Ransom DDoS attack - need help!
Colin Johnston
colinj at gt86car.org.uk
Thu Dec 10 08:20:35 UTC 2015
fingerprint shows China and Russia related as expected
Why do the abuse teams in China and Russia ignore basic abuse reports? Why peer with, or set up connections to, companies where abuse is ignored?
Colin
> On 8 Dec 2015, at 07:24, Joe Morgan <joe at joesdatacenter.com> wrote:
>
> We received a similar ransom e-mail yesterday followed by a UDP flood
> attack. Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our IP we were seeing 20+Gbps.
>
> Dec/07/2015 5:40:22PM Here is a summary of the flows to our web server IP
> during the ddos event:
> ================================================
>
> Top 10 flows by packets per second for dst IP: 96.43.134.147
> Duration Proto Src IP Addr Src Pt Dst Pt Packets pps bps
> 0.001 UDP 175.43.224.99 1900 22456 2048 2.0 M 5.8 G
> 0.002 UDP 120.199.113.49 1900 54177 2048 1.0 M 2.8 G
> 0.002 UDP 27.208.164.227 1900 54177 2048 1.0 M 2.7 G
> 0.002 UDP 60.209.31.218 1900 16632 2048 1.0 M 3.0 G
> 0.002 UDP 27.220.71.238 1900 22456 2048 1.0 M 3.0 G
> 0.002 UDP 120.236.121.9 1900 62005 2048 1.0 M 2.5 G
> 0.002 UDP 104.137.222.90 1900 14944 2048 1.0 M 3.7 G
> 0.002 UDP 121.27.133.72 1900 44417 2048 1.0 M 3.0 G
> 0.002 UDP 92.241.8.75 53 5575 2048 1.0 M 12.4 G
> 0.002 UDP 120.197.56.134 1900 30672 2048 1.0 M 2.7 G
>
> Top 10 flows by flows per second for dst IP: 96.43.134.147
> Duration Proto Src IP Addr Src Pt Dst Pt Packets pps bps
> 248.847 UDP 41.214.2.249 123 47207 8.6 M 34594 133.4 M
> 248.886 UDP 91.208.136.126 123 63775 6.7 M 26813 103.4 M
> 150.893 UDP 85.118.98.253 123 47207 5.1 M 33843 130.5 M
> 151.053 UDP 80.179.166.7 123 63775 5.0 M 33292 128.4 M
> 151.230 UDP 69.31.105.142 123 47207 4.9 M 32657 125.9 M
> 150.436 UDP 182.190.0.17 123 45291 4.8 M 32128 123.9 M
> 248.832 UDP 95.128.184.10 123 63775 4.7 M 19020 73.3 M
> 150.573 UDP 188.162.13.4 123 42571 4.6 M 30514 117.7 M
> 150.261 UDP 205.128.68.5 123 45291 4.2 M 27777 107.1 M
> 149.962 UDP 205.128.68.5 123 42571 4.1 M 27443 105.8 M
>
> Top 10 flows by bits per second for dst IP: 96.43.134.147
> Duration Proto Src IP Addr Src Pt Dst Pt Packets pps bps
> 0.002 UDP 92.241.8.75 53 5575 2048 1.0 M 12.4 G
> 0.003 UDP 190.184.144.74 53 18340 2048 682666 8.3 G
> 0.003 UDP 190.109.218.69 53 63492 2048 682666 8.3 G
> 0.004 UDP 103.251.48.245 53 43701 2048 512000 6.2 G
> 0.004 UDP 46.149.191.239 53 58439 2048 512000 6.2 G
> 0.001 UDP 175.43.224.99 1900 22456 2048 2.0 M 5.8 G
> 0.006 UDP 37.72.70.85 53 63909 2048 341333 4.1 G
> 0.006 UDP 138.204.178.169 53 2162 2048 341333 4.1 G
> 0.006 UDP 200.31.97.107 53 33765 2048 341333 4.1 G
> 0.006 UDP 110.164.58.82 53 61397 2048 341333 4.1 G
>
> ================================================
>
> Copy of the e-mail headers:
>
> Delivered-To: joe at joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
> Mon, 7 Dec 2015 15:32:22 -0800 (PST)
> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
> Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: <armada.collective at bk.ru>
> Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
> by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
> for <joe at joesdatacenter.com>
> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
> Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Received-SPF: pass (google.com: domain of armada.collective at bk.ru
> designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
> Authentication-Results: mx.google.com;
> spf=pass (google.com: domain of armada.collective at bk.ru
> designates 217.69.141.11 as permitted sender)
> smtp.mailfrom=armada.collective at bk.ru;
> dkim=pass [email protected];
> dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=bk.ru; s=mail;
> h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
> bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
> b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
> Received: from [95.191.131.93] (ident=mail)
> by f369.i.mail.ru with local (envelope-from <armada.collective at bk.ru>)
> id 1a65GX-0008H5-DO
> for joe at joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
> Received: from [95.191.131.93] by e.mail.ru with HTTP;
> Tue, 08 Dec 2015 02:32:21 +0300
> From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>
> To: joe at joesdatacenter.com
> Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
> MIME-Version: 1.0
> X-Mailer: Mail.Ru Mailer 1.0
> X-Originating-IP: [95.191.131.93]
> Date: Tue, 08 Dec 2015 02:32:21 +0300
> Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>
> X-Priority: 3 (Normal)
> Message-ID: <1449531141.2696669 at f369.i.mail.ru>
> Content-Type: multipart/alternative;
> boundary="--ALT--7N12aTwEB8hvVlFgA0NbUaD4Daicjipu1449531141"
> X-Mras: Ok
> X-Spam: undefined
>
> Copy of the e-mail:
> From: Armada Collective <armada.collective at bk.ru>
> Subject: Ransom request: DDoS Attack
>
> Message Body:
> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
> DECISION!
>
>
> We are Armada Collective.
>
> If you haven heard for us, use Google. Recently, we have launched some of
> the largest DDoS attacks in history.
> Check this out, for example:
> https://twitter.com/optucker/status/665470164411023360 (and it was measured
> while we were DDoS-ing 3 other sites at the same time)
> And this: https://twitter.com/optucker/status/666501788607098880
>
> We will start DDoS-ing your network if you don't pay 20 Bitcoins @
> 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.
>
>
> Right now we will start small 30 minutes UDP attack on your site IP:
> 96.43.134.147 It will not be hard, just to prove that we are for real
> Armada Collective.
>
> If you don't pay by Wednesday, massive attack will start, price to stop
> will increase to 40 BTC and will go up 2 BTC for every hour of attack and
> attack will last for as long as you don't pay.
>
> In addition, we will be contacting affected customers to explain why they
> are down and recommend them to move to OVH. We will do the same on social
> networks.
>
> Our attacks are extremely powerful - peaks over 1 Tbps per second.
>
> Prevent it all with just 20 BTC @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe
>
>
> Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
> NEVER AGAIN HEAR FROM US!
>
> And nobody will ever know you cooperated.
>
> --
> Thank You,
> Joe Morgan - Owner
> Joe's Datacenter, LLC
> http://joesdatacenter.com
> 816-726-7615
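As an added example (not part of Joe's post or of any tool he used), here is a small Python parser for flow-summary lines in the layout shown above; it groups sources by the reflection vector that their fixed source port implies (1900 SSDP, 123 NTP, 53 DNS) so an operator can see which vectors carry the most bandwidth and which to filter first. The sample lines are constructed with documentation IP ranges, not copied from the post.

```python
from collections import defaultdict

# Constructed sample in the same layout as the flow summary in the post
# (columns: Duration Proto SrcIP SrcPt DstPt Packets pps bps; values made up).
SAMPLE_FLOWS = """\
Duration Proto Src IP Addr Src Pt Dst Pt Packets pps bps
0.001 UDP 192.0.2.10 1900 22456 2048 2.0 M 5.8 G
0.002 UDP 198.51.100.7 53 5575 2048 1.0 M 12.4 G
248.847 UDP 203.0.113.5 123 47207 8.6 M 34594 133.4 M
0.003 UDP 192.0.2.11 53 18340 2048 682666 8.3 G
"""
# Source ports that identify well-known UDP reflection/amplification vectors.
VECTORS = {53: "DNS", 123: "NTP", 1900: "SSDP"}
UNITS = {"K": 1e3, "M": 1e6, "G": 1e9}

def _numbers(tokens):
    """Yield floats from tokens such as ['2048', '2.0', 'M', '5.8', 'G']."""
    i = 0
    while i < len(tokens):
        value = float(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] in UNITS:   # optional unit suffix
            value *= UNITS[tokens[i]]
            i += 1
        yield value

def parse_flow(line):
    """Parse one flow line into a dict; return None for header/blank lines."""
    tokens = line.split()
    if len(tokens) < 8 or tokens[1] not in ("UDP", "TCP"):
        return None
    duration, proto, src_ip, src_pt, dst_pt = tokens[:5]
    packets, pps, bps = list(_numbers(tokens[5:]))
    return {"duration": float(duration), "proto": proto, "src_ip": src_ip,
            "src_pt": int(src_pt), "dst_pt": int(dst_pt),
            "packets": packets, "pps": pps, "bps": bps}

def summarize_by_vector(text):
    """Count distinct reflectors and record peak bps per amplification vector."""
    summary = defaultdict(lambda: {"sources": set(), "peak_bps": 0.0})
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        vector = VECTORS.get(flow["src_pt"], f"udp/{flow['src_pt']}")
        summary[vector]["sources"].add(flow["src_ip"])
        summary[vector]["peak_bps"] = max(summary[vector]["peak_bps"], flow["bps"])
    return {k: {"sources": len(v["sources"]), "peak_bps": v["peak_bps"]}
            for k, v in summary.items()}
```

A fixed well-known source port on every high-rate flow is the signature of reflection traffic, which is why these vectors can be rate-limited or dropped by source port at the edge while the victim's own DNS and NTP clients keep working.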