Archive for January 21st, 2010
DD0S
1.16.2010 DD0S
|
|
122.166.145.121:26201 | ABTS (Karnataka), |
122.166.145.121:26205 | ABTS-KK-dynamic-121.145.166.122.airtelbroadband.in |
122.177.210.215:62585 | ABTS-North-Dynamic-215.210.177.122.airtelbroadband.in |
153.91.127.62:49462 | CMSU-NET |
166.137.138.217:52732 | mobile-166-137-138-217.mycingular.net |
174.129.104.29:19365 | AMAZON-EC2-5 |
195.148.124.67:44787 | tor-exit.research.netlab.hut.fi |
206.53.157.33:34759 | Research in motion |
207.46.199.180:34748 | Microsoft |
208.74.66.38:56268 | Centauri Comms |
212.42.236.140:34414 | torproject.org.all.de |
216.129.119.81:40460 | Layer42.Net, Inc |
216.24.142.46:36536 | flx1-ppp46.lvdi.net |
216.24.142.47:30721 | ViaWest |
216.24.142.47:30790 | ViaWest |
217.109.117.196:3039 | FR-METALLERIE-VILLEMIN |
38.105.83.12:1045 | PSINet, Inc. |
58.120.227.83:53110 | skbroadband.com |
62.141.58.13:33615 | gpftor3.privacyfoundation.de |
64.13.147.189:65129 | Silicon Valley Colocation, Inc. |
65.28.107.32:56901 | Road Runner HoldCo LLC |
66.249.65.154:56038 | crawl-66-249-65-154.googlebot.com |
66.65.83.160:1129 | Road Runner HoldCo LLC |
66.90.75.206:33389 | tor-proxy.fejk.se |
67.187.160.163:64024 | COMCAST |
67.218.99.195:36592 | Layer42.Net, Inc. |
68.171.233.136:36907 | 68-171-233-136.rdns.blackberry.net |
69.171.160.51:2915 | Cricket Communications Inc |
71.163.48.147:52814 | pool-71-163-48-147.washdc.fios.verizon.net |
72.13.91.40:50761 | Edgios Inc. |
72.134.34.115:3023 | Road Runner HoldCo LLC |
72.24.119.58:64443 | CABLE ONE Inc. |
75.18.162.20:55596 | adsl-75-18-162-20.dsl.pltn13.sbcglobal.net |
76.14.6.39:65380 | Wave Broadband |
76.21.215.156:50094 | c-76-21-215-156.hsd1.dc.comcast.net |
76.64.53.68:60084 | bas1-toronto48-1279276356.dsl.bell.ca |
78.111.32.200:2998 | TELINEA BOSNIA |
78.142.140.194:49621 | SIL-UBIT |
83.149.199.54:29898 | dvina.ispras.ru |
85.114.136.243:36674 | SK-Gaming via gamed.de Gameserver |
89.151.116.54:41502 | Asuk Creative Limited |
91.121.85.14:52998 | OVH SAS |
92.228.132.21:62133 | g228132021.adsl.alicedsl.de |
93.182.186.79:56824 | anon-79-186.ipredate.net |
97.125.27.9:51773 | 97-125-27-9.eugn.qwest.net |
98.90.16.193:61547 | adsl-90-16-193.mob.bellsouth.net |
1.17.2010 DD0S
|
|
109.196.50.26 | ip-109196050026.syrion.pl |
121.162.45.7 | KORNET TOR node |
123.243.14.14 | 123-243-14-14.static.tpgi.com.au |
125.160.110.139 | 139.subnet125-160-110.speedy.telkom.net.id |
137.99.167.41 | d167h41.resnet.uconn.edu |
166.90.142.9 | nat.kosmix.com |
166.90.142.9 | nat.kosmix.com |
174.6.186.66 | SHAWCABLE.NETE.NET |
192.251.226.206 | BLUTMAGIE Olaf Selke |
193.86.233.2 | anonymizer2.blutmagie.de |
201.13.162.63 | 201-13-162-63.dial-up.telesp.net.br |
204.8.156.142 | cs-tor.bu.edu |
208.187.80.130 | goliath.word-to-the-wise.com |
209.44.114.178 | pasquino.netelligent.ca |
216.224.124.124 | tor-exit.aof.su |
217.114.215.227 | hosted-by-vps-hosting.co.uk |
38.103.37.243 | Exploit Prevention Labs |
58.65.72.42 | SCSNET-CATV-SEOKYUNG |
61.32.46.4 | BORANET-1 Seoul |
62.75.185.133 | tor-readme.spamt.net |
64.252.57.54 | 64-252-57-54.adsl.snet.net |
66.230.230.230 | Neucom Inc. |
71.224.152.176 | c-71-224-152-176.hsd1.pa.comcast.net |
87.118.104.203 | spftor1.privacyfoundation.de |
89.77.30.227 | chello089077030227.chello.pl |
91.121.67.117 | isp.futursite.net |
96.225.135.36 | pool-96-225-135-36.nrflva.fios.verizon.net
|
