Re: Ransom DDoS attack - need help!

2015-12-10 Thread Ian Clark
FWIW the exact same thing (identical initial ransom email) happened to us
two weeks ago.  The "2 day" message was received on December 3rd.  The
group claiming responsibility has yet to follow through.

The messages came from various bitmessage.ch addresses.

On Wed, Dec 9, 2015 at 10:21 PM, Joe Morgan  wrote:

> Just an update for those following. We have custom in house software that
> watches the traffic flows from our edge routers and automatically
> blackholes any ip getting targeted. The blackhole gets sent upstream which
> is what we did to maintain the network for our customers during the first
> attack. We did not suffer any network outage because of the attacks other
> than our public facing website which honestly is not critical. Since we
> submitted this thread originally we have gotten two responses from "Armada
> Collective". One basically a reminder telling us we had 24 hours left to
> pay. The next came tonight as they were supposed to be hitting us.  The
> second response said they were supposed to be hitting us but decided to
> give us two more days to get the cash into bitcoin. As of right now we have
> not replied to them and have no plans to do so. We never had plans to
> respond or pay them, although telling them what's on my mind sounds
> appealing. We have contacted the FBI and are working with them providing
> info. As for protecting our network from future attacks we put all public
> facing web sites behind Cloudflare and changed the ips from what they were.
> We left the old ips nulled at our edge and with our providers. We plan to
> null any ip they decide to hit and wait it out. As of right now all
> they have done is take our website offline briefly so not much of a
> problem as it has not caused our customers issues. Thanks for all the help
> and info that has been provided and we plan to update this thread as things
> unfold. I know there are others that have had similar demands (several have
> reached out off list.) so hopefully the info is useful.
>
> --
> Thank You,
> Joe Morgan - Owner
> Joe's Datacenter, LLC
> http://joesdatacenter.com
> 816-726-7615
>



-- 
Ian Clark
Lead Network Engineer
DreamHost
m: 818.795.2216


Re: Ransom DDoS attack - need help!

2015-12-10 Thread bzs

On December 10, 2015 at 08:20 col...@gt86car.org.uk (Colin Johnston) wrote:
 > fingerprint shows China and Russia related as expected
 > Why do the abuse teams in China and Russia ignore basic abuse reports, why 
 > peer/setup connections to companies where abuse is ignored.

I wonder how much of this is due to language difficulties.

Imagine if all your abuse messages and lots of this often informal
(and formal) documentation was in Chinese or Russian.

Maybe that leads to more poorly managed network facilities and these
miscreants take advantage of that.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*


Re: Ransom DDoS attack - need help!

2015-12-10 Thread Joe Morgan
These are the three e-mail addresses they have contacted me on so far.

armada.collect...@bk.ru
melvin.webst...@gmail.com
luciennemcglyn...@gmail.com

-- 
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615


Re: Ransom DDoS attack - need help!

2015-12-10 Thread Colin Johnston
fingerprint shows China and Russia related as expected
Why do the abuse teams in China and Russia ignore basic abuse reports, why 
peer/setup connections to companies where abuse is ignored.

Colin

> On 8 Dec 2015, at 07:24, Joe Morgan  wrote:
> 
> We received a similar ransom e-mail yesterday followed by a UDP flood
> attack. Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our ip we were seeing 20+Gbps.
> 
> *Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
> during the ddos event:
> 
> 
> Top 10 flows by packets per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
>      0.001 UDP    175.43.224.99     1900   22456     2048   2.0 M    5.8 G
>      0.002 UDP    120.199.113.49    1900   54177     2048   1.0 M    2.8 G
>      0.002 UDP    27.208.164.227    1900   54177     2048   1.0 M    2.7 G
>      0.002 UDP    60.209.31.218     1900   16632     2048   1.0 M    3.0 G
>      0.002 UDP    27.220.71.238     1900   22456     2048   1.0 M    3.0 G
>      0.002 UDP    120.236.121.9     1900   62005     2048   1.0 M    2.5 G
>      0.002 UDP    104.137.222.90    1900   14944     2048   1.0 M    3.7 G
>      0.002 UDP    121.27.133.72     1900   44417     2048   1.0 M    3.0 G
>      0.002 UDP    92.241.8.75         53    5575     2048   1.0 M   12.4 G
>      0.002 UDP    120.197.56.134    1900   30672     2048   1.0 M    2.7 G
> 
> Top 10 flows by flows per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
>    248.847 UDP    41.214.2.249       123   47207    8.6 M   34594  133.4 M
>    248.886 UDP    91.208.136.126     123   63775    6.7 M   26813  103.4 M
>    150.893 UDP    85.118.98.253      123   47207    5.1 M   33843  130.5 M
>    151.053 UDP    80.179.166.7       123   63775    5.0 M   33292  128.4 M
>    151.230 UDP    69.31.105.142      123   47207    4.9 M   32657  125.9 M
>    150.436 UDP    182.190.0.17       123   45291    4.8 M   32128  123.9 M
>    248.832 UDP    95.128.184.10      123   63775    4.7 M   19020   73.3 M
>    150.573 UDP    188.162.13.4       123   42571    4.6 M   30514  117.7 M
>    150.261 UDP    205.128.68.5       123   45291    4.2 M       2  107.1 M
>    149.962 UDP    205.128.68.5       123   42571    4.1 M   27443  105.8 M
> 
> Top 10 flows by bits per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
>      0.002 UDP    92.241.8.75         53    5575     2048   1.0 M   12.4 G
>      0.003 UDP    190.184.144.74      53   18340     2048  682666    8.3 G
>      0.003 UDP    190.109.218.69      53   63492     2048  682666    8.3 G
>      0.004 UDP    103.251.48.245      53   43701     2048  512000    6.2 G
>      0.004 UDP    46.149.191.239      53   58439     2048  512000    6.2 G
>      0.001 UDP    175.43.224.99     1900   22456     2048   2.0 M    5.8 G
>      0.006 UDP    37.72.70.85         53   63909     2048  341333    4.1 G
>      0.006 UDP    138.204.178.169     53    2162     2048  341333    4.1 G
>      0.006 UDP    200.31.97.107       53   33765     2048  341333    4.1 G
>      0.006 UDP    110.164.58.82       53   61397     2048  341333    4.1 G
> 
> 
> 
> Copy of the e-mail headers:
> 
> Delivered-To: j...@joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
>Mon, 7 Dec 2015 15:32:22 -0800 (PST)
> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
>Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: 
> Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
>by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
>for 
>(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Received-SPF: pass (google.com: domain of armada.collect...@bk.ru
> designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
> Authentication-Results: mx.google.com;
>   spf=pass (google.com: domain of armada.collect...@bk.ru
> designates 217.69.141.11 as permitted sender)
> smtp.mailfrom=armada.collect...@bk.ru;
>   dkim=pass header.i=@bk.ru;
>   dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=bk.ru; s=mail;
>   h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
> bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
>   
> 

Re: Ransom DDoS attack - need help!

2015-12-10 Thread alvin nanog

hi

On 12/10/15 at 11:07am, Joe Morgan wrote:
> These are the three e-mail addresses they have contacted me on so far.
> armada.collect...@bk.ru
> melvin.webst...@gmail.com
> luciennemcglyn...@gmail.com

Ian> messages came from various bitmessage.ch addresses

# i wonder if they all have the same "X-Originating-IP" or the same
# X-Mailer sw which may imply the same script kiddie or the same 
# "group" sending the "i hope they pay up wish list emails"

Barry> I wonder how much of this is due to language difficulties.
Barry>
Barry> Imagine if all your abuse messages and lots of this often informal
Barry> (and formal) documentation was in Chinese or Russian.


i've always thought, since the 80's and 90's, that the computers
( PCs, servers, routers ) managed by non-english speaking folks
and non-computer-geeks ( we seem to call them sys admins and 
IT dept nowadays ) will be more susceptible to "take over"
by those that know how to hijack computers/routers w/o being noticed

given that every culture has their criminals ... there is a possibility
that the english speaking criminals are the ones using mis-configured
servers and routers for their benefit and purposes 

side note, some folks are trying to make $$ with viagra and other meds
but, notice that most of that viagra/meds spam s!@#$ is gone 

there are the email marketer non-nonsense ... probably the ones
controlling the zombie bots ( foreign PCs ) spewing out 25% of the 
world's emails

there are very specific attacks from old culture chinese, N koreans, 
russians and other notorious groups ... etc
that are after certain info ( they may not be after $$$ since its
all gov't $$$ to start with ) .. something to protect against 24x7x365

i'd also worry about the well-known anonymous groups that can actually
carry out the xxxGbps DDoS attacks and take out high profile targets
- they should be sending out their emails from
anonymous servers ... 
- i doubt that google/yahoo could be considered "anonymous"
( non-traceable ) vs throw away temp emails

the nuisance ransoms from script kiddies probably will not
be able to followup, but one did hopefully take preventative
measures spending time and $$$ ... i think they're the ones
asking ( demanding )  for $20 to not the more reasonable
$$$ per specific DDoS multi-national or large local businesses

--

locally, there seems to a modified virus running around infecting 
small business PCs wiping out their silly quickbooks and emails 
contacts unless the small biz pay up $xx,000 within couple days

no warnings or demands by emails ... all automated which also implies
they might not be able to stop the virus even if the ransom was paid

#
# automated, virus controlled ransoms are a very bad thing
#
removing the virus doesn't help .. since it'd already
removed some or all of your email contacts and quickbooks

hopefully they learned NOT to click on attachments

i dunno why the biz's books are exposed to the world
and they don't have clean backups thus their panic to call
the local tv stations ..
( i say they hired a bad outsourced IT dept, but then again,
( some folks tend to be lazy and not listen to the IT dept

magic pixie dust
alvin
# DDoS-Mitigator.net
# Unix'ing since 1970's
#


Re: Ransom DDoS attack - need help!

2015-12-10 Thread Anne Mitchell
Last year when this happened to several large providers, it was a cluster all 
around the same time, and it turned out that it was the same org hitting all of 
them.  This quickly came to light as we (ISIPP) started coordinating with the 
targets, because the attacker was using the same gmail address for 
communicating with each target.  We had a preservation demand served on Google 
(so they wouldn't delete the gmail account when the complaints started 
happening), and the Feds were quickly involved.  In fact, the Basecamp group 
that I mentioned came out of that effort.

It seems that several of you here are now experiencing a similar ransom DDoS, 
all at the same time, so I would be very curious to know if this is similar - 
are the demands all coming from the same individual/email address?  I'd very 
much like to know.  Can each of you who is on the receiving end of this please 
send me the email address associated with the demands?  (I'm on digest here, so 
even if you post it here, *please* also cc: me).

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, Institute for Social Internet Public Policy
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Asilomar Microcomputer Workshop Committee
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop




Re: Ransom DDoS attack - need help!

2015-12-09 Thread alvin nanog

hi jean-f

On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote:
> Since the OP mentioned a "ransom" demand (aka: extortion), should law
> enforcement be contacted in such cases ?

simply saying "these bozos are attempting to extort $100 from me"
with their email demands probably will not get law enforcement's attention

yes ... only after you have done everything you can and ready to take
the attackers to court but need law enforcement to haul them into court
and/or seize their computers for evidence

- (ntpdate/ntpd) sync your clock so that your logs have accurate time 

- check the ip# of the email servers and routers it came thru

  you may or may not need to worry about spoof'ed ip# since they 
  want you to get hold of them to give um the $$

- contact the abuse@-the-ISP  for each of those routers and servers
- traceroute the IP# of the mail servers 
- "whois IP#" and contact each of the ISPs

- contact the ISPs that provide connectivity to your "drop off point"
  of where you "supposed to pay up" ... we're assuming that the
  dropoff point is NOT controlled/owned by the ddos attackers

- since you know what time/date/etc that they threaten to attack,
  you should verify your data on the backup systems
  ( build a clone and keep it offline )

  everybody ( you, the ISP, cops, etc ) can all be watching the 
  DDoS attacks and tracing it back to the originating script kiddie
  or the entire extortion network

  you should also get secondary connectivity to watch the DDoS attacks
  in progress and trace it back to the originating source

  let them attack ( the honeypot ) so you can trace it back...

  tarpit all the tcp-based services so that you have 2 minutes to 
  trace the attacks back to them ... they cannot "hang up" until 
  the tcp connection attempts times out

- when everything is setup ... tell the DDoS attackers the $$$
  is ready for pickup and watch the DDoS attackers attempt to
  collect the $$$ that doesn't really exist

> Is there any experience doing this ? 

yup...

> Are they any help ?

nope if you don't have the info they want see .. 

you should make it easy for them to take action to get court orders 
to haul them in

yup ... if the cops are trying to collect evidence "on the DDoS attackers"
you'd be in luck

yup ... if the DDoS attackers are large enough and/or if they're attacking 
the high profile victims

> In North america, would that mean FBI in USA and RCMP in Canada, or
> local police force which then escalates to proper law enforcement agency ?

escalation starts with you to provide all the necessary info ...
nobody else will be doing that work for you

get hold of the security dept of your ISP  and any other ISP
along the traceroute and whois IP# way back to the DDoS attackers 

ISPs probably have their favorite agents they like to work with
to chase down the xxx-most-wanted DDoS attackers

magic pixie dust
alvin
# DDoS-Mitigator.net



Re: Ransom DDoS attack - need help!

2015-12-09 Thread Stephen
I believe that is what he meant, yeah. Figurative opening of the bank
account - showing them that you're willing to pay makes you a target
for future payments as well.
On Thu, 03 Dec 2015, Daniel Corbe wrote:

> 
> > On Dec 3, 2015, at 10:26 AM, Nick Hilliard  wrote:
> > 
> > On 03/12/2015 08:15, halp us wrote:
> >> a very well known group that has been in the news lately. Recently they've
> >> threatened to carry out a major DDoS attack if they are not paid by a
> >> deadline which is approaching. They've performed an attack of a smaller
> >> magnitude to prove that they're serious.
> > 
> > bear in mind that if you pay a ransom like this:
> > 
> > 1. you're opening up a bank account for them to dip into whenever they feel
> > they need more money.
> 
> Most of these types of service ransom deals are conducted via bitcoin.  So I 
> don’t see how this could be the case unless you mean to say that appeasing 
> your attackers is a bad idea because they might just be emboldened enough to 
> try and extort you again whenever the piggy bank is beginning to run dry.
> 


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Joe Morgan
We received a similar ransom e-mail yesterday followed by a UDP flood
attack. Here is a sample of the attack traffic we received as well as a
copy of the ransom e-mail. Thought this might be useful to others who have
been targeted as well. I will have to talk with our upstream providers to
get a definitive on the size of the attacks. At the point in time we
blackholed our ip we were seeing 20+Gbps.

*Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
during the ddos event:


Top 10 flows by packets per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
     0.001 UDP    175.43.224.99     1900   22456     2048   2.0 M    5.8 G
     0.002 UDP    120.199.113.49    1900   54177     2048   1.0 M    2.8 G
     0.002 UDP    27.208.164.227    1900   54177     2048   1.0 M    2.7 G
     0.002 UDP    60.209.31.218     1900   16632     2048   1.0 M    3.0 G
     0.002 UDP    27.220.71.238     1900   22456     2048   1.0 M    3.0 G
     0.002 UDP    120.236.121.9     1900   62005     2048   1.0 M    2.5 G
     0.002 UDP    104.137.222.90    1900   14944     2048   1.0 M    3.7 G
     0.002 UDP    121.27.133.72     1900   44417     2048   1.0 M    3.0 G
     0.002 UDP    92.241.8.75         53    5575     2048   1.0 M   12.4 G
     0.002 UDP    120.197.56.134    1900   30672     2048   1.0 M    2.7 G

Top 10 flows by flows per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
   248.847 UDP    41.214.2.249       123   47207    8.6 M   34594  133.4 M
   248.886 UDP    91.208.136.126     123   63775    6.7 M   26813  103.4 M
   150.893 UDP    85.118.98.253      123   47207    5.1 M   33843  130.5 M
   151.053 UDP    80.179.166.7       123   63775    5.0 M   33292  128.4 M
   151.230 UDP    69.31.105.142      123   47207    4.9 M   32657  125.9 M
   150.436 UDP    182.190.0.17       123   45291    4.8 M   32128  123.9 M
   248.832 UDP    95.128.184.10      123   63775    4.7 M   19020   73.3 M
   150.573 UDP    188.162.13.4       123   42571    4.6 M   30514  117.7 M
   150.261 UDP    205.128.68.5       123   45291    4.2 M       2  107.1 M
   149.962 UDP    205.128.68.5       123   42571    4.1 M   27443  105.8 M

Top 10 flows by bits per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
     0.002 UDP    92.241.8.75         53    5575     2048   1.0 M   12.4 G
     0.003 UDP    190.184.144.74      53   18340     2048  682666    8.3 G
     0.003 UDP    190.109.218.69      53   63492     2048  682666    8.3 G
     0.004 UDP    103.251.48.245      53   43701     2048  512000    6.2 G
     0.004 UDP    46.149.191.239      53   58439     2048  512000    6.2 G
     0.001 UDP    175.43.224.99     1900   22456     2048   2.0 M    5.8 G
     0.006 UDP    37.72.70.85         53   63909     2048  341333    4.1 G
     0.006 UDP    138.204.178.169     53    2162     2048  341333    4.1 G
     0.006 UDP    200.31.97.107       53   33765     2048  341333    4.1 G
     0.006 UDP    110.164.58.82       53   61397     2048  341333    4.1 G



Copy of the e-mail headers:

Delivered-To: j...@joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
Mon, 7 Dec 2015 15:32:22 -0800 (PST)
X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Return-Path: 
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Received-SPF: pass (google.com: domain of armada.collect...@bk.ru
designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of armada.collect...@bk.ru
designates 217.69.141.11 as permitted sender)
smtp.mailfrom=armada.collect...@bk.ru;
   dkim=pass header.i=@bk.ru;
   dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=bk.ru; s=mail;
h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;

b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
Received: from [95.191.131.93] (ident=mail)
by f369.i.mail.ru with local (envelope-from )
id 1a65GX-0008H5-DO
for j...@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP;
Tue, 08 Dec 2015 02:32:21 +0300
From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= 

Re: Ransom DDoS attack - need help!

2015-12-09 Thread alvin nanog

hi joe

On 12/08/15 at 01:24am, Joe Morgan wrote:
> We received a similar ransom e-mail yesterday 

:-)

dont pay real $$$ ... pretend that it was paid and watch for
them to come get the ransom ... never give your real banking info

ask them, where do you send the "$xx,000" mastercard gift card
by fedex/ups/dhl ... law enforcement might get lucky with real 
physical addresses ... once in a while, there are dumb criminals
that show up on tv news

> followed by a UDP flood attack. 

*pout* or not  ... their demo shows they've got the zombie botnet
capable of sending 20+Gbps  law enforcement and ISP security dept 
"should be interested" to trace them down ... but it takes
tons of (their) resources to take the next steps: who is it and
where are the attackers

*pout* ... udp ddos floods are "expensive" to solve ...

unfortunately, you cannot mitigate any incoming UDP-ddos attacks at your
server/router; udp mitigation has to be done by:
- somehow, you need to find out who they are etc and legally seize their botnet
- your upstream ISP/peer who doesn't send it to you
- or you set up a 2nd pipe at a geographically different colo ( cheaper )
- or you first send your udp traffic thru a ( expensive ) ddos scrubber

the idea of "limit" the udp traffic is basically useless, since
udp packets already came down the wire ... 

you should at least not reply to any udp ddos packet 
- don't send "host not available", etc etc

> Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our ip we were seeing 20+Gbps.
> 
> *Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
> during the ddos event:

since it is a webserver they're playing with ... there's "dozen" things you
can do to mitigate the UDP flood attacks
- web server should only be running apache ...
  remove ntpd, bind, etc, etc, etc aka, remove the risks of udp amplification
- make sure required things like ntpd/sshd etc are using local non-routable ip#
- long common sense list of stuff to do ... including the 4 points listed above

everybody would want the timezone so they can check their "bandwidth" monitor
to see if 20Gbps hurts them too

> Top 10 flows by packets per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
>      0.001 UDP    175.43.224.99     1900   22456     2048   2.0 M    5.8 G
>      0.002 UDP    120.199.113.49    1900   54177     2048   1.0 M    2.8 G
>      0.002 UDP    27.208.164.227    1900   54177     2048   1.0 M    2.7 G

what app do you have that talks to port 1900 ?

these are probably spoof'd src address  but you will never know
until you look up these ip# to see if there is any common link to it
like it all belonging to the same zombie net

for all ListofZombiehosts
do
 - whois 175.43.224.99
 - traceroute 175.43.224.99
done

- udp is primarily used for ntp, dns, nfs, x11, snmp, etc
  if the service is not used, turn off the ntp/bind/nfsd/X11/snmpd daemons

> Top 10 flows by flows per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
>    248.847 UDP    41.214.2.249       123   47207    8.6 M   34594  133.4 M
>    248.886 UDP    91.208.136.126     123   63775    6.7 M   26813  103.4 M
>    150.893 UDP    85.118.98.253      123   47207    5.1 M   33843  130.5 M

they like to play with ntpd ... make sure your NTPd sw is patched

> Top 10 flows by bits per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets     pps      bps
>      0.002 UDP    92.241.8.75         53    5575     2048   1.0 M   12.4 G
>      0.003 UDP    190.184.144.74      53   18340     2048  682666    8.3 G
>      0.003 UDP    190.109.218.69      53   63492     2048  682666    8.3 G

they like to play with DNS ... make sure your bind sw is patched and
properly configured ( not open resolver, etc )

> 
> 
> Copy of the e-mail headers:
> 
> Delivered-To: j...@joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
> Mon, 7 Dec 2015 15:32:22 -0800 (PST)

i assume this ip# is your own local lan ?

> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
> Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: 

something tangible to trace/monitor

good luck trying to get bk.ru and their ISP to help resolve the ransom issue

traceroute bk.ru
traceroute mail.ru

traceroute 217.69.141.11
traceroute 95.191.131.93

whois 217.69.141.11
whois 95.191.131.93

politely rattle the security cages of the NOC for each of the ISPs that
is listed in traceroute and especially the IP# owner

> Received: from 
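The header triage alvin describes above (traceroute/whois the mail.ru MTA and the 95.191.131.93 hop, and check whether several demands share the same originating IP), done as an added example that is not tooling from any poster in this thread. MSG_A is constructed to mirror the Received: chain Joe posted (webmail hop at e.mail.ru, mail.ru MTA, Google MX, internal Google relay); MSG_B, MSG_C and every address in them are invented so that correlation has something to group, and the internal-relay ranges skipped when walking the chain are this example's choice.

```python
"""Walk the Received: chain of a ransom e-mail to the submitting IP and
correlate several demands by that IP.

Added example for this thread, not tooling from any poster. MSG_A mirrors
the header chain posted in the thread; MSG_B/MSG_C and all mailbox names
are constructed. INTERNAL is this example's list of relay ranges to skip.
"""
import email
import ipaddress
import re
from collections import defaultdict
from email.utils import parseaddr

# Hops whose "from" IP lies in these ranges are our own or the provider's
# internal relays and are skipped when looking for the submitting client.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FROM_BY_RE = re.compile(r"^from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message in the shape of the posted headers.
MSG_A = """\
Delivered-To: noc@example.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
        Mon, 7 Dec 2015 15:32:22 -0800 (PST)
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
        by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
        for <noc@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Received: from [95.191.131.93] (ident=mail)
        by f369.i.mail.ru with local (envelope-from <demand-a@bk.ru>)
        id 1a65GX-0008H5-DO
        for noc@example.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP;
        Tue, 08 Dec 2015 02:32:21 +0300
From: Armada Collective <demand-a@bk.ru>
Subject: DDoS notice

pay or we attack
"""

# Same submitting IP, different sender mailbox (constructed).
MSG_B = MSG_A.replace("demand-a@bk.ru", "demand-b@bk.ru")
# Different submitting IP (constructed; 198.51.100.0/24 is TEST-NET-2).
MSG_C = MSG_A.replace("95.191.131.93", "198.51.100.23").replace(
    "demand-a@bk.ru", "demand-c@bk.ru")


def received_hops(raw):
    """Parse every Received: header, newest first, into
    {"ip", "by", "with"}; ip is the bracketed IPv4 of the 'from' host."""
    msg = email.message_from_string(raw)
    hops = []
    for val in msg.get_all("Received", []):
        val = " ".join(val.split())            # unfold continuation lines
        m = FROM_BY_RE.match(val)
        frm = m["frm"] if m else ""
        by = re.search(r"\bby\s+(\S+)", val)
        with_ = re.search(r"\bwith\s+(\S+)", val)
        ips = IPV4_RE.findall(frm)
        hops.append({"ip": ips[0] if ips else None,
                     "by": by[1] if by else None,
                     "with": with_[1].rstrip(";") if with_ else None})
    return hops


def originating_hop(raw):
    """Earliest hop (last Received: header) whose 'from' IP is not an
    internal relay; for webmail that is the browser's IP as the provider
    saw it (the "with HTTP" hop in the posted chain)."""
    for hop in reversed(received_hops(raw)):
        ip = hop["ip"]
        if ip and not any(ipaddress.ip_address(ip) in n for n in INTERNAL):
            return hop
    return None


def correlate(raw_messages):
    """Group sender addresses by submitting IP: one IP behind several
    mailbox names suggests one operator sending all the demands."""
    groups = defaultdict(list)
    for raw in raw_messages:
        hop = originating_hop(raw)
        sender = parseaddr(email.message_from_string(raw)["From"])[1]
        groups[hop["ip"] if hop else "unknown"].append(sender)
    return dict(groups)


if __name__ == "__main__":
    for ip, senders in correlate([MSG_A, MSG_B, MSG_C]).items():
        print(ip, "->", ", ".join(senders))
```

Trust each hop only as far as the MTA that wrote it: the Received: line your own MX adds is authoritative for its peer (217.69.141.11), and the spf/dkim/dmarc passes in the posted headers confirm that mail.ru signed the message for bk.ru, but the 95.191.131.93 claim rests on mail.ru's webmail front end and could be a VPN or proxy exit. That IP and the mailbox names are what a preservation request of the kind Anne describes should name, rather than anything the victim can resolve by traceroute alone.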

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Baldur Norddahl
>
>
> On 10 December 2015 at 01:48, alvin nanog  > wrote:
>
>> what app do you have that talks to port 1900 ?
>>
>
> UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
> also from a reflection attack.
>
>
Sorry, I was made aware that UDP 1900 is SSDP. We still block it :-) To my
knowledge there is no real use case for it and no user has ever complained
about that being blocked.

Regards,

Baldur


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Roland Dobbins

On 8 Dec 2015, at 14:24, Joe Morgan wrote:


At the point in time we blackholed our ip we were seeing 20+Gbps.


These two presos discuss extortion DDoS and UDP reflection/amplification 
attacks, specifically - it isn't necessary to resort to D/RTBH to deal 
with these attacks:






---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Baldur Norddahl
On 10 December 2015 at 01:48, alvin nanog 
wrote:

> what app do you have that talks to port 1900 ?
>

UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
also from a reflection attack.

We filter UDP 1900 at our border. Not to protect our network from attack,
although it still helps. The packets might have come down our IP transit
pipes, which are high capacity, but we can still stop it from doing further
damage at the smaller pipes in our access network.

We filter UDP 1900 because too many of our customers run vulnerable CPE
devices that can be abused as a Chargen reflector. We stop that hard by
dropping UDP 1900 both ingress and egress.

He is being hit with a volume based UDP reflection attack. The IP addresses
are not faked. They all lead back to people that run vulnerable CPE
devices, NTP servers or open DNS resolvers.

Reflection attacks require that you have the ability to send out faked IP
addresses. Botnets are generally unable to do that. Their max attack size
is limited by the bandwidth at the server, where they have the ability to
send out faked UDP packets.

Keep attacking you if you do not pay is bad business. They could be
attacking someone who will pay instead. No one has infinite attack
bandwidth available.

Regards,

Baldur
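Baldur's reading of Joe's flow summary (source port tells you the reflector class: 1900 SSDP, 123 NTP, 53 DNS) and Roland's point that a destination blackhole completes the attack for the attacker both suggest the same triage step: parse the flow records, group the traffic by reflection vector, and derive filters that drop only the reflected UDP toward the victim. The following is an added example, not Joe's in-house blackhole software or any poster's code. SAMPLE_FLOWS is constructed from rows of the posted summary plus one TCP control row; REFLECTOR_PORTS, the 1 Gbps per-vector threshold, the victim address as an argument and the ACL syntax are this example's assumptions.

```python
"""Classify a UDP reflection/amplification flood from an nfdump-style
"top flows" summary and propose source-port filters instead of a
destination blackhole.

Added example for this thread, not any poster's tooling. SAMPLE_FLOWS is
constructed from the posted summary; REFLECTOR_PORTS, the threshold and
the ACL syntax are this example's assumptions.
"""
import re
from collections import defaultdict

# UDP source ports commonly abused as reflectors (assumption: our own
# table; 1900 is SSDP, chargen is 19).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

UNITS = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}

# Constructed sample, same column order as the posted summary:
# Duration Proto SrcIP SrcPt DstPt Packets pps bps
SAMPLE_FLOWS = """\
Top flows (constructed sample)
   0.001 UDP 175.43.224.99   1900 22456 2048  2.0 M   5.8 G
   0.002 UDP 92.241.8.75       53  5575 2048  1.0 M  12.4 G
 248.847 UDP 41.214.2.249     123 47207 8.6 M 34594 133.4 M
   0.006 UDP 200.31.97.107     53 33765 2048 341333   4.1 G
   1.000 TCP 203.0.113.7      443 51000   10     10    80 K
"""

LINE_RE = re.compile(
    r"^\s*(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<pkts>[\d.]+)\s*(?P<pktu>[KMG]?)\s+"
    r"(?P<pps>[\d.]+)\s*(?P<ppsu>[KMG]?)\s+"
    r"(?P<bps>[\d.]+)\s*(?P<bpsu>[KMG]?)\s*$"
)


def parse_flows(text):
    """Return one dict per line in the summary layout; title and header
    lines do not match and are skipped. Unit suffixes are expanded."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append({
            "proto": m["proto"],
            "src": m["src"],
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
            "pps": float(m["pps"]) * UNITS[m["ppsu"]],
            "bps": float(m["bps"]) * UNITS[m["bpsu"]],
        })
    return flows


def classify(flows):
    """Group UDP flows by reflection vector keyed on the *source* port:
    {service: {"bps": summed bps, "sources": set of reflector IPs}}."""
    vectors = defaultdict(lambda: {"bps": 0.0, "sources": set()})
    for f in flows:
        svc = REFLECTOR_PORTS.get(f["sport"])
        if f["proto"] != "UDP" or svc is None:
            continue
        vectors[svc]["bps"] += f["bps"]
        vectors[svc]["sources"].add(f["src"])
    return dict(vectors)


def propose_filters(vectors, victim, min_bps=1e9):
    """For each vector above min_bps, emit an ACL entry that drops only
    UDP *from* the abused service port toward the victim, so the victim
    stays reachable (a D/RTBH of the victim finishes the attacker's job).
    Reflector IPs are returned as S/RTBH candidates to hand upstream."""
    port_of = {svc: port for port, svc in REFLECTOR_PORTS.items()}
    acls, reflectors = [], set()
    for svc in sorted(vectors):
        if vectors[svc]["bps"] < min_bps:
            continue
        acls.append(f"deny udp any eq {port_of[svc]} host {victim} ! {svc} reflection")
        reflectors |= vectors[svc]["sources"]
    return acls, sorted(reflectors)


if __name__ == "__main__":
    vec = classify(parse_flows(SAMPLE_FLOWS))
    for svc, info in sorted(vec.items(), key=lambda kv: -kv[1]["bps"]):
        print(f"{svc:8s} {info['bps'] / 1e9:6.1f} Gbps from {len(info['sources'])} reflector(s)")
    for rule in propose_filters(vec, "96.43.134.147")[0]:
        print(rule)
```

The filter is scoped to the attacked host on purpose: dropping UDP source port 53 or 123 toward a whole prefix would also kill legitimate DNS and NTP replies to every client in it, while a public web server should not be sourcing those queries from its service address in the first place (alvin's point about binding ntpd and the like to non-routable addresses). The long-lived NTP flows in the posted "flows per second" table carry far less bandwidth than the DNS and SSDP bursts, which is why the threshold is applied per vector rather than to the total.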


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Joe Morgan
Just an update for those following. We have custom in house software that
watches the traffic flows from our edge routers and automatically
blackholes any ip getting targeted. The blackhole gets sent upstream which
is what we did to maintain the network for our customers during the first
attack. We did not suffer any network outage because of the attacks other
than our public facing website which honestly is not critical. Since we
submitted this thread originally we have gotten two responses from "Armada
Collective". One basically a reminder telling us we had 24 hours left to
pay. The next came tonight as they were supposed to be hitting us.  The
second response said they were supposed to be hitting us but decided to
give us two more days to get the cash into bitcoin. As of right now we have
not replied to them and have no plans to do so. We never had plans to
respond or pay them, although telling them what's on my mind sounds
appealing. We have contacted the FBI and are working with them providing
info. As for protecting our network from future attacks we put all public
facing web sites behind Cloudflare and changed the ips from what they were.
We left the old ips nulled at our edge and with our providers. We plan to
null any ip they decide to hit and wait it out. As of right now all
they have done is take our website offline briefly so not much of a
problem as it has not caused our customers issues. Thanks for all the help
and info that has been provided and we plan to update this thread as things
unfold. I know there are others that have had similar demands (several have
reached out off list.) so hopefully the info is useful.

-- 
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Roland Dobbins

On 10 Dec 2015, at 13:21, Joe Morgan wrote:

We have custom in house software that watches the traffic flows from 
our edge routers and automatically blackholes any ip getting targeted.


Suggest you take a look at the presos I posted earlier and look into 
S/RTBH, flowspec, some limited QoS, and some preemptive ACLs so that you 
aren't forced into completing the DDoS.


---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-08 Thread Jean-Francois Mezei
Side question:

Since the OP mentioned a "ransom" demand (aka: extortion), should law
enforcement be contacted in such cases ? Is there any experience doing
this ? Are they any help ?

In North america, would that mean FBI in USA and RCMP in Canada, or
local police force which then escalates to proper law enforcement agency ?


Re: Ransom DDoS attack - need help!

2015-12-08 Thread Roland Dobbins

On 9 Dec 2015, at 11:46, Jean-Francois Mezei wrote:

Since the OP mentioned a "ransom" demand (aka: extortion), should law 
enforcement be contacted in such cases ?


Yes.


Is there any experience doing this ?


Yes.


Are they any help ?


Operationally, no.  Investigatively, possibly.



In North america, would that mean FBI in USA and RCMP in Canada


Yes.

or local police force which then escalates to proper law enforcement 
agency ?


If you're asking about US and/or Canada, the relevant national LEA 
generally applies.  In other jurisdictions, it's situationally-specific.


---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-04 Thread Anne Mitchell
Sorry this is so late, I get NANOG in Digest Mode...

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons). If you email me off-list with a
> name/email that you've previously used on-list, I will reply from my real
> email.
> 
> Alternatively, if you can post your experiences on-list with large scale
> high profile ransom DDoS attacks, I'd really appreciate it!

Please contact me offlist, and I will introduce you to the person who says the 
below - they are from $ENORMOUS-ESP, and were deeply involved in the efforts 
during last year's rounds of ransom DDoSs which saw many different targets 
coordinating in fending off the attacks (and working with the FBI).  The 
basecamp group to which he refers is the group of all of the different NOC and 
architect folks from the various companies, who strategized together, and all 
of their info is still there.  I'm familiar with this all as I was part of the 
coordination efforts, as so many of the targets also happened to be customers 
of ours and, you know, lawyer. ;-)

He says:

"I'm happy to invite him to the basecamp if he wants access, just need his 
email.

Otherwise, feel free to share with him that others ended up using prolexic OR 
whatever the other large provider is out there. that seems to be the universal 
solution if they don't want to buy gear and roll their own solution. Amazon and 
Google cloud environments aren't impervious from this stuff, but they are 
getting better, and using some of the same technology."

---

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation Certification
Is Email You Send Being Junked? Get to the Inbox Using Your Own Mail System!
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

"Email marketing is the one place where it's better to ask permission than 
forgiveness." - Me

Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Ret. Professor of Law, Lincoln Law School of San Jose
303-731-2121 | amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell  | LinkedIn/in/annemitchell




Re: Ransom DDoS attack - need help!

2015-12-04 Thread alvin nanog

hi ya roland

On 12/04/15 at 11:09am, Roland Dobbins wrote:
> On 4 Dec 2015, at 9:34, alvin nanog wrote:
> >all that tcpdump jibberish
> 
> Is entirely unnecessary, as well as being completely impractical on a
> network of any size.

up to a point, probing around at the packet level is unnecessary depending
on what one is looking for as the end result

> Reasonable network access policies for the entities under attack plus flow
> telemetry collection/analysis, S/RTBH, and/or flowspec are a good start,
> along with this:

flows may address some of the DDoS issues but might not cover all
the various DDoS attacks and mitigation options and still stay within the
victims possibly non-existent DDoS mitigation budgets

> This business of attempting to use packet captures for everything is the
> equivalent of your doctor attempting to diagnose the reason you're running a
> fever by using an electron microscope.

sometimes, one does need to be able to crawl, before walking, before
running track vs running marathons or find someone that can run for you

in the case of ddos mitigation, no one solution can mitigate against all
the possible various attacks... mitigation is a multi-layered solution

- who-what-when-where-how-why-etc:

- one does need to know what servers, ports and hw is being attacked

  it makes DDoS mitigation a lot easier if you know what is under attack
  and orders of magnitude less expensive to mitigate

- one does need to know who is attacking

  if one cannot defend against low level script kiddie ddos attacks,
  it's unlikely one will survive ddos attacks from a more skilled attacker
  determined to take out a server or break in etc

  if you can and have defended against all the basic script kiddie ddos attacks,
  then it might make it easier to find the next set of the various
  ddos mitigation options you need to take 

- one does need to know how often, what time, they are attacking

  if they are attacking after hours, some folks might not care compared
  to they attacking during regular business hours

- one does need to know how much traffic the attacks are costing you
  in terms of time and loss of productivity due to wasted bandwidth

  even 10% of your bandwidth used up by useless DDoS traffic is still
  noticeably annoying if you were looking to increase network performance

- nobody can really say why they are attacking, other than are you
  a low level fruit for easy picking or a target'd victim for
  many reasons ( paid ransom before, high profile servers, a bank, 
  govt servers, etc ) .. pay once and all the other DDoS ransom attackers
  will come knocking to collect their share

> Start with the BCPs, then move to the macroanalytical.  Only dip into the
> microanalytical when required, and even then, do so very selectively.

yup... selective and escalate the mitigation process and procedure

magic pixie dust
alvin


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins

On 4 Dec 2015, at 9:34, alvin nanog wrote:

> all that tcpdump jibberish

Is entirely unnecessary, as well as being completely impractical on a 
network of any size.


Reasonable network access policies for the entities under attack plus 
flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good 
start, along with this:




This business of attempting to use packet captures for everything is the 
equivalent of your doctor attempting to diagnose the reason you're 
running a fever by using an electron microscope.


Start with the BCPs, then move to the macroanalytical.  Only dip into 
the microanalytical when required, and even then, do so very 
selectively.


---
Roland Dobbins 


Ransom DDoS attack - need help!

2015-12-03 Thread halp us
All,

I've been a NANOG member for many years but I'm emailing from an anonymous
account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from
a very well known group that has been in the news lately. Recently they've
threatened to carry out a major DDoS attack if they are not paid by a
deadline which is approaching. They've performed an attack of a smaller
magnitude to prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude
of the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain
provider contacts/intros) so we can execute our strategy (which I can't
reveal here for obvious reasons). If you email me off-list with a
name/email that you've previously used on-list, I will reply from my real
email.

Alternatively, if you can post your experiences on-list with large scale
high profile ransom DDoS attacks, I'd really appreciate it!

Thanks


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
Sounds like lizardSquad may be at it again
On Dec 3, 2015 8:53 AM, "halp us"  wrote:

> All,
>
> I've been a NANOG member for many years but I'm emailing from an anonymous
> account to reduce the chance of the attackers finding me.
>
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.
>
> Based on certain details that I can't reveal here, we believe the magnitude
> of the upcoming attack may be in the several hundred Gbps.
>
> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons). If you email me off-list with a
> name/email that you've previously used on-list, I will reply from my real
> email.
>
> Alternatively, if you can post your experiences on-list with large scale
> high profile ransom DDoS attacks, I'd really appreciate it!
>
> Thanks
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread John Kristoff
On Thu, 3 Dec 2015 03:15:04 -0500
halp us  wrote:

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I
> can't reveal here for obvious reasons). If you email me off-list with
> a name/email that you've previously used on-list, I will reply from
> my real email.

Hello,

Sorry for your troubles.  I'm happy to try to put you in touch with
people we know or specific providers that may be particularly important
for you, given the path attack traffic may follow to you.  Generally,
however, you need to be working with your upstream providers or peers.
Those are your best friends that are best able to mitigate traffic from
reaching you or to help trace back where it is coming from.

We also operate a free community service called UTRS, which is
essentially just a community remote triggered black hole (RTBH)
service.  Depending on the attack and where it is coming from, it may
be of some help.  It is another tool in the tool box that is relatively
easy to get going.  Technical details and sign up form here:

  
  

In case an attack does come, you must be able to provide some profile
of the attack traffic for others to help.  A sample of the attack
traffic (e.g. a pcap, flow data, logs), including any characteristics
that might help others help you mitigate is important.  This includes
source network, IP address(es) (but they may be spoofed), protocol,
port, packet size, payload, etc... anything that may uniquely identify
the traffic.  Keep track of the time an attack starts and let people
know what time zone you're working in, or convert to UTC (preferred).

> Alternatively, if you can post your experiences on-list with large
> scale high profile ransom DDoS attacks, I'd really appreciate it!

You should consider engaging your local federal law enforcement
office.  Don't expect miracles, but at least have that ball rolling.
They will probably tell you not to pay, and generally you shouldn't.
Keep a good evidence trail.  Be vigilant, but don't panic.

John


Re: Ransom DDoS attack - need help!

2015-12-03 Thread William Herrin
On Thu, Dec 3, 2015 at 3:15 AM, halp us  wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

Hello,

Are you announcing your IP addresses via BGP or does your ISP manage
routing for you?

If BGP, contract with a DDOS mitigator now. During an attack, you
reroute the /24 containing the attacked destination to the mitigator
and let them scrub the bad traffic for you. I have no idea who to
recommend but I believe there was a recent discussion on nanog about
just that subject.

Make sure your ISP provides you with a small block of its addresses so
that you can anchor the tunnel from the DDOS mitigator no matter which
of your announced address blocks is attacked. And test to make sure
your addresses really do reroute to the mitigator at need: your ISP
can do a number of things to foul up your BGP announcement which you
won't notice until you try to reroute.

If not BGP, this is your ISP's problem. Notify them of the threat so
that they can get ready to mitigate it.


As others have said, don't pay the ransom. Even if the current thieves
honor the bargain, it'll become known that you paid. That paints a
great big target on your back for every other thief out there.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Daniel Corbe

> On Dec 3, 2015, at 10:26 AM, Nick Hilliard  wrote:
> 
> On 03/12/2015 08:15, halp us wrote:
>> a very well known group that has been in the news lately. Recently they've
>> threatened to carry out a major DDoS attack if they are not paid by a
>> deadline which is approaching. They've performed an attack of a smaller
>> magnitude to prove that they're serious.
> 
> bear in mind that if you pay a ransom like this:
> 
> 1. you're opening up a bank account for them to dip into whenever they feel
> they need more money.

Most of these types of service ransom deals are conducted via bitcoin.  So I 
don’t see how this could be the case unless you mean to say that appeasing your 
attackers is a bad idea because they might just be emboldened enough to try and 
extort you again whenever the piggy bank is beginning to run dry.



Re: Ransom DDoS attack - need help!

2015-12-03 Thread Nick Hilliard
On 03/12/2015 08:15, halp us wrote:
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

bear in mind that if you pay a ransom like this:

1. you're opening up a bank account for them to dip into whenever they feel
they need more money.

2. you're perpetuating the problem of ddos-or-ransom by turning it into a
viable business.

If you believe that someone who issues a ransom threat will stop if you pay
them off, you're smoking crack.

Nick



RE: Ransom DDoS attack - need help!

2015-12-03 Thread Darden, Patrick
Talk to your upstream provider.  They may already have mitigation in place 
(e.g. Arbor devices).  If not, then if you know much about this anticipated 
attack (and you seem to have some details) they can certainly implement ACLs 
and other moderating  tools.  Regardless, contact the FBI or similar LEA and 
get them involved: extortion and threats for now, and if they follow through 
then you have civil and very possibly criminal proceedings to look forward to.

I also highly recommend you contact EFF.  Start at eff.org

--patrick darden

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of halp us
Sent: Thursday, December 03, 2015 2:15 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Ransom DDoS attack - need help!

All,

I've been a NANOG member for many years but I'm emailing from an anonymous 
account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from a 
very well known group that has been in the news lately. Recently they've 
threatened to carry out a major DDoS attack if they are not paid by a deadline 
which is approaching. They've performed an attack of a smaller magnitude to 
prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude of 
the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain provider 
contacts/intros) so we can execute our strategy (which I can't reveal here for 
obvious reasons). If you email me off-list with a name/email that you've 
previously used on-list, I will reply from my real email.

Alternatively, if you can post your experiences on-list with large scale high 
profile ransom DDoS attacks, I'd really appreciate it!

Thanks


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
None of those names you just mentioned have made the international news.
On Dec 3, 2015 8:59 AM, "Chris Baker"  wrote:

> Can you provide some additional details? Is it someone claiming
> association with a known group like DD4BC or the Armada Collective or
> unbranded?
>
> Cheers,
> CBaker
>
>
> On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds 
> wrote:
>
>> Sounds like lizardSquad may be at it again
>> On Dec 3, 2015 8:53 AM, "halp us"  wrote:
>>
>> > All,
>> >
>> > I've been a NANOG member for many years but I'm emailing from an
>> anonymous
>> > account to reduce the chance of the attackers finding me.
>> >
>> > A company that shall remain anonymous has received a ransom DDoS note
>> from
>> > a very well known group that has been in the news lately. Recently
>> they've
>> > threatened to carry out a major DDoS attack if they are not paid by a
>> > deadline which is approaching. They've performed an attack of a smaller
>> > magnitude to prove that they're serious.
>> >
>> > Based on certain details that I can't reveal here, we believe the
>> magnitude
>> > of the upcoming attack may be in the several hundred Gbps.
>> >
>> > I would really appreciate help in a few areas (primarily with certain
>> > provider contacts/intros) so we can execute our strategy (which I can't
>> > reveal here for obvious reasons). If you email me off-list with a
>> > name/email that you've previously used on-list, I will reply from my
>> real
>> > email.
>> >
>> > Alternatively, if you can post your experiences on-list with large scale
>> > high profile ransom DDoS attacks, I'd really appreciate it!
>> >
>> > Thanks
>> >
>>
>
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:

> If you believe that someone who issues a ransom threat will stop if you pay
> them off, you're smoking crack.

+1

These attacks aren't rocket-science to defend against.

OP, ping me 1:1.

---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins

On 3 Dec 2015, at 15:15, halp us wrote:

> Based on certain details that I can't reveal here, we believe the
> magnitude of the upcoming attack may be in the several hundred Gbps.

They lie.  The largest attacks we've seen from these threat actors are 
in the ~60gb/sec range - which is nothing to shake a stick at, mind.

Many times, they don't follow through.  But you're right to be prepared.

See these two presos:



> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I
> can't reveal here for obvious reasons).

All this super-secret squirrel stuff doesn't help, it's actually a 
hindrance.  The short answer is 'upstream ACLs'.


Nevertheless, contact me 1:1 and I'll work to hook you up with the right 
folks.


---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:04, Josh Reynolds wrote:

> None of those names you just mentioned have made the international news.

Of course they have.

---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
Can you provide some additional details? Is it someone claiming association
with a known group like DD4BC or the Armada Collective or unbranded?

Cheers,
CBaker


On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds  wrote:

> Sounds like lizardSquad may be at it again
> On Dec 3, 2015 8:53 AM, "halp us"  wrote:
>
> > All,
> >
> > I've been a NANOG member for many years but I'm emailing from an
> anonymous
> > account to reduce the chance of the attackers finding me.
> >
> > A company that shall remain anonymous has received a ransom DDoS note
> from
> > a very well known group that has been in the news lately. Recently
> they've
> > threatened to carry out a major DDoS attack if they are not paid by a
> > deadline which is approaching. They've performed an attack of a smaller
> > magnitude to prove that they're serious.
> >
> > Based on certain details that I can't reveal here, we believe the
> magnitude
> > of the upcoming attack may be in the several hundred Gbps.
> >
> > I would really appreciate help in a few areas (primarily with certain
> > provider contacts/intros) so we can execute our strategy (which I can't
> > reveal here for obvious reasons). If you email me off-list with a
> > name/email that you've previously used on-list, I will reply from my real
> > email.
> >
> > Alternatively, if you can post your experiences on-list with large scale
> > high profile ransom DDoS attacks, I'd really appreciate it!
> >
> > Thanks
> >
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
OSINT has a plethora of detail available:

http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130
http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin-ransoms-what-can-we-do-1528253
http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demands-raise-dd4bc-profile

On Thu, Dec 3, 2015 at 10:04 AM, Josh Reynolds  wrote:

> None of those names you just mentioned have made the international news.
> On Dec 3, 2015 8:59 AM, "Chris Baker"  wrote:
>
>> Can you provide some additional details? Is it someone claiming
>> association with a known group like DD4BC or the Armada Collective or
>> unbranded?
>>
>> Cheers,
>> CBaker
>>
>>
>> On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds 
>> wrote:
>>
>>> Sounds like lizardSquad may be at it again
>>> On Dec 3, 2015 8:53 AM, "halp us"  wrote:
>>>
>>> > All,
>>> >
>>> > I've been a NANOG member for many years but I'm emailing from an
>>> anonymous
>>> > account to reduce the chance of the attackers finding me.
>>> >
>>> > A company that shall remain anonymous has received a ransom DDoS note
>>> from
>>> > a very well known group that has been in the news lately. Recently
>>> they've
>>> > threatened to carry out a major DDoS attack if they are not paid by a
>>> > deadline which is approaching. They've performed an attack of a smaller
>>> > magnitude to prove that they're serious.
>>> >
>>> > Based on certain details that I can't reveal here, we believe the
>>> magnitude
>>> > of the upcoming attack may be in the several hundred Gbps.
>>> >
>>> > I would really appreciate help in a few areas (primarily with certain
>>> > provider contacts/intros) so we can execute our strategy (which I can't
>>> > reveal here for obvious reasons). If you email me off-list with a
>>> > name/email that you've previously used on-list, I will reply from my
>>> real
>>> > email.
>>> >
>>> > Alternatively, if you can post your experiences on-list with large
>>> scale
>>> > high profile ransom DDoS attacks, I'd really appreciate it!
>>> >
>>> > Thanks
>>> >
>>>
>>
>>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Dovid Bender
The last I spoke with NTT they said the largest they ever saw was > 300GB
and most of the time they don't follow through. They threaten 100 networks
and hope that x% will pay them off 'just in case'

On Thu, Dec 3, 2015 at 10:20 AM, Roland Dobbins  wrote:

> On 3 Dec 2015, at 15:15, halp us wrote:
>
> Based on certain details that I can't reveal here, we believe the
>> magnitude of the upcoming attack may be in the several hundred Gbps.
>>
>
> They lie.  The largest attacks we've seen from these threat actors are in
> the ~60gb/sec range - which is nothing to shake a stick at, mind.
>
> Many times, they don't follow through.  But you're right to be prepared.
>
> See these two presos:
>
> 
>
> 
>
> I would really appreciate help in a few areas (primarily with certain
>> provider contacts/intros) so we can execute our strategy (which I can't
>> reveal here for obvious reasons).
>>
>
> All this super-secret squirrel stuff doesn't help, it's actually a
> hindrance.  The short answer is 'upstream ACLs'.
>
> Nevertheless, contact me 1:1 and I'll work to hook you up with the right
> folks.
>
> ---
> Roland Dobbins 
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg

> Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should
> be able to mitigate some to much of the damage caused by filled pipes by
> blocking incoming UDP traffic at your ISP level.


This is the Armada Collective, based on the description.  We just went 
through a round with them. The hardest they were able to hit us peaked at 
a little under 80 Gbits/second. Primarily DNS and NTP amplification 
attacks. They also hit our web servers with a little over 80 million 
requests over a one hour period, and played some games with TCP to try to 
mess with the protocol stacks on the servers and network gear.


Cloudflare took care of the web attacks.  For DDoS, something like 
Incapsula will take care of the layer 3 stuff.  Not cheap, but very 
effective.


--lyndon



Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 2:38, Dovid Bender wrote:

> The last I spoke with NTT they said the largest they ever saw was > 300GB

That wasn't DD4BC or Armada Collective.

---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Robban
Hi!
This is my first mail to the list.
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should
be able to mitigate some to much of the damage caused by filled pipes by
blocking incoming UDP traffic at your ISP level.
 
//Robban
 
> * On Thu, Dec 03, 2015 at 03:15:04AM -0500, halp us 
>  wrote:
> > All,
> > 
> > I've been a NANOG member for many years but I'm emailing from an anonymous
> > account to reduce the chance of the attackers finding me.
> > 
> > A company that shall remain anonymous has received a ransom DDoS note from
> > a very well known group that has been in the news lately. Recently they've
> > threatened to carry out a major DDoS attack if they are not paid by a
> > deadline which is approaching. They've performed an attack of a smaller
> > magnitude to prove that they're serious.
> > 
> > Based on certain details that I can't reveal here, we believe the magnitude
> > of the upcoming attack may be in the several hundred Gbps.
> > 
> > I would really appreciate help in a few areas (primarily with certain
> > provider contacts/intros) so we can execute our strategy (which I can't
> > reveal here for obvious reasons). If you email me off-list with a
> > name/email that you've previously used on-list, I will reply from my real
> > email.
> > 
> > Alternatively, if you can post your experiences on-list with large scale
> > high profile ransom DDoS attacks, I'd really appreciate it!
> > 
> > Thanks

-- 
Robert Soderlund


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Clay Curtis
F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
protection.  Don't pay up, use ddos protection.

Clay



On Thu, Dec 3, 2015 at 3:11 PM, Roland Dobbins  wrote:

> On 4 Dec 2015, at 2:38, Dovid Bender wrote:
>
> > The last I spoke with NTT they said the largest they ever saw was > 300GB
>
> That wasn't DD4BC or Armada Collective.
>
> ---
> Roland Dobbins 
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread A.L.M. Buxey
Hi,
> F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
> protection.  Don't pay up, use ddos protection.

you know how many ponder whether AV companies write some of the viruses

;-)

alan


Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog

hi "need help"

On 12/03/15 at 03:15am, halp us wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. 

use an email reader that allows you to see all the received email headers
to see which SMTP routers they came thru to reach your smtp servers

contact each of the ISP that owns those IP# ranges to forewarn them of
your upcoming DDoS attacks .. if you're/we're lucky, the actual DDoS
attacks would pass thru the same ISPs again

> Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

cool .. more proof that they can carry out an attack allows you ( law enforcement
and the ISP ) to track down who they are, where they come from, etc, etc, etc

since you also kinda know what time/date they will be attacking, the ISP and
law enforcement can be watching for the incoming attacks reverse track the
originating and probably cracked routers ... and hopefully, one-in-a-million
chance to find the ddos-extorter's computers

if the extorter is in the same city ( your local bully ) using the same ISP, 
finding the extorter should be trivial

you can also catch the extorter by "pretending" to have put up the 
and tell the FBI/interpol/ISPs/PayPal/etc to watch the non-existent account
for incoming connections from the extorter ... and keep telling the
extorter the $$$ is there even if they can't seem to get their $$$

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons).

most folks would like to see that you have done your "homework" too 
trying to stop incoming DDoS attacks ... aka, you need to able to provide 
them the necessary info for them to help you ...

run tcpdump and/or Ethereal to capture the DDoS attacks

==

---
ALL servers are under kinda harmless script kiddie attacks every second ...
- defend against those ( free ) ddos attacks scenarios
#
# if you cannot figure out how to stop these harmless probes, you're
# gonna be in trouble when the DDoS attacks are intent on their attacks
#
---

Simple things you should do BEFORE getting outside DDoS mitigation help,
because they will probably ask and probably perform the same thing:

- prepare a ( time, $$$, technical expertise ) budget to stop that DDoS attacks

- get the received headers from the extorter's emails
-

- get the ph# and email contacts of your ISP's security dept and
  their peers/uplinks .. similarly for the ph# of your local FBI/police dept

- at a minimum, update patch all servers to today's patch releases
--

- "confirm" means use the FREE online test tools to test your servers
- confirm your DNS servers are NOT open resolvers
- confirm your SMTP servers are NOT open relays

- use the NTP servers from your ISP if you're not sure if your NTPd is secure


---
- install IPtables + tarpit to defend against almost all TCP-based attacks
-   imho, it is pointless to run iptables without tarpit support
-   http://NetworkNightmare.net/Tarpits/#Install

---

- defending against UDP attacks requires you get help from your ISP
- usually against DNS, NTP, NFS, SNMP, X11, etc

- defending against ICMP attacks requires you get help from your ISP

#
# you cannot stop, block, prevent, mitigate UDP-based or ICMP-based
# ddos attacks at your servers ..
#
# the ddos attack damage ( wasting your time, $$$ and bandwidth )
# is already done if it reaches your servers
#

- backup your user ( /home, /etc ) data ...
- build a brand new server from latest distro and restore your data from backup

- if you don't have time for all this DDoS stuff and willing to do only 1 thing,
  install and learn iptables with tarpits on all your servers exposed to the
  internet

- it's trivial or NOT trivial depending on your abilities
- it is trivial ( few minutes/hours work ) for those folks familiar with IPtables

http://IPtables-BlackList.net

- if you do decide to go with outside DDoS scrubbers, you definitely will need $$$

if you don't have the time but have the $$$, hire a couple different DDoS 

Re: Ransom DDoS attack - need help!

2015-12-03 Thread dennis



Many online businesses have learned how to deal with these threats.  Just 
recently Protonmail hit the news and found out the hard way whether to pay or 
NOT.  Have a quick read at the log of events for yourself.
http://arstechnica.com/security/2015/11/how-extorted-e-mail-provider-got-back-online-after-crippling-ddos-attack/

 Original message 
From: Roland Dobbins <rdobb...@arbor.net> 
Date: 12/3/2015  3:10 PM  (GMT-05:00) 
To: NANOG <nanog@nanog.org> 
Subject: Re: Ransom DDoS attack - need help! 

On 3 Dec 2015, at 22:04, Josh Reynolds wrote:

> None of those names you just mentioned have made the international news.

Of course they have.

---
Roland Dobbins <rdobb...@arbor.net>



Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg

On Dec 3, 2015, at 5:00 PM, alvin nanog  wrote:

> run tcpdump and/or etherreal to capture the DDoS attacks

 Of course! If we had only thought of this sooner! 

:-)

--lyndon





Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog

hi lyndon

On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
> On Dec 3, 2015, at 5:00 PM, alvin nanog  
> wrote:
> > run tcpdump and/or etherreal to capture the DDoS attacks
>
>  Of course! If we had only thought of this sooner! 
> :-)

yupperz.. the problem is, capturing is nice, you have all this data ... now
what ...

all that tcpdump jibberish needs to be converted and presented in a format
suitable for the bean counters to allocate $$$ to mitigate and minimize the
effects of the "free n hopefully relatively harmless" DDoS attacks occurring
every second

lets assume required services are properly configured and excluded
- acl's only for your own dns queries
- ssh only from specific ip#
- ntp to/from your isp

lets assume you allow incoming ssh only from w.x.y.z ... all other connections 
are DoS attacks
  tcpdump -n -l ! host w.x.y.z and port 22

lets assume mail is your mail server .. all traffic NOT on port 25 are DoS 
attacks
  tcpdump -n -l host mail.example.com and ! port 25

lets assume www is your web server .. all traffic NOT on port 80 are DoS attacks
  tcpdump -n -l host www.example.com and ! port 80

if you are running all the services ( mail + apache + mysql ) on one server
the remaining tcp connections are DoS attacks
  tcpdump -n -l tcp and host mail.example.com and \( ! port 25 and ! port 80 and ! port 3306 \)

lets assume dns is your dns server .. i consider all tcp traffic from outside 
as DoS attacks
  tcpdump -n -l tcp and host dns.example.com

to see possible udp attacks .. don't forget to exclude your own DNS and NTP 
queries
  tcpdump -n -l udp

to see possible icmp attacks
  tcpdump -n -l icmp

too many gazillions options makes the world go round n round ...
- where does it end :-) ... it doesn't ...

if you get a screenful of data flying by of stuff you don't recognize,
you're probably under light DDoS attacks

magic pixie dust
alvin
http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl
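As an added example that comes from none of the posters in this thread: a short Python profiler that turns NetFlow-style flow records (an assumed CSV export; the flow lines below are constructed) into the attack profile John Kristoff asks for (protocol/port mix, bit rate, top sources, UTC window) and flags the DNS/NTP reflection pattern Lyndon and alvin describe, summarised the way alvin says the raw capture data needs to be. Victim and reflector addresses are from documentation ranges.

```python
"""Attack-traffic profile from NetFlow-style records (constructed sample data).

Turns a burst of flow records into the profile an upstream NOC or LEA contact
will ask for (protocol/port mix, bit rate, top sources, UTC window) and flags
the UDP reflection/amplification signature (large packets *from* DNS/NTP ports).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed NetFlow-style CSV export (assumed format): flow start as epoch
# seconds, addresses from documentation ranges, IP protocol number, ports,
# packet and byte counts.  Victim is 203.0.113.10.
SAMPLE_FLOWS = """\
ts,src,dst,proto,sport,dport,pkts,bytes
1449137700,198.51.100.7,203.0.113.10,17,53,45811,120000,480000000
1449137701,198.51.100.23,203.0.113.10,17,53,45812,110000,440000000
1449137702,192.0.2.44,203.0.113.10,17,123,45813,200000,96000000
1449137702,192.0.2.45,203.0.113.10,17,123,45814,190000,91200000
1449137703,198.51.100.200,203.0.113.10,6,51000,80,800,64000
1449137704,203.0.113.99,203.0.113.10,6,52000,443,40,40000
1449137705,198.51.100.7,203.0.113.10,17,53,45815,115000,460000000
"""

# UDP services commonly abused as reflectors; a flood of large packets
# *from* these source ports is the reflection/amplification signature.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
MIN_REFLECTED_PKT_BYTES = 300   # legitimate DNS/NTP replies to us are far smaller
MIN_VECTOR_SHARE = 0.05         # ignore vectors carrying under 5% of the bytes


def parse_flows(text):
    """Parse the CSV export; every column except the addresses becomes an int."""
    return [
        {k: (v if k in ("src", "dst") else int(v)) for k, v in row.items()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def utc(ts):
    """Epoch seconds -> ISO-8601 UTC, so the window is unambiguous for others."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def profile(flows):
    """Summarise flows into the fields an upstream or LEA contact will ask for."""
    total_bytes = sum(f["bytes"] for f in flows)
    first = min(f["ts"] for f in flows)
    last = max(f["ts"] for f in flows)
    seconds = last - first + 1          # inclusive window of one-second flow starts

    bytes_by_proto = defaultdict(int)
    bytes_by_src = defaultdict(int)
    udp_by_sport = defaultdict(lambda: {"bytes": 0, "pkts": 0})
    for f in flows:
        bytes_by_proto[PROTO_NAMES.get(f["proto"], str(f["proto"]))] += f["bytes"]
        bytes_by_src[f["src"]] += f["bytes"]
        if f["proto"] == 17:
            udp_by_sport[f["sport"]]["bytes"] += f["bytes"]
            udp_by_sport[f["sport"]]["pkts"] += f["pkts"]

    reflection = []
    for sport, agg in udp_by_sport.items():
        avg_pkt = agg["bytes"] / agg["pkts"]
        share = agg["bytes"] / total_bytes
        if sport in REFLECTOR_PORTS and avg_pkt >= MIN_REFLECTED_PKT_BYTES and share >= MIN_VECTOR_SHARE:
            reflection.append({"service": REFLECTOR_PORTS[sport], "sport": sport,
                               "avg_pkt_bytes": round(avg_pkt), "share": round(share, 3)})
    reflection.sort(key=lambda r: -r["share"])

    return {
        "start_utc": utc(first),
        "end_utc": utc(last),
        "gbps": total_bytes * 8 / seconds / 1e9,
        "proto_share": {p: round(b / total_bytes, 3) for p, b in bytes_by_proto.items()},
        # In a reflection attack these are the abused reflectors, not the
        # attacker (whose address is spoofed), so their operators are the
        # ones worth notifying.
        "top_sources": sorted(bytes_by_src.items(), key=lambda kv: -kv[1])[:5],
        "reflection": reflection,
    }


def render(p):
    """Plain-text summary suitable for an abuse-desk or upstream NOC ticket."""
    lines = [f"Window (UTC): {p['start_utc']} .. {p['end_utc']}",
             f"Rate estimate: {p['gbps']:.2f} Gbps",
             "Protocol mix: " + ", ".join(f"{k} {v:.1%}" for k, v in p["proto_share"].items())]
    for r in p["reflection"]:
        lines.append(f"Reflection vector: {r['service']} (UDP src port {r['sport']}), "
                     f"avg {r['avg_pkt_bytes']} B/pkt, {r['share']:.1%} of bytes")
    lines.append("Top sources: " + ", ".join(f"{s} ({b} B)" for s, b in p["top_sources"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(profile(parse_flows(SAMPLE_FLOWS))))
```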