[nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461
Smith, Donald
Donald.Smith at CenturyLink.com
Tue Apr 21 19:47:56 EDT 2015
FYI I did a netflow report for that IP and saw nothing.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Lawrence Baldwin [baldwinl at mynetwatchman.com]
Sent: Tuesday, April 21, 2015 3:44 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461
----------- nsp-security Confidential --------
This attack is ongoing as of 3:35 Central and is ongoing at the
moment... related to BCBH extortion activity.
Victim is already in contact with NOCs from Level 3 and Abovenet, but
if anyone here can help ensure that DDoS mitigation teams are engaged
I'd appreciate it. I can be reached via mobile: 404-933-9511
Attack is UDP... I don't have payload, but from what I understand it's
NTP/DNS amplification activity.
Also, anyone working cases involving this crew I'm looking to do an LE
referral on it.
--
Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924