
Thread: DDOS Extortion

  1. #1 (Join Date: Nov 2015, Posts: 31)

    DDOS Extortion

    Hi WHTers,

    I have seen forum posts about hackers threatening to DDoS your site/network before, but it never happened to us until yesterday, when we received the following mail:
    ======================================================================
    -------- Forwarded Message --------
    Subject: DDOS ATTACK ON YOU
    Date: Mon, 17 Oct 2016 23:51:54 -0000
    From: annasenpai@sigaint.org
    To: xxxx


    IMPORTANT!
    Redirect this e-mail to your CEO/CFO/any kind of such person

    Aloha! My name is Anna-senpai.

    Recently I've decided to leave the DDoS industry and released the source code
    of my /mirai botnet/
    (google if you aren't familiar with this) for free to everyone.
    I had my rest and..
    Now I am returning to the DDoS industry.
    Last months I've worked on the code improvement and empowering my new
    botnet with vulnerabilities in AvTech products.

    So.
    Your network will be DDoS-ed in 96 hours if you will not pay 2 Bitcoins at
    1E97ZxBF5EKPAt56s9wSheUPcRUzp7kwLG address.

    If you will not pay in time, DDoS attack will start, your web-services will
    go down permanently. After that, price to stop will be increased to 5 BTC
    with further increment of 5 BTC for every day of attack.

    NOTE, I'm not joking.

    My attacks are extremely powerful now - now average 700-800Gbps, sometimes
    over 1 Tbps per second. It will pass any remote protections, no current
    protection systems can help.

    Once payment is done, send me an e-mail with the number of the wallet from
    which you have paid, so I can identify you.

    Make right decision.

    ======================================================================

    I am almost sure that this is an empty threat, as shown in articles like this one https://blog.cloudflare.com/empty-dd...da-collective/ but still there is this unsettling feeling that it might turn out to be real, especially while the 96-hour period is not over yet. We do have 200 Gbit/s DDoS protection, which I know was able to mitigate 50-70 Gbit attacks in the past with ease (we have not seen any larger attacks yet), but still 1 Tbps per second is way too much. Until recently such attacks were not possible. As far as my knowledge goes, the biggest attacks of the last 2-3 years reached 350-400 Gbit/s, but with a little bit of googling I did find a rather recent article https://krebsonsecurity.com/2016/10/...ed/#more-36541 detailing a 600+ Gbit/s attack. Most probably this is a copycat and not the real Anna-senpai, who was the mastermind behind the Mirai botnet.
    According to this forum post https://hackforums.net/showthread.php?tid=5420472 that person did launch a 600 Gbit/s attack on Krebs on Security and a 1 Tbit/s combined DDoS attack on OVH.
    What is your take on this? Has anyone of you received this type of mail recently, and were your sites attacked? If yes, how big was the attack?

    BTW, I have always wondered if it would be technically possible to host the DNS nameservers on two or more different servers. Example: point the glue record of each nameserver to several different IPs and add the relevant nameserver record for all these IPs in the domain registrar's interface?

    Thanks

  2. #2
    Empty threat, it's just a scam to scare you into sending bitcoin

  3. #3 (Join Date: Jul 2016, Posts: 183)
    I'd speculate that there are still enough IOT devices to use for an attack like this, but I don't think it will easily reach 200G, or even 100 for that matter. Anyway, paying the ransom will not get you anywhere, so don't do it.

  4. #4 (Join Date: Nov 2015, Posts: 31)
    Quote Originally Posted by xcellweb View Post
    Empty threat, it's just a scam to scare you into sending bitcoin
    Yes, that is what I thought, but I just wanted to see if anyone else got these threats. Furthermore, it looks like IoT DDoS might become the new threat for hosting providers; a 1 Tbit/s attack is a significant increase from what we have seen so far.

  5. #5
    Cloudflare to protect if needed, but if they already know your IP you're pretty screwed.

    Either way, loads of things have this email coded in to scare people. Just google the BTC address and you will see what the score is.

  6. #6 (Join Date: Nov 2015, Posts: 31)
    Quote Originally Posted by Victor R View Post
    Anyway, paying the ransom will not get you anywhere, so don't do it.
    Oh, I am definitely not paying anything. Paying a ransom to an extortionist is a guarantee that these threats would keep on coming.

  7. #7 (Join Date: Nov 2015, Posts: 31)
    Quote Originally Posted by xcellweb View Post
    Cloudflare to protect if needed, but if they already know your IP you're pretty screwed.

    Either way, loads of things have this email coded in to scare people. Just google the BTC address and you will see what the score is.
    Almost all of our IPs are DDoS protected, so I think we should be safe from most attacks. Cloudflare is good, but the problem with Cloudflare is that it cannot protect your entire DNS (like nameservers, MX records etc.). I mean, you can still use Cloudflare's nameservers and Gmail's MX records to protect your own website, but if you are hosting customers you cannot protect all their DNS records; sooner rather than later the attacker will find your IP.

    As for the BTC address, I already googled it, but nothing came up.

  8. #8 (Join Date: Jul 2015, Posts: 75)
    You should reply that you published his threat here for everyone to see.

    If the person decides to still go ahead with this, he'll attract so much attention that he'll likely get arrested.

    On the other hand, if it's a scammer, any other victim that googles his email will find this thread and hopefully won't pay him anything.

    Keep us updated.

  9. #9 (Join Date: Feb 2012, Location: Dallas, Texas, Posts: 807)
    Quote Originally Posted by Victor R View Post
    I'd speculate that there are still enough IOT devices to use for an attack like this, but I don't think it will easily reach 200G, or even 100 for that matter. Anyway, paying the ransom will not get you anywhere, so don't do it.
    You should check out this thread from a couple weeks back.

    Quote Originally Posted by stefeman View Post
    You should reply that you published his threat here for everyone to see.

    If the person decides to still go ahead with this, he'll attract so much attention that he'll likely get arrested.

    On the other hand, if it's a scammer, any other victim that googles his email will find this thread and hopefully won't pay him anything.

    Keep us updated.
    While it would be nice, the chances of these people being arrested or even tracked are fairly slim unless someone in their social circle releases their information.

    In this example the source is sigaint.org, a public mail server. All these extortion emails come from useless sources, e.g. spoofed or exploited mail servers, etc., that wouldn't link back to the attacker.

    Another popular case of this is the DD4BC (DDoS 4 Bitcoins) group. Europol didn't catch up with them until after they extorted companies for upward of $100,000.

    These smaller copycats are going to fly right under the radar.

  10. #10 (Join Date: Aug 2010, Location: United States of America, Posts: 519)
    Empty threats like these are going to increase if there's any reaction. As others have said, people should not pay these ransoms because it'll just encourage a new industry to exploit. Spammers didn't know they would rake in so much cash by claiming to be Nigerian Princes until they gave it a test run, and because of that it continued. Same thing will happen with these threats. Both cases carry very heavy legal punishments.

    He gave you a Bitcoin wallet and an email; you should hand those over to the authorities to help them create a paper trail. As difficult as it is to catch these wrongdoers, it's not impossible.

    Quote Originally Posted by preslav View Post
    BTW, I have always wondered if it would be technically possible to host the DNS nameservers on two or more different servers. Example: point the glue record of each nameserver to several different IPs and add the relevant nameserver record for all these IPs in the domain registrar's interface?

    Thanks
    I don't see why not. ResellerClub does it as well as several other large companies.

  11. #11
    This is a ridiculous spam threat. The largest DDoS attack calculated was ~1TBps, using over 150,000 IP cameras, and it happened earlier this month. Guess who took the attack.

  12. #12 (Join Date: Mar 2009, Location: Here Today - Gone to Maui, Posts: 9,962)
    Well, the sensible thing to do is not pay the ransom, as that won't solve anything and will probably add to more threats. While I'd love to see these guys in prison, the chances of that are slim.

  13. #13 (Join Date: Jul 2005, Location: here, there, where?, Posts: 4,097)
    Quote Originally Posted by preslav View Post
    BTW, I have always wondered if it would be technically possible to host the DNS nameservers on two or more different servers. Example: point the glue record of each nameserver to several different IPs and add the relevant nameserver record for all these IPs in the domain registrar's interface?
    It appears to be technically possible to do multiple IPs per nameserver, but the registrar has to support it in their interface or via a support ticket. A quick search didn't find many registrars having that in their knowledgebases, but did find https://www.dynadot.com/community/he...NS-multiple-IP . (I have not used Dynadot, so I do not know their services right off.)

    Quote Originally Posted by CloudTeh View Post
    The largest DDoS attack calculated was ~1TBps, using over 150,000 IP cameras, and it happened earlier this month. Guess who took the attack.
    And then again yesterday, pointed at Dyn.
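The multi-IP glue idea from the question above is only worth the registrar ticket if the extra addresses actually buy resilience. The following script is an added example (not from the thread or any registrar): it takes glue as you would enter it at the registrar and flags nameservers with a single address, addresses shared between nameservers, and the case where every glue IP sits in the same /24 so one saturated subnet takes all nameservers down. The hostnames and IPs are constructed; the check is not tied to any registrar's interface.

```python
import ipaddress

# Constructed sample: glue for a hosting provider's two nameservers after
# giving ns1 two addresses in different subnets and leaving ns2 with one.
# Hostnames and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_GLUE = {
    "ns1.example.net": ["203.0.113.10", "198.51.100.10"],
    "ns2.example.net": ["203.0.113.11"],
}


def glue_networks(ips, prefixlen=24):
    """Return the set of /prefixlen networks the given IPs fall into."""
    return {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for ip in ips}


def assess_ns_redundancy(glue, min_ips=2, prefixlen=24):
    """Estimate how much a volumetric attack on one IP or one subnet hurts.

    glue: {nameserver hostname: [glue IPs]} as entered at the registrar.
    Returns:
      single_ip      - nameservers with fewer than min_ips distinct addresses
      shared_ips     - addresses reused by more than one nameserver (fake
                       redundancy: two NS names, one box to knock over)
      networks       - distinct /prefixlen networks across all glue
      single_network - True when all glue lives in one network
      ip_count       - number of distinct glue addresses overall
    """
    single_ip = sorted(h for h, ips in glue.items()
                       if len(set(ips)) < min_ips)
    owners = {}
    for host, ips in glue.items():
        for ip in set(ips):
            owners.setdefault(ip, set()).add(host)
    shared_ips = sorted(ip for ip, hosts in owners.items() if len(hosts) > 1)
    nets = glue_networks(owners, prefixlen)
    return {
        "single_ip": single_ip,
        "shared_ips": shared_ips,
        "networks": sorted(str(n) for n in nets),
        "single_network": len(nets) == 1,
        "ip_count": len(owners),
    }


if __name__ == "__main__":
    print(assess_ns_redundancy(SAMPLE_GLUE))
```

On the sample, ns2.example.net is reported as single-IP while the delegation as a whole spans two /24s; feed the function your real glue (and a larger prefix length if all your subnets come from one upstream) to see whether the extra IPs change anything.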

  14. #14 (Join Date: Jan 2003, Location: Budapest, Hungary, Posts: 231)
    The letter is probably a hoax.

    I already wrote it somewhere else. Unless carriers start implementing flowspec, this will get ugly...

    I mean, we had an offer of 10gbps for $2000-$5000 per month, yet no flowspec?
    Flowspec is a perfect solution to this problem because you can control the rate remotely.
    The technology has been out there for 7 years, yet we are bragging about 100gbps connections whereas there is only one Tier 1 provider I know of which offers flowspec - Level 3.

    How did that happen? Is it that lucrative to transit 1tbps DDoSes once a month instead of blocking them? Yes, apparently it is.
    Question to colleagues: how many of you expanded your connectivity beyond the actual reasonable need (say burstable) of your network just to protect yourselves from possible 5-6gbps DDoSes, which happen at least once a week?
    Guess who gets our business, the 2gbps with flowspec or the 10gbps without?
    Last edited by ServerAstra - Andrew; 10-23-2016 at 02:03 AM.

  15. #15 (Join Date: Apr 2010, Location: Italy, Posts: 334)
    Keep in mind that Level 3 offers flowspec, but only as part of its DDoS Mitigation package. They are already one of the most expensive carriers; if you add this service, there are not a lot of companies that can afford it.

  16. #16 (Join Date: Mar 2013, Posts: 1,328)
    It sounds like an empty threat to me too.

    Quote Originally Posted by stefeman View Post
    You should reply that you published his threat here for everyone to see.
    If the person decides to still go ahead with this, he'll attract so much attention that he'll likely get arrested.
    I don't think so.

  17. #17
    Quote Originally Posted by gingir View Post
    It sounds like an empty threat to me too.
    I don't think so.
    I second this! Ignore and carry on as normal - certainly don't attempt to engage or counter-threaten...

  18. #18 (Join Date: Nov 2014, Posts: 391)
    Yeah, I have seen such a threat email while working with a US-based hosting company. The attack was up to 50-70 Gbit, but the network guys smoothly prevented it; the volume mentioned in the received email made me think that it's an empty threat.

  19. #19 (Join Date: Nov 2015, Posts: 31)
    The 96-hour threat period passed and our servers were not attacked, so yeah, now it is confirmed that it was an empty threat. Ironically, someone indeed launched a 1 Tbit+ attack at approximately that time (last Friday's DDoS attack that took down lots of famous internet sites), but luckily it was not at my IPs.
    Thank you all for your support!
