Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for January 21st, 2010

DD0S

1.16.2010 DD0S


122.166.145.121:26201 ABTS (Karnataka)
122.166.145.121:26205 ABTS-KK-dynamic-121.145.166.122.airtelbroadband.in
122.177.210.215:62585 ABTS-North-Dynamic-215.210.177.122.airtelbroadband.in
153.91.127.62:49462 CMSU-NET
166.137.138.217:52732 mobile-166-137-138-217.mycingular.net
174.129.104.29:19365 AMAZON-EC2-5
195.148.124.67:44787 tor-exit.research.netlab.hut.fi
206.53.157.33:34759 Research in motion
207.46.199.180:34748 Microsoft
208.74.66.38:56268 Centauri Comms
212.42.236.140:34414 torproject.org.all.de
216.129.119.81:40460 Layer42.Net, Inc
216.24.142.46:36536 flx1-ppp46.lvdi.net
216.24.142.47:30721 ViaWest
216.24.142.47:30790 ViaWest
217.109.117.196:3039 FR-METALLERIE-VILLEMIN
38.105.83.12:1045 PSINet, Inc.
58.120.227.83:53110 skbroadband.com
62.141.58.13:33615 gpftor3.privacyfoundation.de
64.13.147.189:65129 Silicon Valley Colocation, Inc.
65.28.107.32:56901 Road Runner HoldCo LLC
66.249.65.154:56038 crawl-66-249-65-154.googlebot.com
66.65.83.160:1129 Road Runner HoldCo LLC
66.90.75.206:33389 tor-proxy.fejk.se
67.187.160.163:64024 COMCAST
67.218.99.195:36592 Layer42.Net, Inc.
68.171.233.136:36907 68-171-233-136.rdns.blackberry.net
69.171.160.51:2915 Cricket Communications Inc
71.163.48.147:52814 pool-71-163-48-147.washdc.fios.verizon.net
72.13.91.40:50761 Edgios Inc.
72.134.34.115:3023 Road Runner HoldCo LLC
72.24.119.58:64443 CABLE ONE Inc.
75.18.162.20:55596 adsl-75-18-162-20.dsl.pltn13.sbcglobal.net
76.14.6.39:65380 Wave Broadband
76.21.215.156:50094 c-76-21-215-156.hsd1.dc.comcast.net
76.64.53.68:60084 bas1-toronto48-1279276356.dsl.bell.ca
78.111.32.200:2998 TELINEA BOSNIA
78.142.140.194:49621 SIL-UBIT
83.149.199.54:29898 dvina.ispras.ru
85.114.136.243:36674 SK-Gaming via gamed.de Gameserver
89.151.116.54:41502 Asuk Creative Limited
91.121.85.14:52998 OVH SAS
92.228.132.21:62133 g228132021.adsl.alicedsl.de
93.182.186.79:56824 anon-79-186.ipredate.net
97.125.27.9:51773 97-125-27-9.eugn.qwest.net
98.90.16.193:61547 adsl-90-16-193.mob.bellsouth.net
1.17.2010 DD0S


109.196.50.26 ip-109196050026.syrion.pl
121.162.45.7 KORNET TOR node
123.243.14.14 123-243-14-14.static.tpgi.com.au
125.160.110.139 139.subnet125-160-110.speedy.telkom.net.id
137.99.167.41 d167h41.resnet.uconn.edu
166.90.142.9 nat.kosmix.com
166.90.142.9 nat.kosmix.com
174.6.186.66 SHAWCABLE.NETE.NET
192.251.226.206 BLUTMAGIE Olaf Selke
193.86.233.2 anonymizer2.blutmagie.de
201.13.162.63 201-13-162-63.dial-up.telesp.net.br
204.8.156.142 cs-tor.bu.edu
208.187.80.130 goliath.word-to-the-wise.com
209.44.114.178 pasquino.netelligent.ca
216.224.124.124 tor-exit.aof.su
217.114.215.227 hosted-by-vps-hosting.co.uk
38.103.37.243 Exploit Prevention Labs
58.65.72.42 SCSNET-CATV-SEOKYUNG
61.32.46.4 BORANET-1 Seoul
62.75.185.133 tor-readme.spamt.net
64.252.57.54 64-252-57-54.adsl.snet.net
66.230.230.230 Neucom Inc.
71.224.152.176 c-71-224-152-176.hsd1.pa.comcast.net
87.118.104.203 spftor1.privacyfoundation.de
89.77.30.227 chello089077030227.chello.pl
91.121.67.117 isp.futursite.net
96.225.135.36 pool-96-225-135-36.nrflva.fios.verizon.net


Pcaps have been parsed, there is much too much for a full disclosure, besides I don’t want to give out everything. Pcaps and forensics report have been passed to the authorities carrying out the investigation to add to the other data that they have gotten elsewhere.

The basics of the attack as of his last hit on me are these:

  • Using TOR nodes as well as perhaps a proxy, but most likely just tor sessions. If he were sneaky like though, he would be proxying to a box that then has poisoned TOR nodes at their disposal
  • Other compromised or complicit machines are also being used (admins will be contacted by the authorities). I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the Jihadi websites out there. For every one you take down, there are 5 more mirrors out there for content to be broadcast from
  • Much of the traffic was being sent from the EU focusing in the DE region, but there was also some Korea in there
  • 30 minutes at a time.. Either paying for increments of time to a botherd, or, the TOR nodes throttle out as this is something they do to try and prevent this type of misuse
  • He’s using a combination of syn/fin TCP callouts to flood the system with junk and hose the webserver.
  • In the last attack he was using what looked like canned scan scripts to flood the server with junk calls for different protocols/ports etc
  • He seems to have been using a C&C system that would call up a JavaScript to check if the DDoS was in fact working. Now, if the script was working with the home IP address of the box initiating, then perhaps the GETs like the FIOS address were actually his box looking for a file. Or maybe it was someone working with him… Or.. Them.
  • The FIOS address made a DIRECT call out to my webserver looking for a WMV file. That file has only been linked to my WordPress blog from some time back. This access coincided with the timing of the attack to be used as a method of seeing how the server was responding. By looking at the download bar one could tell just how horked the system was. As well, the download initiation would also engage much of the server's bandwidth, making the attack work even faster. Would he be that foolish to actually make this mistake? He is rather full of himself so, yeah, he seemed to think that I was some IT auditor without skills so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…
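As an added example (not the blog author's code or anything from the investigation), the two defender-side checks a triage script would run over the kind of data listed above: a parser for the post's "ip[:port] hostname-or-owner" entry format with a hostname heuristic for Tor exits, and a sliding-window detector for sources sending the invalid SYN+FIN flag combination. The packet records are constructed for the demo, the hostname keywords are a heuristic rather than an authoritative exit-node list, and the thresholds are arbitrary.

```python
"""Triage helpers for the patterns described in the post (added example).

All packet records below are constructed; the entry samples are copied from
the post's own lists. The Tor hostname check is a keyword heuristic -- a real
check would consult a published exit-node list instead.
"""
import re
from collections import defaultdict

# Entries in the page's format: "ip[:port] hostname-or-owner".
SAMPLE_ENTRIES = [
    "195.148.124.67:44787 tor-exit.research.netlab.hut.fi",
    "62.141.58.13:33615 gpftor3.privacyfoundation.de",
    "71.163.48.147:52814 pool-71-163-48-147.washdc.fios.verizon.net",
    "121.162.45.7 KORNET TOR node",
    "193.86.233.2 anonymizer2.blutmagie.de",
    "66.249.65.154:56038 crawl-66-249-65-154.googlebot.com",
]

ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s+(.*)$")
# Heuristic only: naming conventions exit-node operators commonly use.
TOR_HINT_RE = re.compile(
    r"\btor\b|tor-|-tor|tor\d|torproject|anonymi|blutmagie", re.IGNORECASE
)


def parse_entry(line):
    """Split one list line into ip, port (None if absent) and description."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    ip, port, desc = m.groups()
    return {"ip": ip, "port": int(port) if port else None, "desc": desc}


def tor_sources(entries):
    """Sorted, de-duplicated IPs whose description looks like a Tor exit."""
    parsed = (parse_entry(e) for e in entries)
    return sorted({e["ip"] for e in parsed if e and TOR_HINT_RE.search(e["desc"])})


SYN, FIN = 0x02, 0x01  # TCP flag bits; SYN together with FIN is never legitimate

# Constructed packet records: (timestamp_seconds, src_ip, tcp_flags)
SAMPLE_PACKETS = (
    [(t, "10.0.0.5", SYN | FIN) for t in range(40)]          # flood: 40 SYN+FIN over 40 s
    + [(t, "10.0.0.9", SYN) for t in range(5)]               # ordinary handshakes
    + [(20, "10.0.0.7", SYN | FIN), (21, "10.0.0.7", SYN | FIN)]  # stray oddities, below threshold
)


def synfin_floods(packets, window=30, threshold=10):
    """Return {src: peak_count} for sources that sent at least `threshold`
    SYN+FIN packets inside any `window`-second span."""
    per_src = defaultdict(list)
    for ts, src, flags in packets:
        if flags & SYN and flags & FIN:
            per_src[src].append(ts)
    hits = {}
    for src, times in per_src.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print("tor-looking sources:", tor_sources(SAMPLE_ENTRIES))
    print("syn+fin flooders:", synfin_floods(SAMPLE_PACKETS))
```

The flag test keys on the SYN+FIN combination because no valid TCP state machine emits it, so even a low count per source is worth a look; the window threshold is what separates a flood from a few malformed probes.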

Once the investigators do their thing, the nodes that they can reach will be closed. The TOR server admins will be told about the events, and if they are keeping any logging at all, they likely will help out. However, TOR is really meant to not have any logging. Kinda like ANONINE, the proxy he has been using.

Also while looking about I noticed that mypetjawa seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe it’s just an internal server error 500 as I see when I search their site directly, but it’s in their archive if you Google it. I am sure that DD0S-ing that site pretty much makes j35t3r no friends on either side of the political situation there.

… And me? My site? Still up.

Well, it’s no biggie if it’s down here and there. But, the opportunity to capture all the packet traffic, as well as get that .ru hotmail account from his direct correspondence, is helping the boys do their thing. Of late though he has laid off with only the occasional twitter taunt to get me to respond.

Weak attempts at best.. And such bravado talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own I think.

It’s mostly out of my hands now… Oh and deleting Twitters won’t be helping either.. Google cache is a wonderful thing.

Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.

Cheers,

CoB

Written by Krypt3ia

2010/01/21 at 03:19