelm, as we’re bombarded on an almost daily basis with horror stories of major hacks, data breaches, and abuses of online privacy.

Building on our basic introduction to malware, viruses, and spyware online, in this article we’ll be looking not only to answer the question “What is cyber security?” but also to simplify some of the complexity surrounding its methods, and the security issues facing individuals and corporate users of digital, internet, and mobile technologies.

We’ll start with the basics.

What Is Cyber Security?

The word “cyber” is a fairly recent addition to the English vocabulary, and is a general term used to describe things in the world of computers, information and digital technology. And “security” is a term that’s been around for a very long time, which concerns the safety of people, corporate entities, and institutions, in the face of threats and dangers.

So it should come as little surprise that cyber security is a blanket term covering the people, processes, and technology involved in protecting computers, networks, mobile devices, software applications, and data from attacks and attempts to gain unauthorised access.

Cyber security embraces individuals, organisations, networks, and the infrastructure that connects them. And it runs the gamut from the protection of physical assets and hardware, through to the technology and procedures used in safeguarding digital assets such as software and information, and the assessment and management of the risks facing each of these environments.

Risk Management

Total security is an impossible ideal. No matter how “foolproof” a system or business process may seem, there’s always scope for something to go wrong. And with the ingenuity and resources available to hackers and cyber criminals, new threats and new methods of exploiting weaknesses in techniques and technologies are constantly developing.

The best that individuals and corporate bodies can hope to achieve is to manage the risks that they face in the best way possible. A risk management strategy for cyber security requires an understanding of the threat landscape, knowledge of the risks that are most likely to be relevant, and the establishment of procedures for reducing vulnerability to these threats.

Basically, this all boils down to:

  1. Becoming aware of what’s out there, and what’s likely or possible to hit you, then
  2. Taking steps to reduce the likelihood of you being affected, and
  3. Making plans for how to respond, and minimise the damage in the event that your precautions fail.

Cyber Security Tools and Methods

There’s an entire industry that’s grown out of the sale of cyber security tools like anti-virus applications, password managers, and data encryption software (which scrambles information, so that it can’t be read), as well as dedicated security hardware, and the contracting out of related services.

But tools and talent will only go so far. A comprehensive approach to cyber security requires not only these assets, but also the information and methodology needed to make the strategy effective.

Cyber Security and Regulatory Frameworks

Frameworks are sets of rules, guidelines, and best practices which provide a formalised structure for individual operators and corporate bodies to follow in order to beef up their security stance, or meet the requirements of regulatory compliance regimes and the law.

Frameworks for cyber security typically take the form of a set of recommendations. They may also describe procedures and tools that may be used to put those recommendations into practice.

Ten Steps to Cyber Security, a report issued by the National Cyber Security Centre (NCSC, a division of UK intelligence headquarters GCHQ) to help business executives get to grips with the subject, is an example of this approach.

In terms of regulatory compliance, frameworks will typically spell out the exact conditions that organisations or individuals will have to satisfy in order to continue operating in a particular industry, discipline, or market sector, without running the risk of fines or legal action.

The recently launched General Data Protection Regulation or GDPR is one such framework, created by the European Union (EU) to set conditions guarding the data privacy of its citizens and residents.

There are many different frameworks in existence, and organisations have to be careful to choose the ones that are most effective and appropriate for them. After all, what is cyber security to one business may be too complex, or not far-reaching enough, for others.

Security Policies

Based on the demands of the law, regulatory requirements, and the conditions of their own working environment, organisations are usually advised to draw up a formalised policy, laying out how security matters should be handled.

Security policies will usually spell out what practices are permissible and which ones aren’t, in promoting and maintaining cyber security for the enterprise. They’ll also specify the powers and privileges that every member of the organisation has in respect to things like network and database access, control of intellectual property, and other issues. Fines and penalties for abusing corporate security policy may also be laid out here.

Security Architecture

The security architecture of an establishment is the structure of physical hardware, software applications, procedures, partnerships, and related services that maintain and monitor the cyber security of the enterprise. These may include:

  • Physical security measures: Gates, security cameras, scanners, locks, identity tags, and associated hardware.
  • Access control: The mechanisms and procedures that keep unauthorised users or visitors at bay.
  • Authentication and validation: Methods of ensuring that only authorised members of an organisation or invited guests can check in and out of the networks and resources they’re entitled to.
  • Intrusion detection and/or intrusion prevention: Hardware and software that guard against attempts to infiltrate networks and systems by hackers and spies.
  • Monitoring: Qualified security and IT personnel, dedicated hardware, and/or automated systems running constant checks against threats and signs of infection or system compromise.
  • Incident Response: Deployment of specialised teams of responders, in the case of alerts or confirmed evidence of an attack.

Cyber Threat Intelligence

With new attack methods and new strains of malware (malicious software) emerging or being developed even as we speak, much of the security challenge for private individuals and businesses lies in staying on top of the latest happenings in the world of cyber security. This is where cyber threat intelligence comes into play.

As its name suggests, cyber threat intelligence consists of detailed information (or intelligence) on current security threats, the people, technology, and criminal organisations currently responsible for them, and the latest methods for combating the threats that they pose.

Cyber threat intelligence may come in several forms. Common among these are online databases, white papers (advisory documents), discussion forums, specialist consultants, and pools of shared knowledge drawn from experts in the field, and from organisations that have been affected by cyber threats of various kinds.

Security Awareness Training

With human error, poor judgement, and just plain foolishness often assisting hackers and cyber criminals more than the malicious software and other tools they use, it’s important for network and internet users to become aware of the threats they actually face, and the best methods for avoiding them. That’s where cyber security awareness training comes into the picture.

Aside from raising awareness, the aim of security awareness training is to instil a culture and attitude that makes cyber security and risk management a part of daily life.

This training may be formally conducted (e.g., by a business organisation), or sought out independently. Interactive exercises, tests, and engaging presentation techniques are typically used to explain prevailing cyber threats, the risks to individuals and businesses, and best practices for staying safe.

Penetration Testing

All the tools and security training in the world don’t help if systems and people crumple under the pressure of a real security incident or hacking attack. So, many business enterprises conduct what are known as random penetration tests. These are the equivalent of live drills for fire or emergency response.

In penetration testing, external contractors are usually called in and given a free hand to stage a cyber attack on an organisation’s network and personnel, using various methods such as brute force assaults on passwords, email and message phishing (trying to fool people into giving up sensitive information, visiting booby-trapped websites, or opening file attachments loaded with malware), or overloading system resources.

The goal of these exercises is to gauge and monitor the performance of workers and incident response teams under the pressure of a real attack, and to highlight areas where the security defences of an enterprise can be improved.

Penetration testing is typically performed by security professionals who have a familiarity with the latest hacking techniques, but use these skills for benevolent purposes. So if you ever come across terms like “white hat hackers” or “ethical hacking”, this is what they’re referring to.

Security Threats to Personal Users

In terms of what is cyber security for the individual, the sad truth is that it’s a precarious environment out there, and pretty much always has been. Among the numerous security threats facing personal users of networks, the internet, and mobile devices are:

  • Malicious software or malware, in general: Traditional computer viruses, Trojans or Trojan Horse programs (look like one thing, actually do another), and worms (software capable of reproducing itself so that it can spread from one computer to the next over a network), plus things like spyware, adware, and key-loggers (which can record your strokes on the keyboard, or mouse movements) are all examples.
  • Ransomware: A specialised breed of malware that can immobilise complete systems by encrypting all the information on them, so that the owner can’t understand or access it. Victims are extorted for money (usually in the form of Bitcoin or some other cryptocurrency), for the keys to unlock their devices. The likes of WannaCry and Petya have wreaked havoc and made considerable sums for the criminals distributing them.
  • Crypto-jacking software: Programs hidden inside otherwise legitimate software or websites that hijack a user’s or visitor’s system resources to mine for cryptocurrencies.
  • Phishing and social engineering: Bogus messages (email, SMS, false advertising, or voice calls) aimed at getting victims to divulge useful information, or at leading them to download malicious file attachments or visit web sites booby-trapped with malware.
  • Identity theft: Gathering of personal and business information (from browsing activity, social media, company profiles, etc.) that enables cyber criminals to impersonate victims, or sell their digital identities on to third parties.
  • Information leaks: Exposure of personal, financial, and other sensitive data due to hacks, security breaches, mobile apps with links to third parties, or indiscreet practices online.

Security Threats to Businesses

Business organisations are composed of individual people, so of course all of the above security threats apply to businesses as well. But in addition to the personal threats, there are other more institutional cyber security risks that businesses have to consider. These include:

  • Infiltration of corporate networks: This may occur through direct action (such as successful attempts at password breaking) or indirectly (e.g. using spyware slipped to an employee through a phishing email).
  • Corruption of corporate data: If hackers gain access to corporate information, in some cases they can insert their own data as acts of sabotage or market manipulation.
  • Theft of intellectual property or copyright infringement: Secret projects, hot new products, or top-selling existing material that can be pirated for profit or claimed as someone else’s are all vulnerable, here.
  • Leakage of company credentials: Often as a result of workers using office email and other credentials on public sites like social media, which are then hacked.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: Organised assaults against online services, networks, and web applications that clog the system so that users can’t get through.
  • System hijacking: In extreme cases (or as the final pay-off for sustained attacks known as APTs or advanced persistent threats), individual systems or entire networks may fall under the control of cyber criminals.
  • Insider threats: Often overlooked as a possibility until it’s too late, the work of disgruntled former employees or dissatisfied current ones can lead to mistakes or deliberate attempts at sabotage that give the upper hand to cyber criminals.

Final Thoughts

So, what is cyber security, and what does it involve? All of the above, plus techniques and tools to bolster your security stance and provide protection against known and unknown threats. We’ll be considering some of those in our next instalment of this series.

In the meantime, you can check out the security advice and commentary on the FileHippo blog and news feeds, and get access to some great software that’s all available to download for free.


Using automated analysis via a Python script, researchers at eSentire observed an increase in exploitation attempts on gigabit passive optical network (GPON) routers. Though the router attacks had declined since the surge reported back in June, the researchers identified a new, coordinated weaponization campaign targeting D-Link routers on 20 July.

The company reported a botnet recruitment campaign being launched and saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS command injection attack against the 2750B D-Link router.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,” researchers wrote.

While none of these exploits appeared to be successful in corporate environments, likely because they lack consumer-grade routers, “it is unknown whether this attack had any success on home networks where these devices are more likely to be deployed. A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” researchers wrote in a blog post.

The sheer number of attacks is indicative of a potential botnet, and researchers suggested that the botnets built using the compromised routers could be offered as a service, adding, “It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.”

The company also released an advisory on the topic and noted that only Dasan routers using ZIND-GPON-25xx firmware and some H650 series GPON are vulnerable, and that there are no official patches at this time. Researchers are continuing to monitor the associated signatures.
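The kind of automated analysis described above, spotting a surge of exploit attempts from many different source IPs, can be sketched as follows. This is an added example, not eSentire's script: the log format, the signature label `router-os-cmd-injection` and the thresholds are assumptions, and the alert lines are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed alert format: "<ISO timestamp> sig=<label> src=<ip>" (hypothetical).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ sig=(\S+) src=(\S+)")


def build_sample_log():
    """Constructed alerts: four quiet days, then a surge on 2018-07-20."""
    lines = []
    quiet = {"2018-07-16": 3, "2018-07-17": 4, "2018-07-18": 2, "2018-07-19": 3}
    for day, n in quiet.items():
        for i in range(n):
            # Each source fires twice; repeats must not inflate the count.
            for _ in range(2):
                lines.append(
                    f"{day}T02:00:00Z sig=router-os-cmd-injection "
                    f"src=198.51.100.{i + 1}"
                )
    for i in range(40):
        lines.append(
            f"2018-07-20T03:00:00Z sig=router-os-cmd-injection "
            f"src=203.0.113.{i + 1}"
        )
    lines.append("malformed line that the parser must skip")
    return lines


def distinct_sources(lines):
    """Map signature -> day -> set of source IPs seen that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            day, sig, src = m.groups()
            seen[sig][day].add(src)
    return seen


def find_surges(lines, factor=5.0, min_history=3):
    """Flag days whose distinct-source count exceeds factor x the median
    of the preceding days. Days with no alerts are absent from the
    history rather than counted as zero."""
    surges = []
    for sig, days in distinct_sources(lines).items():
        history = []
        for day in sorted(days):
            count = len(days[day])
            if len(history) >= min_history:
                baseline = median(history)
                if count > factor * max(baseline, 1):
                    surges.append((sig, day, count, baseline))
            history.append(count)
    return surges


if __name__ == "__main__":
    for sig, day, count, baseline in find_surges(build_sample_log()):
        print(f"{day} {sig}: {count} distinct sources "
              f"(baseline median {baseline})")
```

Counting distinct sources rather than raw alerts separates a coordinated recruitment campaign from a single noisy scanner that repeats the same request.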