[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

Thu Dec 22 13:53:46 UTC 2016

I just reviewed our data  at http://radar.qrator.net  provided network list.

I am highly skeptical.
<tapping my feet neurotically>

On Thu, Dec 22, 2016 at 4:51 PM, Mike Hammett <nanog at ics-il.net> wrote:

> Let's wait and see if his stated message of being here to discuss
> technical matters of the vulnerability with the aforementioned carriers
> bears anything out. If not, don the torches.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> ----- Original Message -----
>
> From: "j j santanna" <j.j.santanna at utwente.nl>
> To: jean at ddostest.me
> Cc: nanog at nanog.org
> Sent: Thursday, December 22, 2016 5:01:23 AM
> Subject: Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack
>
> I am saying!
>
> As far as I understand you are offering DDoS attacks as a paid service,
> right? Some people would say that you offer DDoS for hire. What is the
> difference between your service and a Booter service. Only a “validation"
> that your client is “stress testing” him/herself does not make you legal.
> Sorry man but you can NOT claim yourself as a legal/moral acceptable stress
> tester if you misuse devices on the Internet, such as amplifiers, webshell,
> and botnets.
>
> Although you don’t consider yourself a Booter, you are one of them!
>
> I leave up to you the definition of stupid.
>
> Cheers,
>
> Jair Santanna
> jairsantanna.com<http://jairsantanna.com>
>
>
>
> On 22 Dec 2016, at 11:45, Jean | ddostest.me<http://ddostest.me> <
> jean at ddostest.me<mailto:jean at ddostest.me>> wrote:
>
> I admit that I have a lot of guts.
>
> Not sure who said that I am a booter or that I operate a booter. I fight
> booter since more than 5 years and who would be stupid enough to put his
> full name with full address to a respected network operators list?
> Definitely not me.
>
> I want to help and fix things and I am not the kind of person to break
> things.
>
>
> Jean
>
> On 16-12-22 03:46 AM, j.j.santanna at utwente.nl<mailto:
> j.j.santanna at utwente.nl> wrote:
> Hi Jean,
>
> You are either naive or have a lot of guts to offer a Booter service in
> one of the most respected network operators list. Man, as long as you use
> amplifiers (third party services) or botnets your “service” is illegal &
> immoral. In case you use your own infrastructure or rent a legal (cloud)
> infrastructure to provide your "service" it will not pay your costs. Not at
> least by the price that you offer your service: 0, 13, 100 bucks. Even if
> you have a legal/moral acceptable attack infrastructure, if you throw those
> big attacks that you advertise will possibly take down many others
> third-parties on the way.
>
> Sometimes you folks say that (mis)use amplifiers for “testing” purpose is
> not a problem because those services are open and publicly available on the
> Internet. Come on… if I leave my car open with the key inside it doesn’t
> give you the right to use my car to throw into a third party company. And
> if you do, it is YOUR CRIME, not mine.
>
> I don’t need to explain why using botnets is illegal and immoral, right?
>
> Man, it is up to you decide between cyber crime and cyber security (
> https://www.europol.europa.eu/activities-services/public-
> awareness-and-prevention-guides/cyber-crime-vs-cyber-
> security-what-will-you-choose). Now, we are also looking to you on
> http://booterblacklist.com<http://booterblacklist.com/>. Thanks!
>
> Cheers,
>
> Jair Santanna
>
>
>
>
> On 22 Dec 2016, at 07:51, Alexander Lyamin <la at qrator.net<mailto:la@
> qrator.net><mailto:la at qrator.net>> wrote:
>
> I am just trying to grasp what is similarity between networks on the list
> and why it doesn't include, say NTT or Cogent.
>
>
>
> On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me<http://ddostest.me/><
> http://ddostest.me/> via NANOG <
> nanog at nanog.org<mailto:nanog at nanog.org><mailto:nanog at nanog.org>> wrote:
>
> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate really high
> volume of traffic.+10Tbps
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We talk about an amplification factor x100+. This mean that a single
> computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS.
> Imagine what a botnet could do?
>
> The list of affected business is huge and I would like to privately
> disclose the details to the Tier1 ISP as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Eearthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT&T
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this but, it
> could be a nice opportunity to meditate and shed some lights on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the network mentioned
> above, please write to me at tornaddos at ddostest.me<mailto:t
> ornaddos at ddostest.me><mailto:tornaddos at ddostest.me> from your job email to
> confirm the identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me<http://ddostest.me/><http://ddostest.me/>
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>
>
>
>
> --
>
> Alexander Lyamin
>
> CEO | Qrator <http://qrator.net/>* Labs*
>
> office: 8-800-3333-LAB (522)
>
> mob: +7-916-9086122
>
> skype: melanor9
>
> mailto: la at qrator.net<mailto:la at qrator.net><mailto:la at qrator.net>
>
>
>

-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800-3333-LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  la at qrator.net