[nsp-sec] Reported amplification and reflection attacks on .es TeamSpeak servers

John Kristoff jtk at cymru.com
Mon Jul 6 13:07:07 EDT 2015


[ Apologies if you see this message multiple times - jtk ]

The DRG (Dragon Research Group) received the following email and I know
some others did as well.  This is not something we can help with
directly and I'm not sure we would even if we could, but I thought it
worth forwarding here for others to see, comment or follow up if
worthwhile.

From: "webmaster elhacker.net" <webmaster at elhacker.net>
To: dragon at dragonresearchgroup.org
Subject: [dragon] About large DrDDoS Attacks
Date: Mon, 6 Jul 2015 12:31:59 +0200

To whom it may concern,

I'm from Barcelona (Spain), and I'm the webmaster of elhacker.NET. I
have a TeamSpeak 3 server with an NPL licence, and I've talked to other
owners of Spanish-language TS servers, and all of them are receiving
DDoS attacks like me. Always using the same way: DrDDoS like NTP, Chargen and
SSDP (UPnP) attacks.

I know the person who is doing DDoS attacks against TeamSpeak servers. And I
have personal info about him, his real name, Facebook account, etc.

The attacks can generate 221k pps (packets per second) and 647Mb/s of input
traffic.

It's obvious if you see the Ranking of TS3 servers:

http://www.gametracker.com/search/ts3/

In the top 10 are 7 servers hosted at HosTeam.pl (IP range 178.217.0.0). Too
much coincidence.

Look at this:
http://forum.teamspeak.com/showthread.php/100725-Hosteam-pl-Unban-IP-pool-178-217-0-0-178-217-255-255-or-DDOS

The ISP HosTeam.pl is menacing TeamSpeak owners!!

HosTeam is menacing TeamSpeak.com, even though it is a Licensed Hosting
Provider?

And this in Polish:
http://translate.google.es/translate?hl=es&sl=pl&tl=en&u=http%3A%2F%2Fwww.mpcforum.pl%2Ftopic%2F1321218-oficjalny-server-teamspeakcom-pod-ciaglym-atakiem-ddos%2F


Please, can you help report a DDoS-for-hire service (a.k.a. "booters" or
"stressers")?

My TeamSpeak server has been receiving large DrDoS reflected attacks using NTP,
Chargen, and SSDP (UPnP) for 6 months, using this:

http://nuclearstress.xyz/
http://nuclearstress.eu/
http://ddos.army/stresser/login.php

The domains are behind CloudFlare.

Proof image:
http://i.imgur.com/wvIcazK.jpg

The attacks using SSDP can generate 693MB/s and 269k pps (packets per
second). I have proof of that: network graphs, logs, everything is
logged. Months ago I reported the IPs involved in the attack to the network
owners and national CERTs, but nothing changed.

Proof:
http://nuclearstress.xyz/stresser/tos.php
"Anonn.pl - Terms Of Service"

This person named Anonn.PL is doing DDoS attacks against TS3 servers. And I have
personal info about him, his real name, Facebook account, real photos, etc.

It seems Anonn.PL is a friend of HosTeam.pl, because they are promoting his services.

I've researched and found more information about this person named "AnonnPL"
aka "Mateusz Syryjczyk" from Poland. He's obviously doing the DDoS attacks; I
have proof. He's posting his attack methods on www.hackforums.net and he
is also the webmaster of TeamSpeakCrack.com (selling cracked licenses from
TeamSpeak) and offering DDoS-for-hire like NuclearStress.eu.

I have tons of attack logs and graphs, but all this info is well stored and
was reported a few months ago to the Spanish CERT and ShadowServer, who are
helping me report all the IPs involved in the attack.

Also, I've found this important info on pastebin:
http://pastebin.com/6K9SMQnj

Search for "banda xmateo" on pastebin for more information.

It seems Klaudia Szczepańska is the confidant, leaking information:
https://www.facebook.com/klaudia.szczepanska.5249

But Klaudia and Mateusz are friends on Facebook, so I don't understand it at
all....

Anonn.PL is Mateusz Syryjczyk
https://www.facebook.com/Mateo.xMateo

But this is real proof:
Mateusz Syryjczyk <https://www.facebook.com/Mateo.xMateo?fref=nf>
14 December 2014
<https://www.facebook.com/Mateo.xMateo/posts/493000847507346> ·

I invite you to buy.
Link to site: http://anonn.pl/

Total power: 150Gb+

Method:
SSDP
SSDPPL
UDP
CHARGEN
NTP
SNMP
XSYN
SYN-ACK
SYN-RST
TCP-ACK
#################

Thank you in advance.

Can you help me?

Best regards from Spain.
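The reporter above identifies the reflected traffic by its vectors (NTP, Chargen, SSDP, SNMP) and by its packet and bit rates. As an added illustration, not part of the original post and not code from the DRG or the reporter, the following Python script classifies sampled UDP flow records by reflector source port (reflected traffic arrives from the abused service's well-known port) and summarises per-vector pps and Mb/s, which is the kind of first-pass triage a defender runs over flow logs before filing abuse reports. The flow records, IP addresses (documentation ranges) and the 10,000 pps alert threshold are all constructed for the example.

```python
"""Classify sampled UDP flow records into known reflection vectors and
summarise per-vector packet and bit rates (added example, constructed data)."""
from collections import defaultdict

# Well-known UDP service ports abused as reflectors, keyed by SOURCE port:
# a reflected packet comes from the reflector's service port, not from the
# attacker, so the source port is the first thing to look at.
REFLECTOR_PORTS = {
    123: "NTP",
    19: "CHARGEN",
    1900: "SSDP",
    161: "SNMP",
}

# Constructed sample flow records (not real traffic). Fields:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes, duration_s)
# 203.0.113.10:9987 stands in for a TeamSpeak 3 voice server.
SAMPLE_FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 9987, "udp", 60000, 28800000, 1.0),
    ("198.51.100.8", 1900, "203.0.113.10", 9987, "udp", 120000, 38400000, 1.0),
    ("198.51.100.9", 19, "203.0.113.10", 9987, "udp", 40000, 40000000, 1.0),
    ("192.0.2.5", 53, "203.0.113.10", 53512, "udp", 3, 300, 1.0),       # ordinary DNS reply
    ("192.0.2.6", 44321, "203.0.113.10", 9987, "udp", 50, 6000, 1.0),   # ordinary TS3 client
    ("192.0.2.7", 443, "203.0.113.10", 51000, "tcp", 200, 150000, 1.0), # TCP, ignored
]


def classify(flow):
    """Return the reflection vector name for a flow, or None if it is not
    UDP traffic from a known reflector service port."""
    _src_ip, src_port, _dst_ip, _dst_port, proto, _pkts, _nbytes, _dur = flow
    if proto != "udp":
        return None
    return REFLECTOR_PORTS.get(src_port)


def summarise(flows):
    """Aggregate flows per vector and return
    {vector: {"pps", "mbps", "bytes_per_pkt", "reflectors"}}.
    Rates are computed over the longest duration seen for that vector."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "duration": 0.0,
                               "reflectors": set()})
    for flow in flows:
        vector = classify(flow)
        if vector is None:
            continue
        src_ip, _, _, _, _, packets, nbytes, duration = flow
        entry = agg[vector]
        entry["packets"] += packets
        entry["bytes"] += nbytes
        entry["duration"] = max(entry["duration"], duration)
        entry["reflectors"].add(src_ip)  # distinct reflector IPs to report

    summary = {}
    for vector, entry in agg.items():
        dur = entry["duration"] or 1.0
        summary[vector] = {
            "pps": entry["packets"] / dur,
            "mbps": entry["bytes"] * 8 / dur / 1e6,
            "bytes_per_pkt": entry["bytes"] / entry["packets"],
            "reflectors": len(entry["reflectors"]),
        }
    return summary


def total_rate(summary):
    """Total (pps, mbps) across all classified reflection vectors."""
    pps = sum(s["pps"] for s in summary.values())
    mbps = sum(s["mbps"] for s in summary.values())
    return pps, mbps


def alert(summary, pps_threshold=10000):
    """Vectors whose packet rate exceeds the (constructed) alert threshold,
    sorted so the result is stable for reporting."""
    return sorted(v for v, s in summary.items() if s["pps"] >= pps_threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_FLOWS)
    for vector, stats in sorted(s.items()):
        print(f"{vector:8s} {stats['pps']:>9.0f} pps {stats['mbps']:>7.1f} Mb/s "
              f"{stats['bytes_per_pkt']:>6.0f} B/pkt from {stats['reflectors']} reflector(s)")
    print("total:", total_rate(s))
    print("alert on:", alert(s))
```

The per-vector reflector IP set is what goes into the abuse report to each reflector's network owner, and the bytes-per-packet column is a useful sanity check: genuine client traffic on the voice port is small, while reflected NTP monlist, chargen and SSDP responses are consistently large.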
