With the US Speaker of the House, Nancy Pelosi, approaching an unusually high-level visit to China, various reports indicate an increase in military saber-rattling and a ramp-up of attacks against networks in Taiwan and the US.
So far, we have more anecdotal evidence vs. “real data.” But some of the initial indicators we have seen:
- A slight increase in scans for “nuisance vulnerabilities” like Word Press from Chinese consumer IP addresses.
- Reports of small/medium application-specific DDoS attacks similar to what our site has seen starting Friday
- A small (not quite significant based on preliminary data) increase in ssh scanning from Chinese consumer IP addresses.
Chinese hacktivists have a history of picking up on government sentiment communicated in local news reports . They will often show their patriotism by attacking various “unfriendly” websites. The targets are often somewhat random, and the attacks are not coordinated. But even a home user with a small botnet can harness significant “firepower” to take down many websites without dedicated DDoS protection. And, of course, sometimes they get lucky scanning for simple vulnerabilities. If a few million (probably more than a few thousand) “kids” are brute forcing passwords, they may just get lucky and find one.
What do you need to do?
Not much at this point. Monitor and be ready for a DDoS attack. In particular, if your website or company has a higher profile in China or is associated with the US government (this includes contractors, related organizations, and news sites reporting about the visit).
For example, the Taiwan president’s website experienced a DDoS attack of approximately 200 times the regular traffic . I do not consider this a “huge” attack and something likely within the capabilities of a few hacktivists getting together. A more organized “government-sponsored” DDoS attack would likely involve tools like “Great Cannon” (sometimes also called red-ion-cannon) that can harness a much larger attack power .
Please use our “contact us” form to report any attacks you are seeing.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.