NoName057(16) back to targeting UK this week, they're going to run all week. Thread for the week.
Current DDoS config, 17 orgs, UK councils and transport. Approx 70% success rate.
UK Councils doing a much better job at coming back online this time around compared to last month's NoName attacks - 8 out of the 9 targeted (which are still in the botnet DDoS config, so attacks continue) are back online, only eastsuffolk.gov.uk remains down.
So far every council you've mentioned the issues to has pretended it's a generic issue, lol
Edit: although in fairness I guess some of these councils might not actually know the cause
To bring this to life btw about why NoName is so successful in terms of bringing things down - this is the entire config for eastsuffolk.gov.uk, which has been down since 7am UK time.
There's no packet flood. There's no large packets. There's nothing like that. It's a layer 7, application layer attack.
All they do is send lots of web search requests with gibberish -- $_1 and $_5 are just large random strings. It's enough to CPU and memory exhaust most webservers.
Also if anybody is wondering it's less than a thousand attacking IPs, and they're largely volunteers' PCs and mobile phones - this isn't an infected router botnet.
A group of us has been aggressively taking down the config C2s for about a year, which cuts off the volunteers; the numbers are down about 8 times from a year ago, but NoName have become better at their target config.
New UK targets, they intend to expand this later today.
Impacts and tracker: https://stats.uptimerobot.com/TlxHfUlrvc
Keighley.gov.uk is down despite being behind Cloudflare as the host has an opsec error - NoName attack the origin IP which is open to the internet, to bypass Cloudflare.
Very common for NoName to do this, I think they just check online databases for the SSL hostname and attack direct to bypass cloud WAF.
Private company tracker https://stats.uptimerobot.com/fseoaKBaYk
https://keighley.gov.uk have come up with a unique NoName DNS solution today - they redirected their site to Keighley-ddos.gov.uk, which doesn't exist.
NoName UK impact for the day - 3 of the 5 council websites targeted are still down
For some reason NoName still target liverpool.gov.uk, which has had working mitigations for well over a year. They still pretend to their supporters they DDoS that one, but never do. They don't even bother to change their attack config.
Keighley literally redirected their site to a site with "DDoS" in the name.
In private companies/orgs, 3 of the 8 orgs are still down. Albion 8% uptime.
IMHO, NCSC UK should use NoName to get budget for expanding Active Cyber Defence to include a managed WAF for councils (that can be expanded to other public services later).
Cloudflare don't do anything too fancy, just nginx proxies basically - the protection could be recreated without too much cost to shield orgs centrally and give assistance and intelligence on demand.
One other observable from the #NoName activity - same problem as last time they targeted UK: Azure Application Gateway sites folded immediately and never returned.
I’d be really careful if you use that service, NoName definitely know it is weak AF.
NoName UK targets today, I'm 4 hours late.
9 councils, all new (bar Dover, who are getting a revisit)
National Rail
Ministry of Defence Police
From yesterday, the DDoS has stopped but Keighley council's website has been suspended by their webhost.
Albion Water's website has been deleted apparently.
UK public service impact tracker https://stats.uptimerobot.com/TlxHfUlrvc
UK private company impact tracker https://stats.uptimerobot.com/fseoaKBaYk
Portsmouth City Council have stuck Azure WAF in front of their Azure Application Gateway site and managed to get it back online! https://www.portsmouth.gov.uk/
This is a good blog for NoName defence if you use Azure Application Gateway or Azure Front Door
tl;dr you need to put Azure Web Application Firewall in front, configure specific rate-limiting rules, and set them to block. Azure DDoS Protection doesn't work for NoName due to it being layer 7.
The big caveat is you'd have to manually identify and configure rate-limited IPs - which is about a thousand and change as they're driven by volunteers' PCs
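Added example, not the thread's own material: a small Python script that scans web-server access logs for the search-stuffing pattern described earlier in the thread (many /search requests per client carrying long random strings) and returns the client IPs a rate-limit or block rule should cover. The /search path, the log format and the thresholds are assumptions; the log lines are constructed.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3})')

def shannon_entropy(s: str) -> float:
    """Bits per character: English phrases sit around 3-4, random alnum near 4.5+."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def junk_search_sources(lines, search_path="/search", min_hits=3,
                        min_len=20, min_entropy=4.0):
    """Count per-IP search requests whose query values look like random
    padding (long and high entropy) and return the IPs at or above min_hits.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlparse(target)
        if url.path != search_path:
            continue
        if any(len(v) >= min_len and shannon_entropy(v) >= min_entropy
               for vals in parse_qs(url.query).values() for v in vals):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample: 203.0.113.7 stuffs the search box, 198.51.100.3 is a real visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:07:00:01 +0100] "GET /search?q=Xk9pQ2mZ7vL4rT8wB1nH5yJ3 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Sep/2025:07:00:01 +0100] "GET /search?q=aR4tY7uI0pL2kJ9hG6fD3sA1 HTTP/1.1" 200 5123',
    '198.51.100.3 - - [10/Sep/2025:07:00:02 +0100] "GET /search?q=council+tax+bands HTTP/1.1" 200 8810',
    '203.0.113.7 - - [10/Sep/2025:07:00:02 +0100] "GET /search?q=Qw8eR5tY2uI7oP4aS1dF6gH9 HTTP/1.1" 503 312',
    '203.0.113.7 - - [10/Sep/2025:07:00:03 +0100] "GET /search?q=zX3cV6bN9mL2kJ5hG8fD1sA4 HTTP/1.1" 503 312',
    '198.51.100.3 - - [10/Sep/2025:07:00:04 +0100] "GET /bins/collection-days HTTP/1.1" 200 4400',
]

if __name__ == "__main__":
    print(junk_search_sources(SAMPLE_LOG))  # {'203.0.113.7': 4}
```

The returned IPs are what a WAF rate-limit rule (Azure WAF, Cloudflare or an nginx limit_req zone) needs as input; the real visitor's ordinary search is below both the length and entropy thresholds and is never counted.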
As a review of the NoName UK activity for the day
13 sites targeted
3 down at end of day (MOD Police, City of Ely Council, North East Combined Authority)
Councils did a really good job - Belfast City, Crewe Town Council, Eastleigh, Northeast and Leicester had no downtime at all. Dover, Southampton and Portsmouth recovered during the day.
National Rail had zero downtime. HHA (Harwich Haven Authority) recovered a few hours ago.
NoName’s main Russian Telegram channel has been shut down this evening.
If anybody from NCA/NCSC etc that are dealing with Telegram follow me, get them to nuke:
This is 100% of their messaging infrastructure.
NoName UK targets for today. I'm many hours late again as I've been busy doing actual work, @NoName57Bot for live config updates.
All of these are prior targets from prior months, with the same config as before.
I'll set up the uptime tracking now so we see how many implemented mitigations from previous runs or ignored it/didn't have the budget to do anything.
In terms of yesterday's targets, https://www.mod.police.uk is still down, along with https://www.cityofelycouncil.org.uk/
Ministry of Defence Police have not mentioned it anywhere
Medway.gov.uk have done a really good trick to evade NoName - they've disabled their search function. NoName just stuff search with random strings which overloads CPU, it's a really good way to mitigate the problem quickly.
Here's today's NoName impact tracking
Public services: https://stats.uptimerobot.com/TlxHfUlrvc
Private companies/orgs: https://stats.uptimerobot.com/fseoaKBaYk
NoName UK impact for the day
9 UK council websites targeted
3 still down at end of day
4 had no downtime at all
2 disabled search to keep services online 🙌 which is by far the most effective temp mitigation, which was done by sharing the botnet attack config
Of the 4 private business/org sites targeted, 2 stayed 100% online - G4S (physical security org) and Parker Meggit (a Fortune 250 motion and control company).
West Atlantic air freight = 50% downtime.
Lewes county town = still offline
NoName UK run continues. They're reusing same targets and target config from prior attacks.
Config snapshot for today:
Impact tracker: https://stats.uptimerobot.com/TlxHfUlrvc
NoName impact summary for the day is basically the same as it began; the sites online and offline are still the same as when the attacks began for the day.
https://www.mod.police.uk/ is still down
NoName have moved on to France, as… Trump is there 🫡 or something.
I’ll stop tracking threads now as I’m selfish. Although I do enjoy being an undercover Russian, and Russian sense of humour is pretty good (and odd).
Ministry of Defence Police’s website is still down 18 days later. The latest is they’ve tried to move it behind Cloudflare, but don’t know how to configure DNS.
MOD Police’s website is back online today, almost 3 months after NoName DDoS’d it. https://www.mod.police.uk/
For any UK councils caught in the #NoName DDoS thing on Azure in the recent rounds - MS have finally implemented CAPTCHA in Azure Front Door, worth enabling for floods of traffic from the same IPs