
How to add a static route pointing to a PPPoE interface on a FortiGate with WAN failover

When an interface has a changing IP address (DDNS, PPPoE, or a DHCP-assigned address), routing needs special attention: a standard static route cannot follow a gateway address that changes. The solution is the dynamic-gateway setting in the CLI. Say, for example, you already have four static routes, you have a PPPoE connection on the wan2 interface, and you want to use that as your default route.

(In Fortinet's documentation this kind of route is configured on the dynamic-address VPN peer that needs to reach the static-address FortiGate unit.)

If you want to create a static route over PPPoE on WAN1 or WAN2 and you have failover (load balancing on the FortiGate), you need the following commands to configure dynamic gateway routing via the CLI on the FortiGate unit (the device is the PPPoE interface, wan2 in this example):

config router static
    edit 5
        set device "wan2"
        set dynamic-gateway enable
    next
end

*You can't enable dynamic-gateway via the GUI; it is only available in the CLI.

After the change you don't need to reboot the unit.


This is an example of static routes on WAN1 and WAN2 (PPPoE with dynamic-gateway):


P.S. Tested on FortiOS 5.2.x and a FortiGate 60C.

Some documentation:






For more info just visit my page https://www.securityinet.com/


NRPE Nagios Ahsay Backup Monitor


NRPE check Ahsay backup status

Summary: This is a plugin (backup_ahsay_checker) that monitors Ahsay backup sets.

Full Description: This is a basic plugin that monitors Ahsay backup sets created in the AhsayCBS panel. The plugin currently has 2 main checks:

  1. Success status – all backups are OK
  2. Error status – a backup has errors or warnings

and more will follow 🙂

Installation instructions:

Edit the file /etc/sudoers and add the following:

nrpe ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/backup_ahsay_checker.sh
nagios ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/backup_ahsay_checker.sh

Edit the file /etc/nagios/nrpe.cfg and add the following:

command[check_backup]=/usr/bin/sudo /usr/lib64/nagios/plugins/backup_ahsay_checker.sh

Copy backup_ahsay_checker.sh to /usr/lib64/nagios/plugins/ and give the script 777 or just the execute bit 🙂

The final step is to define the service and command for the specific servers on the Nagios server.

P.S. Don't forget to change the IP, backup set ID, etc. in


This plugin is under development – stay updated via the plugin's GitHub main page or via the newsletter – just sign up! 🙂

If you have questions you may send me a message: kamtec1 (att) gmail.com or sergey (att) securityinet.com.



nrpe-nagios-ahsay-backup-monitor 14.02.2018 v0.1


Written by Sergey Babkevych SecurityInet https://www.securityinet.com

nrpe-nagios-ahsay-backup-monitor is licensed under the GNU General Public License v3.0

backup_restore_helper utility returned incorrect result. Extension with ID XX cannot be backuped.


Hi ,

When you try to back up your domains via Plesk Backup you may get errors regarding extensions that have problems, errors, misconfigurations, etc.


In my case I had a problem in Plesk 17 with extension ID 9. This is the error I got:

Error message:

backup_restore_helper utility returned incorrect result. Extension with ID 9 cannot be backuped. Please, contact your service provider



The issue was caused by a looped symlink in the Plesk Migrator extension:

[root@server ~]# find /usr/local/psa/var/modules/panel-migrator/ -type l
[root@server ~]# ll /usr/local/psa/var/modules/panel-migrator/sessions/sessions
lrwxrwxrwx 1 root root 50 Jul 24 03:11 /usr/local/psa/var/modules/panel-migrator/sessions/sessions -> /usr/local/psa/var/modules/panel-migrator/sessions


Remove /usr/local/psa/var/modules/panel-migrator/sessions/sessions; afterwards the affected extension was backed up successfully.

Check if the problem is resolved:

/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/sbin/backup_restore_helper --backup-extension 9 -object-type server
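The manual find/ll inspection above can be automated. The following is an added example (not from the post or from Plesk) that lists every symlink under a directory whose target is the link's own parent directory or an ancestor of it, the loop pattern seen in sessions/sessions -> sessions; it assumes GNU coreutils (readlink -f) and builds a constructed directory tree for its demo:

```shell
#!/bin/sh
# Added example, not from the post: find symlinks that point back at one of their
# own ancestor directories, the loop pattern that broke the Plesk Migrator backup
# above (sessions/sessions -> sessions). Assumes GNU coreutils (readlink -f).

# find_ancestor_loops DIR
# Prints "LINK -> TARGET" for each symlink under DIR whose resolved target is the
# link's parent directory or an ancestor of it. Returns 1 when such loops exist,
# 0 when the tree is clean, 2 when DIR does not resolve to a directory.
find_ancestor_loops() {
    root=$(readlink -f "$1") && [ -d "$root" ] || return 2
    # find -type l reports links without following them, so it terminates even
    # though following the loop would recurse forever.
    loops=$(find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        parent=$(dirname "$link")
        # "$parent/" starting with "$target/" means the target contains the link
        case "$parent/" in
            "$target"/*) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done)
    [ -n "$loops" ] || return 0
    printf '%s\n' "$loops"
    return 1
}

# Stand-alone demo on a constructed tree mirroring the post's layout.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/panel-migrator/sessions" "$base/panel-migrator/other"
    ln -s "$base/panel-migrator/sessions" "$base/panel-migrator/sessions/sessions"  # loop
    ln -s "$base/panel-migrator/other" "$base/panel-migrator/sessions/elsewhere"    # harmless
    if find_ancestor_loops "$base/panel-migrator"; then
        echo "no ancestor loops found"
    else
        echo "ancestor loops found (listed above)"
    fi
    rm -rf "$base"
}
demo
```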


To see the debug log you need to enable it first, as explained in this post.

P.S. If you have unused extensions on your server, or extensions you have used only a couple of times, I think the recommendation is to remove them and save yourself some headaches in the future.

Good luck!

NRPE Nagios Plesk Backup Monitor

Summary: This is a plugin (backup_plesk_checker) that monitors backup status in the Plesk panel – a Success/Warning/Error/Date checker.

Full Description: This is a basic plugin (backup_plesk_checker) that monitors backup activity in the Plesk panel. The plugin has 5 main checks:

  1. Success status – backup OK
  2. Warning status – backup has warnings
  3. Error status – backup has errors
  4. Backup unsuccessful – today's date is not equal to the backup date
  5. Not all domains are backed up – counts how many domains have been backed up; if the number is not equal to the expected one it gives a warning
  6. and more will follow 🙂

Compatibility with Plesk panel versions:
1) 17.8 – NO
2) 17.5 – NO
3) 17.0 – OK
4) 12.5 – OK
5) 12.0 – OK
6) 11.0 – OK

Last Update: 23.08.2017 v0.2

Some examples (screenshots): Success status, Warning status, Error/Date backup status.

About NRPE with Nagios:

NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines. This allows you to monitor remote machine metrics (disk usage, CPU load, etc.). NRPE can also communicate with some of the Windows agent addons, so you can execute scripts and check metrics on remote Windows machines as well.

Installation instructions:

Edit the file /etc/sudoers and add the following:

nrpe ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/backup_plesk_checker.sh
nagios ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/backup_plesk_checker.sh

Edit the file /etc/nagios/nrpe.cfg and add the following:

command[check_backup]=/usr/bin/sudo /usr/lib64/nagios/plugins/backup_plesk_checker.sh

Copy backup_plesk_checker.sh to /usr/lib64/nagios/plugins/ and give the script 777 or just the execute bit 🙂

The final step is to define the service and command for the specific servers on the Nagios server.
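The following is an added example, not the code of backup_plesk_checker or backup_ahsay_checker: it implements the decision logic both plugins describe above (success, warning, error, backup-date and domain-count checks) as a small POSIX shell plugin that prints one Nagios status line and exits with the matching code. The one-line-per-run summary format it parses is invented for the example; the real Plesk and Ahsay logs differ.

```shell
#!/bin/sh
# Added example, not the code of backup_plesk_checker or backup_ahsay_checker.
# It shows the decision logic such an NRPE plugin implements (success, warning,
# error, backup-date and domain-count checks) over a constructed one-line-per-run
# summary. The line format is invented for this example; the real Plesk and
# Ahsay logs look different and the parsing would have to be adapted.

# Nagios plugin exit codes, which NRPE passes back to the Nagios server.
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# check_backup_summary FILE EXPECTED_DOMAINS TODAY
# Reads the last run recorded in FILE (TODAY as YYYY-MM-DD), prints the single
# status line Nagios displays, and returns the matching exit code.
check_backup_summary() {
    file=$1; expected=$2; today=$3
    [ -r "$file" ] || { echo "UNKNOWN: cannot read $file"; return $UNKNOWN; }

    # Constructed format: date=YYYY-MM-DD status=success|warning|error domains=N
    last=$(tail -n 1 "$file")
    bdate=$(printf '%s\n' "$last" | sed -n 's/.*date=\([0-9-]*\).*/\1/p')
    status=$(printf '%s\n' "$last" | sed -n 's/.*status=\([a-z]*\).*/\1/p')
    domains=$(printf '%s\n' "$last" | sed -n 's/.*domains=\([0-9]*\).*/\1/p')
    if [ -z "$bdate" ] || [ -z "$status" ]; then
        echo "UNKNOWN: no backup record found in $file"; return $UNKNOWN
    fi

    # Most severe condition first, so each run maps to exactly one state.
    if [ "$status" = error ]; then
        echo "CRITICAL: backup of $bdate finished with errors"; return $CRITICAL
    fi
    if [ "$bdate" != "$today" ]; then
        echo "CRITICAL: last backup is from $bdate, expected $today"; return $CRITICAL
    fi
    if [ "$status" = warning ]; then
        echo "WARNING: backup of $bdate finished with warnings"; return $WARNING
    fi
    if [ "${domains:-0}" -ne "$expected" ]; then
        echo "WARNING: only ${domains:-0} of $expected domains backed up"; return $WARNING
    fi
    echo "OK: backup of $bdate successful, $domains/$expected domains"; return $OK
}

# write_sample FILE STATUS DOMAINS DATE: constructed two-run summary for the demo
write_sample() {
    printf 'date=2017-08-22 status=success domains=%s\n' "$3" > "$1"
    printf 'date=%s status=%s domains=%s\n' "$4" "$2" "$3" >> "$1"
}

# Stand-alone demo: runs the five scenarios from the plugin's option list and
# reports the exit code of each instead of exiting with it.
demo() {
    tmp=$(mktemp)
    for scenario in "success 3 2017-08-23" "warning 3 2017-08-23" \
                    "success 2 2017-08-23" "error 3 2017-08-23" "success 3 2017-08-21"; do
        set -- $scenario
        write_sample "$tmp" "$1" "$2" "$3"
        out=$(check_backup_summary "$tmp" 3 2017-08-23); rc=$?
        printf 'rc=%s  %s\n' "$rc" "$out"
    done
    rm -f "$tmp"
}
demo
```

Because nrpe.cfg runs the installed script as root through sudo, the copy in /usr/lib64/nagios/plugins/ should be writable by root only (mode 755 is enough for NRPE to execute it); a world-writable root-executed script lets any local account change what runs as root.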

# Change log
23.08.2017 – 0.2
1) EDIT: Removed bash debug (#set -x).
2) ADDED: NEW check! How many domains have been backed up – if the number is not equal it will give a warning.
3) EDIT: Comments in the code + some cleaning.

20.08.2017 – 0.1a
1) First release.

This plugin is under development – stay updated via the plugin's GitHub main page or via the newsletter – just sign up! 🙂

If you have questions you may send me a message: kamtec1 (att) gmail.com or sergey (att) securityinet.com.


nrpe-nagios-plesk-backup-monitor 23.08.2017 v0.2


Written by Sergey Babkevych SecurityInet https://www.securityinet.com

nrpe-nagios-plesk-backup-monitor is licensed under the GNU General Public License v3.0

GeForce GTX 860M crashes to BSOD after driver 378.49 update

Today my gaming laptop with a GTX 860M crashed after the driver was updated to version 378.49; the environment is Windows 10 Version 1607 64-bit on a Lenovo Y50-70.

The screen always froze for a few seconds on boot, and BSoDs with VIDEO_SCHEDULER_INTERNAL_ERROR and CLOCK_WATCHDOG_TIMEOUT also appeared randomly, even without any activity like drag and drop or opening Outlook.

With 378.49 and the .57 hotfix, my Lenovo Y50-70 laptop became completely unusable. The freezing/crashing starts as soon as Windows 10 boots. It took me a while to narrow it down to the driver, and I also determined that uninstalling the GeForce Experience suite did not fix the issue.

In short, like everyone else, I found the new driver packages completely unusable for the GTX 860M. I rolled back to 376.33 and all issues are fixed 🙂

It's not the first time NVIDIA has had problems with the GTX 860M: just a year ago (12/2/15) the GeForce QA/dev team worked on a hotfix for a very long time and many users suffered because of that delay.


In my opinion the GTX 860M is the most unstable product, with the most unstable drivers, that I have ever installed or seen in any PC or laptop.

How to fix the BSOD after the driver 378.49 update?

You need to roll back to the 376.33 driver.

Link: http://www.geforce.com/drivers/results/113444

Live forum updates:

UP.1. NVIDIA published hotfix 378.57 – NOT WORKING.

UP.2. 378.66 – working 🙂

Good luck!

Massive DDoS Attack Against Dyn DNS Service Popular Sites Offline


Twitter, Reddit, Spotify, Etsy, Box, Wix customer sites, Squarespace customer sites and a bunch of other websites were offline earlier today. That's because someone conducted a massive distributed denial of service (DDoS) attack on Dyn, a world-renowned Domain Name System (DNS) service provider.

Not all users were affected equally, however, and sites appear to have been intermittently accessible. To see a full list of sites that have reportedly been affected, click here.


Problems were reported at: Wikia, Uplay, Battle.net, T-Mobile, Cox, Photobucket, Quora, Salesforce.com, Office 365, Cloudflare, Steam, Go Daddy, Hulu, Cable One, The Division, Fatcow, WOW, PNC, Disqus, Suddenlink, Kayak, Bright House Networks, Zillow, WeTransfer, Hostgator, HBO Go, Verizon, Heroku, Star Wars Battlefront, Overwatch, eBay, Rocket League, CenturyLink, GTA 5, Call of Duty, Youtube, Origin, Crunchyroll, Reddit, Comcast, Frontier, Mediacom, Jive, Rainbow Six, Xbox Live, AT&T, 2k, Gmail, Whatsapp, RCN.

All of these sites and services are reportedly experiencing outages and downtime, either completely or partially.

One more list of affected websites:

Schoology and Apex
Npmjs.com (Node Package Manager, a major JavaScript package manager)
Netflix.com (slow loading time)
The Boston Globe
The New York Times
Playstation Network (PSN)
Fox News
Elder Scrolls Online
Starbucks rewards/gift cards
Zoho CRM
Iheart.com (iHeartRadio)
Business Insider
Credit Karma
Squarespace Customer Sites
Big cartel
Blue Host
Eve Online
Wix Customer Sites
Speed Test
Applicant Tracking System and Recruiting Software | iCIMS.com
Sterlingbank.com (sign in issues)



Recently, the Internet witnessed a record-breaking DDoS attack of over 1 Tbps against the France-based hosting provider OVH, and now the latest victim is none other than the DNS provider Dyn.
The attack appears to have started just after 7am ET and to have affected huge swaths of the East Coast and much of the Midwest. Level3, which monitors internet activity, shows the extent of the outage.

A sudden outage of popular sites and services, including Twitter, SoundCloud, Spotify, and Shopify, for many users is causing an uproar online. It is the result of a DDoS attack against the popular Domain Name System (DNS) service provider Dyn, according to a post on Ycombinator. DNS acts as the authoritative reference for mapping domain names to IP addresses. In other words, DNS is simply the Internet's phone book, resolving human-readable web addresses, like thehackernews.com, to IP addresses.

Dyn DNS is used by many websites and services as their upstream DNS provider, including Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and Vox Media properties.

A couple of months ago researchers exposed the Lizard Squad group hacking CCTV systems and carrying out DDoS attacks on financial and government institutions in Brazil, while the DDoS prevention firms Sucuri and Incapsula revealed that thousands of CCTV cameras had not only been hacked but also turned into a DDoS botnet worldwide – the reason, once again: weak login credentials.

Linux-based IoT devices in particular are a prime target for cyber criminals. Recently, the Luabot and Bashlite (aka Lizkebab) malware were found taking over Linux-based CCTV cameras and attacking banks and small businesses worldwide.






DDoS Digital Attack Map – not showing and not working during the attack:

Fortinet Threat Map

Norse Attack Map




I think there is a problem with IoT devices and the only solution is to patch them. To mitigate these kinds of attacks you need a very powerful anti-DDoS system, and as we saw today (21 October) there is a problem with that kind of device. Researchers will now spend tons of time learning how to mitigate these kinds of attacks.

I think there are a couple of possible solutions:

  1. Patch problematic/affected devices.
  2. Invent powerful anti-DDoS hardware that even small companies can buy.
  3. Mitigate the attack by learning it: these devices have signatures, and using those signatures the prevention hardware at the ISP level needs to block these kinds of attacks.
  4. Block all traffic from these kinds of devices – if an IoT device is generating abnormally large traffic, block its IP at the ISP level.




UPDATE 1# 22.10.2016 01:12

There is a problem with PSN (PlayStation Network).

UPDATE 2# 22.10.2016 01:40

Dyn Managed DNS – This incident has been resolved.



Virtuozzo 7 webinar October 18

Today I attended a very cool Virtuozzo 7 webinar (October 18 2016) and it was astonishing!

I have been using Virtuozzo products since version 4.6 and I see very big potential in Virtuozzo 7 for big hosting companies and for small ones alike – I think it's the most cost-effective solution for VPS and cloud hosting.

One of the great features (for me) that I was surprised to hear about (BETA stage?) is disk encryption! You can encrypt the data and the backup, and the container will be encrypted 🙂 I think ReadyKernel is the second greatest thing – no more "useless" reboots! 🙂

The saddest news to hear was probably "No more PVA". Yes, you are not dreaming... Virtuozzo is killing its "baby" for a new product called "Virtuozzo Automator". The Virtuozzo team says Virtuozzo Automator will have brand new features like LB (load balancer), VPN, network config and more.

I remember a great story regarding Plesk Expand server – it was one of the best hosting support panels ever... one day Plesk (Parallels) decided to "kill" this solution and what is happening now is a mess; the support department was confused by so many Plesk panels. A couple of years passed and now Plesk (Parallels) has developed a "new Expand" as an extension to the Plesk platform that does the same thing. I think the same will happen with PVA (I think so...): it will rise again in a couple of years under a new brand name but with the same idea 🙂

Virtuozzo 7 Benefits

Virtuozzo 7 combines well-known Systems Container technology, KVM-based virtual machines and software-defined storage in a single solution covered by production support.

Think of Virtuozzo as your virtualization multi-tool: Our unique approach to combining the best virtualization tools and value-added services in a single console is proven to be the best fit for customers that want:

  • the freedom to choose the best technology for the job
  • the power to deliver exceptional performance to customers
  • a knock-your-CFO’s-socks-off ROI

By the Numbers

  • Virtuozzo VMs outperform CentOS KVM by up to 33%
  • Virtuozzo Containers™ deliver 40% better performance and 2x better density than most advanced hypervisors
  • Virtuozzo Storage outperforms Ceph—the most popular open source software-defined storage by 10x or more on identical hardware
  • 24×7 professional support service from a team with 15+ years experience

Virtuozzo 7 webinar invitation

This is a copy of the invitation that was sent by the Virtuozzo team:


Virtuozzo 7 – Highlights

Virtuozzo Containers – what's new in Virtuozzo 7?

With system containers™, a single operating system kernel can support multiple isolated virtualized instances instead of just one. Such instances, called containers™, look and feel like a real server from your customer’s point of view.

Key Features

  • Designed to run a full Linux OS and any distribution
  • Low memory overhead; advanced memory management
  • Flexible and fine-grained CPU and memory management
  • Secure by default


  • Better performance and density compared to VMs
  • Containerize any application with native performance
  • Support for container™ management through libvirt and OpenStack

By the Numbers

  • 60% better performance compared to VM
  • 2x greater density compared to VM
  • Deploy hundreds of containers on a standard dual-CPU x86 server
  • Zero overhead costs
  • Fraction-of-a-second startup time

Measuring System Container™ Density


This graph depicts a density test comparison of CentOS 7 KVM and Virtuozzo 7 Containers™. Each virtualization solution was loaded by a number of clients sending requests to every server at a fixed rate. While adding more and more servers, we monitored the average response time and stopped the test when it reached the preset limit (200ms). As you can see, CentOS 7 KVM was able to handle 130 servers simultaneously, while Virtuozzo Containers™ can run more than 200 servers with identical performance.

Virtuozzo 7 performance comparison: Windows VMs on CentOS and Virtuozzo

Figure 1. Performance comparison of Windows VMs running on CentOS KVM and Virtuozzo

Virtuozzo 7 Hypervisor – what's new?

Key Features

  • Improved density with AMM, auto ballooning, and Kernel same-page merging
  • KVM/QEMU cache optimizations
  • Set of kernel patches improving performance
  • Windows drivers with Hyper-V enlightenments
  • Powerful guest tools


  • Proven backup solution shipped by default
  • Reduced overall maintenance
  • Low cost
  • Software-defined storage runs together with compute
  • Upstream compatible and commitment to open standards

By the Numbers

  • 100% upstream KVM compatible
  • Up to 40% better performance results for latest Linux and Windows OS
  • 30% higher density than standard KVM
  • 24×7 highly skilled professional support

Performance Test: CentOS7 KVM vs Virtuozzo 7 Hypervisor


This graph depicts a SPECvirt performance test of Linux workloads for CentOS 7 KVM versus the Virtuozzo 7 Hypervisor. Tiles represent a set of workloads. A single tile deploys a number of different workloads, each of them generating output transactions. Here we measure the output total of all transactions.

Virtuozzo 7 Storage – what's new?

Key Features

  • High availability, high performance
  • Low-cost scalability up to multiple petabytes and hundreds of nodes in a single cluster
  • Persistent, production-ready storage for Docker
  • Block storage optimized for big files; S3-compatible object storage
  • Web-based UI management


  • Use your existing hardware
  • Flexibility to deploy containers and VMs
  • Fast performance
  • Zero downtime
  • Live server migration in user space
  • Eliminate the need for costly, special-purpose storage devices
VIRTUOZZO STORAGE VS. CEPH I/O Performance Comparison: Link

Ceph vs Virtuozzo Storage


This graph compares sequential read, sequential write, random read, and random write operations between Virtuozzo Storage and open source storage solution Ceph.





Value-Added Services

On top of virtualization, Virtuozzo offers a helpful suite of value-added services right “out of the box”, keeping your total cost of ownership low.

  • 24×7 first-class support
  • Rebootless kernel updates with ReadyKernel
  • Advanced memory management enabling better density without performance impact
  • Application catalog powered by Bitnami
  • Additional Docker support including new storage plugin

Skype 1.10 for Linux Alpha now supports video calling



Microsoft has released a new Skype version (1.10) for Linux users that brings video calling support. The arrival of the latest build also discontinues older versions to push the fresh experience.

The latest Skype for Linux Alpha, version 1.10, finally allows you to make video calls. But interestingly, there is a catch. You can presently make one-on-one video calls only between Skype for Linux Alpha clients. This means you might face bugs while making video calls from a Linux computer.

"The team has been working hard on bringing video calls on Linux and today we have the experimental version ready for you. We are not quite there," the Skype team writes in a blog post.

In addition to the video calling support, the Skype team at Microsoft is set to disable Linux Alpha versions 1.1 to 1.6. Users with these older versions will get an alert to install the latest version.

You can download Skype for Linux Alpha version 1.10 on your Linux system by visiting the official website. It comes in both deb and rpm formats.


This week, we have something special for you. The team has been working hard on bringing video calls on Linux and today we have the experimental version ready for you. We are not quite there. The 1-on-1 video calls work only between Skype for Linux Alpha clients for now. Despite the early phase, we'd like to ask you, the Linux community, to help us with testing. Please let us know how the video works for you.


With this release, we also decided to disable some older versions of Skype for Linux Alpha (1.1 – 1.6). Those users will be asked to update to the latest version. You can download the latest versions at the following links…


Download Skype for Linux Alpha DEB
Download Skype for Linux Alpha RPM

By downloading and installing Skype for Linux Alpha, you agree to the terms of use and privacy statement.


Ref. skype

Good luck !

Most Promising Virtualization Solution Providers 2016-2017


Any discussion of server virtualization software typically ends in clinking glasses and high fives, heated discussions or slap fights.
When it comes to server virtualization software technology offerings, you might not require every bit and byte of programming they’re composed of, but you’ll rejoice at the components of their feature sets when you need them.

These solutions scale from a few virtual machines that host a handful of Web sites, virtual desktops or intranet services all the way up to tens of thousands of virtual machines serving millions of Internet users. If you don’t know all the virtualization software names on this list, it’s time for an introduction.

Containers may be stealing the headlines these days, but server virtualization technology still dominates the data center. Check out the 20 most promising virtualization solution providers for 2016-2017:


Brain4Net  https://brain4net.com
Calsoft  http://www.calsoft.com
CloudPhysics  https://www.cloudphysics.com
Datometry  http://www.datometry.com
EPIOZ  http://epioz.com
Ericom  http://www.ericom.com
ITsavvy  http://www.itsavvy.com
Login VSI  https://www.loginvsi.com
MicroAge  https://microage.com
Midfin Systems  http://www.midfinsystems.com
Nexenta Systems  https://nexenta.com
Numecent  http://www.numecent.com
Quadric Software  http://www.quadricsoftware.com
Syneto  https://syneto.eu
Systancia  http://www.systancia.com/
TenAsys Corporation  http://www.tenasys.com
VDIworks  http://www.vdiworks.com
Virdatint  http://virdatint.com
Virtuozzo  https://virtuozzo.com/
Xperteks  http://www.xperteks.com

CloudFlare: Massive DDoS attacks coming from IoT cameras


Over the last few weeks we’ve seen DDoS attacks hitting our systems that show that attackers have switched to new, large methods of bringing down web applications. They appear to come from the Mirai botnet (and relations) which were responsible for the large attacks against Brian Krebs.

Our automatic DDoS mitigation systems have been handling these attacks, but we thought it would be interesting to publish some of the details of what we are seeing. In this article we’ll share data on two attacks, which are perfect examples of the new trends in DDoS.


In the past we’ve written extensively about volumetric DDoS attacks and how to mitigate them. The Mirai attacks are distinguished by their heavy use of L7 (i.e. HTTP) attacks as opposed to the more familiar SYN floods, ACK floods, and NTP and DNS reflection attacks.

Many DDoS mitigation systems are tuned to handle volumetric L3/4 attacks; in this instance attackers have switched to L7 attacks in an attempt to knock web applications offline.

Seeing the move towards L7 DDoS attacks we put in place a new system that recognizes and blocks these attacks as they happen. The L7 mitigator recognizes attacks against a single host and distributes a fingerprint that protects all 4 million Cloudflare customers. We’ll write more about it in the future.

HTTP Requests per second

Often when DDoS attacks are reported the size of the attack is reported in Gbps (or even Tbps), but there are many ways to measure the size of an attack.

For L7 HTTP-based attacks it also makes sense to measure requests per second. That’s because, unlike volumetric L3/4 attacks, HTTP-based attacks eat up resources by making actual HTTP requests to the attacked server.

Recently we were hit by a couple of unusually large L7 attacks, crossing 1 million HTTP requests per second (1 Mrps). Here is one of them:

This attack continued for 15 minutes. Multiple recent attacks had >1 Mrps and lasted for minutes.

This particular attack peaked at 1.75 Mrps. It was composed of short HTTP requests (around 121 bytes per request), without anything unusual in the HTTP headers. The requests had a fixed Cookie header. We counted 52,467 unique IP addresses taking part in this attack.

Due to the Anycast nature of the Cloudflare network, the malicious traffic was spread across multiple Cloudflare cities and with 100 cities we are able to get a good picture of where the bots are located.

Here are the top affected datacenters:

This attack went largely to our Hong Kong and Prague datacenters. This is another common characteristic; most of the recent attacks looked similar.

Since the attack looks concentrated, we wondered if only a small number of AS numbers (networks) were the source of the attack. Unfortunately no, the IP addresses participating in the flood are evenly distributed. Out of 10,000 random requests we analyzed, we saw source IP addresses from over 300 AS numbers. These are the biggest sources:

   48 AS24086 ; Vietnam
  101 AS4134  ; China
  128 AS7552  ; Vietnam
  329 AS45899 ; Vietnam 
 2366 AS15895 ; Ukraine

These attacks are a new trend, so it’s not fair to blame the AS operators for not cleaning up devices participating in them. Having said that, the Ukrainian ISP and Vietnamese AS45899 seem to stand out. We’ll get back to those in a moment.


Although requests per second is a common metric for measuring these attacks, it’s not the only one. We can also measure the bandwidth used in the attack.

By this count the attack mentioned above was pretty small (since we’ve got used to DDoS attacks being reported in 100s of Gbps). It peaked at roughly 2Gbps. But recall that these L7 attacks end up hitting a web server and are not simply volumetric: they use server resources.

However, we saw another attack that was unusual in that it was an L7 with similar bandwidth consumption to traditional L3/4 volumetric attacks. First, here’s the requests per second graph:

This attack generated “only” 220k requests per second at peak. However, it generated significant inbound bandwidth:

This attack topped out at 360Gbps of inbound HTTP traffic. It's pretty unusual for an HTTP attack to generate a substantial amount of network traffic. This attack was special, and was composed of HTTP requests like this:

GET /en HTTP/1.1
User-Agent: <some string>
Cookie: <some cookie>
Host: example.com
Connection: close
Content-Length: 800000


It’s the long payload sent after the request headers that allowed the attackers to generate substantial traffic. Since this attack we’ve seen similar events with varying parameters in the request body. Sometimes these attacks came as GET requests, sometimes as POST.
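A defender reading server logs can look for exactly this signature: GET requests whose total request length is far larger than the ~121 bytes a normal request line plus headers takes up. The following is an added example (not Cloudflare's code) that scans a constructed access log for such requests and counts distinct clients; the log format, with a per-request byte count like nginx's $request_length as the last field, is an assumption for the example:

```shell
#!/bin/sh
# Added example, not Cloudflare's code: a first-pass detector for the L7 pattern
# described above, GET requests that carry a large body, run over a constructed
# access log. Assumed line format: CLIENT_IP "METHOD PATH PROTO" STATUS REQUEST_LENGTH
# where REQUEST_LENGTH counts request line, headers and body in bytes (as nginx's
# $request_length does). Real log formats need the field positions adapted.

# bodied_gets LOG MIN_BYTES
# Prints "hits ip" for every client that sent at least one GET whose request
# length is >= MIN_BYTES, busiest client first. Returns 1 when none matched.
bodied_gets() {
    out=$(awk -v min="$2" '
        { method = substr($2, 2) }                 # $2 is "\"GET": drop the quote
        method == "GET" && $NF + 0 >= min { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# unique_clients LOG: number of distinct source addresses in the log
unique_clients() {
    awk '!seen[$1]++ { n++ } END { print n + 0 }' "$1"
}

# write_sample_log FILE: constructed lines using documentation (TEST-NET) addresses;
# the 121-byte GET is a normal request, the others carry a large body.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 "GET /en HTTP/1.1" 200 800121
203.0.113.10 "GET /en HTTP/1.1" 200 800121
198.51.100.7 "GET /en HTTP/1.1" 200 800121
192.0.2.44 "GET /index.html HTTP/1.1" 200 121
192.0.2.45 "POST /login HTTP/1.1" 200 800000
EOF
}

demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "clients seen: $(unique_clients "$log")"
    echo "GETs with a request length of 100000 bytes or more, by client:"
    bodied_gets "$log" 100000 || echo "(none)"
    rm -f "$log"
}
demo
```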

Additionally, this particular attack lasted roughly one hour, with 128,833 unique IP addresses. The datacenter distribution was different, with most of the attack concentrated on Frankfurt:

As the attack was composed of a very large number of bots, we expected the AS distribution to be fairly even. Indeed, in the 10,000 request sample we recorded a whopping 737 unique AS numbers. Here are the top sources:

  286 AS45899 ; Vietnam
  314 AS7552  ; Vietnam
  316 AS3462  ; Taiwan
  323 AS18403 ; Vietnam
 1510 AS15895 ; Ukraine

Once again, the Ukrainian ISP and couple of Vietnamese networks are the top hitters.


More on the sources

We wondered why AS15895 was so special. First, we investigated our traffic charts. Here is the inbound traffic we received from them over last 30 days:

The first significant attack was clearly seen as a spike on September 29 and reached 30Gbps. A very similar chart is visible for AS45899:

We can see some smaller attacks attempted around September 26. A couple of days later the attackers turned the throttle up hitting 7.5Gbps non-stop from this ASN. Other AS numbers we investigated reveal a similar story.


While it’s not possible for us to investigate all the attacking devices, it is fair to say that these attacks came from Internet-of-Things (IoT) category of devices.

There are multiple hints confirming this theory.

First, all of the attacking devices have port 23 (telnet) open (closing connection immediately) or closed. Never filtered. This is a strong hint that the malware disabled the telnet port just after it installed itself.

Most of the hosts from the Vietnamese networks look like connected CCTV cameras. Multiple have open port 80 with presenting “NETSurveillance WEB” page.

The Ukrainian devices are a bit different though. Most have port 80 closed, making it harder to identify.

We had noticed one device with port 443 open serving a valid TLS cert issued by Western Digital, handling domain device-xxxx.wd2go.com suggesting it was a hard drive (Network Attached Storage to be precise).

未来 (Mirai, "the future"): the future of DDoS

We plan to continue our investigation and collaborate with external researchers to find a permanent solution to this rising threat.

Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks. As more and more devices (fridges, fitness trackers, sleep monitors, …) are added to the Internet they’ll likely be unwilling participants in future attacks.


Ref. cloudflare


Be safe

Opera was hacked – server breach incident


The company revealed that attackers gained access to Opera Sync, a service that lets users synchronize their browser data and settings across multiple platforms. It is investigating the incident, but initially believes the attack may have compromised user data, including passwords and login names.

Opera counts 350 million users across its range of products, but it said that only a small portion of those use the Sync service. Last month, for example, it counted 1.7 million active Sync users, but more may have registered for it and, in doing so, provided Opera with data. The company has reset all passwords and emailed all registered Opera Sync users with details.

Opera Sync is used to synchronize user data between different computers but it is apparently used by under “0.5% of the total Opera user base”. However, with a user base of 350 million this means that upwards of 1.7 million people could be affected.

“Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution,” it explained in a blog post.
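The distinction Opera draws matters: authentication passwords are stored one-way (hashed with a per-user salt), so a copied database does not hand the attacker the passwords, while synchronized passwords must be reversible (encrypted) because the client needs them back. The following is an added example, not Opera's code, of the authentication side: salted PBKDF2 hashes, constant-time verification, and the precautionary mass reset Opera performed, where every stored hash stops authenticating until the user sets a new password through a one-time token. The iteration count and record layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune for your hardware


def hash_password(password):
    """Store only a random salt and a one-way digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "reset_required": False,
    }


def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    if record["reset_required"]:
        return False  # account is frozen until a new password is set
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def force_reset(accounts):
    """Precautionary mass reset after a breach: freeze every account and mint a
    one-time reset token to be delivered out of band (e-mail in Opera's case)."""
    for rec in accounts.values():
        rec["reset_required"] = True
        rec["reset_token"] = secrets.token_urlsafe(32)
    return len(accounts)


def set_new_password(accounts, user, token, new_password):
    """Complete the reset: the token must match, and a fresh salt/hash replaces the old record."""
    rec = accounts.get(user)
    if rec is None or not hmac.compare_digest(rec.get("reset_token", ""), token):
        return False
    accounts[user] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Constructed demo account.
    accounts = {"alice": hash_password("correct horse battery staple")}
    print("login before reset:", verify_password(accounts["alice"], "correct horse battery staple"))
    force_reset(accounts)
    print("login after reset:", verify_password(accounts["alice"], "correct horse battery staple"))
    token = accounts["alice"]["reset_token"]
    print("reset accepted:", set_new_password(accounts, "alice", token, "new passphrase"))
    print("login with new password:", verify_password(accounts["alice"], "new passphrase"))
```

Two details carry the security value: the salt makes identical passwords hash differently, so a leaked table cannot be attacked with one precomputed dictionary for all users, and the reset flag means a leaked hash is useless even if it is eventually cracked, because the old hash no longer authenticates anyone.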

Opera Security blog statement

In a statement on the Opera Security blog, Tarquin Wilton-Jones says:

Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.

Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution.

We have also sent emails to all Opera sync users to inform them about the incident and ask them to change the password for their Opera sync accounts. In an abundance of caution, we have encouraged users to also reset any passwords to third party sites they may have synchronized with the service.

To obtain a new password for Opera sync, use the password resetting page.

The total active number of users of Opera sync in the last month is 1.7 million, less than 0.5% of the total Opera user base of 350 million people.

The remaining Opera browser users, who do not use Opera sync, do not need to take any action.

We take your data security very seriously, and want to sincerely apologize for the inconvenience this might have caused.

Mail sent to millions of users

Dear Opera sync user,

We wanted to let you know that in order to protect your Opera sync account we have reset your password. In order to continue to synchronize your data, you will have to go to the Opera sync service and make a new one.

The reason we have done this is because we detected an attack on some of our Opera sync servers. Our investigations are continuing but we believe some of our users’ passwords (that are still encrypted or securely hashed) and account information such as login names may have been compromised. As a precautionary measure, we have reset all of the Opera sync users’ passwords. In an abundance of caution, we also encourage you to change any passwords to third party sites that you have synchronized through the Opera sync service.

To regain access to Opera sync, click “Forgot password” from the synchronize dialog in the Opera browser menu and then create a new password.

We take your data security very seriously and want to sincerely apologize for the inconvenience this might have caused you.

Thank you for your cooperation,
The Opera sync team


Suggestions and recommendations

All Opera Sync users affected by the breach have been informed about it via email. The email asks users to change the password to their Sync account as soon as possible.

Please change your Opera account password!!!




WhatsApp announces sharing user data with Facebook




After WhatsApp was bought by Facebook in 2014, users worried that the messaging app’s strong stance on privacy might be compromised. Co-founder Jan Koum hoped to stem these fears, writing in a blog post at the time: “Respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible.” Today, though, the company is loosening some of its own restrictions, and has announced it will begin sharing a limited amount of user data — including individuals’ phone numbers — with parent company Facebook.

WhatsApp says that sharing this information means Facebook can offer better friend suggestions by mapping users’ social connections across the two services, and deliver more relevant ads on the social network. Additional analytics data from WhatsApp will also be shared to track usage metrics and fight spam.

According to the blog post, these changes are a result of WhatsApp’s desire to allow businesses to communicate directly with its more than 1 billion users.

You can read WhatsApp’s full updated documents here.

Partial opt-out

Opting out of the data-sharing entirely does not seem to be possible, but WhatsApp is offering a partial opt out — specifically for Facebook ad targeting and product-related purposes.

However it notes that data will still be shared “for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities”.

So there is no way to totally opt out, short of no longer using WhatsApp.

A WhatsApp spokesperson declined to comment on why it is not offering users a complete opt out of data-sharing with Facebook, but in a statement the spokesperson said: “We understand people with WhatsApp accounts might want to opt out of sharing their account information to improve their Facebook experiences. They have an additional 30 days to opt out after accepting the new terms so they have time to consider their choices.”




How to opt out of sharing data for Facebook ad targeting

WhatsApp details two ways to opt out of sharing data for Facebook ad targeting on its blog here.

Firstly, if you haven’t already agreed to the new T&Cs, you can opt out before agreeing to the new terms: tap to read the full terms of service and privacy policy, scroll to the control at the bottom of the document, and untick the check-box option for sharing the data before hitting agree…


If you’ve already accepted the new T&Cs without unchecking the box to share your information with Facebook, WhatsApp is also offering a thirty-day window to make the same choice, via the settings page in the app.

To exercise your opt out in this scenario, go to Settings > Account > Share my account info in the app and uncheck the box/toggle the control displayed there. Do so within the thirty-day window. Presumably, after that, even this partial opt out will expire.

No Option to Completely Opt-Out of Data Sharing


However, the company notes that data will still be shared “for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.”

WhatsApp promises the changes won’t lead to a “spammy” service

Despite these assurances, WhatsApp’s users are still likely to feel annoyed that the company is sharing information with Facebook. Part of the app’s popularity has always come from its unobtrusive (and unprofitable) business model, which gives users an easy way to communicate without using their data to serve ads. WhatsApp’s commitment to user privacy has even brought it into conflict with law enforcement, with a Brazilian court temporarily banning the app in July for refusing to hand over messages (it argued it couldn’t if it wanted to).

WhatsApp is keen to preempt criticism, and says that although it’s changing its privacy policy, it continues to support end-to-end encryption. “Even as we coordinate more with Facebook in the months ahead, your encrypted messages stay private and no one else can read them,” says the company in a blog post. “Not WhatsApp, not Facebook, nor anyone else. We won’t post or share your WhatsApp number with others, including on Facebook, and we still won’t sell, share, or give your phone number to advertisers.”

WhatsApp new features

The company also said it has rolled out several new features, such as end-to-end encryption and WhatsApp Calling, alongside various other messaging tools like WhatsApp for web and desktop.

Though privacy policies are being relaxed, WhatsApp assured its users that thanks to the new end-to-end encryption, private messages will remain private.

The latest version of WhatsApp will encrypt user messages by default, which means that no one outside of the conversation will be able to read them. “Even as we coordinate more with Facebook in the months ahead, your encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else,” WhatsApp wrote in the blog post.

Announcing PowerShell is open sourced and is available on Linux



What is PowerShell?

PowerShell is an automation platform and scripting language for Windows and Windows Server that allows you to simplify the management of your systems. Unlike other text-based shells, PowerShell harnesses the power of the .NET Framework, providing rich objects and a massive set of built-in functionality for taking control of your Windows environments.

PowerShell Desired State Configuration (DSC)

PowerShell Desired State Configuration (DSC) is a platform for testing and ensuring the declarative state of a system. DSC allows you to scale complex deployments across environments, enables collaboration of management, and corrects for configuration drift.


Microsoft today released its PowerShell scripting language and command-line shell as open source. The project joins .NET and the Chakra JavaScript engine as an MIT-licensed open source project hosted on GitHub.


Alpha version prebuilt packages of the open source version are available for CentOS, Ubuntu, and OS X, in addition, of course, to Windows. Additional platforms are promised in the future.

Announcing the release, Microsoft’s Jeffrey Snover described the impetus for the move: customers liked the use of PowerShell for management, remote control, and configuration but didn’t like that it was Windows-only. To address this concern, Microsoft first had to bring .NET, and then PowerShell itself, to Linux and other platforms. Snover says that PowerShell will be extended so that remote scripting can natively use ssh as its transport instead of Windows remoting.

Longer term, this move should mean that Windows’ and Azure’s management tools such as Operations Management Suite and Desired State Configuration will have much greater reach, allowing a common set of tools and skills to reach a far greater range of systems.



This is my opinion and somewhat educated speculation, but it seems to me that they want to make it so you can manage anything from anywhere. Maybe you’re a Unix person who has some Windows machines (either local or in Azure) that you need to manage. You can use PowerShell from Linux to do that. Maybe you’ve got some bash scripts at your company AND some PowerShell scripts. Use them both, interchangeably.


If you know PowerShell, you’ll be able to use those skills on Linux as well. If you manage a hybrid environment, PowerShell isn’t a replacement for bash but rather another tool in your toolkit. There are lots of shells (not just bash, zsh, but also ruby, python, etc) in the *nix world so PowerShell will be in excellent company.

Fast forward to today and Microsoft is announcing PowerShell on Linux powered by .NET Core and it’s all open source and hosted at http://GitHub.com/PowerShell/PowerShell.



PowerShell community

The PowerShell team has always prided itself on being a very community focused team but this announcement takes it to the next level by making the source code available and by adopting an open source development model where we can enjoy a deeper connection with the community in RFCs, issues and accept contributions directly. We also needed to extend our community since open source, like so many things, takes a village and that village is key to a great experience! We are partnering with third party companies – Chef, Amazon Web Services, VMware, and Google to name a few – to create a rich, seamless experience across the platforms you know and use.

As we port PowerShell to Linux, we are making sure that we are a first class citizen on that platform. We fit in well with the architecture, idioms and existing tools. This was pretty easy as most of the original PowerShell team had deep Unix backgrounds and that shows in our design. There were a number of little changes that we made and two big things:

  1. We created a PowerShell Editor Service. This allows users to choose from a range of editors (VS Code and Sublime, with others to follow) and get a great PowerShell authoring experience with Intellisense, debugging, etc.
  2. We will be extending the PowerShell Remoting Protocol (MS-PSRP) to use OpenSSH as a native transport. Users will have the option to use SSH or WINRM as a transport.

The initial release is an “alpha” and is community supported. In the future, we will deliver an official Microsoft released version of PowerShell based on open source to anyone running a supported version of Windows or *nix. The timing of the official Microsoft version will be based upon community input and business needs. We hope all of you will help us get it right!


The journey to opening up PowerShell


If you are new to PowerShell, a great way to start learning is with our Learning PowerShell repository on GitHub. We also offer a free Microsoft Virtual Academy online course: Getting Started with PowerShell 3.0 Jump Start. You’ll want to join/participate in the PowerShell Community at powershell.org/ and follow the PowerShell Team blog. We’ll be updating these to meet the needs of the Linux community (e.g. examples) in the near future.



Be sure to check out the coverage from around the web and lots of blog posts from different perspectives!

Have fun! This open source thing is kind of catching on at Microsoft isn’t it?

Ransomware overview – on-line updates



What is ransomware?

Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it.

Upon compromising a computer, ransomware will typically either lock a user’s system or encrypt files on the computer and then demand payment before the system or files will be restored.

More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer’s Master File Table (MFT) or the entire hard drive. Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.


What does ransomware do?


There are different types of ransomware. However, all of them will prevent you from using your PC normally, and they will all ask you to do something before you can use your PC.

They can target any PC users, whether it’s a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.

Ransomware can:

  • Prevent you from accessing Windows.
  • Encrypt files so you can’t use them.
  • Stop certain apps from running (like your web browser).

Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files. We have also seen them make you complete surveys.

There is no guarantee that paying the ransom (or “fine”) or doing what the ransomware tells you will give you access to your PC or files again.
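Because file-encrypting ransomware turns readable documents into ciphertext, one cheap detective control is to watch for files whose contents suddenly look random. The following added example (my code, not from any product named on this page) measures the Shannon entropy of the first bytes of each file and flags those near 8 bits per byte; the threshold, the list of skipped compressed extensions and the sample files it creates in a temporary directory are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumption: ciphertext sits close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is read, so scans stay cheap
# Legitimately high-entropy formats that would otherwise be false positives (assumed list).
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".mp3"}


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True when the head of the file has ciphertext-like entropy."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_directory(root):
    """Walk root and return (sorted flagged paths, number of files examined)."""
    flagged, examined = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXT:
                continue  # skip formats that are high-entropy by design
            examined += 1
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                flagged.append(path)
    return sorted(flagged), examined


def demo():
    """Constructed sample tree: three text documents, two random-byte files
    standing in for encrypted documents, and one archive that must be skipped.
    Returns (flagged count, examined count)."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(3):
            with open(os.path.join(root, f"report{i}.txt"), "w") as f:
                f.write("Quarterly figures and meeting notes.\n" * 100)
        for i in range(2):
            with open(os.path.join(root, f"report{i}.docx.locked"), "wb") as f:
                f.write(os.urandom(SAMPLE_BYTES))  # stands in for ciphertext
        with open(os.path.join(root, "archive.zip"), "wb") as f:
            f.write(os.urandom(SAMPLE_BYTES))      # high entropy but legitimate
        flagged, examined = scan_directory(root)
        return len(flagged), examined


if __name__ == "__main__":
    print("flagged/examined:", demo())
```

On its own a high-entropy file proves nothing; the useful signal is the change over time, so run the scan periodically against the same share and alert when the flagged fraction jumps, ideally combined with a canary document that no user should ever modify.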


Big news – No-More-Ransom project 2016

The “No-More-Ransom” project has just started, but we are continuously working with other security companies and law enforcement agencies to identify as many keys as possible, for as many variants as possible. If you have some information that you think can help, please share it with us.

Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.

The “No-More-Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Since it is much easier to avoid the threat than to fight against it once the system is affected, the project also aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection. The more parties supporting this project the better the results can be. This initiative is open to other public and private parties.




#1 On-line ransomware updates -link



#2 On-line ransomware updates -link



*The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.


Good luck and stay safe!

DWS- Destroy Windows 10 Spying



If data collection in Windows 10 is one of your main concerns, then you probably already know that there are a lot of apps out there which can help you with that and block the operating system from sending any of your own information to Microsoft.

Destroy Windows Spying is the most popular program to remove spyware in Windows 7/8.1/10.

Very fast speed

The program runs as quickly as possible, because its algorithms are optimized and elaborated.

Large audience

Millions of users are using the program and help it improve by contributing to the source code.

Advanced Settings

The program has advanced settings that allow you to further customize the removal of spying.


* High efficiency
* Disable\Enable Windows Update
* Remove spying apps
* Disable Windows Defender
* Blocking IP addresses
* Removing METRO applications
* Open source
* Add spying domains to hosts!
* Support Windows 7/8/8.1/10 or Server 2008-2012 R2
* Remove Office 2016 telemetry!




latest release
source code .zip
source code .tar.gz

Original website and ref.:

Message from the author of DWS - Destroy Windows 10 Spying:

Hello. Since you are here, it means that you are looking for a new version of DWS? As you can see, it is absent yet, and the sources are raw and not ready for usage. The project is not abandoned (status as of 04/30/2016). I just have no time to work closely on it. We will be glad if you would help us to build a new version. If you are asking why we have published this: because pushing the release date further has become shameful, and we want to show that development is still in progress and we are not forgetting about you.

Waiting for your suggestions and commits =)


DWS EXTENDED https://github.com/nullptrspace/DWS

Determination of the system language

We get the language from the command-line arguments to the function:

private string _GetLang(IEnumerable<string> args)

Next we set language in function:

private void SetLanguage(string currentlang = null)

And call function to change the language:

private void ChangeLanguage()

EasyApache 4 Announcement


Over the past several months, we have been working on the next generation of EasyApache. In EasyApache 4, we will make quite a few major changes to the way cPanel & WHM utilizes Apache HTTPd & PHP. This will initially be an opt-in update so that users can choose when to move to the new ecosystem, but at some point, this will be a required change.

The major changes that we plan to introduce are:

  • Improved Operating System Integration and migrating to OS standard paths for services
  • EasyApache will use the system package manager (yum)
  • Full binary distribution of Apache HTTPd and PHP via RPM & yum
  • Use of modern Apache releases (2.4)
  • Automatic updates of Apache HTTPd & PHP
  • Ability to set different PHP versions on a per-vhost basis

As you can tell, there are many changes compared to what EA3 has delivered over the years. The purpose of this article is to solicit feedback about what is being planned for EasyApache 4 delivery. We absolutely want to know what our customers think of this plan! See the link at the end of the blog post to provide us with your feedback.

Improved Operating System Distribution Integration
In order to adjust cPanel & WHM better to the operating system that the server runs, we will move the various Apache files & directories to match the file system paths that CentOS and RHEL use. This will allow better customizations to Apache and make the deployment of new Apache modules a rapid process. Symlinks will be left behind in /usr/local/apache to help old scripts work with the new paths.

With these changes, porting most Apache modules that already have an RPM built for CentOS/RHEL should be relatively easy: tweak the spec file, ensure proper dependencies are provided, and recompile the RPM. Alternatively, it means that the existing resources for building RPMs for Apache modules will remain relevant and follow the process used by RHEL Administrators.

EasyApache Interface to move to the System Package Manager
With the initial release of EasyApache 4, we will move the EasyApache interface to the Package Manager, which will provide an interface for yum. cPanel will create yum repositories that hold the EasyApache4 RPMs, which includes Apache, PHP, and friends. Using yum will also allow your own customized repositories.

To shorten processing time and provide better quality control over the packages, EasyApache will begin utilizing RPMs. This will meet one of our project goals of cPanel & WHM becoming a better member of the Operating System’s ecosystem.


The purpose of this UI is to provide a general-purpose interface into the packages and repositories available on a system.

Multi-PHP Domain Support
The release of EasyApache 4 will include Multi-PHP support at the VirtualHost level. We will utilize Red Hat’s Software Collections to allow the installation of multiple PHP versions simultaneously. WHM and cPanel Interfaces will allow users and administrators to select system level and per-domain default PHP versions. This will be achieved by using AddHandler entries in .htaccess files.


Modern Apache only (2.4)
EasyApache 4 will only provide RPMs for Apache 2.4. This allows us to provide better support for Apache and simplifies the process of rolling out customizations.

Automatic Updates
We plan to automatically update Apache & PHP by default. This will be an opt-out process so that hosts can easily put updates of Apache & PHP under their control.

Introduction to EasyApache 4


Current Status of EasyApache 4


Release Notes For cPanel & WHM 58



P.S. For CloudLinux servers, EasyApache 4 is still in BETA:

Make CloudLinux™ and EasyApache 4 compatible

CloudLinux released support for EasyApache 4 in cPanel & WHM version 56. Read their blog post for how to install EasyApache 4 on your CloudLinux system. This is a beta release.


We absolutely want to hear what you think of our plans for EasyApache4! Please visit the comment thread for this post on our forums.

Ref. link



Good luck!