Your DNS is an Asset (Twitter DNS Woes…)

Given all the hoopla surrounding yesterday’s Twitter outage, and the apparent source of the outage being the result of nothing more than some maliciously modified DNS resource records enabled by a simple password compromise of Twitter’s DNS administrator account with their DNS services provider, Dyn Inc., I’d like to again take this opportunity to share […]

Twitter-based Botnet Command Channel

UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s […]

The Other Attacks Last Thursday

Yesterday morning was a busy time for Internet security. As an illustration of this activity, the graph below shows a summary of attack traffic across the 77 Observatory ISPs reporting anonymized attack statistics. Each line or rectangle represents a distinct attack (we saw over 770 attacks Thursday covering a wide variety of scale and targets). […]

Where Did All the Tweets Go?

At roughly 9:00am (EDT) this morning, the Twitisphere fell silent (or at least significantly fewer twitters). And though you could not follow the outage via tweets, Twitter’s blog announced the popular site was under DDoS. The below graph shows Observatory data from 55 providers around the world to Twitter’s two NTT hosted addresses blocks:, […]

Iran DDoS Activity: Chatter, Tools and Traffic Rates

I’m here in Talinn at the CCD COE Cyber Warfar Conference listening to Martin Libicki’s perspectives on information warfare in modern warfare theories. This is an interesting week to be here with last week’s Charter97 attacks in Belarus (with someone from Charter97 speaking yesterday) and the unrest in Iran leading to a wealth of activity. […]

Many Days of DDoS for Everyone

The past few weeks have been a flurry of activity for me and everyone at Arbor. We’ve been very involved in the Conficker Working Group efforts and notifying lots of people using ATLAS. Even after that Herculean effort and the great “fizzle” (thank goodness!), there’s lots to do. Blogging has not been at the top […]

Metasploit And Other Sites DDoSed

At about 12:52 PM Feb 7th, HD Moore (leader of the Metasploit project) twittered “heh, is being DDoS’d again”. A little while he pointed to a traffic graph and asked, “see if you can pick out the DDoS”. Hint: it’s obvious. He later started blogging the incident: On Friday, starting around 9:00pm CST, the […]

Follow the ASERT blog with Twitter

Twitter is a free service that lets you keep in touch with people through the exchange of quick, frequent answers to one simple question: What are you doing? Join today to start receiving Arbor Networks updates, or add to your favorites! UPDATED to fix the HREF. Thanks to all who noted it to us […]

Twitter and MSN: Driving Malcode Distribution

We recently came across a bot that merged MSN Messenger link spam with Twitter to get users to download malcode. Twitter malcode is nothing new, but this one adds a twist to those that monitor IM link spam bots. You have to do an extra level or two of link analysis to figure it out. […]