[nsp-sec] RFE ddos details
Jose Nazario
jose at arbor.net
Tue Apr 29 08:41:21 EDT 2008
as seen on nsp-sec-d, one of the sister sites of radio free europe was hit
by a ddos attack. the botnet behind it is a machbot botnet; see the list
archives for a paper from william s describing how machbot works.
machbot is a russian-language HTTP ddos botnet. there is very little
publicly available about it, i need to change that one of these days.
the URL in this case is:
http://httpdoc.info/cgi-bin/get.cgi?data=
the argument to 'data' is base64 encoded and looks like this:
'ver=5&uid=%d&conn=&os=XP&socks=&ip=%s' % (BOT_ID, MYIP)
'socks' can contain a port number. the uid is a random number for the
bot's install; the argument MYIP is the bot's internal (i.e. if behind NAT)
IP.
attacks came in on saturday apr 26:
Timestamp 2008-04-26 03:05:22
Timestamp 2008-04-26 07:05:22
Timestamp 2008-04-26 11:26:20
C&C IP 66.29.71.16
C&C Hostname httpdoc.info
C&C Port 80
C&C ASN 8001
C&C CC US
commands looked like this when base64 decoded, and svaboda.org is the
actual target:
FREQ 900000
DDOS 2 1800000 www.svaboda.org 80 20
DDOS 0 78000000 www.charter97.org /ru/search/ 0 %3Fstext=%EB%F3%EA%E0%F8%E5%ED%EA%EE 80 10
DDOS 2 78000000 www.charter97.org 80 10
DDOS 2 1800000 www.svaboda.org 80 20
DDOS 2 48000000 www.compromat.net 80 20
DDOS 0 42000000 www.legis-group.ru /index.php 0 fhgfhfg 80 10
the botnet is quiet right now.
i've been tracking this botnet - and several other machbot nets - for some
time now, many BIG thanks to several people here for info, new C&Cs and
the like.
hope this helps.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
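For defenders who want to spot this check-in in proxy logs and pull the target hosts out of decoded command responses, here is an added example (mine, not code from the post or from arbor): it decodes the base64 'data' argument of a GET to the path quoted above and checks for the ver/uid/conn/os/socks/ip key set, then parses FREQ/DDOS lines; the sample check-in URL and command text are constructed, and the meaning of the numeric DDOS fields is not documented in the post, so they are kept as opaque values.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

CHECKIN_PATH = "/cgi-bin/get.cgi"                          # path from the post
CHECKIN_KEYS = {"ver", "uid", "conn", "os", "socks", "ip"}   # field names from the post
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)

def decode_checkin(url):
    """Return the decoded check-in fields of a machbot-style GET, else None."""
    parts = urlsplit(url)
    if parts.path != CHECKIN_PATH:
        return None
    m = re.search(r"(?:^|&)data=([^&]*)", parts.query)
    if not m:
        return None
    b64 = unquote(m.group(1))               # undo %2B/%3D but keep a literal '+'
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = dict(kv.split("=", 1) for kv in raw.split("&") if "=" in kv)
    # require the full characteristic key set so ordinary CGI traffic is not flagged
    return fields if CHECKIN_KEYS.issubset(fields) else None

def parse_commands(text):
    """Parse decoded C&C response lines (FREQ / DDOS) into dicts."""
    cmds = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "FREQ" and tok[1].isdigit():
            cmds.append({"cmd": "FREQ", "value": int(tok[1])})
        elif tok and tok[0] == "DDOS":
            # the post does not document the numeric fields, so they stay as
            # opaque positional args; only the target hostname is extracted
            host = next((t for t in tok[1:] if HOST_RE.match(t)), None)
            cmds.append({"cmd": "DDOS", "target": host, "args": tok[1:]})
    return cmds

def ddos_targets(text):
    """Unique target hosts named in DDOS commands, for blocking or notification."""
    return sorted({c["target"] for c in parse_commands(text)
                   if c["cmd"] == "DDOS" and c["target"]})

# constructed samples (not captured traffic): one check-in in the post's field layout
SAMPLE_CHECKIN = "http://httpdoc.info/cgi-bin/get.cgi?data=" + base64.b64encode(
    b"ver=5&uid=12345&conn=&os=XP&socks=&ip=192.168.1.10").decode()
SAMPLE_COMMANDS = ("FREQ 900000\n"
                   "DDOS 2 1800000 www.svaboda.org 80 20\n"
                   "DDOS 0 78000000 www.charter97.org /ru/search/ 0 %3Fstext=x 80 10\n")
```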