And DDoS extortion campaigns continue to be reported. Two weeks ago, Johannes Ullrich published a diary [1] about a fake DDoS extortion e-mail pretending to come from Anonymous, threatening the targeted company with a massive attack unless it was paid in Bitcoin. Yesterday we received a report of a similar extortion campaign, this time followed by the "test" DDoS the sender had promised.

The threat message seems to be a copycat of an older campaign described last year in a CloudFlare blog post [2]. It was signed by the same "Armada Collective" group, as seen below (the text was partially anonymized):

    FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

Although the targeted company did receive the test attack, the way it was carried out raises questions about the credibility of the campaign. Analysis of the test traffic showed that it was a reflection attack using open NTP servers on the Internet, not traffic from a Mirai-like botnet as the message claimed: every packet arrived from UDP source port 123 (the NTP service), which is what you see when an attacker sends NTP requests to open servers with the victim's address spoofed as the source and the servers' responses land on the victim.

Regardless of the campaign's credibility, it is worth taking the time to review your company's anti-DDoS strategy. In most scenarios, a pre-established agreement with your ISP to filter out volumetric attacks avoids unpleasant surprises and high costs during an emergency. If you already have such an agreement, it is worth putting it to the test and checking whether the response time meets your business requirements.

So far we are unaware of any case in which the threatened full-scale DDoS was actually launched after these e-mails, and there is no reason to pay; paying also gives no guarantee that the extortion will stop. If you received similar e-mails, please forward them to us.

References:
[1] https://isc.sans.edu/forums/diary/Fake+DDoS+Extortions+Continue+Please+Forward+Us+Any+Threats+You+Have+Received/22550/
Renato, ISC Handler, Jul 7th 2017
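The traffic analysis described in the diary (all packets from UDP source port 123, from many distinct hosts, at amplified response sizes) can be turned into a quick triage check. The following is an added example and not code from the diary or from ISC: a small Python classifier over flow records. The record layout ("proto src_ip:port dst_ip:port packets bytes"), the thresholds and all addresses are assumptions; the two samples are constructed from RFC 5737 documentation ranges to mimic an NTP reflection flood and a direct botnet flood against the same victim.

```python
"""Tell an NTP reflection flood from a direct botnet flood, from flow records.

Added example, not code from the ISC diary. The flow-record layout
("proto src_ip:port dst_ip:port packets bytes"), the thresholds and all
addresses are assumptions; the sample data is constructed, not observed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

NTP_PORT = 123
# A full NTP "monlist" reply holds 100 entries of 72 bytes in a ~468-byte
# packet, against a 48-byte request: roughly 10x amplification per packet.
MONLIST_MIN_BYTES = 400


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one flow line in the assumed layout (IPv4 only)."""
    proto, src, dst, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(pkts), int(nbytes))


def _ntp_replies(flows: Iterable[Flow], victim: str) -> List[Flow]:
    """Flows towards the victim that look like NTP server replies."""
    return [f for f in flows
            if f.dst_ip == victim and f.proto == "UDP" and f.src_port == NTP_PORT]


def classify(flows: Iterable[Flow], victim: str) -> dict:
    """Summarise traffic aimed at `victim` and label its likely nature.

    Reflection signature: almost all bytes are UDP replies whose *source* port
    is the reflected service (123 for NTP), they come from many distinct hosts
    (the abused servers, not the attacker), and the mean packet size matches
    an amplified response. A direct botnet flood instead shows ephemeral
    source ports and small or varied packets.
    """
    to_victim = [f for f in flows if f.dst_ip == victim]
    total_bytes = sum(f.bytes for f in to_victim)
    total_pkts = sum(f.packets for f in to_victim)
    replies = _ntp_replies(to_victim, victim)
    ntp_bytes = sum(f.bytes for f in replies)
    reflectors = {f.src_ip for f in replies}
    ntp_share = ntp_bytes / total_bytes if total_bytes else 0.0
    avg_pkt = total_bytes / total_pkts if total_pkts else 0.0
    if ntp_share >= 0.9 and len(reflectors) >= 10 and avg_pkt >= MONLIST_MIN_BYTES:
        verdict = "ntp_reflection"
    elif ntp_share < 0.1:
        verdict = "direct_flood"
    else:
        verdict = "mixed"
    return {"verdict": verdict, "ntp_share": round(ntp_share, 3),
            "reflectors": len(reflectors), "avg_pkt_bytes": round(avg_pkt, 1)}


def top_reflectors(flows: Iterable[Flow], victim: str, n: int = 5) -> List[Tuple[str, int]]:
    """Heaviest NTP reflectors by bytes: the hosts to report to their operators."""
    counts: Counter = Counter()
    for f in _ntp_replies(flows, victim):
        counts[f.src_ip] += f.bytes
    return counts.most_common(n)


# Constructed samples (RFC 5737 documentation ranges, not real observations).
VICTIM = "203.0.113.10"
# 50 open NTP servers each answering 200 spoofed monlist requests: every
# packet arrives from UDP/123 at 468 bytes, the pattern the diary describes.
NTP_SAMPLE = [parse_flow(f"UDP 198.51.100.{i}:123 {VICTIM}:{40000 + i} 200 93600")
              for i in range(1, 51)]
# 80 bots sending 60-byte TCP SYNs from ephemeral ports straight at port 80.
BOTNET_SAMPLE = [parse_flow(f"TCP 192.0.2.{i}:{49152 + i} {VICTIM}:80 500 30000")
                 for i in range(1, 81)]

if __name__ == "__main__":
    print(classify(NTP_SAMPLE, VICTIM))      # verdict: ntp_reflection
    print(classify(BOTNET_SAMPLE, VICTIM))   # verdict: direct_flood
    print(top_reflectors(NTP_SAMPLE, VICTIM, 3))
```

The reflector list is the actionable output: those hosts are victims too (misconfigured NTP servers answering monlist), so the right move is to report them to their operators and to ask your ISP to rate-limit inbound UDP/123 towards your prefixes, rather than to treat them as the attacker.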
I have been the recipient of a myriad of DDoS attacks in the last month, and the saddest part of all of these reflection attacks is that the servers are still configured for this kind of nonsense. You would think that with some kind of update to the systems all of these attacks could be mitigated.
jACKtheRipper, Jul 7th 2017
Depending on the service being used in reflection attacks, the solution to this problem does not depend on the device itself: many DNS servers, especially those using DNSSEC, are being used to reflect and amplify DDoS attacks. The major part of this problem is due to the IP spoofing allowed by many Internet service providers (ISPs). There is a document called BCP 38 (tools.ietf.org/html/…), published back in 2000, that specifies how ISPs could individually cooperate by configuring their routers to defeat DDoS amplification attacks over the Internet.
Renato, ISC Handler, Jul 7th 2017
Right, IP spoofing is the root of all of these issues, and you are totally right that the upstream filters from the various carriers could help prevent this, but what could help more is if there were a trusted list of IP addresses of non-local DNS, NTP, etc. servers at the end points. For instance, my ISP serves symmetrical gigabit FiOS to many customers, so it is equipped to swallow DNS or NTP traffic that is from non-trusted IPs. This may be out of left field, but if each end point could re-route NTP, DNS, etc. requests to the local service from the ISP and discard all other incoming traffic on those services, the end user would never get the unwanted traffic. I don't know, but something needs to happen to prevent this malicious traffic, and it needs to be with the assumption that this traffic will be there regardless of any and all other measures.
jACKtheRipper, Jul 8th 2017