Ransom DDoS attack - need help!

Colin Johnston colinj at gt86car.org.uk
Thu Dec 10 08:20:35 UTC 2015


Fingerprint shows China and Russia related, as expected.
Why do the abuse teams in China and Russia ignore basic abuse reports? Why peer/set up connections to companies where abuse is ignored?

Colin

> On 8 Dec 2015, at 07:24, Joe Morgan <joe at joesdatacenter.com> wrote:
> 
> We received a similar ransom e-mail yesterday followed by a UDP flood
> attack. Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our ip we were seeing 20+Gbps.
> 
> *Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
> during the ddos event:
> ================================================
> 
> Top 10 flows by packets per pecond for dst IP: 96.43.134.147
>  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
>     0.001 UDP      175.43.224.99  1900  22456    2048    2.0 M    5.8 G
>     0.002 UDP    120.199.113.49  1900  54177    2048    1.0 M    2.8 G
>     0.002 UDP    27.208.164.227  1900  54177    2048    1.0 M    2.7 G
>     0.002 UDP      60.209.31.218  1900  16632    2048    1.0 M    3.0 G
>     0.002 UDP      27.220.71.238  1900  22456    2048    1.0 M    3.0 G
>     0.002 UDP      120.236.121.9  1900  62005    2048    1.0 M    2.5 G
>     0.002 UDP    104.137.222.90  1900  14944    2048    1.0 M    3.7 G
>     0.002 UDP      121.27.133.72  1900  44417    2048    1.0 M    3.0 G
>     0.002 UDP        92.241.8.75    53  5575    2048    1.0 M  12.4 G
>     0.002 UDP    120.197.56.134  1900  30672    2048    1.0 M    2.7 G
> 
> Top 10 flows by flows per second for dst IP: 96.43.134.147
>  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
>   248.847 UDP      41.214.2.249    123  47207    8.6 M    34594  133.4 M
>   248.886 UDP    91.208.136.126    123  63775    6.7 M    26813  103.4 M
>   150.893 UDP      85.118.98.253    123  47207    5.1 M    33843  130.5 M
>   151.053 UDP      80.179.166.7    123  63775    5.0 M    33292  128.4 M
>   151.230 UDP      69.31.105.142    123  47207    4.9 M    32657  125.9 M
>   150.436 UDP      182.190.0.17    123  45291    4.8 M    32128  123.9 M
>   248.832 UDP      95.128.184.10    123  63775    4.7 M    19020  73.3 M
>   150.573 UDP      188.162.13.4    123  42571    4.6 M    30514  117.7 M
>   150.261 UDP      205.128.68.5    123  45291    4.2 M    27777  107.1 M
>   149.962 UDP      205.128.68.5    123  42571    4.1 M    27443  105.8 M
> 
> Top 10 flows by bits per second for dst IP: 96.43.134.147
>  Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
>     0.002 UDP        92.241.8.75    53  5575    2048    1.0 M  12.4 G
>     0.003 UDP    190.184.144.74    53  18340    2048  682666    8.3 G
>     0.003 UDP    190.109.218.69    53  63492    2048  682666    8.3 G
>     0.004 UDP    103.251.48.245    53  43701    2048  512000    6.2 G
>     0.004 UDP    46.149.191.239    53  58439    2048  512000    6.2 G
>     0.001 UDP      175.43.224.99  1900  22456    2048    2.0 M    5.8 G
>     0.006 UDP        37.72.70.85    53  63909    2048  341333    4.1 G
>     0.006 UDP    138.204.178.169    53  2162    2048  341333    4.1 G
>     0.006 UDP      200.31.97.107    53  33765    2048  341333    4.1 G
>     0.006 UDP      110.164.58.82    53  61397    2048  341333    4.1 G
> 
> ================================================
> 
> Copy of the e-mail headers:
> 
> Delivered-To: joe at joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
>        Mon, 7 Dec 2015 15:32:22 -0800 (PST)
> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
>        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: <armada.collective at bk.ru>
> Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
>        by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
>        for <joe at joesdatacenter.com>
>        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Received-SPF: pass (google.com: domain of armada.collective at bk.ru
> designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
> Authentication-Results: mx.google.com;
>       spf=pass (google.com: domain of armada.collective at bk.ru
> designates 217.69.141.11 as permitted sender)
> smtp.mailfrom=armada.collective at bk.ru;
>       dkim=pass [email protected];
>       dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=bk.ru; s=mail;
> 	h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
> bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
> 	b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
> Received: from [95.191.131.93] (ident=mail)
> 	by f369.i.mail.ru with local (envelope-from <armada.collective at bk.ru>)
> 	id 1a65GX-0008H5-DO
> 	for joe at joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
> Received: from [95.191.131.93] by e.mail.ru with HTTP;
> 	Tue, 08 Dec 2015 02:32:21 +0300
> From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>
> To: joe at joesdatacenter.com
> Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
> MIME-Version: 1.0
> X-Mailer: Mail.Ru Mailer 1.0
> X-Originating-IP: [95.191.131.93]
> Date: Tue, 08 Dec 2015 02:32:21 +0300
> Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>
> X-Priority: 3 (Normal)
> Message-ID: <1449531141.2696669 at f369.i.mail.ru>
> Content-Type: multipart/alternative;
> 	boundary="--ALT--7N12aTwEB8hvVlFgA0NbUaD4Daicjipu1449531141"
> X-Mras: Ok
> X-Spam: undefined
> 
> Copy of the e-mail:
> From: Armada Collective <armada.collective at bk.ru>
> Subject: Ransom request: DDoS Attack
> 
> Message Body:
> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
> DECISION!
> 
> 
> We are Armada Collective.
> 
> If you haven heard for us, use Google. Recently, we have launched some of
> the largest DDoS attacks in history.
> Check this out, for example:
> https://twitter.com/optucker/status/665470164411023360 (and it was measured
> while we were DDoS-ing 3 other sites at the same time)
> And this: https://twitter.com/optucker/status/666501788607098880
> 
> We will start DDoS-ing your network if you don't pay 20 Bitcoins @
> 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.
> 
> 
> Right now we will start small 30 minutes UDP attack on your site IP:
> 96.43.134.147 It will not be hard, just to prove that we are for real
> Armada Collective.
> 
> If you don't pay by Wednesday, massive attack will start, price to stop
> will increase to 40 BTC and will go up 2 BTC for every hour of attack and
> attack will last for as long as you don't pay.
> 
> In addition, we will be contacting affected customers to explain why they
> are down and recommend them to move to OVH. We will do the same on social
> networks.
> 
> Our attacks are extremely powerful - peaks over 1 Tbps per second.
> 
> Prevent it all with just 20 BTC @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe
> 
> 
> Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
> NEVER AGAIN HEAR FROM US!
> 
> And nobody will ever know you cooperated.
> 
> -- 
> Thank You,
> Joe Morgan - Owner
> Joe's Datacenter, LLC
> http://joesdatacenter.com
> 816-726-7615
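The flow summaries quoted above are a textbook picture of a reflection/amplification flood: every high-volume source is UDP from port 1900 (SSDP), 53 (DNS) or 123 (NTP), i.e. open reflectors answering spoofed queries, not the attacker's own hosts. The script below is an added example, not code from either poster, that parses nfdump-style "Top N flows" rows like the ones in the post, flags the rows that match the reflection pattern, and tallies bandwidth, packet rate and distinct reflector addresses per vector. Assumptions are mine: the counter suffixes ("2.0 M", "5.8 G") are decimal SI prefixes, `PPS_THRESHOLD` is a constructed cut-off that separates reflected floods from ordinary service responses, and the final TCP row in the sample is constructed as a non-matching control.

```python
"""Classify nfdump-style 'Top N flows' rows into DDoS reflection vectors.

Added example for the NANOG thread above; the UDP rows in SAMPLE_FLOWS are
taken from Joe Morgan's post, the TCP row is constructed as a control.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services widely abused as amplifiers. The three seen in the post are
# SSDP (1900), DNS (53) and NTP (123); the others are well-documented vectors.
AMPLIFIER_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP",
                   1900: "SSDP", 11211: "memcached"}

# nfdump prints large counters as "<number> <suffix>"; decimal prefixes assumed.
UNIT = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# Constructed threshold: a genuine DNS/NTP/SSDP answer is a handful of packets,
# a reflected flood is tens of thousands of pps per source. Tune to your baseline.
PPS_THRESHOLD = 10_000

# Rows quoted from the post (UDP) plus one constructed TCP row that must not match.
SAMPLE_FLOWS = """\
Top 10 flows by packets per pecond for dst IP: 96.43.134.147
 Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
    0.001 UDP      175.43.224.99  1900  22456    2048    2.0 M    5.8 G
    0.002 UDP    120.199.113.49  1900  54177    2048    1.0 M    2.8 G
    0.002 UDP        92.241.8.75    53  5575    2048    1.0 M  12.4 G
  248.847 UDP      41.214.2.249    123  47207    8.6 M    34594  133.4 M
  248.886 UDP    91.208.136.126    123  63775    6.7 M    26813  103.4 M
    0.003 UDP    190.184.144.74    53  18340    2048  682666    8.3 G
    1.500 TCP      203.0.113.7    44321    443     120       80   96.0 K
"""


@dataclass
class Flow:
    duration: float
    proto: str
    src_ip: str
    src_port: int
    dst_port: int
    packets: int
    pps: int
    bps: int


def _merge_units(tokens):
    """Join '2.0', 'M' into '2.0M' so every data row has exactly 8 fields."""
    merged, i = [], 0
    while i < len(tokens):
        if i + 1 < len(tokens) and tokens[i + 1] in UNIT:
            merged.append(tokens[i] + tokens[i + 1])
            i += 2
        else:
            merged.append(tokens[i])
            i += 1
    return merged


def _to_int(tok):
    """'8.6M' -> 8600000, '34594' -> 34594."""
    if tok[-1] in UNIT:
        return int(round(float(tok[:-1]) * UNIT[tok[-1]]))
    return int(tok)


def parse_flow(line):
    """Parse one data row; returns None for titles, headers, separators and blanks."""
    fields = _merge_units(line.split())
    if len(fields) != 8 or fields[1] not in ("UDP", "TCP", "ICMP"):
        return None
    try:
        return Flow(float(fields[0]), fields[1], fields[2], int(fields[3]),
                    int(fields[4]), _to_int(fields[5]), _to_int(fields[6]),
                    _to_int(fields[7]))
    except ValueError:
        return None


def reflection_vector(flow):
    """Vector name if the flow looks like reflected amplification traffic, else None."""
    if flow.proto != "UDP" or flow.src_port not in AMPLIFIER_PORTS:
        return None
    if flow.pps < PPS_THRESHOLD:
        return None
    return AMPLIFIER_PORTS[flow.src_port]


def summarize(lines):
    """Per-vector totals of bps and pps plus the set of reflector IPs seen."""
    totals = defaultdict(lambda: {"bps": 0, "pps": 0, "reflectors": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        vector = reflection_vector(flow)
        if vector is None:
            continue
        totals[vector]["bps"] += flow.bps
        totals[vector]["pps"] += flow.pps
        totals[vector]["reflectors"].add(flow.src_ip)
    return dict(totals)


def summarize_sample():
    return summarize(SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    for vector, t in summarize_sample().items():
        print(f"{vector:9s} {t['bps'] / 1e9:6.2f} Gbps {t['pps']:>9,d} pps "
              f"{len(t['reflectors'])} reflectors")
```

The per-vector breakdown is what you want in hand before calling the upstream: it tells you which source ports a FlowSpec or ACL rule on the transit side should match (UDP with source port 1900, 53, 123 towards the victim prefix), and the reflector list is what goes into abuse reports to the networks hosting the open resolvers, NTP servers and SSDP devices. Note that blackholing the destination, as Joe did, stops the collateral damage but also completes the attacker's goal, so source-port filtering upstream is the better first step where the provider supports it.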



