Ransom DDoS attack - need help!

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Thu Dec 10 00:48:19 UTC 2015

hi joe

On 12/08/15 at 01:24am, Joe Morgan wrote:
> We received a similar ransom e-mail yesterday 


dont pay real $$$ ... pretend that it was paid and watch for
them to come get the ransom ... never give your real banking info

ask them, where do you send the "$xx,000" mastercard gift card
by fedex/ups/dhl ... law enforcement might get lucky with real 
physical addresses ... once in a while, there are dumb criminals
that show up on tv news

> followed by a UDP flood attack. 

*pout* or not  ... their demo shows they've got the zombie botnet
capable of sending 20+Gbps .... law enforcement and ISP security dept 
"should be interested" to trace them down ... but it takes
tons of (their) resources to take the next steps: who is it and
where are the attackers

*pout* ... udp ddos floods are "expensive" to solve ...

unfortunately, you cannot mitigate any incoming UDP-ddos attacks at your
server/router.... udp mitigation has to be done by"
- somehow, you need to find out who they are etc and legally seize their botnet
- your upstream ISP/peer whom doesn't send it to you
- or you setup and 2nd pipe at a geographically different colo ( cheaper )
- or you first send your udp traffic thru a ( expensive ) ddos scrubber

the idea of "limit" the udp traffic is basically useless, since
udp packets already came down the wire ... 

you should at least not reply to any udp ddos packet 
- don't send "host not available", etc etc

> Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our ip we were seeing 20+Gbps.
> *Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
> during the ddos event:

since it is a webserver they're playing with ... there's "dozen" things you
can do to mitigate the UDP flood attacks
- web server should only be running apache ...
  remove ntpd, bind, etc, etc, etc aka, remove the risks of udp amplification
- make sure required things like ntpd/sshd etc are using local non-routable ip#
- long common sense list of stuff to do ... including the 4 points listed above

everybody would want the timezone so they can check their "bandwidth" monitor
to see if 20Gbps hurts them too

> Top 10 flows by packets per pecond for dst IP:
>   Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
>      0.001 UDP  1900  22456    2048    2.0 M    5.8 G
>      0.002 UDP  1900  54177    2048    1.0 M    2.8 G
>      0.002 UDP  1900  54177    2048    1.0 M    2.7 G

what app do yu have that talks to port 1900 ?

these are probably spoof'd src address .... but you will never know
until you look up these ip# to see if there is any common link to it
like it all belonging to the same zombie net

for all ListofZombiehosts
 - whois
 - traceroute

- udp is primarily used for ntp, dns, nfs, x11, snmp, etc
  if the service is not used, turn off the ntp/bind/nfsd/X11/snmpd daemons

> Top 10 flows by flows per second for dst IP:
>   Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
>    248.847 UDP    123  47207    8.6 M    34594  133.4 M
>    248.886 UDP    123  63775    6.7 M    26813  103.4 M
>    150.893 UDP    123  47207    5.1 M    33843  130.5 M

they like to play with ntpd ... make sure your NTPd sw is patched

> Top 10 flows by bits per second for dst IP:
>   Duration Proto      Src IP Addr Src Pt Dst Pt  Packets      pps      bps
>      0.002 UDP    53  5575    2048    1.0 M  12.4 G
>      0.003 UDP    53  18340    2048  682666    8.3 G
>      0.003 UDP    53  63492    2048  682666    8.3 G

they like to play with DNS ... make sure your bind sw is patched and
properly configured ( not open resolver, etc )

> ================================================
> Copy of the e-mail headers:
> Delivered-To: joe at joesdatacenter.com
> Received: by with SMTP id b81csp1190623ivb;
>         Mon, 7 Dec 2015 15:32:22 -0800 (PST)

i assume this ip# is your own local lan ?

> X-Received: by with SMTP id m199mr28948lfb.157.1449531142088;
>         Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: <armada.collective at bk.ru>

something tangible to trace/monitor

good luck trying to get bk.ru and their ISP to help resolve the ransom issue

	traceroute bk.ru
	traceroute mail.ru



politely rattle the security cages of the NOC for each of the ISPs that
is listed in traceroute and especially the IP# owner

> Received: from f369.i.mail.ru (f369.i.mail.ru. [])
>         by mx.google.com with ESMTPS id 7si214394lfk.103.2015.
>         for <joe at joesdatacenter.com>

> Received: from [] (ident=mail)
> 	by f369.i.mail.ru with local (envelope-from <armada.collective at bk.ru>)
> Received: from [] by e.mail.ru with HTTP;
> 	Tue, 08 Dec 2015 02:32:21 +0300
> From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>

> X-Mailer: Mail.Ru Mailer 1.0

looks like they are using webmail ??

> X-Originating-IP: []

mail.ru knows exactly who is/was using their ip# at 02:32:21 +0300

> Date: Tue, 08 Dec 2015 02:32:21 +0300
> Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective at bk.ru>

> If you haven heard for us, use Google. Recently, we have launched some of
> the largest DDoS attacks in history.
> Check this out, for example:
> https://twitter.com/optucker/status/665470164411023360 (and it was measured
> while we were DDoS-ing 3 other sites at the same time)
> And this: https://twitter.com/optucker/status/666501788607098880
> We will start DDoS-ing your network if you don't pay 20 Bitcoins @
> 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.

orders of magnitude cheaper than tracking down who it is that sent
the email and chasing down their botnet

everybody in the world, should not be using any of the products/services
whom also support bitcoin or any other anonymous payment methods

> Right now we will start small 30 minutes UDP attack on your site IP:
> It will not be hard, just to prove that we are for real
> Armada Collective.

tough group .... the FBI, interpol and especially the russian law 
enforcement group should be interested to get hold of them ... 
it will be expensive in time to track them down while they collect
enough $$$ from lots of folks that dont want to deal with the 
primary issue of ransoms

> If you don't pay by Wednesday, massive attack will start, price to stop
> will increase to 40 BTC and will go up 2 BTC for every hour of attack and
> attack will last for as long as you don't pay.
> In addition, we will be contacting affected customers to explain why they
> are down and recommend them to move to OVH. We will do the same on social
> networks.


> Our attacks are extremely powerful - peaks over 1 Tbps per second.

that should be big enough of an issues that all ISPs between them
and you would want to stop it too

it's gonna be expensive in time and staff to play cat-n-mouse with them

> Do not reply, we will not read. Pay and we will know its you. AND YOU WILL


magic pixie dust
# DDoS-Mitigator.net

More information about the NANOG mailing list