When the Hackers Hack Back - SANS Internet Storm Center

When the Hackers Hack Back
Richard, one of our readers, sent us a very interesting note today. He was investigating a network in Germany that was known to be a source of evil, and decided to launch an nmap scan as an exploratory measure. We do not advocate scanning somebody else's network, even you find that the other network is irritating and disfunctional. Better to work with that network's upstream ISP to see if they can assist in taming the out of control network owners. Here are Richard's comments. Do not try this from your own corporate network The results may be hazardous to your job. On the evening of October 7th, I Nmapped a /24 out of Germany that was a known source of malware and general nefarious activities. I saw the usual ports open 22, 53, 80 on most of the machines I scanned. After the scan had stopped I closed the command prompt and began to read some late night email. I just happened to glance at my router and saw the receive lights were almost solid green. I opened my web browser and try to get out to the public network and could not, I suspected something was happening and it was. The machines I had scanned were launching as DDoS against my IP address and had basically shut me off from the rest of the world. I turned the interface down and went to bed thinking it might clear up after a while. I checked at 3:00 am, and 5:30 am and the attack was still on. I logged into my router to look at some logs and could see that the machines were still pumping junk down the wire so I called my upstream and they were of no help at all. It took two hours on the phone before I realized that they were not going to be able to help me so here is what I did: Thinking that whoever wrote the [attack] script was bright enough to include resource conservation into their code I figured if I remove all physical connection to the ISP at my house, the script would eventually sense that there no longer was a live host at the other end and it would stop. I wish I had tried this first instead of wasting my time on the phone with my useless ISP. It worked and we were back up after about ten minutes of being uncabled. Just to make sure I was correct I went through a second run of this and the exact same thing happened. From this I have learned two things, have a good relationship with your upstrreams and be careful what you do late at night. UPDATE 1 Reader Neal sent us some technical tips on how he gets around the problem Richard pointed out above. After I scan something, or if I suspect I gave out my IP address to someone hostile (email, IRC, etc.), then I immediately change my address BEFORE they have a chance to scan back. There are a couple of different ways to change your IP address... Modem: hang up and call back. If your ISP has a phone pool, then you're hopefully on a new address. (Then again, hopefully you're not scanning some /24 from a modem...) Cable modem: I love this -- the networked DHCP address is actually NOT tied to your account. Your cable modem has a MAC address and non-routable DHCP address that is tied to your account. All you need to do is change your routable network address: 1. Login to your external firewall (you do have an external firewall, like a Linksys or Dlink, right?). Change the WAN MAC address. However, do NOT commit the change yet! If you reset it now, then you will be unable to connect to your cable modem... 2. Login to your cable modem and click on the reboot/restart button. This causes it to forget the firewall's MAC address. 3. While the cable modem is shutting down/rebooting, commit the new WAN MAC address to your firewall. When the cable modem comes up, it will learn the new WAN MAC address from your firewall. This new MAC address will be assigned a new, routable IP address from the cable modem ISP. You now have a totally new external IP address. Total offline time should be around 15 seconds. (I've got it scripted!) DSL modem: I don't have one, but I'm told it is a similar approach to cable modems or telephone modems (depending on your ISP). If you have a T1 or T3 or static IP address? You're screwed. I recommend playing from a cable modem or DSL where you can change your address. Marcus H. Sachs Director, SANS Internet Storm Center	Marcus 301 Posts ISC Handler Oct 10th 2008
Thread locked Subscribe	Oct 10th 2008 1 decade ago
Just to add a bit to this story, I did look to the /24's upstream and it reallyt seemed as if this were a crooked operation all the way up to the provider. It is just a criminal enterprise that is well insulated as many of these operations are, so when I looked upstream I was reminded of being up a creek. It just amazes me how well protected these operations are. Take a look at the Atrivo/Intercage operation that just lost it's only remaining connection to the world. Amazing!	Richard 4 Posts
Quote	Oct 10th 2008 1 decade ago
Many of us guys, once in our lives, have to molest a nest of stinging creatures (and run).	Anonymous
Quote	Oct 10th 2008 1 decade ago

Richard, one of our readers, sent us a very interesting note today. He was investigating a network in Germany that was known to be a source of evil, and decided to launch an nmap scan as an exploratory measure. We do not advocate scanning somebody else's network, even you find that the other network is irritating and disfunctional. Better to work with that network's upstream ISP to see if they can assist in taming the out of control network owners.

