[nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461

Smith, Donald Donald.Smith at CenturyLink.com
Fri Apr 24 09:46:59 EDT 2015


It is all udp:1900 reflection OR icmp errors ...

(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at centurylink.com<mailto:Donald.Smith at centurylink.com>
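The observation above (all traffic toward the victim being udp:1900 reflection or ICMP errors) is the kind of conclusion a NetFlow summary gives you directly. The following is an added example, not code from the thread or from CenturyLink or myNetWatchman: it classifies constructed flow records by reflection vector using the source port, separates ICMP destination-unreachable backscatter, and reports bytes, packets, distinct sources and average packet size per vector. The export format, the `parse_flows`/`classify`/`summarize` names and the sample flows are assumptions; the victim address is the one corrected later in the thread.

```python
"""Classify NetFlow-style records for a UDP reflection / amplification DDoS.

Added example, not part of the original thread. It assumes a simple
text flow export (constructed below) with fields:
    src_ip src_port dst_ip dst_port proto packets bytes
where proto is 'udp', 'tcp' or 'icmp' and, for icmp, src_port carries
the ICMP type and dst_port the code (a common exporter convention).
"""
from collections import defaultdict

# Well-known UDP service ports abused as reflectors. The source port of a
# flow hitting the victim tells you which vector is in use.
REFLECTOR_PORTS = {
    1900: "ssdp-reflection",
    123: "ntp-amplification",
    53: "dns-amplification",
}

# Constructed sample export; the victim address is the corrected one from the thread.
VICTIM = "74.119.98.141"
SAMPLE_FLOWS = """\
203.0.113.10 1900 74.119.98.141 80 udp 400 128000
203.0.113.11 1900 74.119.98.141 443 udp 350 112000
198.51.100.7 123 74.119.98.141 22 udp 200 96000
198.51.100.9 53 74.119.98.141 21 udp 50 60000
192.0.2.5 3 74.119.98.141 3 icmp 20 1120
192.0.2.77 51234 74.119.98.141 443 tcp 12 1800
"""


def parse_flows(text):
    """Parse the whitespace-separated export into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, pkts, byts = line.split()
        flows.append({
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "packets": int(pkts), "bytes": int(byts),
        })
    return flows


def classify(flow):
    """Return the attack vector label for one flow toward the victim."""
    if flow["proto"] == "udp" and flow["sport"] in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[flow["sport"]]
    if flow["proto"] == "icmp" and flow["sport"] == 3:
        # ICMP type 3 (destination unreachable): error replies that come
        # back when reflected traffic or the victim's responses hit
        # hosts or ports that do not accept them.
        return "icmp-error"
    return "other"


def summarize(flows, victim):
    """Aggregate bytes, packets and distinct sources per vector for a victim."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for f in flows:
        if f["dst"] != victim:
            continue
        t = totals[classify(f)]
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
        t["sources"].add(f["src"])
    return {
        label: {
            "bytes": t["bytes"],
            "packets": t["packets"],
            "sources": len(t["sources"]),
            # Average datagram size: large UDP packets from service ports
            # are the tell-tale of amplified replies rather than client queries.
            "avg_pkt": t["bytes"] // t["packets"] if t["packets"] else 0,
        }
        for label, t in totals.items()
    }


if __name__ == "__main__":
    report = summarize(parse_flows(SAMPLE_FLOWS), VICTIM)
    for label, stats in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{label:18s} bytes={stats['bytes']:>8d} pkts={stats['packets']:>5d} "
              f"srcs={stats['sources']:>3d} avg_pkt={stats['avg_pkt']}")
```

On a real export the interesting columns are the per-vector byte share and the source count: a handful of high-volume sources on port 1900 points at a few open SSDP responders worth reporting to their operators, while the ICMP error volume is a by-product that mitigation teams can usually rate-limit rather than chase.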
________________________________
From: Smith, Donald
Sent: Thursday, April 23, 2015 4:16 PM
To: 宫一鸣; baldwinl at mynetwatchman.com; nsp-security at puck.nether.net
Subject: RE: [nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461


LOL I have something like dyslexia for numbers.

I looked at your "correction" for more than a minute before I saw the 119 vs 199 correction.

Running now.



(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at centurylink.com<mailto:Donald.Smith at centurylink.com>
________________________________
From: 宫一鸣 [gongyiming at 360.cn]
Sent: Wednesday, April 22, 2015 12:29 AM
To: baldwinl at mynetwatchman.com; nsp-security at puck.nether.net; Smith, Donald
Subject: RE: [nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461

try 74.119.98.141

Sent from my phone

-----Original Message-----
From: Smith, Donald [Donald.Smith at CenturyLink.com]
Received: Tuesday, 21 April 2015, 4:48PM
To: Lawrence Baldwin [baldwinl at mynetwatchman.com]; nsp-security at puck.nether.net [nsp-security at puck.nether.net]
Subject: Re: [nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461

----------- nsp-security Confidential --------

FYI I did a netflow report for that IP and saw nothing.

(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at centurylink.com<mailto:Donald.Smith at centurylink.com>
________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Lawrence Baldwin [baldwinl at mynetwatchman.com]
Sent: Tuesday, April 21, 2015 3:44 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] bitcoinbountyhunter extortion DDoS attack -> cars.com (74.199.98.141) AS3356, AS6461

----------- nsp-security Confidential --------

This attack is ongoing as of 3:35 Central and is ongoing at the
moment, related to BCBH extortion activity.

Victim is already in contact with Nocs from Level 3 and Abovenet, but
if anyone here can help ensure that DDoS mitigation teams are engaged
I'd appreciate it.  I can be reached via mobile: 404-933-9511

Attack is UDP. I don't have payload, but from what I understand it's
NTP/DNS amplification activity.

Also, anyone working cases involving this crew I'm looking to do an LE
referral on it.

--
Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.