
SANS Internet Storm Center (SANS ISC) InfoSec Forums

BlackEnergy DDoS

Shadowserver has published their take on a recent series of DDoS attacks. The control domains, victim industries, countries affected, and command communications are all listed in the article. Not a complete analysis of the BlackEnergy bot, and bots are not a new phenomenon, but serves to remind that DDoS for hire is still around, botnets are still around, and that their impact can be devastating.

Adrien de Beaupré Inc.

Adrien de Beaupre

353 Posts
ISC Handler
Sep 14th 2010
Is anything done by CERT or any related orgs/communities/authorities to fight it?

Are we just trying to research new malware developments and document their victims?

PS: I've personally reported the DDoS to CanCERT a few weeks ago and received no response or help on the topic...
Control domains are .ru, though at least one of the names resolves to a Moldova netblock. Neither of which is surprising in the least.

At home I use the list of China and Korea netblocks maintained at to blackhole those pits of spam, phish, and malware. Does anyone know of an accurate, up-to-date list of netblocks for Russia, or for all of the former S.U.? I'm not so concerned about DDoS topics at home (though I wouldn't want my systems recruited for such an attack), but there's plenty of other badness lurking where there's little or no content we'd want or even be able to read.

It's not a perfect defense, I know, and it sure wouldn't fly at work. But many are the times there is an article here about the latest malware, and I find it's hosted in China and know it's nothing I have to worry about my family stumbling into. Though I hate the idea of chopping the i'net into disconnected pieces, Johnny can't read "#%=+@" anyway.

Know of any ex-su netblock lists?

50 Posts
@Ken: For rejection of spam (well, all emails) from certain countries, you can use the country-based RBL from (

24 Posts