Here are Richard's comments. Do not try this from your own corporate network The results may be hazardous to your job.

     On the evening of October 7th, I Nmapped a /24 out of Germany that was a known source of malware and general nefarious activities. I saw the usual ports open 22, 53, 80 on most of the machines I scanned.
    After the scan had stopped I closed the command prompt and began to read some late night email. I just happened to glance at my router and saw the receive lights were almost solid green. I opened my web browser and try to get out to the public network and could not, I suspected something was happening and it was.
     The machines I had scanned were launching as DDoS against my IP address and had basically shut me off from the rest of the world. I turned the interface down and went to bed thinking it might clear up after a while.
    I checked at 3:00 am, and 5:30 am and the attack was still on.
    I logged into my router to look at some logs and could see that the machines were still pumping junk down the wire so I called my upstream and they were of no help at all. It took two hours on the phone before I realized that they were not going to be able to help me so here is what I did:
    Thinking that whoever wrote the [attack] script was bright enough to include resource conservation into their code I figured if I remove all physical connection to the ISP at my house, the script would eventually sense that there no longer was a live host at the other end and it would stop. I wish I had tried this first instead of wasting my time on the phone with my useless ISP. It worked and we were back up after about ten minutes of being uncabled.
     Just to make sure I was correct I went through a second run of this and the exact same thing happened. From this I have learned two things, have a good relationship with your upstrreams and be careful what you do late at night.

UPDATE 1

Reader Neal sent us some technical tips on how he gets around the problem Richard pointed out above.

After I scan something, or if I suspect I gave out my IP address to someone hostile (email, IRC, etc.), then I immediately change my address BEFORE they have a chance to scan back.

There are a couple of different ways to change your IP address...

Modem: hang up and call back. If your ISP has a phone pool, then you're hopefully on a new address. (Then again, hopefully you're not scanning some /24 from a modem...)

Cable modem: I love this -- the networked DHCP address is actually NOT tied to your account. Your cable modem has a MAC address and non-routable DHCP address that is tied to your account. All you need to do is change your routable network address:

1. Login to your external firewall (you do have an external firewall, like a Linksys or Dlink, right?). Change the WAN MAC address. However, do NOT commit the change yet! If you reset it now, then you will be unable to connect to your cable modem...

2. Login to your cable modem and click on the reboot/restart button. This causes it to forget the firewall's MAC address.

3. While the cable modem is shutting down/rebooting, commit the new WAN MAC address to your firewall.

When the cable modem comes up, it will learn the new WAN MAC address from your firewall. This new MAC address will be assigned a new, routable IP address from the cable modem ISP. You now have a totally new external IP address. Total offline time should be around 15 seconds. (I've got it scripted!)

DSL modem: I don't have one, but I'm told it is a similar approach to cable modems or telephone modems (depending on your ISP).

If you have a T1 or T3 or static IP address? You're screwed. I recommend playing from a cable modem or DSL where you can change your address.

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler

Oct 10th 2008

Just to add a bit to this story, I did look to the /24's upstream and it reallyt seemed as if this were a crooked operation all the way up to the provider. It is just a criminal enterprise that is well insulated as many of these operations are, so when I looked upstream I was reminded of being up a creek. It just amazes me how well protected these operations are. Take a look at the Atrivo/Intercage operation that just lost it's only remaining connection to the world. Amazing!

Richard

4 Posts

Many of us guys, once in our lives, have to molest a nest of stinging creatures (and run).

Anonymous