Monday 24 June 2013

DNS Amplification DDoS Attacks, Booter services and who's behind them.

Lately DNS Amplification DDoS Attacks have drawn a lot of attention. Especially since CloudFlare dedicated several blog posts to them (here and here), and the StopHaus movement almost broke the internet with it.

DNS Amplification Attacks
DNS amplification attacks work by sending a UDP packet with a spoofed source address to a recursive DNS resolver. The resolver answers the request to the packet's apparent sender, which is the spoofed address, and that address is therefore the target of the attack. What makes this attack unique is that the UDP packet sent is small while the packet returned by the DNS server is large. This amplifies the network traffic that eventually reaches the target, in the hope that it cannot handle that volume and stops responding.
One of the benefits of this attack, from the attacker's point of view, is that the origin is very hard to trace. Botnets are often used in DDoS attacks, but in this attack even the bots the traffic comes from can be masked.


Statistics
To get more insight into this kind of DDoS attack, I decided to collect as much data as possible to build a good set of statistics. In one month I collected 1,244,584 attacks and extracted their details.
Below are the different records I've witnessed (query name, class, type, query flags, count):

isc.org in any +ed 1158923
. in any +e 39651
version.bind ch txt + 405
ripe.net in any +e 125
directedat.asia in any +e 55
. in type256 +e 50
169a41e5.openresolverproject.org in a + 11
www.google.com in a + 10
dnsscan.shadowserver.org in a + 6
nukes.directedat.asia in a +e 6
isc.org in any + 5
amazon.com in a + 5
directedat.asia in a +e 4
isc.org in any +e 4
google.com in a +ed 3
mydnsscan.us in any +e 3
ripe.net in any + 3
. in any + 2
nukes.directedat.asia in any +e 2
ddostheinter.net in a +e 2
ya.ru in a + 2
ddostheinter.net in any +e 2
directedat.asia in a + 2
nasa.gov in any + 2
77bytelee.co.uk in txt +e 1
a1607665836p49394i23167.d2013052812000114314.t6014 1
google.com in a +e 1
ripe.net in any +ed 1
google.com in a + 1
www.ru in a + 1
A list of targeted hosts can be found here.

Who's behind this?
"isc.org in any +ed" is by far the most used record; not much creativity there. By sending a very small query such as "dig ANY isc.org @dns-host" you get a 3433-byte response sent directly to the target:
root@ubuntu:~# dig ANY isc.org @8.8.8.8
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.1-P1 <<>> ANY isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:

;; QUESTION SECTION:
;isc.org.                       IN      ANY
;; ANSWER SECTION:
isc.org.                7200    IN      RRSIG   SPF 5 2 7200 20130719232951 20130619232951 50012 isc.org. Q8n5F9ZucnRaYw762EghVeq9NLLFN4tuAvJZTue/spQJUnRKcM5WuwR4 F8FuEh55EbIs5YxnrG2LbDmEJDOBh0aER+lE6Ts8TdCyZoTVylSf0kmr tmzf0r80Q5xBOdPMfsSARNxWrFDQr03r69IU0Lsp4EbneiM6wIiI7oyJ bz0=
isc.org.                7200    IN      SPF     "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org.                3600    IN      RRSIG   NSEC 5 2 3600 20130719232951 20130619232951 50012 isc.org.
...
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 23 23:56:27 2013
;; MSG SIZE  rcvd: 3433
pastebin: http://pastebin.com/mWQXYNQB
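The following Python script is an added example and is not part of the original post. It demonstrates two things the text above describes: how small the query behind this attack actually is, by building the wire-format "ANY isc.org" query with an EDNS0 OPT record and dividing the 3433-byte response quoted above by it, and how a resolver operator can spot the pattern in a query log, where the "client" address of a reflected query is the spoofed victim rather than the real sender. The log lines are constructed in BIND 9 query-log format; the source and victim addresses are documentation ranges, not real hosts, and the detection threshold is an assumption.

```python
"""Added example: size of an EDNS0 ANY query versus the quoted 3433-byte answer,
plus a detection pass over constructed resolver query-log lines."""
import re
import struct
from collections import Counter

QTYPE_ANY = 255
QCLASS_IN = 1
RRTYPE_OPT = 41


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: "isc.org" -> b"\\x03isc\\x03org\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY,
                edns_udp_size: int = 4096, do_bit: bool = False) -> bytes:
    """Minimal DNS query: 12-byte header, one question, one EDNS0 OPT pseudo-RR.
    The OPT record advertises a large UDP buffer, which is what lets the resolver
    return a multi-kilobyte answer in a single UDP datagram."""
    # id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    ttl = 0x8000 if do_bit else 0  # DO bit is bit 15 of the OPT TTL field
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, ttl, 0)
    return header + question + opt


def amplification_factor(name: str, response_bytes: int) -> float:
    """Bytes the resolver sends to the victim per byte the attacker sends."""
    return response_bytes / len(build_query(name))


# BIND 9 "queries" category format: client <ip>#<port>: query: <name> <class> <type> <flags> (<server ip>)
LOG_LINE = re.compile(
    r"client (?P<src>[\d.]+)#\d+.*?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log (not real traffic); 203.0.113.7 plays the spoofed victim.
SAMPLE_LOG = """\
23-Jun-2013 23:56:27.001 client 203.0.113.7#53: query: isc.org IN ANY +ED (192.0.2.1)
23-Jun-2013 23:56:27.002 client 203.0.113.7#53: query: isc.org IN ANY +ED (192.0.2.1)
23-Jun-2013 23:56:27.003 client 203.0.113.7#53: query: isc.org IN ANY +ED (192.0.2.1)
23-Jun-2013 23:56:27.004 client 203.0.113.7#53: query: isc.org IN ANY +ED (192.0.2.1)
23-Jun-2013 23:56:27.010 client 198.51.100.20#41222: query: www.google.com IN A + (192.0.2.1)
23-Jun-2013 23:56:27.011 client 198.51.100.21#53011: query: ripe.net IN ANY +E (192.0.2.1)
"""


def find_amplification_candidates(log_text: str, threshold: int = 3) -> dict:
    """Count ANY queries per (claimed source, name). Because the source address
    of a reflected query is forged, a burst of identical ANY queries "from" one
    address means that address is being attacked, not that it is a chatty client."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and m["qtype"].upper() == "ANY":
            counts[(m["src"], m["qname"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    q = build_query("isc.org")
    print(f"query size: {len(q)} bytes, amplification vs 3433-byte answer: "
          f"{amplification_factor('isc.org', 3433):.1f}x")
    for (src, qname), n in find_amplification_candidates(SAMPLE_LOG).items():
        print(f"likely reflection victim {src}: {n} ANY queries for {qname}")
```

The query size comes out at 36 bytes (12-byte header, 13-byte question, 11-byte OPT record), so the quoted 3433-byte answer is roughly a 95x amplification; a real dig query may differ slightly depending on options. The detection groups by claimed source because, as the post explains, that address belongs to the target: rate-limiting or dropping answers for such bursts protects the victim without affecting ordinary clients.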

But looking closer, several domains are of more interest; the names of these five in particular draw attention:
directedat.asia: http://pastebin.com/wxF2EQq9
nukes.directedat.asia: http://pastebin.com/m6x6RMAU 8235 bytes
ddostheinter.net: -
mydnsscan.us: http://pastebin.com/mSTL4tZG 20714 bytes
dd0s.asia: http://pastebin.com/Jcxrq8wQ 2538 bytes

As can be spotted pretty quickly, the size and content of the mydnsscan.us record in particular point to malicious purposes.

If we look at the name servers used, we see the following:
mydnsscan.us
ns1.mydnsscan.us -
ns2.mydnsscan.us 188.122.91.99
ns3.mydnsscan.us 188.122.91.99
ns4.mydnsscan.us -
ns1.directedat.asia 74.91.18.226
ns2.directedat.asia 74.91.18.226

directedat.asia
ns1.directedat.asia 74.91.18.226
ns2.directedat.asia 74.91.18.226

dd0s.asia
ns1.dd0s.asia 74.91.18.226
ns2.dd0s.asia 74.91.18.226

All three domains use name servers on the same IP address (74.91.18.226), which links them together.
IP address 188.122.91.99 is of particular interest as it runs an fbi.gov IRC server, w00t w00t!

Turns out the guy behind this operation is a 16-year-old, ------ ----. Here's his Facebook[removed], Skype: [removed], another Skype: [removed], HackForums[removed], LeakForums[removed] and last but not least, his YouTube account[removed].
******, as he prefers to be called, is a greatly talented guy who's very curious and interested in technology. Sadly, at this stage of his life he's focused on making money the wrong way. That's probably why he runs many booter and stresser services, with, according to his own records, 10 Gbps capacity. Some examples are: Galaxy booter, Private booter, Versatile booter, apidown.com, var-dev.com, Dos Boss' DDoS service, Ethernal Booter and many more; according to some of his posts on HackForums he also owns a 4k botnet[removed].

Well ------, as I've done previously with a guy who owned a bitcoin-mining botnet, you can contact me and I will remove all of your contact details. You sure know how to reach me.

PS. I'm setting up a website that shows ongoing attacks in real time. Anyone willing to contribute voluntarily can contact me. Shoutout to @DnsSmurf, who's doing similar things.

Tuesday 15 January 2013

Russian spies who communicated via YouTube unmasked.

For the first time since the end of the Cold War, Germany has publicly unmasked two Russian spies. The two spies, a married couple code-named Pit and Tina, real names Andreas and Heidrun Anschlag, received 100,000 euros a year from their secret employer, the SVR, the former KGB. Despite negotiations with the Russian government, the trial against them will go ahead, because Russia failed to show up during the negotiations. Both were arrested in October 2011. The recruitment of Raymond Valentino Poeteray, an employee of the Dutch Ministry of Foreign Affairs, is considered their greatest success; he sold them top-secret NATO documents.

The suspects' home in Marburg Michelbach.

Raymond Valentino Poeteray


Secret messages via YouTube
The couple used, among other things, YouTube accounts to communicate. Both accounts are still accessible. The accounts appear to have a fondness for the footballer Cristiano Ronaldo and only comment under videos that are widely viewed and heavily commented on. At first glance not much of interest can be made out from the comments, but no doubt the messages will have to be decoded. The account cristianofootballer posts a long message each time, whereas the account Alpenkuh1 posts only one sentence each time. Although the couple passed themselves off as refugees with an Austrian passport who had fled South America, the account cristianofootballer lists "Russia" as its country and Alpenkuh1 lists "Germany". This is striking because the couple never revealed their connection to Russia to those around them in any way.
Who is able to uncover the secret messages?