Notices by Jérôme Meyer (jmeyer@infosec.exchange)

About this X DDoS campaign: I've seen reports of attribution to Ukraine, and at least based on attack data at network level — I just don't see it. (And I should note: attribution is hard, so I am generally skeptical.)

Top contributors are 🇺🇸🇲🇽🇪🇸🇮🇹🇧🇷, and as with most botnets: very geographically distributed.

Most of the source IPs intersect with #Eleven11bot as we started seeing them on 26 February.

OK, now back to regularly scheduled skiing.

#threatintel

Supposed to be enjoying a week off skiing, but the X DDoS-related outage brought me back a bit.

Hint: that attack has been botnet-driven.

@GossiTheDog The target is a subnet in X own network. Haven’t had a chance to look at what those hosts might be exactly.

@F_kZ_ @GossiTheDog Looks like their shiny new bot (and even their main English channel) just disappeared — all while they closed the DDoSia English support channel

@GossiTheDog Most of the traffic stopped a few hours ago, it's now down to a trickle.

The website from one of the big US telcos still partially loads elements from Edgio even though most of the website is now on Akamai.

@GossiTheDog I was looking around for services still using Edgio in traffic delivery today, and for the most notable ones: Amazon Prime Video, Disney+, Samsung apps. (most other big players, like Microsoft for Xbox Live/updates, Paramount+, Playstation, and even Redtube stopped using them in early/mid December).

@GossiTheDog Also, worth noting that nearly all adult content sites stopped using Edgio in the second half of December, so in a way — they're better run than Amazon Prime Video or Samsung Bixby 🤷🏻♂️

@GossiTheDog Overall traffic from Edgio seems to be about a tenth of what it was a month ago. Definitely interesting to see what traffic continues or suddenly stops, and indeed Microsoft is a bit all over the place with LinkedIn continuing still but Office mostly stopped yesterday.

Germany is NoName’s focus again today, with a mix of government websites and industrial/energy company sites being targeted.

About two thirds of the websites are affected so far. (And the two sites from the federal government are still standing, thanks to an anti-bot challenge/rate limiting.)

#DDoS #threatintel https://social.circl.lu/@NoName57Bot/113666772362281488