[186320] in North American Network Operators' Group
Re: Ransom DDoS attack - need help!
daemon@ATHENA.MIT.EDU (Colin Johnston)
Thu Dec 10 03:20:41 2015
X-Original-To: nanog@nanog.org
From: Colin Johnston <colinj@gt86car.org.uk>
In-Reply-To: <CAKDS_tnZysQSQfoQve3X78FB5cO8HgD=jfFWBt1wz=ySrsxbsw@mail.gmail.com>
Date: Thu, 10 Dec 2015 08:20:35 +0000
To: Joe Morgan <joe@joesdatacenter.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
fingerprint shows China and Russia related as expected
Why do the abuse teams in China and Russia ignore basic abuse reports, and why peer/set up connections to companies where abuse is ignored?
Colin
> On 8 Dec 2015, at 07:24, Joe Morgan <joe@joesdatacenter.com> wrote:
>
> We received a similar ransom e-mail yesterday followed by a UDP flood
> attack. Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive figure on the size of the attacks. At the point in time we
> blackholed our IP we were seeing 20+ Gbps.
>
> Dec/07/2015 5:40:22PM: Here is a summary of the flows to our web server IP
> during the DDoS event:
> ============================================================
>
> Top 10 flows by packets per second for dst IP: 96.43.134.147
> Duration  Proto  Src IP Addr      Src Pt  Dst Pt  Packets  pps     bps
>    0.001  UDP    175.43.224.99    1900    22456   2048     2.0 M   5.8 G
>    0.002  UDP    120.199.113.49   1900    54177   2048     1.0 M   2.8 G
>    0.002  UDP    27.208.164.227   1900    54177   2048     1.0 M   2.7 G
>    0.002  UDP    60.209.31.218    1900    16632   2048     1.0 M   3.0 G
>    0.002  UDP    27.220.71.238    1900    22456   2048     1.0 M   3.0 G
>    0.002  UDP    120.236.121.9    1900    62005   2048     1.0 M   2.5 G
>    0.002  UDP    104.137.222.90   1900    14944   2048     1.0 M   3.7 G
>    0.002  UDP    121.27.133.72    1900    44417   2048     1.0 M   3.0 G
>    0.002  UDP    92.241.8.75      53      5575    2048     1.0 M   12.4 G
>    0.002  UDP    120.197.56.134   1900    30672   2048     1.0 M   2.7 G
>
> Top 10 flows by flows per second for dst IP: 96.43.134.147
> Duration  Proto  Src IP Addr      Src Pt  Dst Pt  Packets  pps     bps
>  248.847  UDP    41.214.2.249     123     47207   8.6 M    34594   133.4 M
>  248.886  UDP    91.208.136.126   123     63775   6.7 M    26813   103.4 M
>  150.893  UDP    85.118.98.253    123     47207   5.1 M    33843   130.5 M
>  151.053  UDP    80.179.166.7     123     63775   5.0 M    33292   128.4 M
>  151.230  UDP    69.31.105.142    123     47207   4.9 M    32657   125.9 M
>  150.436  UDP    182.190.0.17     123     45291   4.8 M    32128   123.9 M
>  248.832  UDP    95.128.184.10    123     63775   4.7 M    19020   73.3 M
>  150.573  UDP    188.162.13.4     123     42571   4.6 M    30514   117.7 M
>  150.261  UDP    205.128.68.5     123     45291   4.2 M    27777   107.1 M
>  149.962  UDP    205.128.68.5     123     42571   4.1 M    27443   105.8 M
>
> Top 10 flows by bits per second for dst IP: 96.43.134.147
> Duration  Proto  Src IP Addr      Src Pt  Dst Pt  Packets  pps     bps
>    0.002  UDP    92.241.8.75      53      5575    2048     1.0 M   12.4 G
>    0.003  UDP    190.184.144.74   53      18340   2048     682666  8.3 G
>    0.003  UDP    190.109.218.69   53      63492   2048     682666  8.3 G
>    0.004  UDP    103.251.48.245   53      43701   2048     512000  6.2 G
>    0.004  UDP    46.149.191.239   53      58439   2048     512000  6.2 G
>    0.001  UDP    175.43.224.99    1900    22456   2048     2.0 M   5.8 G
>    0.006  UDP    37.72.70.85      53      63909   2048     341333  4.1 G
>    0.006  UDP    138.204.178.169  53      2162    2048     341333  4.1 G
>    0.006  UDP    200.31.97.107    53      33765   2048     341333  4.1 G
>    0.006  UDP    110.164.58.82    53      61397   2048     341333  4.1 G
>