Pcaps have been parsed, there is much too much for a full disclosure, besides I don’t want to give out everything. Pcaps and forensics report have been passed to the authorities carrying out the investigation to add to the other data that they have gotten elsewhere.
The basics of the attack as of his last hit on me are these:
- Using TOR nodes as well as perhaps a proxy, but most likely just tor sessions. If he were sneaky like though, he would be proxying to a box that then has poisoned TOR nodes at their disposal
- Other compromised or complicit machines are also being used (admins will be being contacted by authorities) I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the Jihadi websites out there. For every one you take down, there are 5 more mirrors out there for content to be broadcast from
- Much of the traffic was being sent from the EU focusing in the DE region, but there was also some Korea in there
- 30 minutes at a time.. Either paying for increments of time to a botherd, or, the TOR nodes throttle out as this is something they do to try and prevent this type of misuse
- He’s using a combination of syn/fin TCP callouts to flood the system with junk and hose the webserver.
- In the last attack he was using what looked like canned scan scripts to flood the server with junk calls for different protocols/ports etc
- He seems to have been using a C&C system that would call up a java script to check if the DDoS was in fact working. Now, if the script was working with the home IP address of the box initiating, then perhaps the GET’s like the FIOS address were actually his box looking for a file. Or maybe it was someone working with him… Or.. Them.
- The FIOS address made a DIRECT call out to my webserver looking for a WMV file. That file has only been linked to my WordPress blog from some time back. This access coincided with the timing of the attack to be used as a method of seeing how the server was responding. By looking at the download bar one could tell just how horked the system was. As well, the download initiation would also engage much of the servers bandwith making the attack work even faster. Would he be that foolish to actually make this mistake? He is rather full of himself so, yeah, he seemed to think that I was some IT auditor without skills so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…
Once the investigators do their thing, the nodes that they can reach will be closed. The TOR server admins will be told about the events, and if they are keeping any logging at all, they likely will help out. However, the TOR is really meant to not have any logging. Kinda like ANONINE the proxy he has been using.
Also while looking about I noticed that mypetjawa, seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe its just an internal server error 500 as I see when I search their site directly, but its in their archive if you Google it. I am sure that DD0S-ing that site pretty much makes j35t3r no friends on either side of the political situation there.
… And me? My site? Still up.
Well, it’s no biggie if its down here and there. But, the opportunity to capture all the packet traffic, as well as get that .ru hotmail account from his direct correspondence is helping the boys do their thing. Of late though he has laid off with only the occasional twitter taunt to get me to respond.
Weak attempts at best.. And such bravado talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own I think.
It’s mostly out of my hands now… Oh and deleting Twitters won’t be helping either.. Google cache is a wonderful thing.
Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.
Cheers,
CoB