A few days ago, news appeared on Habr and other resources that MTProxy servers attacked the Iranian cloud provider Arvan Cloud.
On the one hand, the news is not entirely true. But on the other hand, the ingenious approach of hackers reached me!
For a long time I could not understand for what purpose they publish free proxies . After all, it is necessary to be a stupid altruist in order to share your Internet connection for the whole world. And in Russia, for the actions of third parties through this proxy they can put the owner of the proxy, as it happened with the creator of Kate Mobile .
In this case, I do not consider broken devices that are used without the knowledge of the owner.
It turned out all ingenious - simple!
How it works
- A hacker organization takes an order for DDoS of some resource (most often a site).
- A domain name is created in which the IP address of the real server is indicated as an A record in the DNS. In this case, the TTL is set to minimum.
- A proxy server is launched on its servers (MTProxy, socks, etc.)
- The proxy port is the target port on the attacked server.
- They publish lists of their "free" and are waiting for a set of "clients" on the proxy.
- At the right time, hackers change A record on the required number of their domains, which were distributed as proxies, to the ip address of the attacked server.
Proxy clients start trying to establish connections on the specified ports. And this happens until the owner of the device notices that the proxy has broken.
After an attack, hackers return A record of their domains to a real proxy.
Thus, a person may not notice the “disappearance” of the proxy, and the clients will retain the “client” base for further attacks.
Considering that in the Russian Federation Telegram is used by more than 3 million people and devices, then everyone will use proxies when they block. How many devices can be redirected for DDoS?
Even SYN flood can be well done.
There are many groups in telegrams that give out "free proxies."
And as you can see, there are a lot of freeloaders.
Even if a person saw that the proxy was broken, he would select a new one from the same telegram channel and remain in the ranks of the botnet.
What is fake news?
MTProxy alone cannot attack for the following reasons:
- It is not economically viable. The meaning of the hackers to "shoot" the source of the attack. And their number is not enough to conduct a full DDoS attack.
- Durov is not a fool to use MTProto for such low purposes. Even if there are some hidden tasks of this protocol, they will not be used to attack some small provider.
Who's guilty?
States (in this case, Iran) are trying to control the lives of their citizens and block resources that do not fit their managerial patterns.
But citizens are trying to get what they need and are looking for ways to circumvent bans. And hackers just use the natural needs of people for their own purposes.
It turns out that the government, trying to "tighten the screws", itself created a weapon against itself and its citizens.
The only way to stop using the Telegram is to create something that will be cooler and more convenient. But the tactics of the government are only to “prohibit” and not to “create better” ...
Therefore, before using a free proxy, I highly recommend checking its reliability! Or buy / create your own personal ...