X outages: disruptions are due to DDoS attack on unprotected servers

A series of DDoS attacks targeting unprotected servers was responsible for X's outages. They were carried out by a botnet of compromised cameras and video recorders.

X symbol on a smartphone. The smartphone is placed on a Mac notebook keyboard.

(Image: sdx15/Shutterstock.com)


DDoS attacks by a botnet consisting of cameras and video recorders were responsible for the outages of the short message service X on Monday. This is how independent security researcher Kevin Beaumont described it to the US magazine Wired. According to him, the fact that these far from innovative attacks were so successful in the first place is due to inadequate security precautions on X's side. Some of the service's servers, which respond to requests from the Internet and are therefore exposed to DDoS attacks, were not covered by the DDoS protection X had contracted from Cloudflare, so those endpoints could be attacked directly. This has since been rectified.
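As an added illustration (not code from the article, from X or from Cloudflare), one way an operator can audit for the gap described above: compare the addresses each public hostname resolves to against the protection provider's published proxy ranges and flag any record that lies outside them, since such a record can be reached directly. The ranges, hostnames and addresses below are constructed placeholders from the documentation address blocks.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholder ranges standing in for the provider's published
# proxy ranges (Cloudflare lists its current ones at https://www.cloudflare.com/ips-v4).
# Replace with the real list before auditing production hosts.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]


def is_proxied(ip: str, ranges=PROXY_RANGES) -> bool:
    """True when the address belongs to one of the DDoS-protection proxy ranges."""
    addr = ipaddress.ip_address(ip)
    # Membership test returns False (not an error) on an IPv4/IPv6 mismatch.
    return any(addr in net for net in ranges)


def find_exposed_hosts(resolved: Dict[str, Iterable[str]],
                       ranges=PROXY_RANGES) -> Dict[str, List[str]]:
    """Map each hostname to the addresses that bypass the proxy.

    `resolved` is hostname -> A records (a constructed sample here; in
    practice fed from your resolver or asset inventory). A host is listed
    only if at least one record sits outside the proxy ranges: that record
    accepts traffic directly, which is exactly the uncovered-endpoint gap.
    """
    exposed: Dict[str, List[str]] = {}
    for host, ips in resolved.items():
        direct = [ip for ip in ips if not is_proxied(ip, ranges)]
        if direct:
            exposed[host] = direct
    return exposed


# Constructed sample inventory (documentation-range addresses, not real hosts).
SAMPLE_RESOLVED = {
    "www.example.test": ["198.51.100.7", "198.51.100.8"],   # fully behind proxy
    "api.example.test": ["192.0.2.44"],                     # not proxied at all
    "legacy.example.test": ["198.51.100.9", "192.0.2.45"],  # one direct record
}

if __name__ == "__main__":
    for host, ips in find_exposed_hosts(SAMPLE_RESOLVED).items():
        print(f"{host}: reachable directly via {', '.join(ips)}")
```

Hosts reported by this check should have their origin firewalled to the proxy ranges or be placed behind the proxy; hiding the record alone does not help, since the address stays reachable.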

X went offline several times on Monday as a result of the attacks and was unavailable to users. According to Wired, external experts observed a total of five different waves of attacks. The errors observed varied: sometimes no connection to the server was established at all; sometimes the X site could at least be loaded, but the content was missing. X CEO Elon Musk has spoken of a massive cyberattack whose resources would point to a large group or a country. The findings of external observers now contradict this. According to them, a lack of precautions was decisive for the scale of the attack.


Musk also claimed that IP addresses “from the Ukraine” were responsible for the attack. However, while the IP addresses observed during a DDoS attack can at best indicate where the compromised devices flooding the attacked site are located, they cannot be used to identify those responsible. In this specific case there are even doubts that Ukrainian IP addresses appeared in any significant number at all. An anonymous source assured Wired that none of the 20 most active IP addresses in the attack originated from Ukraine.

An expert from Nokia added on Mastodon that the IP addresses used come from all over the world, as is typical of botnets. The distribution would therefore fit a very young botnet named Eleven11bot. According to Jérôme Meyer, it was first observed only a few days ago and consists mainly of compromised webcams and video recorders. Within a very short time it had grown to more than 30,000 devices, making it one of the largest to have emerged in the recent past. In this short period it has already been behind attacks on a wide variety of sectors.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.