Kingdom Bank in the UK have got their online banking available in the past 30 minutes by... changing the URL. It's now onl1ne44.kingdom.bank

As before it's behind Microsoft Azure Application Gateway.

Many of the NoName victims over the last few days use Azure Application Gateway. I've been in touch with a few - they have DDoS mitigation enabled in the Azure service, but it doesn't work against NoName doing basic attacks. This includes councils etc.

This is the advanced* DDoS btw, see if you can spot how the rate limiting in Azure Front Door WAF isn't exactly well equipped for NoName arriving with 20k source IP addresses from Ddosia.

In other news, you may have noticed Microsoft have shifted many of their customer facing services from Azure Front Door to behind Akamai in recent times.

The other pattern for the past week is orgs with on prem systems, either just directly internet exposed or - more likely - behind BIG-IP.

Having a big link and DDoS scrubbing doesn't work on prem if you allow inbound web requests unfiltered - NoName just send valid HTTP requests from 20k systems at the same time 24/7 to search pages.

Orgs need cloud WAFs.

Another thought - somebody like the NCSC needs to provide a managed, central WAF service to councils. They can't deal with this stuff.

NoName is back to targeting 15 UK council sites this weekend, they've recycled config from earlier in the week.

Unfortunately a majority have fallen over again.

Councils should contact NCSC for assistance (what assistance there is I don't know). I can give you configs for what pages are being targeted if needed.

Btw, if you use Azure's anti-DDoS - it doesn't work against NoName because the rate limiting in Front Door sucks. The best move right now is disable or change the URL they are targeting. It's usually a search page.

NoName can adapt the config to change to a different URL... but they usually don't bother, e.g. they've used the same config that doesn't work on Liverpool.gov.uk for over a year, even today.

#NoName UK targeting today - 12 councils, 4 UK banks.

They're targeting my.kingdom.bank - which you may remember up thread, doesn't exist any more as the bank changed the URL. So their online banking remains online today.

If anybody is interested, out of the 12 councils targeted today, 7 are okay, 5 have websites down for the past 4 hours.

The same five UK council websites have been down for 10 hours consecutively now. #NoName #threatintel
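
Added illustration, not part of the thread above: a sketch of why a per-client-IP rate limit stays silent when roughly 20k sources each send a few valid requests to one search page, while an aggregate per-path count with a distinct-source check flags it. The traffic is constructed, the paths, thresholds and function names are assumptions, and the per-IP limiter is a generic one, not a model of any vendor's WAF.

```python
from collections import Counter, defaultdict

WINDOW = 60  # seconds per counting window (assumed)

def build_sample(sources=20000, per_source=3):
    """Constructed traffic for one window: (timestamp, client_ip, path)."""
    events = []
    for i in range(sources):
        ip = f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}"
        for n in range(per_source):
            events.append((n * 20, ip, "/search"))  # hypothetical search page
    # A handful of ordinary visitors on other (hypothetical) pages.
    for i in range(50):
        events.append((i, f"192.0.2.{i}", "/bins" if i % 2 else "/"))
    return events

def per_ip_offenders(events, limit):
    """Client IPs that exceed `limit` requests in any single window."""
    counts = Counter((ts // WINDOW, ip) for ts, ip, _ in events)
    return {ip for (_, ip), n in counts.items() if n > limit}

def hot_paths(events, max_requests, min_sources):
    """Paths whose total load in a window exceeds max_requests while
    being spread over at least min_sources distinct client IPs."""
    hits = Counter()
    clients = defaultdict(set)
    for ts, ip, path in events:
        key = (ts // WINDOW, path)
        hits[key] += 1
        clients[key].add(ip)
    return {
        path: (hits[(w, path)], len(clients[(w, path)]))
        for (w, path) in hits
        if hits[(w, path)] > max_requests
        and len(clients[(w, path)]) >= min_sources
    }

if __name__ == "__main__":
    events = build_sample()
    print("per-IP offenders:", len(per_ip_offenders(events, limit=100)))
    print("hot paths:", hot_paths(events, max_requests=5000, min_sources=1000))
```

Lowering the per-IP limit far enough to catch three requests a minute would also catch ordinary visitors, which is why the aggregate view of the targeted path is the more useful signal here.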