{"id":42076,"date":"2018-05-07T04:00:00","date_gmt":"2018-05-07T04:00:00","guid":{"rendered":"https:\/\/stg.cira.ca\/blog\/weekly-web-security-warning-a-busy-weekend\/"},"modified":"2023-03-10T10:57:06","modified_gmt":"2023-03-10T15:57:06","slug":"weekly-web-security-warning-a-busy-weekend","status":"publish","type":"cira_news","link":"https:\/\/stg.cira.ca\/en\/resources\/news\/cybersecurity\/weekly-web-security-warning-a-busy-weekend\/","title":{"rendered":"Weekly web security warning \u2013 a busy weekend"},"content":{"rendered":"<p>Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA&#8217;s D-Zone DNS Firewall.<\/p>\n<p><!--more--><\/p>\n<p>This week&#8217;s big winner was a spambot using a random character .ru domain and unlike past weeks, the pattern was different. On the weekend, typically&nbsp;the usual number of blocked domains falls as users tend to be more offline, at least from the networked computers. However this week, there was a huge spike in the number of unique domains blocked that peaked at just over 4,900 on Saturday, May 5<sup>th<\/sup>. We aren&#8217;t charting this here, but traffic returned to more normal quieter weekend patterns on the 6<sup>th<\/sup>.<\/p>\n<p><img decoding=\"async\" class=\" size-full wp-image-2370\" src=\"https:\/\/stg.cira.ca\/uploads\/2018\/05\/blockedcount_0.png\" alt=\"\" title=\"\" width=\"926\" height=\"491\" srcset=\"https:\/\/stg.cira.ca\/uploads\/2018\/05\/blockedcount_0.png 926w, https:\/\/stg.cira.ca\/uploads\/2018\/05\/blockedcount_0-300x159.png 300w, https:\/\/stg.cira.ca\/uploads\/2018\/05\/blockedcount_0-768x407.png 768w\" sizes=\"(max-width: 926px) 100vw, 926px\" \/><\/p>\n<p>In terms of the rest of the top blocked domains, we see a couple of non-resolving domains like buysellstops.com and underpants.online that are using WHOIS privacy. 
We also see&nbsp;the usual cadre of randomized domains.<\/p>\n<table>\n<thead>\n<tr>\n<td>\n<p><strong>Domain<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Threat<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\n<p>xdqzpbcgrvkj.ru<\/p>\n<\/td>\n<td>\n<p>Spambot<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>76236osm1.ru<\/p>\n<\/td>\n<td>\n<p>Trojan downloaders<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>buysellstops.com<\/p>\n<\/td>\n<td>\n<p>Malware Call Home<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>superyou.zapto.org<\/p>\n<\/td>\n<td>\n<p>Spybot<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>e51091eec8b619d50e44c8c29b7a0ee8.com<\/p>\n<\/td>\n<td>\n<p>Malware Call Home<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>ns6.wowrack.com<\/p>\n<\/td>\n<td>\n<p>Mirai<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>ns5.wowrack.com<\/p>\n<\/td>\n<td>\n<p>Mirai<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>0x3h32haer.underpants.online<\/p>\n<\/td>\n<td>\n<p>Malware Call Home<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>dj1.jfrmt.net<\/p>\n<\/td>\n<td>\n<p>Morto<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>soplifan.ru<\/p>\n<\/td>\n<td>\n<p>Trojan downloaders<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>And finally, we noted a spike in DNS amplification traffic this week that peaked on May 3<sup>rd<\/sup>. These are queries designed to get a response that is larger than the query and are generally used for DDoS attacks on a third party.<\/p>\n<p>&nbsp;<\/p>\n<div class=\"media media-element-container media-default\">\n<img decoding=\"async\" class=\" size-full wp-image-2372\" src=\"https:\/\/stg.cira.ca\/uploads\/2018\/05\/threat-query-count-in-five-minute-brackets.png\" alt=\"\" title=\"\" width=\"895\" height=\"356\" srcset=\"https:\/\/stg.cira.ca\/uploads\/2018\/05\/threat-query-count-in-five-minute-brackets.png 895w, https:\/\/stg.cira.ca\/uploads\/2018\/05\/threat-query-count-in-five-minute-brackets-300x119.png 300w, https:\/\/stg.cira.ca\/uploads\/2018\/05\/threat-query-count-in-five-minute-brackets-768x305.png 768w\" 
sizes=\"(max-width: 895px) 100vw, 895px\" \/>\n<\/div>\n<p>On our end, we rate limit responses to these types of queries to sink them before they can cause slowdowns to our systems or to those of the targets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA&#8217;s D-Zone DNS Firewall.<\/p>\n","protected":false},"featured_media":1949,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"ngg_post_thumbnail":0,"slim_seo":{"title":"Weekly web security warning \u2013 a busy weekend - CIRA","description":"Every week, we examine the top trends in malicious activity we have seen in Canada using data obtained through CIRA's D-Zone DNS Firewall. This week's big winne"},"footnotes":""},"topic":[28],"class_list":["post-42076","cira_news","type-cira_news","status-publish","has-post-thumbnail","hentry","cira_news_type-cira-news-type-blog","cira_topic-cira-topic-cybersecurity","cira_author-rob-williamson"],"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/stg.cira.ca\/en\/wp-json\/cira\/v1\/news\/42076","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stg.cira.ca\/en\/wp-json\/cira\/v1\/news"}],"about":[{"href":"https:\/\/stg.cira.ca\/en\/wp-json\/wp\/v2\/types\/cira_news"}],"version-history":[{"count":0,"href":"https:\/\/stg.cira.ca\/en\/wp-json\/cira\/v1\/news\/42076\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/stg.cira.ca\/en\/wp-json\/wp\/v2\/media\/1949"}],"wp:attachment":[{"href":"https:\/\/stg.cira.ca\/en\/wp-json\/wp\/v2\/media?parent=42076"}],"wp:term":[{"taxonomy":"cira_topic","embeddable":true,"href":"https:\/\/stg.cira.ca\/en\/wp-json\/cira\/v1\/topic?post=42076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}