Thread: DDOS Extortion
-
10-19-2016, 07:47 AM #1Junior Guru Wannabe
- Join Date
- Nov 2015
- Posts
- 31
DDOS Extortion
Hi WHTers,
I have seen forum posts before about hackers threatening to DDoS your site/network, but it had never happened to us until yesterday, when we received the following mail:
======================================================================
-------- Forwarded Message --------
Subject: DDOS ATTACK ON YOU
Date: Mon, 17 Oct 2016 23:51:54 -0000
From: annasenpai@sigaint.org
To: xxxx
IMPORTANT!
Redirect this e-mail to your CEO/CFO/any kind of such person
Aloha! My name is Anna-senpai.
Recently I've decided to leave DDoS industry and released the source code
of my /mirai botnet/
(google if you aren't familiar with this) for free to everyone.
I had my rest and..
Now I am returning to DDoS industry.
Last months I've worked on the code improvement and empowering my new
botnet with vulnerabilities in AvTech products.
So.
Your network will be DDoS-ed in 96 hours if you will not pay 2 Bitcoins at
1E97ZxBF5EKPAt56s9wSheUPcRUzp7kwLG address.
If you will not pay in time, DDoS attack will start, your web-services will
go down permanently. After that, price to stop will be increased to 5 BTC
with further increment of 5 BTC for every day of attack.
NOTE, I'm not joking.
My attacks are extremely powerful now - now average 700-800Gbps, sometimes
over 1 Tbps per second. It will pass any remote protections, no current
protection systems can help.
Once payment is done, send me an e-mail with the number of the wallet from
you have paid, so I can identify you.
Make right decision.
======================================================================
I am almost sure that this is an empty threat, as shown in articles like this one https://blog.cloudflare.com/empty-dd...da-collective/ but there is still this unsettling feeling that it might turn out to be real, especially while the 96-hour period is not over yet. We do have 200 Gbit/s DDoS protection, which I know was able to mitigate 50-70 Gbit/s attacks in the past with ease (have not seen any larger attacks yet), but still, 1 Tbps per second is way too much. Until recently such attacks were not possible. As far as my knowledge goes, the biggest attacks for the last 2-3 years reached 350-400 Gbit/s, but with a little bit of googling I did find a rather recent article https://krebsonsecurity.com/2016/10/...ed/#more-36541 detailing a 600+ Gbit/s attack. Most probably this is a copycat and not the real Anna-senpai, who was the mastermind behind the Mirai botnet.
According to this forum post https://hackforums.net/showthread.php?tid=5420472 that person did launch a 600 Gbit/s attack on Krebs on Security and a 1 Tbit/s combined DDoS attack on OVH.
What is your take on this? Has anyone of you received this type of mails recently and were your sites attacked? If yes, how big was the attack?
BTW, I have always wondered if it would be technically possible to host the DNS nameservers on two or more different servers? Example: point the glue record of each nameserver to several different IPs and add the relevant nameserver record for all these IPs in the domain registrar interface?
Thanks
-
10-19-2016, 08:45 AM #2Newbie
- Join Date
- Feb 2006
- Posts
- 8
Empty threat. It's just a scam to scare you into sending bitcoin.
-
10-19-2016, 08:52 AM #3Junior Guru
- Join Date
- Jul 2016
- Posts
- 183
I'd speculate that there are still enough IOT devices to use for an attack like this, but I don't think it will easily reach 200G, or even 100 for that matter. Anyway, paying the ransom will not get you anywhere, so don't do it.
-
10-19-2016, 08:55 AM #4Junior Guru Wannabe
- Join Date
- Nov 2015
- Posts
- 31
-
10-19-2016, 08:59 AM #5Newbie
- Join Date
- Feb 2006
- Posts
- 8
Cloudflare to protect if needed, but if they already know your IP you're pretty screwed.
Either way, loads of things have this email coded in to scare people. Just google the BTC address and you will see what the score is.
-
10-19-2016, 09:01 AM #6Junior Guru Wannabe
- Join Date
- Nov 2015
- Posts
- 31
-
10-19-2016, 09:13 AM #7Junior Guru Wannabe
- Join Date
- Nov 2015
- Posts
- 31
Almost all of our IPs are DDoS protected, so I think we should be safe from most attacks. Cloudflare is good, but the problem with Cloudflare is that it cannot protect your entire DNS (nameservers, MX records, etc.). I mean, you can still use Cloudflare's nameservers and Gmail's MX records to protect your own website, but if you are hosting customers you cannot protect all their DNS records; sooner rather than later the attacker will find your IP.
As for the BTC address, I already googled it, but nothing came up.
-
10-21-2016, 01:04 AM #8Junior Guru Wannabe
- Join Date
- Jul 2015
- Posts
- 75
You should reply that you published his threat here for everyone to see.
If the person decides to still go ahead with this, he'll attract so much attention that he'll likely get arrested.
On the other hand, if it's a scammer, any other victim who googles his email will find this thread and hopefully won't pay him anything.
Keep us updated.
-
10-21-2016, 03:19 AM #9Web Hosting Master
- Join Date
- Feb 2012
- Location
- Dallas, Texas
- Posts
- 807
You should check out this thread from a couple weeks back.
While it would be nice, chances of these people being arrested or even tracked is fairly unlikely unless someone in their social circle releases their information.
In this example the source is sigaint.org, a public mail server. All these extortion emails come from useless sources, e.g. spoofed or exploited mail servers, that wouldn't link back to the attacker.
Another popular case of this is the DD4BC (DDoS 4 Bitcoins) group. Europol didn't catch up with them until after they extorted companies for upward of $100,000.
These smaller copycats are going to fly right under the radar.
Swiftnode.net − Performance VPS, Dedicated Servers & Game Servers
12 Global Locations − North America, Europe, Japan, India, and Australia
Always-On DDoS Mitigation (UDP & TCP) − Optimized Routing − 24/7 Support
-
10-21-2016, 03:57 AM #10
Empty threats like these are going to increase if there's any reaction. As others have said, people should not pay these ransoms because it'll just encourage a new industry to exploit. Spammers didn't know they would rake in so much cash by claiming to be Nigerian Princes until they gave it a test run, and because of that it continued. Same thing will happen with these threats. Both cases carry very heavy legal punishments.
He gave you a Bitcoin Wallet and an email, you should hand those over to the authorities to help them create a paper trail. As difficult as it is to catch these wrong doers, it's not impossible.
I don't see why not. ResellerClub does it, as well as several other large companies.
★ GlowHost ★ → Affordable Managed Web Hosting Since 2002.
Cloud Servers - Hot Failover + Clustered Storage
Managed Dedicated Servers - Semi-Dedicated Servers
Shared & Reseller packages - 20 Min Ticket Response - 24/7/365 Phone & Live Chat
-
10-21-2016, 06:21 PM #11Newbie
- Join Date
- Oct 2016
- Posts
- 14
This is a ridiculous spam threat. The largest DDoS attack measured was ~1TBps, using over 150,000 IP cameras, and it happened earlier this month. Guess who took the attack?
-
10-21-2016, 06:35 PM #12
Well, the sensible thing to do is not pay the ransom as that won't solve anything, and probably add to more threats. While I'd love to see these guys in prison, the chances of that are slim.
█ ProlimeHost - Dedicated Server Hosting & KVM SSD VPS
█ Three Datacenter Locations: Los Angeles, Denver & Singapore
█ SuperMicro Hardware | Multiple Bandwidth Providers | 24/7 On-site Engineers
-
10-22-2016, 02:08 PM #13Knowledge is all
- Join Date
- Jul 2005
- Location
- here, there, where?
- Posts
- 4,097
It appears to be technically possible to do multiple IPs per nameserver, but the registrar has to support it in their interface or via a support ticket. A quick search didn't find many registrars having that in their knowledgebases, but did find https://www.dynadot.com/community/he...NS-multiple-IP (have not used Dynadot, so do not know their services right off).
And then again yesterday pointed at Dyn.
-Steven | Cooini, LLC
"It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle
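The multi-IP nameserver setup asked about in the opening post, as an added example that is not from the thread or from any registrar named in it: a zone fragment where each nameserver hostname has two A records on different networks. The zone name and all addresses are constructed (RFC 5737 documentation ranges), and the same two addresses per hostname must also be entered as glue in the registrar's interface, or the parent zone will only ever hand out one.

```text
; Constructed zone fragment for example.com (not from the thread)
; ns1 and ns2 each answer on two addresses in two different networks, so the
; parent TLD servers return both as glue and resolvers retry the other
; address when one times out.
$ORIGIN example.com.
$TTL 3600
@     IN SOA  ns1.example.com. hostmaster.example.com. (
                2016102301 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
@     IN NS   ns1.example.com.
@     IN NS   ns2.example.com.

; glue: enter the same addresses at the registrar for each host
ns1   IN A    192.0.2.53
ns1   IN A    198.51.100.53
ns2   IN A    203.0.113.53
ns2   IN A    192.0.2.54

; Check what the parent actually publishes (ADDITIONAL section must list
; every address; a missing one means the registrar only stored single glue):
;   dig +norecurse @a.gtld-servers.net example.com NS
```

This spreads the target across networks, but a resolver only falls over to the second address after its timeout on the first, so a saturated primary still slows resolution; it complements upstream filtering rather than replacing it.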
-
10-23-2016, 01:59 AM #14Junior Guru
- Join Date
- Jan 2003
- Location
- Budapest, Hungary
- Posts
- 231
The letter is probably a hoax.
I already wrote it somewhere else. Unless carriers start implementing flowspec this will get ugly...
I mean we had an offer of 10gbps for $2000-$5000 per month, yet no flowspec?
Flowspec is a perfect solution to this problem because you can control the rate remotely.
7 years the technology has been out there, yet we are bragging about 100gbps connections whereas there is only one Tier 1 provider I know of which offers flowspec - Level 3.
How did that happen? Is it that lucrative to transit 1tbps ddoses once a month instead of blocking them? Yes apparently it is.
Question to colleagues, how many of you expanded their connectivity beyond the actual reasonable need (say burstable) of your network just to protect yourselves from possible 5-6gbps DDoS's which happen at least once a week?
Guess who gets our business, the 2gbps with flowspec or 10gbps without?
Last edited by ServerAstra - Andrew; 10-23-2016 at 02:03 AM.
██ ServerAstra.com website / e-mail: info @ serverastra.com
██ HU/EU Co-Location / Managed and Unmanaged Cloud & Dedicated servers in Hungary with unmetered connections
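What "controlling the rate remotely" with flowspec looks like in practice, as an added example that is not from the thread or from ServerAstra: an ExaBGP configuration (assumed tool) that announces two BGP flowspec rules to an upstream router over the customer session. All addresses are RFC 5737 documentation values and the AS numbers are private; the victim host and the chargen source port are constructed for the example.

```text
# ExaBGP flowspec configuration (constructed example, not from the thread).
# The upstream router 192.0.2.1 installs these rules in its own forwarding
# plane, so unwanted traffic is dropped or limited before it reaches our link.
neighbor 192.0.2.1 {
    router-id 192.0.2.2;
    local-address 192.0.2.2;
    local-as 64512;           # our AS (private range, constructed)
    peer-as 64513;            # carrier AS (private range, constructed)

    family {
        ipv4 flow;            # negotiate the flowspec address family
    }

    flow {
        # Rule 1: cap all UDP toward a single victim host at 100 Mbit/s
        # (rate-limit is expressed in bytes per second: 12,500,000 B/s).
        route limit-udp-to-victim {
            match {
                destination 203.0.113.10/32;
                protocol udp;
            }
            then {
                rate-limit 12500000;
            }
        }

        # Rule 2: drop UDP reflection traffic from source port 19 (chargen)
        # toward our whole /24; no legitimate service sends it to us.
        route drop-chargen-reflection {
            match {
                destination 203.0.113.0/24;
                protocol udp;
                source-port =19;
            }
            then {
                discard;
            }
        }
    }
}
```

The carrier only honours rules whose destination prefix falls inside what you originate on the same session (RFC 5575 validation), which is exactly why, as the post says, it depends on the carrier offering flowspec at all.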
-
10-23-2016, 06:16 AM #15Web Hosting Guru
- Join Date
- Apr 2010
- Location
- Italy
- Posts
- 334
Keep in mind that Level 3 offers flowspec, but only as part of its DDoS Mitigation package. They are already one of the most expensive carriers; if you add this service, there are not a lot of companies that can afford it.
SeFlow.Net - Custom Dedicated Servers now with NVMe Disks
SeFlow Secure Network 20+ IXP connected with Default DDoS Protection. Stay Up And Running. No Matter What.
-
10-24-2016, 06:12 PM #16Web Hosting Master
- Join Date
- Mar 2013
- Posts
- 1,328
-
10-24-2016, 07:18 PM #17Newbie
- Join Date
- Jun 2014
- Posts
- 19
-
10-25-2016, 11:38 PM #18Aspiring Evangelist
- Join Date
- Nov 2014
- Posts
- 391
Yeah, I have seen such a threat email while working with a US-based hosting company. The attack was up to 50-70 Gbit/s, and the network guys smoothly prevented it, but the volume mentioned in the received email made me think that it's an empty threat.
www.24x7serversolutions.com - Provides 24x7 Server Management & Services
Server Security | Custom Bash Scripts | Proactive server monitoring | Hack Investigation | Migration Experts
Contact : sales@24x7serversolutions.com Skype : serversolutions24x7
-
10-26-2016, 08:20 AM #19Junior Guru Wannabe
- Join Date
- Nov 2015
- Posts
- 31
The 96-hour threat period passed and our servers were not attacked, so yeah, now it is confirmed that it was an empty threat. Ironically, someone indeed launched a 1 Tbit/s+ attack at approximately that time (last Friday's DDoS attack that took down lots of famous internet sites), but it was luckily not at my IPs.
Thank you all for your support!