loading

178845 author: tdp_org@mastodon.social 12 Feb 12:29
tags: #bbc #ddos #infossec #webstats

I've been working on an automated triager for the frequent volumetric DDOS we see against www.bbc.com & www.bbc.co.uk.

The idea is to use our edge access logs (stored in BigQuery) to isolate & describe the attack traffic then recommend any additional mitigations/filters etc. It also gives us a database of DDOS metrics/sources we can reference.

Obviously I had to add the obligatory pew-pew map.

Dark mode map of the earth with an overlay of circles denoting the source countries for a recent DDOS. The circles are varying sizes, larger indicate more traffic from that country.
USA, India, Indosia, Vietnam & Germany have the largest circles & thus the larger sources of attack traffic though there are around 50 source countries in all.

46651 author: tdp_org@mastodon.social 09 Sep 2024 16:25
tags: #bbc #webstats

We monitor traffic to www.bbc.co.uk & www.bbc.com per country & got alerts that daily requests from Angola have dropped off loads recently.

Looking at the Angola traffic split by network AS. AS36907 traffic looks suspicious! Spidey sense triggered...the "before" traffic was *way* too consistent.

Digging in to the logs, looks like they removed their Fortigates on 6th Sept. which'd been sending 343k req/day for www.bbc.co.uk/ , every single day!

Gotta love being on the internet!

Grafana graph with a single, completely consistent (apart from 2 spikes) requests per day totals for the last month

Grafana graph with a line per network AS, with AS36907 nailed on at 343k requests per day until the 6th September when it dropped to almost nothing

Screenshot of the BigQuery web console for 4th Sept. showing 343K requests from user-agent "Fortigate..." to www.bbc.co.uk/ and tens of requests per day maximum for everything else

Screenshot of the BigQuery web console for 8th Sept. and the "fortigate" entry is not present!