Telegram MTProxy servers used in DDoS attacks on Iranian cloud provider

Tomcat

The Iranian cloud service provider Arvan Cloud was hit by a DDoS attack carried out through Telegram's MTProxy servers. Since Telegram is still banned in Iran, users reach the messenger through MTProxy servers, which mask the traffic using encryption.

The malicious campaign began on the morning of November 6 and ended by the end of the week. At the peak of the attack, there were about 5,000 requests per second, disrupting many websites in Iran.

According to Arvan Cloud, these attacks differed from those observed earlier in that the requests did not specify a domain and the traffic was recorded at the data link layer. In addition, the attack did not use common protocols.

The company's engineers were able to identify the source of the malicious traffic by assuming that MTProxy servers were being used. The assumption was based on the popularity of MTProxy servers in Iran, where they are widely used because they are free and easy to set up. Abusing these servers is not difficult: an attacker only needs to replace the IP address of one proxy server with the IP address of the target system. A proxy domain can have multiple IP addresses, and Telegram sends requests to each of them. Replacing one IP address (as long as the rest keep working normally) does not affect the operation of the service in any way, and the user notices nothing suspicious, the experts noted.
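As an added example (not from the article and not Arvan Cloud's own tooling), a small Python triage script showing how a hosting provider could spot the kind of traffic described above: connections whose first bytes are neither HTTP with a Host header nor TLS, counted per second and flagged above a threshold. The sample flows, IP addresses and threshold are constructed for the example.

```python
# Added example: first-bytes protocol triage plus a per-second burst counter,
# for floods that arrive "without a domain" and "without common protocols".
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify(payload: bytes) -> str:
    """Label the first bytes of a TCP connection by the protocol they look like.

    Returns one of: 'http', 'http-no-host', 'tls', 'unknown'.
    """
    if payload.startswith(HTTP_METHODS):
        head = payload.split(b"\r\n\r\n", 1)[0].lower()
        return "http" if b"\r\nhost:" in head else "http-no-host"
    # TLS record header: content type 0x16 (handshake) followed by version 0x03 0x0X
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def burst_alerts(flows, threshold):
    """flows: iterable of (timestamp_seconds, src_ip, first_payload_bytes).

    Returns {second: count} for every second in which more than `threshold`
    connections carried no recognizable protocol or named no target domain.
    """
    per_second = Counter()
    for ts, _src, payload in flows:
        if classify(payload) in ("unknown", "http-no-host"):
            per_second[int(ts)] += 1
    return {sec: n for sec, n in per_second.items() if n > threshold}


# Constructed sample flows (made up for this example, not a real capture).
SAMPLE_FLOWS = [
    (1000.1, "203.0.113.5", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (1000.2, "203.0.113.6", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    (1000.3, "198.51.100.7", b"\x8f\x2a\x11\xd3\x47\xbe\x09\x5c\xa1\x77\x3e\x02"),
    (1000.4, "198.51.100.8", b"\x01\x9e\xc3\x5b\x7a\x40\xee\x12\xd8\x66\x0b\x91"),
    (1000.5, "198.51.100.9", b"GET / HTTP/1.1\r\n\r\n"),
    (1001.0, "203.0.113.5", b"GET /index HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    print(burst_alerts(SAMPLE_FLOWS, threshold=2))  # {1000: 3}
```

In practice the threshold would be set from the host's normal baseline, and the flagged seconds would feed a block list or a rate limiter rather than a print statement.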