DD0S
1.16.2010 DD0S
1.17.2010 DD0S
Pcaps have been parsed; there is much too much for a full disclosure, and besides, I don’t want to give out everything. The pcaps and forensics report have been passed to the authorities carrying out the investigation, to add to the other data that they have gotten elsewhere.
The basics of the attack as of his last hit on me are these:
- Using TOR nodes as well as perhaps a proxy, but most likely just tor sessions. If he were sneaky like though, he would be proxying to a box that then has poisoned TOR nodes at their disposal
- Other compromised or complicit machines are also being used (admins will be contacted by the authorities). I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the Jihadi websites out there. For every one you take down, there are 5 more mirrors out there for content to be broadcast from
- Much of the traffic was being sent from the EU focusing in the DE region, but there was also some Korea in there
- 30 minutes at a time.. Either paying for increments of time to a botherd, or, the TOR nodes throttle out as this is something they do to try and prevent this type of misuse
- He’s using a combination of SYN/FIN TCP callouts to flood the system with junk and hose the webserver.
- In the last attack he was using what looked like canned scan scripts to flood the server with junk calls for different protocols/ports, etc.
- He seems to have been using a C&C system that would call up a JavaScript to check if the DDoS was in fact working. Now, if the script was working with the home IP address of the box initiating, then perhaps the GETs like the FIOS address were actually his box looking for a file. Or maybe it was someone working with him… Or.. Them.
- The FIOS address made a DIRECT call out to my webserver looking for a WMV file. That file has only been linked to my WordPress blog from some time back. This access coincided with the timing of the attack, to be used as a method of seeing how the server was responding. By looking at the download bar one could tell just how horked the system was. As well, the download initiation would also engage much of the server’s bandwidth, making the attack work even faster. Would he be that foolish to actually make this mistake? He is rather full of himself so, yeah, he seemed to think that I was some IT auditor without skills, so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…
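As an added example (not code from the original post), a small detector for the bare SYN/FIN probe pattern described in the list above; the packet summary lines, addresses and threshold are constructed for illustration:

```python
# Added example (not the post's code): flag sources whose TCP traffic looks like
# a SYN/FIN flood. Input lines are constructed: "<epoch> <src_ip> <dst_port> <flags>".
from collections import Counter, defaultdict

# Constructed sample: one flood source mixing bare SYNs and FINs across ports plus an
# invalid SYN+FIN packet, and one normal client that completes a handshake.
SAMPLE = """\
1263628800 10.0.0.5 80 S
1263628801 10.0.0.5 443 S
1263628801 10.0.0.5 22 F
1263628802 10.0.0.5 8080 SF
1263628802 10.0.0.5 25 S
1263628803 10.0.0.5 110 F
1263628800 192.0.2.10 80 S
1263628800 192.0.2.10 80 A
1263628801 192.0.2.10 80 PA
"""

SYN_FIN_THRESHOLD = 5  # bare SYN/FIN packets per source before it is flagged

def parse(lines):
    """Yield (timestamp, src, dport, flags) from the one-packet-per-line summary."""
    for line in lines.strip().splitlines():
        ts, src, dport, flags = line.split()
        yield int(ts), src, int(dport), flags

def analyse(lines):
    """Per source: flag counters and the set of destination ports touched."""
    counts = defaultdict(Counter)
    ports = defaultdict(set)
    for _, src, dport, flags in parse(lines):
        ports[src].add(dport)
        if flags == "SF":
            counts[src]["syn_fin"] += 1  # SYN and FIN together is never legitimate
        elif flags == "S":
            counts[src]["syn"] += 1
        elif flags == "F":
            counts[src]["fin"] += 1
        elif "A" in flags:
            counts[src]["ack"] += 1      # an ACK means a real handshake completed
    return {src: (dict(c), ports[src]) for src, c in counts.items()}

def suspects(lines, threshold=SYN_FIN_THRESHOLD):
    """Sources sending an invalid SYN+FIN, or many bare SYN/FIN probes with no ACKs."""
    flagged = []
    for src, (c, p) in analyse(lines).items():
        bare = c.get("syn", 0) + c.get("fin", 0) + c.get("syn_fin", 0)
        if c.get("syn_fin") or (bare >= threshold and not c.get("ack")):
            flagged.append((src, bare, len(p)))  # (source, probe count, ports hit)
    return sorted(flagged)
```

On real captures the same per-source counters can be fed from a pcap parser, and the threshold tuned to the 30-minute bursts the post describes.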
Once the investigators do their thing, the nodes that they can reach will be closed. The TOR server admins will be told about the events, and if they are keeping any logging at all, they likely will help out. However, the TOR is really meant to not have any logging. Kinda like ANONINE the proxy he has been using.
Also, while looking about I noticed that mypetjawa seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe it’s just an internal server error 500, as I see when I search their site directly, but it’s in their archive if you Google it. I am sure that DD0S-ing that site pretty much makes j35t3r no friends on either side of the political situation there.
… And me? My site? Still up.
Well, it’s no biggie if it’s down here and there. But the opportunity to capture all the packet traffic, as well as get that .ru hotmail account from his direct correspondence, is helping the boys do their thing. Of late though he has laid off, with only the occasional Twitter taunt to get me to respond.
Weak attempts at best.. And such bravado talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own I think.
It’s mostly out of my hands now… Oh and deleting Twitters won’t be helping either.. Google cache is a wonderful thing.
Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.
Cheers,
CoB
Dammit Scot, what am I gonna do? You got me, and now you have passed on your fantastic sleuth-work on to the darling feds, I am surely totally screwed right?
Well done Scot, you managed to (somehow) check your own log files, shit, that’s so clever of you. Why did I not think you might do that in advance?
Oh, cease fire. I did. PS if your next tactic is about the time of day I am active, therefore you can determine my whereabouts, you are being made to look a fool on that count too. But I am sure you need a straw to grasp judging from your latest effort. You really need to stop trying to save your face, it makes you look massively silly. Also I am also in direct contact with Government depts. maybe even some you have never even heard of.
They deem you and your jihad training material irrelevant (xxxx) and they regard me as even less of a priority, so why don’t you quit your sad little campaign, and quit following me round the press articles, you look so stupid. Especially when people come back here to see what the story is. But then I suppose that’s what you want – hits. On a wordpress blog. Get a life. Nobody cares about you or me.
You do your stuff, and I will do mine. If you continue to try and exploit my name for your own blog traffic benefits, you will feel me. For now I am happy to let you make yourself look like a fool. You do it so well.
So Scot, – I propose a truce, so I can get on with the task at hand, I am wasting far too much time replying to you, and you being the infosec guru that you are, I am sure your time would be spent far better not doing natty little jpgs of nodes, and examining your logs, and googling for posts referencing me so you can have your say.
You sir, are boring, and I am bored, this is the last time your blog gets any more airtime from me.
You have nothing to say, and you say it too damn loud.
Good morning to you.
J
x
j35t3r
2010/01/21 at 23:14
Magnanimous….
crabbyolbastard
2010/01/22 at 04:48
Interesting Gambit you’re playing…
Touched a bit of a nerve there, huh? As I read your reply the psychological term “Transference” comes to mind. You see, I was not seeking any attention and you came to me. So, your whole contention that I am using you for WordPress traffic is ludicrous.
Honestly, if I had absolutely no merit to any of my findings or arguments, then surely you could just ignore me correct? Instead, you come at me with threats that your “handlers” and you will take care of me if I don’t lay off with my clueless meanderings. So, your spastic response tells me a few things.
First off, I get under your skin. Which, I rather enjoy. I have played you rather well here. You are easy to goad into response and I have obviously gotten a rise out of you. This usually is a symptom of poor impulse control. Your actions now tell me that either you have realized there is nothing more you can do, or, you in fact got a slap from your betters and were told to lay off. Either way, I win.
Second, some or all of the things I have said have some merit, if they are not dead on.
Third, IF, and that is a BIG IF you are indeed a condoned asset for a government/DoD entity, you are not a “covered” one. This means that you are on your own when you get burned. You may be the “Tip of the Spear” in some machination to create a “patriot hacker” movement, but, your actions bespeak a personality that will eventually make some large mistakes. When that happens, and you become a liability, then your masters will leave you high and dry.
Fourth, if you are indeed not working for any GOV/MIL entity, then you just opened the door to pissing them off and looking for you just out of spite. So, keep on going the way you are and see.
Lastly, much of my mind is leaning toward the idea that you are just full of shit. You speak of all these things to make you look important, but in the scheme of things you are very much the opposite and you know it. So you put out more and more energy to make yourself important.
In the end, you will be a footnote, nothing more.
crabbyolbastard
2010/01/22 at 16:01
[…] my little incident with j35t3r I have been paying more attention again to the IDS. In the last few days alone the system has seen […]
Sensing A Pattern « Crabbyolbastard Ruminates
2010/01/24 at 01:52
[…] since they aren’t the ones who are likely going to run to the authorities. The ones that are talking are making their own assumptions and are mostly conjecture. So, it’s likely we won’t […]
innismir.net — A man’s got to know his limitations. Dirty Harry, th3j35t3r, ethics, and InfoSec
2010/02/03 at 17:33