> ============================================================
>
> Copy of the e-mail headers:
>
> Delivered-To: joe@joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
>         Mon, 7 Dec 2015 15:32:22 -0800 (PST)
> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
>         Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: <armada.collective@bk.ru>
> Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
>         by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
>         for <joe@joesdatacenter.com>
>         (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>         Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Received-SPF: pass (google.com: domain of armada.collective@bk.ru
>         designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
> Authentication-Results: mx.google.com;
>         spf=pass (google.com: domain of armada.collective@bk.ru
>         designates 217.69.141.11 as permitted sender)
>         smtp.mailfrom=armada.collective@bk.ru;
>         dkim=pass header.i=@bk.ru;
>         dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>         d=bk.ru; s=mail;
>         h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
>         bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
>         b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
> Received: from [95.191.131.93] (ident=mail)
>         by f369.i.mail.ru with local (envelope-from <armada.collective@bk.ru>)
>         id 1a65GX-0008H5-DO
>         for joe@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
> Received: from [95.191.131.93] by e.mail.ru with HTTP;
>         Tue, 08 Dec 2015 02:32:21 +0300
> From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru>
> To: joe@joesdatacenter.com
> Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
> MIME-Version: 1.0
> X-Mailer: Mail.Ru Mailer 1.0
> X-Originating-IP: [95.191.131.93]
> Date: Tue, 08 Dec 2015 02:32:21 +0300
> Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru>
> X-Priority: 3 (Normal)
> Message-ID: <1449531141.2696669@f369.i.mail.ru>
> Content-Type: multipart/alternative;
>         boundary="--ALT--7N12aTwEB8hvVlFgA0NbUaD4Daicjipu1449531141"
> X-Mras: Ok
> X-Spam: undefined
>
> Copy of the e-mail:
> From: Armada Collective <armada.collective@bk.ru>
> Subject: Ransom request: DDoS Attack
>
> Message Body:
> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
> DECISION!
>
>
> We are Armada Collective.
>
> If you haven heard for us, use Google. Recently, we have launched some of
> the largest DDoS attacks in history.
> Check this out, for example:
> https://twitter.com/optucker/status/665470164411023360 (and it was measured
> while we were DDoS-ing 3 other sites at the same time)
> And this: https://twitter.com/optucker/status/666501788607098880
>
> We will start DDoS-ing your network if you don't pay 20 Bitcoins @
> 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.
>
>
> Right now we will start small 30 minutes UDP attack on your site IP:
> 96.43.134.147 It will not be hard, just to prove that we are for real
> Armada Collective.
>
> If you don't pay by Wednesday, massive attack will start, price to stop
> will increase to 40 BTC and will go up 2 BTC for every hour of attack and
> attack will last for as long as you don't pay.
>
> In addition, we will be contacting affected customers to explain why they
> are down and recommend them to move to OVH. We will do the same on social
> networks.
>
> Our attacks are extremely powerful - peaks over 1 Tbps per second.
>
> Prevent it all with just 20 BTC @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe
>
>
> Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
> NEVER AGAIN HEAR FROM US!
>
> And nobody will ever know you cooperated.
>
> --
> Thank You,
> Joe Morgan - Owner
> Joe's Datacenter, LLC
> http://joesdatacenter.com
> 816-726-7615