Ransom DDoS attack - need help!

Joe Morgan joe at joesdatacenter.com
Tue Dec 8 07:24:34 UTC 2015


We received a similar ransom e-mail yesterday followed by a UDP flood
attack. Here is a sample of the attack traffic we received as well as a
copy of the ransom e-mail. Thought this might be useful to others who have
been targeted as well. I will have to talk with our upstream providers to
get a definitive figure on the size of the attacks. At the point in time we
blackholed our IP we were seeing 20+Gbps.

*Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
during the ddos event:
================================================

Top 10 flows by packets per second for dst IP: 96.43.134.147
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.001 UDP      175.43.224.99  1900  22456    2048    2.0 M    5.8 G
     0.002 UDP    120.199.113.49  1900  54177    2048    1.0 M    2.8 G
     0.002 UDP    27.208.164.227  1900  54177    2048    1.0 M    2.7 G
     0.002 UDP      60.209.31.218  1900  16632    2048    1.0 M    3.0 G
     0.002 UDP      27.220.71.238  1900  22456    2048    1.0 M    3.0 G
     0.002 UDP      120.236.121.9  1900  62005    2048    1.0 M    2.5 G
     0.002 UDP    104.137.222.90  1900  14944    2048    1.0 M    3.7 G
     0.002 UDP      121.27.133.72  1900  44417    2048    1.0 M    3.0 G
     0.002 UDP        92.241.8.75    53  5575    2048    1.0 M  12.4 G
     0.002 UDP    120.197.56.134  1900  30672    2048    1.0 M    2.7 G

Top 10 flows by flows per second for dst IP: 96.43.134.147
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
   248.847 UDP      41.214.2.249    123  47207    8.6 M    34594  133.4 M
   248.886 UDP    91.208.136.126    123  63775    6.7 M    26813  103.4 M
   150.893 UDP      85.118.98.253    123  47207    5.1 M    33843  130.5 M
   151.053 UDP      80.179.166.7    123  63775    5.0 M    33292  128.4 M
   151.230 UDP      69.31.105.142    123  47207    4.9 M    32657  125.9 M
   150.436 UDP      182.190.0.17    123  45291    4.8 M    32128  123.9 M
   248.832 UDP      95.128.184.10    123  63775    4.7 M    19020  73.3 M
   150.573 UDP      188.162.13.4    123  42571    4.6 M    30514  117.7 M
   150.261 UDP      205.128.68.5    123  45291    4.2 M    27777  107.1 M
   149.962 UDP      205.128.68.5    123  42571    4.1 M    27443  105.8 M

Top 10 flows by bits per second for dst IP: 96.43.134.147
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.002 UDP        92.241.8.75    53  5575    2048    1.0 M  12.4 G
     0.003 UDP    190.184.144.74    53  18340    2048  682666    8.3 G
     0.003 UDP    190.109.218.69    53  63492    2048  682666    8.3 G
     0.004 UDP    103.251.48.245    53  43701    2048  512000    6.2 G
     0.004 UDP    46.149.191.239    53  58439    2048  512000    6.2 G
     0.001 UDP      175.43.224.99  1900  22456    2048    2.0 M    5.8 G
     0.006 UDP        37.72.70.85    53  63909    2048  341333    4.1 G
     0.006 UDP    138.204.178.169    53  2162    2048  341333    4.1 G
     0.006 UDP      200.31.97.107    53  33765    2048  341333    4.1 G
     0.006 UDP      110.164.58.82    53  61397    2048  341333    4.1 G

================================================

Copy of the e-mail headers:

Delivered-To: joe at joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
        Mon, 7 Dec 2015 15:32:22 -0800 (PST)
X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Return-Path: <armada.collective at bk.ru>
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
        by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
        for <joe at joesdatacenter.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Received-SPF: pass (google.com: domain of armada.collective at bk.ru
designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of armada.collective at bk.ru
designates 217.69.141.11 as permitted sender)
smtp.mailfrom=armada.collective at bk.ru;
       dkim=pass header.i=@bk.ru;
       dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=bk.ru; s=mail;
	h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
	b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
Received: from [95.191.131.93] (ident=mail)
	by f369.i.mail.ru with local (envelope-from <armada.collective at bk.ru>)
	id 1a65GX-0008H5-DO
	for joe at joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP;
	Tue, 08 Dec 2015 02:32:21 +0300
From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>
To: joe at joesdatacenter.com
Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
MIME-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [95.191.131.93]
Date: Tue, 08 Dec 2015 02:32:21 +0300
Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>
X-Priority: 3 (Normal)
Message-ID: <1449531141.2696669 at f369.i.mail.ru>
Content-Type: multipart/alternative;
	boundary="--ALT--7N12aTwEB8hvVlFgA0NbUaD4Daicjipu1449531141"
X-Mras: Ok
X-Spam: undefined

Copy of the e-mail:
From: Armada Collective <armada.collective at bk.ru>
Subject: Ransom request: DDoS Attack

Message Body:
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
DECISION!


We are Armada Collective.

If you haven heard for us, use Google. Recently, we have launched some of
the largest DDoS attacks in history.
Check this out, for example:
https://twitter.com/optucker/status/665470164411023360 (and it was measured
while we were DDoS-ing 3 other sites at the same time)
And this: https://twitter.com/optucker/status/666501788607098880

We will start DDoS-ing your network if you don't pay 20 Bitcoins @
19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.


Right now we will start small 30 minutes UDP attack on your site IP:
96.43.134.147 It will not be hard, just to prove that we are for real
Armada Collective.

If you don't pay by Wednesday, massive attack will start, price to stop
will increase to 40 BTC and will go up 2 BTC for every hour of attack and
attack will last for as long as you don't pay.

In addition, we will be contacting affected customers to explain why they
are down and recommend them to move to OVH. We will do the same on social
networks.

Our attacks are extremely powerful - peaks over 1 Tbps per second.

Prevent it all with just 20 BTC @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe


Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
NEVER AGAIN HEAR FROM US!

And nobody will ever know you cooperated.

-- 
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615
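The three top-10 tables above all show the same thing: reflected UDP replies from source port 1900 (SSDP), 53 (DNS) and 123 (NTP) toward the victim IP, i.e. a multi-vector reflection/amplification flood rather than traffic from a botnet talking to the site directly. The rows with 0.00x-second durations and multi-Gbps rates are short bursts of large reflected replies; the long-lived NTP rows are sustained 30k pps streams. The following is an added example, not code from the original post: it parses rows in the same column layout as the tables above (a handful of rows copied from them are embedded as the sample), groups them by reflection vector, derives the average on-the-wire packet size from bps/pps, and builds a tcpdump/BPF capture filter that isolates those vectors toward the victim. The column format, the K/M/G suffix convention and the source-port-to-vector mapping are assumptions based on the listing, not facts the post states.

```python
"""Classify rows of a flow-export top-N table by UDP reflection vector.

Added example, not part of the original post. The SAMPLE_FLOWS rows are
copied from the post's flow summary; the table format (Duration, Proto,
Src IP, Src Pt, Dst Pt, Packets, pps, bps with K/M/G suffixes) is assumed
from that listing.
"""
import re
from collections import defaultdict

# Services commonly abused as UDP reflectors, keyed by the *source* port
# that the reflected replies carry (assumed mapping, see lead-in).
REFLECTION_VECTORS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

SUFFIX = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}

# One flow record per line; quantities may carry a space-separated suffix.
ROW_RE = re.compile(
    r"^\s*(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<pkts>[\d.]+(?: [KMG])?)\s+(?P<pps>[\d.]+(?: [KMG])?)\s+"
    r"(?P<bps>[\d.]+(?: [KMG])?)\s*$"
)

# Constructed sample: four rows taken from the post's tables.
SAMPLE_FLOWS = """\
  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
     0.001 UDP      175.43.224.99  1900  22456    2048    2.0 M    5.8 G
   248.847 UDP      41.214.2.249    123  47207    8.6 M    34594  133.4 M
     0.002 UDP        92.241.8.75    53  5575    2048    1.0 M   12.4 G
     0.003 UDP    190.184.144.74    53  18340    2048  682666    8.3 G
"""


def parse_quantity(token):
    """'8.6 M' -> 8600000.0, '2048' -> 2048.0"""
    number, _, suffix = token.partition(" ")
    return float(number) * SUFFIX[suffix]


def parse_rows(text):
    """Turn the text table into a list of flow dicts; non-matching lines
    (the header row, blank lines) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "proto": m["proto"], "src": m["src"],
                "sport": int(m["sport"]), "dport": int(m["dport"]),
                "packets": parse_quantity(m["pkts"]),
                "pps": parse_quantity(m["pps"]),
                "bps": parse_quantity(m["bps"]),
            })
    return rows


def classify(rows):
    """Group UDP rows by reflection vector (source port) and report the
    flow count, distinct reflector IPs, packet total, peak bps and the
    mean packet size per vector."""
    groups = defaultdict(list)
    for r in rows:
        if r["proto"] != "UDP":
            continue
        name = REFLECTION_VECTORS.get(r["sport"], f"udp/{r['sport']}")
        groups[name].append(r)
    result = {}
    for vector, flows in groups.items():
        # bps / pps / 8 is the average on-the-wire packet size of a flow.
        # Reflected replies are large (the spoofed queries that triggered
        # them were small), which is what makes the vector worth abusing.
        sizes = [f["bps"] / f["pps"] / 8 for f in flows if f["pps"]]
        result[vector] = {
            "flows": len(flows),
            "reflectors": sorted({f["src"] for f in flows}),
            "packets": sum(f["packets"] for f in flows),
            "peak_bps": max(f["bps"] for f in flows),
            "avg_pkt_bytes": sum(sizes) / len(sizes) if sizes else 0.0,
        }
    return result


def capture_filter(summary, victim):
    """tcpdump/BPF filter that isolates the observed reflection vectors
    toward the victim, so evidence can be captured without grabbing all
    traffic to the host."""
    ports = sorted(p for p, n in REFLECTION_VECTORS.items() if n in summary)
    port_expr = " or ".join(f"src port {p}" for p in ports)
    return f"udp and dst host {victim} and ({port_expr})"


if __name__ == "__main__":
    summary = classify(parse_rows(SAMPLE_FLOWS))
    for vector, s in summary.items():
        print(f"{vector:5} flows={s['flows']} reflectors={len(s['reflectors'])} "
              f"peak={s['peak_bps'] / 1e9:.1f} Gbps "
              f"avg_pkt={s['avg_pkt_bytes']:.0f} B")
    print(capture_filter(summary, "96.43.134.147"))
```

Run against the sample rows this reports roughly 360-byte SSDP replies, 480-byte NTP replies and 1.5 KB DNS replies, sizes consistent with reflected responses rather than client traffic. The practical use of the per-vector breakdown is that an upstream can drop or rate-limit `udp src port 1900/123/53` toward the victim instead of black-holing the whole IP, which is what the attacker wants to achieve.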
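The e-mail headers quoted above are worth reading bottom-up: the message was injected via mail.ru's webmail (`by e.mail.ru with HTTP`) from 95.191.131.93, which mail.ru also records in `X-Originating-IP`, and it then passed SPF, DKIM and DMARC at Google because it genuinely left mail.ru's own servers. Those `pass` results say nothing about who typed it. The following is an added example, not code from the original post: it walks the `Received` chain oldest-hop-first, pulls the originating client address, and reads the `Authentication-Results` verdicts. The header text is a constructed sample modelled on the quoted headers (with real `@` signs in place of the archive's ` at ` and the folding restored); the regexes for the `from ... by ...` clause are an assumption that covers the hop formats seen here, not a full RFC 5321 trace parser.

```python
"""Walk the Received chain and Authentication-Results of a suspect e-mail.

Added example, not part of the original post. SAMPLE_HEADERS is a
constructed sample modelled on the headers quoted in the post.
"""
import email
import re

SAMPLE_HEADERS = """\
Delivered-To: joe@joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
        Mon, 7 Dec 2015 15:32:22 -0800 (PST)
Return-Path: <armada.collective@bk.ru>
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
        by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
        for <joe@joesdatacenter.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of armada.collective@bk.ru
       designates 217.69.141.11 as permitted sender)
       smtp.mailfrom=armada.collective@bk.ru;
       dkim=pass header.i=@bk.ru;
       dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
Received: from [95.191.131.93] (ident=mail)
        by f369.i.mail.ru with local (envelope-from <armada.collective@bk.ru>)
        id 1a65GX-0008H5-DO
        for joe@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP;
        Tue, 08 Dec 2015 02:32:21 +0300
From: Armada Collective <armada.collective@bk.ru>
To: joe@joesdatacenter.com
Subject: Ransom request: DDoS Attack
X-Originating-IP: [95.191.131.93]

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <host> (<comment>) by <host> ..." with the from-clause optional,
# as in the Google-internal "Received: by 10.79.27.84 ..." hop.
HOP_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+)?by\s+(?P<by>\S+)"
)


def parse_headers(raw):
    """Parse raw header text with the stdlib parser (handles folding)."""
    return email.message_from_string(raw)


def _clean(value):
    """Collapse folded-line whitespace into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def received_chain(msg):
    """Hops oldest-first. Each MTA prepends its Received header, so the
    last Received header in the message is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(_clean(value))
        if not m:
            continue
        origin_text = " ".join(filter(None, (m["from"], m["comment"])))
        ip = IP_RE.search(origin_text)
        hops.append({"from": m["from"], "ip": ip.group(1) if ip else None,
                     "by": m["by"]})
    return hops


def auth_results(msg):
    """Verdicts from Authentication-Results, e.g. {'spf': 'pass', ...}.
    A pass only proves the sending domain's own servers relayed it."""
    value = _clean(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))


def origin_ip(msg):
    """The client that injected the message: X-Originating-IP when the
    webmail provider sets it, otherwise the address in the earliest hop."""
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RE.search(xoip)
        if m:
            return m.group(1)
    for hop in received_chain(msg):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    msg = parse_headers(SAMPLE_HEADERS)
    for i, hop in enumerate(received_chain(msg)):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']}")
    print("auth:", auth_results(msg))
    print("origin:", origin_ip(msg))
```

The origin address is what you would hand to the webmail provider's abuse desk together with the `id` value from the `by f369.i.mail.ru` hop; it may of course be a VPN or proxy exit, so treat it as a lead rather than an attribution.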



More information about the NANOG mailing list