[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

Mike Hammett nanog at ics-il.net
Thu Dec 22 14:27:44 UTC 2016


Skepticism is of course warranted with such bold claims and little public information to back it up. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

----- Original Message -----

From: "Alexander Lyamin" <la at qrator.net> 
To: "Mike Hammett" <nanog at ics-il.net> 
Cc: "j j santanna" <j.j.santanna at utwente.nl>, "NANOG list" <nanog at nanog.org> 
Sent: Thursday, December 22, 2016 7:53:46 AM 
Subject: Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack 


I just reviewed our data at http://radar.qrator.net provided network list. 


I am highly skeptical. 
<tapping my feet neurotically> 


On Thu, Dec 22, 2016 at 4:51 PM, Mike Hammett < nanog at ics-il.net > wrote: 


Let's wait and see if his stated message of being here to discuss technical matters of the vulnerability with the aforementioned carriers bears anything out. If not, don the torches. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

----- Original Message ----- 

From: "j j santanna" < j.j.santanna at utwente.nl > 
To: jean at ddostest.me 
Cc: nanog at nanog.org 
Sent: Thursday, December 22, 2016 5:01:23 AM 
Subject: Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack 



I am saying! 

As far as I understand you are offering DDoS attacks as a paid service, right? Some people would say that you offer DDoS for hire. What is the difference between your service and a Booter service. Only a “validation" that your client is “stress testing” him/herself does not make you legal. Sorry man but you can NOT claim yourself as a legal/moral acceptable stress tester if you misuse devices on the Internet, such as amplifiers, webshell, and botnets. 

Although you don’t consider yourself a Booter, you are one of them! 

I leave up to you the definition of stupid. 

Cheers, 

Jair Santanna 
jairsantanna.com < http://jairsantanna.com > 



On 22 Dec 2016, at 11:45, Jean | ddostest.me < http://ddostest.me > < jean at ddostest.me <mailto: jean at ddostest.me >> wrote: 

I admit that I have a lot of guts. 

Not sure who said that I am a booter or that I operate a booter. I fight booter since more than 5 years and who would be stupid enough to put his full name with full address to a respected network operators list? Definitely not me. 

I want to help and fix things and I am not the kind of person to break things. 


Jean 

On 16-12-22 03:46 AM, j.j.santanna at utwente.nl <mailto: j.j.santanna at utwente.nl > wrote: 
Hi Jean, 

You are either naive or have a lot of guts to offer a Booter service in one of the most respected network operators list. Man, as long as you use amplifiers (third party services) or botnets your “service” is illegal & immoral. In case you use your own infrastructure or rent a legal (cloud) infrastructure to provide your "service" it will not pay your costs. Not at least by the price that you offer your service: 0, 13, 100 bucks. Even if you have a legal/moral acceptable attack infrastructure, if you throw those big attacks that you advertise will possibly take down many others third-parties on the way. 

Sometimes you folks say that (mis)use amplifiers for “testing” purpose is not a problem because those services are open and publicly available on the Internet. Come on… if I leave my car open with the key inside it doesn’t give you the right to use my car to throw into a third party company. And if you do, it is YOUR CRIME, not mine. 

I don’t need to explain why using botnets is illegal and immoral, right? 

Man, it is up to you decide between cyber crime and cyber security ( https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/cyber-crime-vs-cyber-security-what-will-you-choose ). Now, we are also looking to you on http://booterblacklist.com < http://booterblacklist.com/ >. Thanks! 

Cheers, 

Jair Santanna 




On 22 Dec 2016, at 07:51, Alexander Lyamin < la at qrator.net <mailto: la at qrator.net ><mailto: la at qrator.net >> wrote: 

I am just trying to grasp what is similarity between networks on the list 
and why it doesn't include, say NTT or Cogent. 



On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me < http://ddostest.me/ >< http://ddostest.me/ > via NANOG < 
nanog at nanog.org <mailto: nanog at nanog.org ><mailto: nanog at nanog.org >> wrote: 

Hello all, I'm a first time poster here and hope to follow all rules. 

I found a new way to amplify traffic that would generate really high 
volume of traffic.+10Tbps 

** There is no need for spoofing ** so any device in the world could 
initiate a really big attack or be part of an attack. 

We talk about an amplification factor x100+. This mean that a single 
computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS. 
Imagine what a botnet could do? 

The list of affected business is huge and I would like to privately 
disclose the details to the Tier1 ISP as they are highly vulnerable. 

XO Comm 
PSINET 
Level 3 
Qwest 
Windstream Comm 
Eearthlink 
MCI Comm/Verizon Buss 
Comcast Cable Comm 
AT&T 
Sprint 

I know it's Christmas time and there is no rush in disclosing this but, it 
could be a nice opportunity to meditate and shed some lights on this new 
DDoS threat. We could start the real work in January. 


If you are curious and you operate/manage one of the network mentioned 
above, please write to me at tornaddos at ddostest.me <mailto: tornaddos at ddostest.me ><mailto: tornaddos at ddostest.me > from your job email to 
confirm the identity. I will then forward you the DDoS details. 

Best regards 

Jean St-Laurent 
ddostest.me < http://ddostest.me/ >< http://ddostest.me/ > 
365 boul. Sir-Wilfrid-Laurier #202 
Beloeil, QC J3G 4T2 




-- 

Alexander Lyamin 

CEO | Qrator < http://qrator.net/ >* Labs* 

office: 8-800-3333-LAB (522) 

mob: +7-916-9086122 

skype: melanor9 

mailto: la at qrator.net <mailto: la at qrator.net ><mailto: la at qrator.net > 








-- 







Alexander Lyamin 
CEO | Qrator Labs 
office: 8-800-3333-LAB (522) 
mob: +7-916-9086122 
skype: melanor9 
mailto: la at qrator.net 




More information about the NANOG mailing list