Cyber Incident Victim: Arvan
Date: Nov 2019
Location: Iran
Summary
An Iranian cloud provider experienced a distributed denial-of-service attack leveraging Telegram's MTProxy servers, which Iranian users widely employ to bypass government restrictions on the messaging platform. Attackers redirected proxy traffic to overwhelm the company's edge servers with encrypted, protocol-agnostic requests peaking at 5,000 per second, exploiting the MTProxy infrastructure's anti-censorship design; security teams confirmed the attack vector through traffic simulation, highlighting risks from proxy server misuse in restricted networks.
Description
On November 6, 2019, engineers at Iranian cloud infrastructure provider Arvan Cloud detected an unusual surge in traffic targeting their edge servers, marking the start of a distributed denial-of-service (DDoS) attack. The malicious traffic originated primarily from Iranian IP addresses and persisted throughout the week, peaking at approximately 5,000 requests per second. Analysis revealed that the traffic had atypical characteristics: requests lacked domain definitions, operated at the data link layer (Layer 2), and used non-standard protocols, which distinguished it from prior DDoS incidents the company had observed. Arvan Cloud’s security team traced the traffic to compromised MTProxy servers, tools widely adopted by Iranian Telegram users to circumvent government-imposed bans on the messaging platform. Attackers abused MTProxy functionality by replacing legitimate proxy server addresses with Arvan Cloud’s IP addresses, effectively repurposing Telegram’s encrypted traffic routing system into a DDoS vector. The method relied on Telegram’s architecture, which automatically distributes requests across all IP addresses associated with a proxy domain, so the redirected traffic was spread across the provider’s addresses rather than concentrated on one. While the attack intensity was within manageable thresholds for a cloud provider with DDoS mitigation capabilities, Arvan noted that it could severely disrupt smaller Iranian websites lacking comparable defenses.

Arvan Cloud’s investigation involved simulating the attack pattern to confirm their hypothesis about the MTProxy mechanism’s exploitation. The simulation successfully replicated the traffic patterns observed during the actual incident, validating the team’s assessment. The company attributed the attack’s scale to the prevalence of freely available MTProxy servers in Iran, where Telegram’s user base exceeded 50 million prior to its ban. These servers, designed to bypass state censorship through traffic obfuscation, presented a readily exploitable infrastructure due to their decentralized administration and ease of deployment. Arvan highlighted the inherent risk of proxy server administrators abusing their position to orchestrate DDoS campaigns, emphasizing that the incident underscored broader security challenges within Iran’s internet ecosystem. The attack subsided by the end of the same week, with no additional technical countermeasures or long-term operational disruptions reported by Arvan beyond the initial traffic surge.
