NoName057(16) DDoS January 2024

Before the World Economic Forum in January 2024 in Davos, Switzerland, Chinese Premier Li Qiang arrived in Switzerland on Sunday and was officially received with military honors. On the same day, Ukrainian President Volodymyr Zelensky visited the Swiss Parliament Building in Bern. The World Economic Forum began in Davos on Monday. By Wednesday, January 17th, 2024, the first public reports appeared of DDoS attacks against websites in Switzerland, attributing them to the group NoName057(16).

This is very similar to the attacks in June 2023 (see NCSC – Technical report DDoS).

NoName057(16) attack

Targets of NoName057(16)

The news reported that multiple websites of the Swiss government were briefly unavailable. Another target was Geneva Airport.

https://www.gva.ch/de/ (2024-01-18 11:43)

The blog post from Sekoia describes how the target list could have been obtained back in June 2023. I am not a security researcher and did not attempt to retrieve the list myself. Fortunately, the list has been published by a researcher.

This GitHub repository regularly publishes data from the NoName057(16) attack list: GossiTheDog -> Monitoring / NoName

Targets January 18th, 2024 – Estonia and Switzerland

Source: Kevin Beaumont (GossiTheDog), 2024-01-18

Targets January 19th, 2024 – Ukraine and Switzerland

Source: Kevin Beaumont (GossiTheDog), 2024-01-19

Targets January 20th, 2024 – France and Lithuania

Source: Kevin Beaumont (GossiTheDog), 2024-01-20

Targets January 21st, 2024 – UK and Netherlands

Source: Kevin Beaumont (GossiTheDog), 2024-01-21

Targets January 22nd, 2024 – Romania

Source: Kevin Beaumont (GossiTheDog), 2024-01-22

Targets January 23rd, 2024 – Romania

Source: Kevin Beaumont (GossiTheDog), 2024-01-23

Targets January 24th, 2024 and later

Attacks in Switzerland have stopped or paused. I have stopped following up on current targets in this blog. It’s best to check directly with Kevin Beaumont for further developments on this front.

Find the latest targets here: https://social.circl.lu/@NoName57Bot

NoName057(16) on Telegram

The group is also publicly posting about their actions on Telegram.

https://t.me/s/noname05716eng (2024-01-19)

https://t.me/s/noname05716eng (2023-01-19)

WEF

The World Economic Forum Annual Meeting 2024 concluded on Friday, January 19th, 2024. The WEF was cited as one of the reasons for the NoName057(16) attacks against Switzerland.

DDoS Mitigation

Defending against DoS and DDoS attacks has become a routine task for many online service operators. Having a good strategy in place before an attack is key.

IP Address list

GovCERT.ch has published a list of IP addresses that were part of the attack. The list is a good starting point for blocking attack traffic if your infrastructure is targeted: add those IP addresses to your block list. Grouped by autonomous system (ASN), the addresses break down as follows:

ASN: 212238, IP Count: 303
ASN: 60068, IP Count: 256
ASN: 9009, IP Count: 233
ASN: 174, IP Count: 64
ASN: 62282, IP Count: 24
ASN: 51765, IP Count: 20
ASN: 12310, IP Count: 13
ASN: 25369, IP Count: 11
ASN: 63949, IP Count: 10
ASN: 11831, IP Count: 7
ASN: 51430, IP Count: 7

IP based blocking

One option is to look for patterns in the traffic and block the IP addresses that are sending an excessive amount of requests. This can be automated with rate-limiting rules. Another option is blocking based on geolocation.
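As an added example (not code from this post), the following Python script implements the rate-based detection described above: it parses access-log lines in the common log format and flags every client that exceeds a request limit inside a sliding time window. The log lines are constructed in the script, not real traffic, and the limit and window size are assumed values to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common" log format. Behind a CDN the first field is the CDN edge,
# so the real client address has to be taken from X-Forwarded-For instead.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')


def parse_line(line: str):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def find_flooders(lines, limit: int = 20, window_s: int = 10) -> dict:
    """Sliding-window rate check over a chronologically ordered log.
    Returns {ip: peak_requests} for every client that exceeded `limit`
    requests within any `window_s`-second window; these are the block candidates."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()                  # expire requests older than the window
        if len(q) > limit:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def make_sample_log() -> list:
    """Constructed log (not real traffic): 203.0.113.7 requests / 40 times in 4 s,
    198.51.100.20 browses five pages over 12 s."""
    t0 = datetime(2024, 1, 18, 11, 43, 0, tzinfo=timezone(timedelta(hours=1)))
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 5123'
    lines = [fmt.format(ip="203.0.113.7", ts=t0 + timedelta(milliseconds=100 * i), path="/")
             for i in range(40)]
    lines += [fmt.format(ip="198.51.100.20", ts=t0 + timedelta(seconds=3 * i), path=f"/p{i}")
              for i in range(5)]
    return sorted(lines, key=lambda line: parse_line(line)[1])


if __name__ == "__main__":
    for ip, peak in find_flooders(make_sample_log()).items():
        print(f"block candidate {ip}: {peak} requests in 10 s")
```

Feeding the output into a firewall set or a rate-limit rule is the automation step; the threshold must stay above what a legitimate browser produces when loading a page with many assets.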

CDN

If you are not using a CDN yet, consider putting one such as Fastly, Cloudflare, or Azure Front Door in front of your site. This immediately takes care of network-layer attacks on OSI Layers 3/4. You will, however, still need to fine-tune the protection for HTTPS requests on OSI Layer 7.

To enhance your security, change your origin IP address when you add a CDN to your hosting, and block all direct access to the origin server. This keeps the real origin address hidden, so attackers cannot simply bypass the CDN.

JA3 Fingerprinting

JA3 is a method for fingerprinting Secure Sockets Layer (SSL)/Transport Layer Security (TLS) client applications. It generates an MD5 hash from attributes of the TLS handshake (the ClientHello). This hash can then be used to identify clients by their SSL/TLS properties, regardless of the underlying IP address.

In mitigating Distributed Denial of Service (DDoS) attacks, JA3 can be particularly useful. DDoS attacks usually involve a large number of requests from many different IP addresses, which makes them hard to block based on IP alone. However, many of these requests come from a limited set of tools or scripts, which produce similar or identical JA3 hashes. By identifying and blocking these hashes, defenders can filter out malicious traffic more effectively without impacting legitimate users, even when attackers change their IP addresses. This adds a further layer of defense against DDoS attacks carried over SSL/TLS.
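As an added example (not code from this post), the following Python computes the JA3 string and its MD5 hash from a ClientHello, including the GREASE filtering the JA3 specification requires. The ClientHello bytes are constructed in the script, not captured traffic; in practice the same parser would be fed the handshake bytes seen at the TLS terminator or a packet capture.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and are excluded from JA3.
GREASE = {(v << 8) | v for v in range(0x0a, 0x100, 0x10)}      # 0x0a0a ... 0xfafa


def _u16(b: bytes, at: int) -> int:
    return struct.unpack_from("!H", b, at)[0]


def _u16_list(b: bytes) -> list:
    """Big-endian 16-bit values of a byte string (a trailing odd byte is ignored)."""
    return list(struct.unpack_from(f"!{len(b) // 2}H", b))


def ja3_string(hello: bytes) -> str:
    """JA3 string "version,ciphers,extensions,groups,point_formats" of a
    ClientHello body, i.e. the bytes after the 4-byte handshake header."""
    version = _u16(hello, 0)
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id (u8 length)
    n = _u16(hello, pos); pos += 2                 # cipher_suites (u16 length)
    ciphers = [c for c in _u16_list(hello[pos:pos + n]) if c not in GREASE]; pos += n
    pos += 1 + hello[pos]                          # compression_methods (u8 length)
    exts, groups, formats = [], [], []
    if pos < len(hello):                           # extensions block is optional
        end = pos + 2 + _u16(hello, pos); pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", hello, pos); pos += 4
            body = hello[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:        # supported_groups: u16 list length, then u16 values
                groups = [g for g in _u16_list(body[2:]) if g not in GREASE]
            elif etype == 11:      # ec_point_formats: u8 list length, then u8 values
                formats = list(body[1:])
    dash = lambda xs: "-".join(str(x) for x in xs)
    return f"{version},{dash(ciphers)},{dash(exts)},{dash(groups)},{dash(formats)}"


def ja3_hash(hello: bytes) -> str:
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()   # the JA3 fingerprint


def _ext(etype: int, body: bytes) -> bytes:
    return struct.pack("!HH", etype, len(body)) + body


# Constructed ClientHello body (not captured traffic): TLS 1.2, a GREASE cipher plus
# TLS_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, then a GREASE
# extension, server_name, supported_groups (x25519, secp256r1) and ec_point_formats.
_EXTS = (_ext(0x3a3a, b"") + _ext(0, b"\x00\x0c\x00\x00\x09localhost")
         + _ext(10, struct.pack("!HHH", 4, 0x001d, 0x0017)) + _ext(11, b"\x01\x00"))
SAMPLE_HELLO = (b"\x03\x03" + bytes(32) + b"\x00"
                + struct.pack("!HHHH", 6, 0x2a2a, 0x1301, 0xc02b) + b"\x01\x00"
                + struct.pack("!H", len(_EXTS)) + _EXTS)
```

Because the JA3 string keeps the exact order of cipher suites and extensions, two clients running the same attack tool produce the same hash even when their IP addresses differ, which is what makes the hash usable as a block key.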

Emergency plan

If your entire data center uplink is saturated, or if your ISP or colocation provider starts null-routing your addresses, you still need to reach your systems: make sure you have independent internet uplinks and an alternative VPN channel into the data center.