[nsp-sec] ddos against 1and1

Jon Lewis jlewis at lewis.org
Sun Mar 3 15:48:20 EST 2013


Atlantic.net terminated a cloud customer a few days ago.  In the process, 
I found an attack tool on one of his cloud servers that utilized a large 
list of open (mostly socks) proxies to synflood a target web server on 
port 80.  .bash_history said he'd used it on a few other sites.  History 
also showed that he'd downloaded the tool/proxy list from a Digital Ocean 
cloud server that was no longer operational.  After his account was 
suspended for non-payment (he'd given us a credit card that auth'd on 
signup, but failed when we tried running a charge some days later), he 
engaged support in online chat.  He was very upset that we wouldn't 
reactivate/let him back into his cloud servers and threatened to DoS us. 
Immediately after the threat, http://atlantic.net was hit with a hundred 
mbit/s of tcp/80 syns.  Not enough to impact the network...but enough to 
upset the target server.  Could be coincidence.  Could be the same 
tool/person hitting 1and1.

Given the way the tool I saw works, I'd say it would take multiple 
instances running on multiple cloud servers to generate the magnitude of 
your attack.

Has 1and1 terminated services to any Israeli hackers recently?

On Sun, 3 Mar 2013, Buraglio, Nicholas D wrote:

> ----------- nsp-security Confidential --------
>
> This looks suspiciously like the one we saw yesterday.  I'll tap our guy who was decoding it and see if the window size matches.
>
> --
> nb
>
> On Mar 3, 2013, at 1:04 PM, "Dirk Stander" <dst+nsp-sec at glaskugel.org> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> 1&1 is currently suffering a ddos attack against various portal sites.
>> It's a SYN flood, most probably spoofed, targeting the following IPs:
>>
>> www.1and1.com TCP/80 (74.208.4.60),
>> admin.1and1.com TCP/443 (74.208.4.5) and
>> www.1and1.fr TCP/80 (212.227.216.63)
>>
>> some packets:
>>
>> 14:49:47.291177 IP 202.102.60.209.31488 > 74.208.4.60.80: Flags [S], seq 3271755367, win 17473, options [mss 1460], length 0
>>        0x0000:  4500 002c 119b 4000 6d06 a5ed ca66 3cd1  E..,.. at .m....f<.
>>        0x0010:  4ad0 043c 7b00 0050 c303 0667 0000 0000  J..<{..P...g....
>>        0x0020:  6002 4441 b8e6 0000 0204 05b4 0000       `.DA..........
>> 14:49:47.291177 IP 210.83.251.230.7729 > 74.208.4.60.80: Flags [S], seq 4229991952, win 17473, options [mss 1460], length 0
>>        0x0000:  4500 002c 2d38 4000 6e06 c24d d253 fbe6  E..,-8 at .n..M.S..
>>        0x0010:  4ad0 043c 1e31 0050 fc20 8e10 0000 0000  J..<.1.P........
>>        0x0020:  6002 4441 8dec 0000 0204 05b4 0000       `.DA..........
>> 14:49:47.291178 IP 218.108.200.138.19477 > 74.208.4.60.80: Flags [S], seq 2466540794, win 17473, options [mss 1460], length 0
>>        0x0000:  4500 002c 2d4f 4000 6e06 ed79 da6c c88a  E..,-O at .n..y.l..
>>        0x0010:  4ad0 043c 4c15 0050 9304 6cfa 0000 0000  J..<L..P..l.....
>>        0x0020:  6002 4441 157e 0000 0204 05b4 0000       `.DA.~........
>> 14:49:47.291179 IP 210.73.93.102.38701 > 74.208.4.60.80: Flags [S], seq 2035612187, win 17473, options [mss 1460], length 0
>>        0x0000:  4500 002c 429a 4000 7206 4776 d249 5d66  E..,B. at .r.Gv.I]f
>>        0x0010:  4ad0 043c 972d 0050 7954 fa1b 0000 0000  J..<.-.PyT......
>>        0x0020:  6002 4441 ca3b 0000 0204 05b4 0000       `.DA.;........
>>
>> (the window size of 17473 seems to be a constant pattern)
>>
>> The attack started today 2013-03-03, at 4:55 UTC with about 1.0Gbit/s (1.50M P/s)
>> against each target, with a peak at 8:30 UTC with 6.20Gbit/s (10.80M P/s).
>> The attack is ongoing and has an aggregated bandwidth of about 20Gbit/s.
>>
>> A good amount of the traffic enters 1&1's backbone in Amsterdam coming from
>> Level3.
>>
>> Does anyone recognise this attack pattern or has any intel about the botnet
>> used?
>>
>>        Thanks, Dirk Stander
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
                              |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
