[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

Mike Hammett nanog at ics-il.net
Thu Dec 22 13:51:25 UTC 2016

Let's wait and see if his stated message of being here to discuss technical matters of the vulnerability with the aforementioned carriers bears anything out. If not, don the torches. 

Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

----- Original Message -----

From: "j j santanna" <j.j.santanna at utwente.nl> 
To: jean at ddostest.me 
Cc: nanog at nanog.org 
Sent: Thursday, December 22, 2016 5:01:23 AM 
Subject: Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack 

I am saying! 

As far as I understand you are offering DDoS attacks as a paid service, right? Some people would say that you offer DDoS for hire. What is the difference between your service and a Booter service. Only a “validation" that your client is “stress testing” him/herself does not make you legal. Sorry man but you can NOT claim yourself as a legal/moral acceptable stress tester if you misuse devices on the Internet, such as amplifiers, webshell, and botnets. 

Although you don’t consider yourself a Booter, you are one of them! 

I leave up to you the definition of stupid. 


Jair Santanna 

On 22 Dec 2016, at 11:45, Jean | ddostest.me<http://ddostest.me> <jean at ddostest.me<mailto:jean at ddostest.me>> wrote: 

I admit that I have a lot of guts. 

Not sure who said that I am a booter or that I operate a booter. I fight booter since more than 5 years and who would be stupid enough to put his full name with full address to a respected network operators list? Definitely not me. 

I want to help and fix things and I am not the kind of person to break things. 


On 16-12-22 03:46 AM, j.j.santanna at utwente.nl<mailto:j.j.santanna at utwente.nl> wrote: 
Hi Jean, 

You are either naive or have a lot of guts to offer a Booter service in one of the most respected network operators list. Man, as long as you use amplifiers (third party services) or botnets your “service” is illegal & immoral. In case you use your own infrastructure or rent a legal (cloud) infrastructure to provide your "service" it will not pay your costs. Not at least by the price that you offer your service: 0, 13, 100 bucks. Even if you have a legal/moral acceptable attack infrastructure, if you throw those big attacks that you advertise will possibly take down many others third-parties on the way. 

Sometimes you folks say that (mis)use amplifiers for “testing” purpose is not a problem because those services are open and publicly available on the Internet. Come on… if I leave my car open with the key inside it doesn’t give you the right to use my car to throw into a third party company. And if you do, it is YOUR CRIME, not mine. 

I don’t need to explain why using botnets is illegal and immoral, right? 

Man, it is up to you decide between cyber crime and cyber security (https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/cyber-crime-vs-cyber-security-what-will-you-choose). Now, we are also looking to you on http://booterblacklist.com<http://booterblacklist.com/>. Thanks! 


Jair Santanna 

On 22 Dec 2016, at 07:51, Alexander Lyamin <la at qrator.net<mailto:la at qrator.net><mailto:la at qrator.net>> wrote: 

I am just trying to grasp what is similarity between networks on the list 
and why it doesn't include, say NTT or Cogent. 

On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me<http://ddostest.me/><http://ddostest.me/> via NANOG < 
nanog at nanog.org<mailto:nanog at nanog.org><mailto:nanog at nanog.org>> wrote: 

Hello all, I'm a first time poster here and hope to follow all rules. 

I found a new way to amplify traffic that would generate really high 
volume of traffic.+10Tbps 

** There is no need for spoofing ** so any device in the world could 
initiate a really big attack or be part of an attack. 

We talk about an amplification factor x100+. This mean that a single 
computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS. 
Imagine what a botnet could do? 

The list of affected business is huge and I would like to privately 
disclose the details to the Tier1 ISP as they are highly vulnerable. 

XO Comm 
Level 3 
Windstream Comm 
MCI Comm/Verizon Buss 
Comcast Cable Comm 

I know it's Christmas time and there is no rush in disclosing this but, it 
could be a nice opportunity to meditate and shed some lights on this new 
DDoS threat. We could start the real work in January. 

If you are curious and you operate/manage one of the network mentioned 
above, please write to me at tornaddos at ddostest.me<mailto:tornaddos at ddostest.me><mailto:tornaddos at ddostest.me> from your job email to 
confirm the identity. I will then forward you the DDoS details. 

Best regards 

Jean St-Laurent 
365 boul. Sir-Wilfrid-Laurier #202 
Beloeil, QC J3G 4T2 


Alexander Lyamin 

CEO | Qrator <http://qrator.net/>* Labs* 

office: 8-800-3333-LAB (522) 

mob: +7-916-9086122 

skype: melanor9 

mailto: la at qrator.net<mailto:la at qrator.net><mailto:la at qrator.net> 

More information about the NANOG mailing list