Spike in Endpoint Enumeration Attacks
Over the past year I've noticed an uptick in enumeration attacks on just about any service I deploy.
Whether it's on any cloud provider or on a self-managed server, the moment the service goes up, the first 200 or so requests are from an enumeration attempt. The most recent one originated from Sweden, with around 1000 or so requests.
I would get these attacks before, but the latency from deployment to first request from the attack is very short. Has anyone else noticed this uptick in attacks or requests, or am I just experiencing detection bias?
This occurs on any domain, any new subdomain that gets set up. Are attackers listening to DNS propagation requests?

I'd bet this is due to Certificate Transparency (CT) logs getting scraped in near-real time. Check it out: https://certificate.transparency.dev/logs/

I suspected something like that might be happening. Do you think this is new behavior?
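One way to put numbers on the pattern discussed in this thread, as an added example that is not part of any post above: it scans access-log lines for clients that request many distinct paths and mostly get 403/404 responses, and reports how soon after deployment each one first appeared. The log lines, IP addresses, paths, deployment time and thresholds are all constructed assumptions, and the combined-log-style line format is assumed as well.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:41 +0000] "GET /probe/001 HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2024:10:00:41 +0000] "GET /probe/002 HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2024:10:00:42 +0000] "GET /probe/003 HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2024:10:00:42 +0000] "GET /probe/004 HTTP/1.1" 403 153
203.0.113.7 - - [12/Mar/2024:10:00:43 +0000] "GET /probe/005 HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2024:10:00:43 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2024:10:05:10 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2024:10:05:11 +0000] "GET /static/app.css HTTP/1.1" 200 2048
198.51.100.20 - - [12/Mar/2024:10:05:12 +0000] "GET /missing HTTP/1.1" 404 153
"""
DEPLOYED_AT = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone.utc)  # assumed deploy time
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')

def find_enumerators(log_text, deployed_at, min_paths=5, min_miss_ratio=0.8):
    """Return clients with many distinct paths and a high 403/404 ratio."""
    clients = defaultdict(lambda: {"paths": set(), "total": 0, "misses": 0, "first": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        c = clients[ip]
        c["paths"].add(path)
        c["total"] += 1
        c["misses"] += status in ("403", "404")
        c["first"] = min(c["first"] or when, when)  # earliest request seen
    flagged = {}
    for ip, c in clients.items():
        ratio = c["misses"] / c["total"]
        if len(c["paths"]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {
                "distinct_paths": len(c["paths"]),
                "miss_ratio": round(ratio, 2),
                "seconds_after_deploy": (c["first"] - deployed_at).total_seconds(),
            }
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG, DEPLOYED_AT))
```

Running it against logs from several deployments, with the certificate issuance time in place of the deployment time, gives a direct comparison of first-probe latency rather than an impression.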