Cyberstorm from Argentina
Anita Batari


Two days ago the storm clouds of cyberwar reached our servers from Argentina. In this article we share some details about the attack with you.

22nd November started as a usual day. Nothing strange happened until the afternoon; then, at about 5 o’clock, a heavier request flood reached our servers. It kept increasing until 7 o’clock and then stayed really high. As you can see on the chart below, the average request number doubled compared to the numbers from a few hours before, and even tripled compared to the result from a day earlier.

The numbers are now decreasing because many of the attacking IPs have reached the blacklist threshold, so they can no longer reach the BitNinja protected servers at all.

(If you're not familiar with BitNinja's lists, on our documentation page you can grab a lot of essential information about the operation of our IP reputation system and the different kinds of lists.)

Number of received requests from the Mirai botnet, attack from Argentina

What type of requests are these?

They are simple Telnet port scans. :)

In our earlier blog post you can read more about these scans and about the reason why they are especially harmful.

Because of the request pattern, the time gap and the huge number of dynamic addresses, we think the backbone of this botnet consists mainly of routers and other IoT devices. With high probability it was caused by a variant of the Mirai botnet, because, as you know, these infected devices are often captured by Telnet port honeypots as well.
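To make the mechanism described above concrete, here is an added example (not BitNinja's code): it replays constructed connection-log lines, buckets Telnet (port 23) attempts per hour, flags hours in which the count at least doubles compared to the previous hour, and drops an IP's further attempts once it hits an assumed blacklist threshold. The log format, the addresses and the threshold value are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

TELNET_PORT = 23
BLACKLIST_THRESHOLD = 3  # assumed: attempts from one IP before it is blocked

# Constructed sample log (not real data): "<ISO timestamp> <src ip> <dst port>"
SAMPLE_LOG = """\
2016-11-22T14:10:01 203.0.113.5 23
2016-11-22T14:25:13 203.0.113.9 22
2016-11-22T15:02:44 198.51.100.7 23
2016-11-22T17:01:02 192.0.2.10 23
2016-11-22T17:01:03 192.0.2.11 23
2016-11-22T17:01:04 192.0.2.10 23
2016-11-22T17:01:05 192.0.2.12 23
2016-11-22T17:01:06 192.0.2.10 23
2016-11-22T17:02:07 192.0.2.10 23
2016-11-22T17:03:08 192.0.2.13 23
"""

def telnet_events(log_text):
    """Yield (hour_bucket, src_ip) for every Telnet connection attempt."""
    for line in log_text.splitlines():
        ts, src, port = line.split()
        if int(port) != TELNET_PORT:
            continue  # other ports are not part of this scan pattern
        yield datetime.fromisoformat(ts).replace(minute=0, second=0), src

def scans_per_hour(log_text):
    """Raw Telnet attempts per hour, i.e. what the request chart plots."""
    return Counter(hour for hour, _ in telnet_events(log_text))

def flood_hours(per_hour, factor=2):
    """Hours whose count is at least `factor` times the previous hour's."""
    hours = sorted(per_hour)
    return [h for prev, h in zip(hours, hours[1:])
            if per_hour[h] >= factor * per_hour[prev]]

def apply_blacklist(log_text, threshold=BLACKLIST_THRESHOLD):
    """Replay the log: an IP that reaches `threshold` attempts is blacklisted
    and its later attempts are dropped (why observed numbers fall off)."""
    seen, blacklisted, accepted = Counter(), set(), Counter()
    for hour, src in telnet_events(log_text):
        if src in blacklisted:
            continue
        seen[src] += 1
        accepted[hour] += 1
        if seen[src] >= threshold:
            blacklisted.add(src)
    return accepted, sorted(blacklisted)
```

With the sample log, the 17:00 hour is flagged as a flood and 192.0.2.10 is blacklisted after its third attempt, so its fourth attempt never counts toward the observed total.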

Do you know your enemy?

Before the Argentine botnet appeared, the top 3 attacking countries were:

  1. China
  2. Brazil
  3. Japan

Country based distribution of harmful requests against BitNinja protected servers

(Time range 21st 4 pm to 22nd 4 pm.)

During the storm, the top of the list was shaken up:

  • Argentina
  • China
  • Brazil

Country based distribution of harmful requests against BitNinja protected servers during an ongoing attack

(Time range 22nd 5 pm to 23rd 4 pm.)

BitNinja provides a solution which enables you to defend your devices from these attacks without any manual intervention.

If you would like to avoid a similar attack, we encourage you to test our 7-day free trial.  :)
