Cybersecurity Newsletter, February 1 - 7
Qrator Newsletter

Greetings, fellow subscribers! As usual on Sundays, we are back with the most relevant and interesting articles published between February 1 and 7, 2021.

Chromium cleans up its act – and daily DNS root server queries drop by 60 billion

"Before the software release, the root server system saw peaks of ~143 billion queries per day," he wrote. "Traffic volumes have since decreased to ~84 billion queries a day. This represents more than a 41 per cent reduction of total query volume."

Reduce requests to critical DNS zones with LocalRoot

"When authoritative servers are unavailable, an ISP's cache will likely help ride out the random bumps that may occur in Internet DNS infrastructure availability. For the root server system's information, RFC 8806 specifies another potential mechanism for functionally pre-caching the entire contents of the root zone at once by pre-filling a pseudo-cache before users even send the resolver a request.
My LocalRoot project at USC/ISI implements and extends RFC 8806 with a number of additional features."

A Wild Kobalos Appears

"ESET Research has analyzed Kobalos, previously unknown and complex multiplatform malware targeting Linux, FreeBSD and Solaris systems. Given that the victims of this threat are mostly high-profile organizations, it seems almost certain this malware is deployed against chosen targets rather than opportunistically. When deployed, this malware gives access to the file system of the compromised host and enables access to a remote terminal, giving the attackers the ability to run arbitrary commands."

BGP, RPKI, and MANRS: 2020 in review

"In 2020, the Internet was a lifeline for many people across the world as COVID-19 shifted schools and businesses online. It was only logical then that we would see an increase in Internet usage across the globe. As Fastly highlighted in this blog post, the global rise in Internet demand was indeed dramatic."

FOSDEM 2021 is taking place this weekend with tons of awesome scheduled talks and presentations.

New Threat: Matryosh Botnet Is Spreading

"On January 25, 2021, 360 netlab BotMon system labeled a suspicious ELF file as Mirai, but the network traffic did not match Mirai's characteristics.
This anomaly caught our attention, and after analysis, we determined that it was a new botnet that reused the Mirai framework, propagated through the ADB interface, and targeted Android-like devices with the main purpose of DDoS attacks.
It redesigns the encryption algorithm and obtains TOR C2 and the TOR proxies from remote hosts via DNS TXT."

Plex Media SSDP (PMSSDP) Reflection/Amplification DDoS Attack Mitigation Recommendations

"On January 7, 2021, Baidu Labs, in a Chinese-language weblog post, described a UDP reflection/amplification DDoS attack vector leveraging Plex Media Server instances running versions of the Plex software prior to 1.21. In early February 2021, NETSCOUT Arbor were notified that reflection/amplification DDoS attacks which appeared to leverage abusable Plex Media Server instances were actively taking place on the public Internet."
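The reflection/amplification pattern the NETSCOUT advisory describes leaves a characteristic trace in flow records: many hosts each answering a small UDP "request" (carrying the spoofed victim address) with a much larger response to the same destination. The following detector is an added example written for this newsletter, not code from NETSCOUT or Plex. It assumes NetFlow-style records reduced to the fields shown, the sample flows, addresses and port numbers are constructed, and the logic is deliberately port-agnostic so it applies to any UDP reflector, not only the Plex service.

```python
"""Flag UDP reflection/amplification victims in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed sample flows (documentation ranges, not real traffic).
# 203.0.113.10 is the address being spoofed (the victim); 198.51.100.1-4 are
# reflectors; 192.0.2.5 <-> 198.51.100.53 is an ordinary DNS exchange.
REFLECTOR_PORT = 32414  # assumed placeholder service port for the sample
SAMPLE_FLOWS = []
for i in range(1, 5):
    reflector = f"198.51.100.{i}"
    # small "request" that appears to come from the victim
    SAMPLE_FLOWS.append(Flow("203.0.113.10", 40000, reflector, REFLECTOR_PORT, "udp", 64, 1))
    # large response from the reflector back to the victim
    SAMPLE_FLOWS.append(Flow(reflector, REFLECTOR_PORT, "203.0.113.10", 40000, "udp", 4000, 4))
SAMPLE_FLOWS.append(Flow("192.0.2.5", 51000, "198.51.100.53", 53, "udp", 60, 1))
SAMPLE_FLOWS.append(Flow("198.51.100.53", 53, "192.0.2.5", 51000, "udp", 200, 1))


def amplification_report(flows, min_ratio=5.0, min_reflectors=3):
    """Return {victim: {"reflectors": n, "ratio": r}} for destinations that
    receive responses from at least min_reflectors hosts, each returning at
    least min_ratio times the bytes the destination "sent" to it."""
    to_dst = defaultdict(lambda: defaultdict(int))    # dst -> src -> bytes received
    from_src = defaultdict(lambda: defaultdict(int))  # src -> dst -> bytes sent
    for f in flows:
        if f.proto != "udp":
            continue
        to_dst[f.dst][f.src] += f.bytes
        from_src[f.src][f.dst] += f.bytes

    report = {}
    for victim, by_peer in to_dst.items():
        reflectors = [
            peer for peer, received in by_peer.items()
            if received >= min_ratio * max(from_src[victim].get(peer, 0), 1)
        ]
        if len(reflectors) < min_reflectors:
            continue
        bytes_in = sum(by_peer[p] for p in reflectors)
        bytes_out = sum(from_src[victim].get(p, 0) for p in reflectors)
        report[victim] = {
            "reflectors": len(reflectors),
            "ratio": bytes_in / max(bytes_out, 1),
        }
    return report


if __name__ == "__main__":
    for victim, info in amplification_report(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['reflectors']} reflectors, "
              f"amplification x{info['ratio']:.1f}")
```

The thresholds are deliberately conservative: a single large UDP reply (a DNS answer, a firmware download) does not trip the check, because the pattern requires several independent responders all returning far more than they were sent. Tune `min_ratio` and `min_reflectors` against the flow volumes on your own network before alerting on the output.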

Running a fake power plant on the internet for a month

"One of the systems often used to get more information about digital attackers is called honeypots. These mechanisms detect attempts at unauthorised use of computer systems. You could think of these as a digital version of bait cars used by the police to catch thieves. For this particular project I wrote a small HoneyTrap listener (an open-source project by DTACT) that can interact with systems scanning for devices on the s7comm protocol."

Linux Kernel vs. Memory Fragmentation (Part I)

"(External) memory fragmentation is a long-standing Linux kernel programming issue. As the system runs, it assigns various tasks to memory pages. Over time, memory gets fragmented, and eventually, a busy system that is up for a long time may have only a few contiguous physical pages.
Because the Linux kernel supports virtual memory management, physical memory fragmentation is often not an issue. With page tables, unless large pages are used, physically scattered memory is still contiguous in the virtual address space."
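A practical way to see the fragmentation the article describes on a running system is to read the buddy allocator's free-block counts from /proc/buddyinfo, where each column is the number of free blocks of order 0, 1, 2, ... (a block of order n is 2^n contiguous pages). The parser below is an added example, not code from the article; it assumes the standard buddyinfo line layout and 4 KiB pages, and the sample text is constructed. It reports how much of a zone's free memory is still available in large contiguous blocks, which is what a long-running system gradually loses.

```python
"""Parse /proc/buddyinfo and measure free-memory fragmentation (added example)."""
import re
from dataclasses import dataclass

PAGE_SIZE = 4096  # assumed; use os.sysconf("SC_PAGE_SIZE") for the local value

# Constructed sample in the format of /proc/buddyinfo: one line per zone,
# then free-block counts for orders 0..10.
SAMPLE_BUDDYINFO = """\
Node 0, zone      DMA      1      1      1      0      2      1      1      0      1      1      3
Node 0, zone   Normal   1000    500    200    100     50     20     10      5      2      1      0
"""

_LINE = re.compile(r"^Node\s+(\d+),\s+zone\s+(\S+)\s+(.*)$")


@dataclass
class Zone:
    node: int
    name: str
    counts: list  # counts[order] = free blocks of 2**order pages

    def free_pages(self):
        return sum(n * (1 << order) for order, n in enumerate(self.counts))

    def pages_at_or_above(self, min_order):
        """Free pages that sit inside blocks of at least min_order."""
        return sum(n * (1 << order)
                   for order, n in enumerate(self.counts) if order >= min_order)

    def contiguous_fraction(self, min_order):
        """Share of free memory still usable for min_order allocations (0..1)."""
        total = self.free_pages()
        return self.pages_at_or_above(min_order) / total if total else 0.0


def parse_buddyinfo(text):
    zones = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # tolerate blank or unexpected lines
        node, name, rest = m.groups()
        zones.append(Zone(int(node), name, [int(c) for c in rest.split()]))
    return zones


def read_buddyinfo(path="/proc/buddyinfo"):
    with open(path) as fh:
        return parse_buddyinfo(fh.read())


def most_fragmented(zones, min_order=9):
    """Name of the zone with the smallest share of free memory in blocks of
    min_order or larger (order 9 is 2 MiB with 4 KiB pages, i.e. one huge page)."""
    return min(zones, key=lambda z: z.contiguous_fraction(min_order)).name


if __name__ == "__main__":
    for z in parse_buddyinfo(SAMPLE_BUDDYINFO):
        free_mib = z.free_pages() * PAGE_SIZE / (1 << 20)
        print(f"node {z.node} zone {z.name:>6}: {free_mib:8.1f} MiB free, "
              f"{z.contiguous_fraction(9):.1%} in >= 2 MiB blocks")
```

Run with `read_buddyinfo()` instead of the sample to check a live host; a zone whose order-9-and-up share drops toward zero while plenty of order-0 pages remain is exactly the "many free pages, few contiguous ones" state the article describes, and is the point at which large allocations start forcing compaction or failing.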

Thanks for being a keen reader!
For feedback, please write to us at cybersec@qrator.net