The New Normal: 200-400 Gbps DDoS Attacks — Krebs on Security

15/2/14 3:22 pm


Krebs on Security In-depth security news and investigation

14 Feb 14

The New Normal: 200-400 Gbps DDoS Attacks

Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common.

At issue is a service that a great many Internet-facing servers run, the Network Time Protocol (NTP), which is used to sync the date and time between machines on a network. The problem isn’t with NTP itself, per se, but with certain outdated or default-configured implementations of it that attackers can use to turn a relatively negligible attack into something much, much bigger. Symantec‘s writeup on this threat from December 2013 explains the problem succinctly:

“Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP address. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic.”

Two things make this work, and both show up in the numbers below. The query goes out over UDP with its source address forged to be the victim’s, so the server’s replies go to the victim rather than to the attacker; and the reply (up to 600 entries, spread over many packets) is hundreds of times larger than the query, so every open server multiplies whatever bandwidth the attacker actually has.

Matthew Prince, the CEO of Cloudflare — a company that helps Web sites stay online in the face of huge DDoS attacks — blogged Thursday about a nearly 400 Gbps attack that recently hit one of the company’s customers and leveraged NTP amplification. Prince said that while Cloudflare “generally [was] able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe.”

“Monday’s DDoS proved these attacks aren’t just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks,” Prince wrote. “On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare’s network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.”

NO TIME LIKE THE PRESENT

Prince suggests a number of solutions for cleaning up the problem that lets attackers bounce traffic off so many ill-configured NTP servers, and this is sound advice. But what that post does not mention is the reality that a great many of today’s DDoS attacks are being launched or coordinated by the same individuals who are running DDoS-for-hire services (a.k.a “booters”) which are hiding behind Cloudflare’s own free cloud protection services.

As I noted in a talk I gave last summer with Lance James at the Black Hat security conference in Las Vegas, a funny thing happens when you decide to operate a DDoS-for-hire Web service: Your service becomes the target of attacks from competing DDoS-for-hire services. Hence, a majority of these services have chosen to avail themselves of Cloudflare’s free content distribution service, which generally does a pretty good job of negating this occupational hazard for the proprietors of DDoS services.
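To make the amplification described in the Symantec and Cloudflare passages above concrete, here is an added example (my code, not Krebs’, Symantec’s or Cloudflare’s). It builds the 8-byte NTP mode 7 monlist request that scanners and booters send, stands in for a vulnerable ntpd by constructing the chain of replies for a full 600-entry client table, parses those replies the way a reconnaissance tool would, and computes the amplification factor. Nothing is sent on the wire: the replies are constructed, the 72-byte entry layout and the six-entries-per-reply split (a 500-byte data cap per reply packet) are assumptions taken from my reading of the ntpd source, and the addresses are made up. For servers you administer, the check is `ntpdc -n -c monlist <server>` from an outside host: any listing means the server is usable as a reflector, and `disable monitor` in ntp.conf (or a current ntpd release) closes it.

```python
import struct
from typing import Dict, List, Tuple

IMPL_XNTPD = 3            # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42    # the "monlist" request code
MON_ENTRY_SIZE = 72       # wire size of one monlist_1 entry (assumed layout below)
RESP_DATA_MAX = 500       # assumed: max data bytes ntpd packs into one mode 7 reply
ENTRIES_PER_REPLY = RESP_DATA_MAX // MON_ENTRY_SIZE   # 6


def build_monlist_request() -> bytes:
    """The 8-byte mode 7 packet that monlist scanners and booters send.
    Byte 0 packs response(1) | more(1) | version(3) | mode(3): 0,0,2,7 -> 0x17.
    Byte 1 is auth(1) | sequence(7); then implementation, request code,
    error(4)|nitems(12) and mbz(4)|item size(12), all zero in a request."""
    first = (0 << 7) | (0 << 6) | (2 << 3) | 7
    return struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> Dict[str, int]:
    """Decode the 8-byte header shared by mode 7 requests and replies."""
    if len(pkt) < 8:
        raise ValueError("mode 7 packet shorter than its 8-byte header")
    b0, b1, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": (b0 >> 7) & 1,
        "more": (b0 >> 6) & 1,
        "version": (b0 >> 3) & 0x7,
        "mode": b0 & 0x7,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": code,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def _ip4(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def _ip4_str(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def pack_mon_entry(remote_ip: str, local_ip: str, count: int) -> bytes:
    """One constructed IPv4 monlist_1 entry in the assumed 72-byte layout:
    avg_int, last_int, restr, count, addr, daddr, flags (7 x u32), port (u16),
    mode, version (u8 each), v6_flag, unused1 (u32 each), addr6, daddr6 (16 each)."""
    return (struct.pack("!7I", 0, 0, 0, count, _ip4(remote_ip), _ip4(local_ip), 0)
            + struct.pack("!HBB", 123, 3, 4)
            + struct.pack("!II", 0, 0)
            + bytes(32))


def unpack_mon_entry(data: bytes) -> Tuple[str, int]:
    """Return (client address, packet count) from one entry: the recon value."""
    _avg, _last, _restr, count, addr, _daddr, _flags = struct.unpack("!7I", data[:28])
    return _ip4_str(addr), count


def build_monlist_replies(entries: List[bytes]) -> List[bytes]:
    """Stand-in for a vulnerable ntpd: split the table into replies of
    ENTRIES_PER_REPLY entries each, sequence-numbered, 'more' set on all but the last."""
    chunks = [entries[i:i + ENTRIES_PER_REPLY]
              for i in range(0, len(entries), ENTRIES_PER_REPLY)]
    replies = []
    for seq, chunk in enumerate(chunks):
        more = 1 if seq < len(chunks) - 1 else 0
        b0 = (1 << 7) | (more << 6) | (2 << 3) | 7
        hdr = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                          len(chunk), MON_ENTRY_SIZE)
        replies.append(hdr + b"".join(chunk))
    return replies


def parse_monlist_replies(replies: List[bytes]) -> List[Tuple[str, int]]:
    """What the requester learns: every recent client of the reflector."""
    hosts = []
    for pkt in replies:
        h = parse_mode7_header(pkt)
        if not h["response"] or h["request_code"] != REQ_MON_GETLIST_1 or h["error"]:
            continue
        body, size = pkt[8:], h["item_size"]
        for i in range(h["nitems"]):
            hosts.append(unpack_mon_entry(body[i * size:(i + 1) * size]))
    return hosts


def amplification_factor(request: bytes, replies: List[bytes],
                         per_packet_overhead: int = 0) -> float:
    """Bytes the reflector sends to the spoofed source per byte the attacker sends.
    per_packet_overhead=28 charges IPv4+UDP headers to every packet on both sides."""
    sent = len(request) + per_packet_overhead
    received = sum(len(p) + per_packet_overhead for p in replies)
    return received / sent


def demo() -> Tuple[int, float, float, List[Tuple[str, int]]]:
    """Full 600-entry table, the most monlist returns; client addresses are made up."""
    entries = [pack_mon_entry(f"10.0.{i // 256}.{i % 256}", "203.0.113.9", i + 1)
               for i in range(600)]
    request = build_monlist_request()
    replies = build_monlist_replies(entries)
    return (len(replies),
            amplification_factor(request, replies),
            amplification_factor(request, replies, per_packet_overhead=28),
            parse_monlist_replies(replies))


if __name__ == "__main__":
    n, payload_ratio, wire_ratio, hosts = demo()
    print(f"{n} reply packets for one {len(build_monlist_request())}-byte request")
    print(f"amplification: {payload_ratio:.0f}x at the NTP layer, "
          f"{wire_ratio:.0f}x counting IP/UDP headers")
    print(f"first client the reflector gave away: {hosts[0]}")
```

The ratio is the whole story: one 8-byte query yields 100 packets and 44 kB of replies, a four-digit amplification at the NTP layer and still well over a thousand once IP and UDP headers are charged to both sides, which is consistent with Prince’s 1 Gbps-to-200 Gbps estimate. The same exchange also hands the requester the reflector’s client list, the reconnaissance use Symantec mentions.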

Lance James, Yours Truly, and Matthew Prince.

Mr. Prince took strong exception to my remarks at Black Hat, which observed that this industry probably would destroy itself without Cloudflare’s protection, and furthermore that some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services.

Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI. He said the company has a stated policy of not singling out one type of content over another, citing a fear of sliding down a slippery slope of censorship.

In a phone interview today, Prince emphasized that he has seen no indication that actual malicious packets are being sent out of Cloudflare’s network from the dozens of booter service Web sites that are using the service. Rather, he said, those booter services are simply the marketing end of these operations.

“The very nature of what we are trying to build is a system by which any content can be online and we can make denial-of-service attacks a thing of the past. But that means that some controversial content will end up on our network. We have an attack of over 100 Gbps almost every hour of every day. If I really thought it would solve the problem, and if our network was actually being used in these attacks, that’s a no-brainer. But I can’t get behind the idea that we should deny service to a marketing site just so that it can be attacked by these other sites, and that this will somehow make the problem go away. I don’t think that’s right, and it starts us down a slippery slope.”

As a journalist, I’m obviously extremely supportive of free speech rights. But it seems to me that most of these DDoS-for-hire services are — by definition — all about stifling speech.

Worse yet, over the past few months the individuals behind these offerings have begun to latch onto NTP attacks, said Allison Nixon, a researcher for NTT Com Security who spoke about DDoS protection bypass techniques at last year’s Black Hat.

“There is a growing awareness of NTP based attacks in the criminal underground in the past several months,” Nixon said. “I believe it’s because nobody realized just how many vulnerable servers are out there until recently.

“The technical problem of NTP amplification has been known for a long time. Now that more and more attack lists are being traded around, the availability of DDoS services with NTP attack functionality is on the rise.”

(S)KIDS JUST WANNA HAVE FUN

The shocking thing about these DDoS-for-hire services is that — as I’ve reported in several previous stories — a majority of them are run by young kids who apparently can think of no better way to prove how cool and “leet” they are than by wantonly knocking Web sites offline and by launching hugely disruptive assaults. Case in point: My site appears to have been attacked this week by a 15-year-old boy from Illinois who calls himself “Mr. Booter Master” online.

Prolexic Technologies, the company that has been protecting KrebsOnSecurity from DDoS attacks for the past 18 months, said the attack that hit my site this week clocked in just shy of 200 Gbps. A year or two ago, a 200 Gbps attack would have been close to the largest attack on record, but the general upswing in attack volume over the past year makes the biggest-attacks timeline look a bit like a hockey stick, according to a blog post on NTP attacks posted today by Arbor Networks. Arbor’s writeup speaks volumes about the motivations and maturity of the individuals behind a majority of these NTP attacks.

Source: Arbor Networks

The NTP attack on my site was short-lived — only about 10 minutes in duration, according to Prolexic. That suggested the attack was little more than a proof-of-concept, a demonstration. Indeed, shortly after the attack subsided, I heard from a trusted source who closely monitors hacker activity in the cybercrime underground. The source wanted to know if my site had recently been the subject of a denial-of-service attack. I said yes and asked what he knew about it. The source shared some information showing that someone using the nickname “Rasbora” had very recently posted several indicators in a private forum in a bid to prove that he had just launched a large attack against my site.
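Seen from the other side, from the network of one of the thousands of open servers Prince counted, an attack like the one above is a burst of port 123 replies to a single address that vastly outweighs anything that address sent. Here is an added example (mine, not from the post or any vendor it quotes) of that detection run over NetFlow-style records. The records are constructed, not a real capture; the CSV layout, the addresses and the thresholds are assumptions of the example.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set

# Constructed NetFlow-style records (not a real capture). 203.0.113.9 is our NTP
# server, 192.0.2.7 plays the spoofed victim, 198.51.100.x are ordinary clients.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,pkts,bytes
1392220800,198.51.100.20,45012,203.0.113.9,123,udp,1,48
1392220800,203.0.113.9,123,198.51.100.20,45012,udp,1,48
1392220801,192.0.2.7,21234,203.0.113.9,123,udp,10,80
1392220801,203.0.113.9,123,192.0.2.7,21234,udp,1000,440000
1392220802,198.51.100.21,50203,203.0.113.9,123,udp,1,48
1392220802,203.0.113.9,123,198.51.100.21,50203,udp,1,48
1392220803,203.0.113.9,123,198.51.100.22,53007,udp,120,5760
1392220803,198.51.100.22,53007,203.0.113.9,123,udp,120,5760
"""
NTP_SERVERS = {"203.0.113.9"}   # the time servers we are responsible for


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "sport": int(r["sport"]),
                     "dst": r["dst"], "dport": int(r["dport"]), "proto": r["proto"],
                     "pkts": int(r["pkts"]), "bytes": int(r["bytes"])})
    return rows


def find_reflection_victims(flows: List[Dict[str, object]], servers: Set[str],
                            min_ratio: float = 20.0,
                            min_out_bytes: int = 100_000) -> List[Dict[str, object]]:
    """Pair every UDP/123 reply flow from our servers with the request flow from the
    same peer. A peer that gets back far more than it sent is the spoofed source of
    an amplification attack, i.e. the victim; the real attacker is never visible here.
    Normal clients exchange 48-byte packets in both directions and score about 1."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src"] in servers and f["sport"] == 123:
            s = stats[(f["src"], f["dst"])]
            s["out_pkts"] += f["pkts"]
            s["out_bytes"] += f["bytes"]
        elif f["dst"] in servers and f["dport"] == 123:
            s = stats[(f["dst"], f["src"])]
            s["in_pkts"] += f["pkts"]
            s["in_bytes"] += f["bytes"]

    alerts = []
    for (server, peer), s in stats.items():
        if s["out_bytes"] < min_out_bytes or s["out_pkts"] == 0:
            continue                      # too little traffic to matter
        ratio = s["out_bytes"] / max(s["in_bytes"], 1)   # peers that sent nothing count as 1 byte
        if ratio >= min_ratio:
            alerts.append({"server": server, "victim": peer, "ratio": ratio,
                           "avg_reply_bytes": s["out_bytes"] / s["out_pkts"],
                           "out_mbit": s["out_bytes"] * 8 / 1e6})
    return alerts


if __name__ == "__main__":
    for a in find_reflection_victims(parse_flows(SAMPLE_FLOWS), NTP_SERVERS):
        print(f"{a['server']} is reflecting at {a['victim']}: {a['ratio']:.0f}x, "
              f"{a['avg_reply_bytes']:.0f}-byte replies, {a['out_mbit']:.2f} Mbit sent")
```

The peer the rule names is the victim, because the spoofed requests carry the victim’s source address; the attacker’s own network is invisible from the reflector, which is exactly why Prince points at networks that allow source address spoofing. An administrator running a legitimate monlist query from outside trips the same rule, which is acceptable, since the query should not be answerable from outside at all.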

Rasbora’s posts on Hackforums.

Apparently, Rasbora did this so that he could prove his greatness to the administrators of Darkode, a closely guarded cybercrime forum that has been profiled at length in this blog. Rasbora was anxious to show what he could contribute to the Darkode community, and his application for membership there hinged in part on whether he could be successful in taking down my site (incidentally, this is not the first time Darkode administrators have used my site as a test target for vetting prospective members who apply based on the strength of some professed DDoS prowess).

Rasbora, like other young American kids involved in DDoS-for-hire services, hasn’t done a great job of separating his online self from his real life persona, and it wasn’t long before I was speaking to Rasbora’s dad. His father seemed genuinely alarmed — albeit otherwise clueless — to learn about his son’s alleged activities. Rasbora himself agreed to speak to me, but denied that he was responsible for any attack on my site. He did, however, admit to using the nickname Rasbora — and eventually — to being consumed with various projects related to DDoS activities.

Rasbora maintains a healthy presence on Hackforums[dot]net, a relatively open forum that is full of young kids engaged in selling hacking services and malicious code of one kind or another. Throughout 2013, he ran a DDoS-for-hire service hidden behind Cloudflare called “Flashstresser.net,” but that service is currently unreachable. These days, Rasbora seems to be taking projects mostly by private contract.


Some of Rasbora’s posts prior to our phone call.

Rasbora’s most recent project just happens to be gathering and maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.

“I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.”

Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.

Tags: Allison Nixon, Arbor Networks, CloudFlare, Darkode, Hackforums, Lance James, Matthew Prince, network time protocol, NTP, NTT Com Security, Prolexic Technologies, Rasbora, Symantec This entry was posted on Friday, February 14th, 2014 at 7:13 pm and is filed under A Little Sunshine, The Coming Storm. You can follow any comments to this entry through the RSS 2.0 feed. You can skip to the end and leave a comment. Pinging is currently not allowed.

20 comments

Ralph Daugherty February 14, 2014 at 7:33 pm

“Who knows, maybe his dad will ground him and take away his Internet privileges.”

You can betcha after that phone call that his dad is seriously considering it, if he hasn’t already. He messed with the wrong target, so to speak.


Cake February 14, 2014 at 7:40 pm

Yo Krebs I updated the domain as it’s mine. Wanna talk to me? Come on Leak.sx, I’m Cake. Lol, next time search more.


Stratocaster February 14, 2014 at 8:17 pm

After Comcast and Time Warner Cable merge, the DDOS attacks won’t happen as fast and will cost a lot more….

BV1 February 14, 2014 at 8:58 pm

HA!

Doktor McNasty February 14, 2014 at 8:46 pm

Ok so I’ve been involved with computers since the mid-nineties and at this point am running an IT department. I’m by no means ‘leet’ but I get by and can usually solve problems and even automate things here and there. What boggles my mind is how does someone who has been alive for less time than I have been learning and working with computers learn enough about how the fundamental structure of the internet works to be able to pull these kinds of things off? Disclaimer: yes I’m jealous – but that doesn’t quite explain it. He can’t have even been studying for those 15 years as he needed a few years to learn how to just READ, didn’t he? Maybe his parents are grounding him to a corner with technical manuals and a computer when he acts up? How does this all play out, do you suppose?

Cake February 14, 2014 at 8:50 pm

Yea about that, I had to even learn how to use “cd”.. He’s still coming back to me each fucking time, so no, he’s not able to pull off without others’ help. And for the parent side, Krebs broke some laws of privacy and such by calling them and they did not care. Anyways, he’s a skid.

BrianKrebs February 14, 2014 at 8:55 pm

Watch your mouth. And I broke privacy laws? How do you figure? The kid’s dad explicitly gave me permission to interview him. And what’s more, I don’t even name the little turkey, so it’s hardly an invasion of privacy.

scott February 14, 2014 at 9:06 pm

Calling people must apparently be an invasion of privacy or something.

Rofl February 14, 2014 at 9:00 pm

Jesus you’re arrogant, you undoubtedly obtained the scripts from someone else yourself.

Cake February 14, 2014 at 9:02 pm

Can’t deny and can’t accept as I wrote a couple things myself. And I never even said anything about scripts.


Robert Scroggins February 14, 2014 at 8:58 pm

I suppose it plays out by the kid eventually getting a law degree and then going into politics where he winds up in Congress! Regards,


Annie C. Bai February 14, 2014 at 9:22 pm

I was wondering (worried) when I couldn’t get onto your site on Tuesday, but since you were only down for 10 minutes, maybe that was just my broke-down iPhone 4. Good to hear you are on the case as usual. What a tangled web the free Internet is…


Ken Carter February 14, 2014 at 9:28 pm

Great post, but I think your analysis of DDoS-for-hire sites attacking one another is static and therefore incomplete. Granted, at least initially, DDoS-for-hire sites might start to attack one another if kicked out from behind security networks. However, in the longer run, attacking each other is ultimately unprofitable, just as the Sopranos and Corleones don’t go on whacking one another forever. The weaker ones will get knocked out, but sooner or later they will achieve some truce, divvy up the territories, and start on more profitable criminal ventures. “You get North Jersey and I get every thing south of Mulberry Street.” At the end, you would be left with a Nash Equilibrium and a Darwinian outcome comprised of the most ruthless sites. Full disclosure: I work for CloudFlare.


JCitizen February 14, 2014 at 9:38 pm

And yet I can’t remember ever having trouble getting to your site! Maybe this is why others posting here complain of lag time before their posts show up? Otherwise PFTT! – they be a figment of the imagination – go away figment! ]:)


AllHailLordKreben February 14, 2014 at 10:38 pm

Kerb, you better watch out. These pro hackers might want more of you.


TheOreganoRouter.onion February 14, 2014 at 10:52 pm

I would get law enforcement involved, then charge him as a juvenile, to teach this young kid a good lesson in not trying to take down internet security websites.


iMatrix February 14, 2014 at 11:04 pm

Don’t blame rasbora. Looking on his activity he ain’t launching a dos on a website like yours. The only place of him brag about his activity is leak.sx and he does good reviews on stressers. P.S – DOS Attack servers are now costly and rare, its hard to find one so he can’t gather 200Gbps DOS server. The only one capable of doing this is cyberbunker.


CloudflareCustomer February 14, 2014 at 11:23 pm

Cloudflare saying that they’re not seeing any outbound activity is totally disingenuous, but technically true. Since they only handle requested traffic, not all outbound traffic, they only see connections that are initiated from outside. The root server could be sending out traffic and they’d be none the wiser. It’s even better if there’s more than one connection on the server.


Lysergic Acid Diethylamide February 14, 2014 at 11:39 pm

From wikipedia: “A rasbora is a member of a group of small minnow-type fish” … appropriate handle for a 15-year-old boy.

Rob February 15, 2014 at 1:58 am

I’m not a fan of CloudFlare. I had a problem accessing one of their client’s sites but the only way to contact CloudFlare is to sign on as a new client. I did that (it was free and only took a minute) and then filled out a “Tech. Support Ticket”, but when I tried to submit the ticket, the web-form was SO broken I had to give up and just remove the original site from my bookmarks. I’m one of those people who thinks the inventors of the so-called Cloud were probably smart, while their clients definitely aren’t. But there don’t seem to be many of us who think this. Or maybe most of us can only speak Russian. Who knows? I imagine Russians laugh pretty hard about the cloud. Maybe THEY invented it. Maybe Mr. Kaspersky invented it. They invented Tetris, after all, and won the space race despite/while being a communist country: 1st space ship, 1st animal, 1st man, 1st woman in space. As for the moon, they just used telescopes. Brilliant!
