Ransom DDoS attack - need help!

All,

I've been a NANOG member for many years but I'm emailing from an anonymous
account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from
a very well known group that has been in the news lately. Recently they've
threatened to carry out a major DDoS attack if they are not paid by a
deadline which is approaching. They've performed an attack of a smaller
magnitude to prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude
of the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain
provider contacts/intros) so we can execute our strategy (which I can't
reveal here for obvious reasons). If you email me off-list with a
name/email that you've previously used on-list, I will reply from my real
email.

Alternatively, if you can post your experiences on-list with large scale
high profile ransom DDoS attacks, I'd really appreciate it!

Thanks

Sounds like lizardSquad may be at it again

Can you provide some additional details? Is it someone claiming association
with a known group like DD4BC or the Armada Collective or unbranded?

Cheers,
CBaker

None of those names you just mentioned have made the international news.

OSINT has a plethora of detail available:

http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130
http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin-ransoms-what-can-we-do-1528253
http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demands-raise-dd4bc-profile

Hi!
This is my first mail to the list.
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate
some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level.

//Robban

Based on certain details that I can't reveal here, we believe the magnitude of the upcoming attack may be in the several hundred Gbps.

They lie. The largest attacks we've seen from these threat actors are in the ~60gb/sec range - which is nothing to shake a stick at, mind.

Many times, they don't follow through. But you're right to be prepared.

See these two presos:

<https://app.box.com/s/2kpbqfdl1ko3qhfhe4y8ekd1rvj24vfd>

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons).

All this super-secret squirrel stuff doesn't help, it's actually a hindrance. The short answer is 'upstream ACLs'.

Nevertheless, contact me 1:1 and I'll work to hook you up with the right folks.

bear in mind that if you pay a ransom like this:

1. you're opening up a bank account for them to dip into whenever they feel
they need more money.

2. you're perpetuating the problem of ddos-or-ransom by turning it into a
viable business.

If you believe that someone who issues a ransom threat will stop if you pay
them off, you're smoking crack.

Nick

+1

These attacks aren't rocket-science to defend against.

OP, ping me 1:1.

Most of these types of service ransom deals are conducted via bitcoin. So I don’t see how this could be the case unless you mean to say that appeasing your attackers is a bad idea because they might just be emboldened enough to try and extort you again whenever the piggy bank is beginning to run dry.

Talk to your upstream provider. They may already have mitigation in place (e.g. Arbor devices). If not, then if you know much about this anticipated attack (and you seem to have some details) they can certainly implement ACLs and other moderating tools. Regardless, contact the FBI or similar LEA and get them involved: extortion and threats for now, and if they follow through then you have civil and very possibly criminal proceedings to look forward to.

I also highly recommend you contact EFF. Start at eff.org

--patrick darden

I would really appreciate help in a few areas (primarily with certain
provider contacts/intros) so we can execute our strategy (which I
can't reveal here for obvious reasons). If you email me off-list with
a name/email that you've previously used on-list, I will reply from
my real email.

Hello,

Sorry for your troubles. I'm happy to try to put you in touch with
people we know or specific providers that may be particularly important
for you, given the path attack traffic may follow to you. Generally,
however, you need to be working with your upstream providers or peers.
Those are your best friends that are best able to mitigate traffic from
reaching you or to help trace back where it is coming from.

We also operate a free community service called UTRS, which is
essentially just a community remote triggered black hole (RTBH)
service. Depending on the attack and where it is coming from, it may
be of some help. It is another tool in the tool box that is relatively
easy to get going. Technical details and sign up form here:

  <https://www.cymru.com/jtk/misc/utrs.html>
  <http://www.team-cymru.org/UTRS/>

In case an attack does come, you must be able to provide some profile
of the attack traffic for others to help. A sample of the attack
traffic (e.g. a pcap, flow data, logs), including any characteristics
that might help others help you mitigate is important. This includes
source network, IP address(es) (but they may be spoofed), protocol,
port, packet size, payload, etc... anything that may uniquely identify
the traffic. Keep track of the time an attack starts and let people
know what time zone you're working in, or convert to UTC (preferred).

Alternatively, if you can post your experiences on-list with large
scale high profile ransom DDoS attacks, I'd really appreciate it!

You should consider engaging your local federal law enforcement
office. Don't expect miracles, but at least have that ball rolling.
They will probably tell you not to pay, and generally you shouldn't.
Keep a good evidence trail. Be vigilant, but don't panic.

John

Hello,

Are you announcing your IP addresses via BGP or does your ISP manage
routing for you?

If BGP, contract with a DDOS mitigator now. During an attack, you
reroute the /24 containing the attacked destination to the mitigator
and let them scrub the bad traffic for you. I have no idea who to
recommend but I believe there was a recent discussion on nanog about
just that subject.

Make sure your ISP provides you with a small block of its addresses so
that you can anchor the tunnel from the DDOS mitigator no matter which
of your announced address blocks is attacked. And test to make sure
your addresses really do reroute to the mitigator at need: your ISP
can do a number of things to foul up your BGP announcement which you
won't notice until you try to reroute.

If not BGP, this is your ISP's problem. Notify them of the threat so
that they can get ready to mitigate it.

As others have said, don't pay the ransom. Even if the current thieves
honor the bargain, it'll become known that you paid. That paints a
great big target on your back for every other thief out there.

Regards,
Bill Herrin

The last I spoke with NTT they said the largest they ever saw was > 300GB
and most of the time they don't follow through. They threaten 100 networks
and hope that x% will pay them off 'just in case'

Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate
some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level.

This is the Armada Collective, based on the description. We just went through a round with them. The hardest they were able to hit us peaked at a little under 80 Gbits/second. Primarily DNS and NTP amplification attacks. They also hit our web servers with a little over 80 million requests over a one hour period, and played some games with TCP to try to mess with the protocol stacks on the servers and network gear.

Cloudflare took care of the web attacks. For DDoS, something like Incapsula will take care of the layer 3 stuff. Not cheap, but very effective.

--lyndon
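John's message above asks the victim to hand upstreams a profile of the attack traffic (source networks, protocol, port, packet size, start time in UTC), and Lyndon's describes the DNS/NTP amplification mix such floods are made of. The following is an added example, not code from the thread or any poster: it builds that profile from flow records and flags the UDP amplification signature. The CSV record layout, the UTC-8 local time zone and the 400-byte average-packet threshold are assumptions; the flow lines are constructed sample data.

```python
# Added example: turn flow records into the attack profile an upstream needs
# for an ACL or RTBH entry, and flag UDP amplification (src port 53/123,
# large packets). Record layout and sample lines are constructed assumptions.
from collections import Counter
from datetime import datetime, timezone, timedelta
import ipaddress

# Constructed records: local_time,src_ip,src_port,dst_ip,dst_port,proto,bytes,pkts
SAMPLE_FLOWS = """\
2015-12-01 09:00:01,198.51.100.7,123,203.0.113.10,41234,udp,45600,100
2015-12-01 09:00:01,198.51.100.9,123,203.0.113.10,51230,udp,46100,100
2015-12-01 09:00:02,192.0.2.33,53,203.0.113.10,33444,udp,300000,100
2015-12-01 09:00:02,192.0.2.71,53,203.0.113.10,33445,udp,298000,100
2015-12-01 09:00:03,198.51.100.200,44321,203.0.113.10,443,tcp,6000,40
"""
LOCAL_TZ = timezone(timedelta(hours=-8))  # assumption: victim works in UTC-8
AMP_PORTS = {53: "DNS", 123: "NTP"}       # UDP source ports of reflected floods
AMP_MIN_AVG_PKT = 400                     # assumption: amplified replies are large

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, sip, sport, dip, dport, proto, nbytes, pkts = line.split(",")
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        flows.append({"ts": local, "src": sip, "sport": int(sport), "dst": dip,
                      "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def profile(flows):
    """Summarise by protocol, source port, source /24 and amplification share."""
    total = sum(f["bytes"] for f in flows)
    by_proto, by_sport, by_src24, amp = Counter(), Counter(), Counter(), Counter()
    for f in flows:
        by_proto[f["proto"]] += f["bytes"]
        by_sport[(f["proto"], f["sport"])] += f["bytes"]
        net = ipaddress.ip_network(f"{f['src']}/24", strict=False)  # sources may be spoofed
        by_src24[str(net)] += f["bytes"]
        avg_pkt = f["bytes"] / f["pkts"]
        if f["proto"] == "udp" and f["sport"] in AMP_PORTS and avg_pkt > AMP_MIN_AVG_PKT:
            amp[AMP_PORTS[f["sport"]]] += f["bytes"]
    start_utc = min(f["ts"] for f in flows).astimezone(timezone.utc)  # UTC, as John asks
    return {"start_utc": start_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "total_bytes": total,
            "top_proto": by_proto.most_common(1)[0][0],
            "top_src_port": by_sport.most_common(1)[0][0],
            "top_src_nets": [n for n, _ in by_src24.most_common(3)],
            "amplification_share": {k: round(v / total, 2) for k, v in amp.items()}}

if __name__ == "__main__":
    for key, val in profile(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{key}: {val}")
```

Point it at real flow exports (one record per line in the assumed layout) and send the resulting summary, plus a pcap sample, to the upstream or scrubbing provider.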

Of course they have.

That wasn't DD4BC or Armada Collective.

F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
protection. Don't pay up, use ddos protection.

Clay

Hi,

F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
protection. Don't pay up, use ddos protection.

you know how many ponder whether AV companies write some of the viruses....

:wink:

alan

hi "need help"

A company that shall remain anonymous has received a ransom DDoS note from
a very well known group that has been in the news lately.

use an email reader that allows you to see all the received email headers
to see which SMTP routers they came thru to reach your smtp servers

contact each of the ISP that owns those IP# ranges to forewarn them of
your upcoming DDoS attacks .. if you're/we're lucky, the actual DDoS
attacks would pass thru the same ISPs again

Recently they've
threatened to carry out a major DDoS attack if they are not paid by a
deadline which is approaching. They've performed an attack of a smaller
magnitude to prove that they're serious.

cool .. more proof that they can carry out an attack allows you ( law enforcement
and the ISP ) to track down who they are, where they come from, etc, etc, etc

since you also kinda know what time/date they will be attacking, the ISP and
law enforcement can be watching for the incoming attacks reverse track the
originating and probably cracked routers ... and hopefully, one-in-a-million
chance to find the ddos-extorter's computers

if the extorter is in the same city ( your local bully ) using the same ISP,
finding the extorter should be trivial

you can also catch the extorter by "pretending" to have put up the $$$$
and tell the FBI/interpol/ISPs/PayPal/etc to watch the non-existent account
for incoming connections from the extorter ... and keep telling the
extorter the $$$ is there even if they can't seem to get their $$$

I would really appreciate help in a few areas (primarily with certain
provider contacts/intros) so we can execute our strategy (which I can't
reveal here for obvious reasons).

most folks would like to see that you have done your "homework" too
trying to stop incoming DDoS attacks ... aka, you need to able to provide
them the necessary info for them to help you ...

run tcpdump and/or Ethereal to capture the DDoS attacks