FWIW the exact same thing (identical initial ransom email) happened to us
two weeks ago. The "2 day" message was received on December 3rd. The
group claiming responsibility has yet to follow through.
The messages came from various bitmessage.ch addresses.
On Wed, Dec 9, 2015 at 10:21 PM, Joe
On December 10, 2015 at 08:20 col...@gt86car.org.uk (Colin Johnston) wrote:
> fingerprint shows China and Russia related as expected
> Why do the abuse teams in China and Russia ignore basic abuse reports, why
> peer/setup connections to companies where abuse is ignored.
I wonder how much of
These are the three e-mail addresses they have contacted me on so far.
armada.collect...@bk.ru
melvin.webst...@gmail.com
luciennemcglyn...@gmail.com
--
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615
fingerprint shows China and Russia related as expected
Why do the abuse teams in China and Russia ignore basic abuse reports, why
peer/setup connections to companies where abuse is ignored.
Colin
> On 8 Dec 2015, at 07:24, Joe Morgan wrote:
>
> We received a similar
hi
On 12/10/15 at 11:07am, Joe Morgan wrote:
> These are the three e-mail addresses they have contacted me on so far.
> armada.collect...@bk.ru
> melvin.webst...@gmail.com
> luciennemcglyn...@gmail.com
Ian> messages came from various bitmessage.ch addresses
# i wonder if they all have the
Last year when this happened to several large providers, it was a cluster all
around the same time, and it turned out that it was the same org hitting all of
them. This quickly came to light as we (ISIPP) started coordinating with the
targets, because the attacker was using the same gmail
hi jean-f
On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote:
> Since the OP mentioned a "ransom" demand (aka: extortion), should law
> enforcement be contacted in such cases ?
simply saying "these bozos are attempting to extort $100 from me"
with their email demands probably will not get the
I believe that is what he meant, yeah. Figurative opening of the bank
account - showing them that you're willing to pay makes you a target
for future payments as well.
On Thu, 03 Dec 2015, Daniel Corbe wrote:
>
> > On Dec 3, 2015, at 10:26 AM, Nick Hilliard wrote:
> >
> > On
We received a similar ransom e-mail yesterday followed by a UDP flood
attack. Here is a sample of the attack traffic we received as well as a
copy of the ransom e-mail. Thought this might be useful to others who have
been targeted as well. I will have to talk with our upstream providers to
get a
hi joe
On 12/08/15 at 01:24am, Joe Morgan wrote:
> We received a similar ransom e-mail yesterday
:-)
don't pay real $$$ ... pretend that it was paid and watch for
them to come get the ransom ... never give your real banking info
ask them, where do you send the "$xx,000" mastercard gift card
>
>
> On 10 December 2015 at 01:48, alvin nanog > wrote:
>
>> what app do you have that talks to port 1900 ?
>>
>
> UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
> also from a reflection attack.
>
>
Sorry I was made aware that UDP 1900
On 8 Dec 2015, at 14:24, Joe Morgan wrote:
At the point in time we blackholed our ip we were seeing 20+Gbps.
These two presos discuss extortion DDoS and UDP reflection/amplification
attacks, specifically - it isn't necessary to resort to D/RTBH to deal
with these attacks:
On 10 December 2015 at 01:48, alvin nanog
wrote:
> what app do you have that talks to port 1900 ?
>
UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
also from a reflection attack.
We filter UDP 1900 at our border. Not to protect our
Just an update for those following. We have custom in house software that
watches the traffic flows from our edge routers and automatically
blackholes any ip getting targeted. The blackhole gets sent upstream which
is what we did to maintain the network for our customers during the first
attack.
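The two things this part of the thread turns on are (a) telling reflection traffic apart by UDP source port (UDP/1900 is SSDP; chargen is UDP/19; DNS and NTP reflect from 53 and 123) and (b) what to do once flow telemetry shows a target over threshold: a destination blackhole sent upstream keeps the rest of the network up but finishes the attacker's job for him, whereas a flowspec rule that drops only the reflected source ports keeps the victim reachable. The block below is an added example, not Joe's in-house software or anything from the presentations referenced above: it aggregates a constructed window of sampled flow records per destination, attributes the bits to reflection vectors, and emits flowspec rules per vector, falling back to a destination RTBH announcement only when the unclassified remainder alone would still saturate the link. The addresses, the 1:1000 sample rate, the ExaBGP-like rule text, the RFC 7999 BLACKHOLE community and the 192.0.2.1 discard next-hop are all assumptions to be adjusted to your own upstream's policy.

```python
"""Flow-telemetry triage for UDP reflection floods (added example; constructed data).

Totals bits/s per destination over one export window, attributes traffic to
known reflection vectors by UDP source port, and builds a mitigation plan:
one flowspec rule per vector (drops only the reflected port) and a D/RTBH
announcement only when non-reflected traffic alone exceeds the threshold.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection services named in the thread.
REFLECTION_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "ssdp"}

# Assumed RTBH conventions: RFC 7999 BLACKHOLE community and a discard
# next-hop the upstream routes to Null0. Replace with your upstream's values.
BLACKHOLE_COMMUNITY = "65535:666"
DISCARD_NEXT_HOP = "192.0.2.1"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    nbytes: int     # bytes in the sampled flow record


def classify(flow: Flow) -> str:
    """Name the reflection vector a flow belongs to, or 'other'."""
    if flow.proto == 17 and flow.sport in REFLECTION_PORTS:
        return REFLECTION_PORTS[flow.sport]
    return "other"


def aggregate(flows, window_s: float, sample_rate: int = 1):
    """Return {dst: {vector: bits/s}} for one export window.
    sample_rate scales 1-in-N sampled records back to wire rate."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.dst][classify(f)] += f.nbytes * 8 * sample_rate
    return {dst: {v: bits / window_s for v, bits in vecs.items()}
            for dst, vecs in per_dst.items()}


def plan_mitigation(per_dst_bps, threshold_bps: float):
    """Flowspec per reflection vector; D/RTBH only if the remainder still saturates."""
    port_of = {name: port for port, name in REFLECTION_PORTS.items()}
    actions = []
    for dst, vecs in per_dst_bps.items():
        if sum(vecs.values()) < threshold_bps:
            continue  # below threshold: nothing to do for this target
        reflected = sorted(((v, b) for v, b in vecs.items() if v != "other"),
                           key=lambda vb: -vb[1])
        for vector, bps in reflected:
            port = port_of[vector]
            actions.append({
                "kind": "flowspec", "dst": dst, "vector": vector, "bps": bps,
                # ExaBGP-style flowspec text (assumed syntax; check your BGP speaker)
                "rule": (f"flow route {{ match {{ destination {dst}/32; protocol udp; "
                         f"source-port ={port}; }} then {{ discard; }} }}"),
            })
        if vecs.get("other", 0) >= threshold_bps:
            actions.append({
                "kind": "rtbh", "dst": dst, "vector": "other", "bps": vecs["other"],
                "rule": (f"route {dst}/32 next-hop {DISCARD_NEXT_HOP} "
                         f"community [{BLACKHOLE_COMMUNITY}]"),
            })
    return actions


# Constructed 10-second sFlow window, sampled 1:1000. Reflectors (sport 1900/123/53/19)
# hit 203.0.113.10; 203.0.113.30 gets a plain TCP flood; 203.0.113.20 is background noise.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "203.0.113.10", 17, 1900, 45321, 5_000_000),
    Flow("198.51.100.2", "203.0.113.10", 17, 1900, 45322, 5_000_000),
    Flow("198.51.100.3", "203.0.113.10", 17, 1900, 45323, 5_000_000),
    Flow("198.51.100.4", "203.0.113.10", 17, 123, 45324, 2_500_000),
    Flow("198.51.100.5", "203.0.113.10", 17, 53, 45325, 1_250_000),
    Flow("198.51.100.6", "203.0.113.10", 17, 19, 45326, 625_000),
    Flow("198.51.100.7", "203.0.113.10", 6, 51234, 443, 125_000),   # legitimate HTTPS
    Flow("198.51.100.8", "203.0.113.20", 17, 1900, 45327, 100_000),  # below threshold
    Flow("198.51.100.9", "203.0.113.30", 6, 40000, 80, 2_500_000),   # TCP flood, no vector
]

WINDOW_S, SAMPLE_RATE, THRESHOLD_BPS = 10, 1000, 1_000_000_000


def triage(flows=SAMPLE_FLOWS, window_s=WINDOW_S, sample_rate=SAMPLE_RATE,
           threshold_bps=THRESHOLD_BPS):
    """One shot: aggregate a window and return the mitigation actions."""
    return plan_mitigation(aggregate(flows, window_s, sample_rate), threshold_bps)


if __name__ == "__main__":
    for a in triage():
        print(f"{a['kind']:8} {a['dst']:15} {a['vector']:8} "
              f"{a['bps'] / 1e9:6.2f} Gb/s  {a['rule']}")
```

On the constructed window the 203.0.113.10 target gets four flowspec rules (SSDP 12 Gb/s, NTP 2 Gb/s, DNS 1 Gb/s, chargen 0.5 Gb/s) and stays reachable on TCP/443; only 203.0.113.30, where nothing can be attributed to a reflected port, is handed to D/RTBH. A source-based RTBH (S/RTBH) against the reflector addresses is the other option the thread mentions and needs only the `src` field, but reflector lists run to tens of thousands of hosts, which is why the per-port flowspec rule is the first thing to try.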
On 10 Dec 2015, at 13:21, Joe Morgan wrote:
We have custom in house software that watches the traffic flows from
our edge routers and automatically blackholes any ip getting targeted.
Suggest you take a look at the presos I posted earlier and look into
S/RTBH, flowspec, some limited QoS, and
Side question:
Since the OP mentioned a "ransom" demand (aka: extortion), should law
enforcement be contacted in such cases ? Is there any experience doing
this ? Are they any help ?
In North america, would that mean FBI in USA and RCMP in Canada, or
local police force which then escalates to
On 9 Dec 2015, at 11:46, Jean-Francois Mezei wrote:
Since the OP mentioned a "ransom" demand (aka: extortion), should law
enforcement be contacted in such cases ?
Yes.
Is there any experience doing this ?
Yes.
Are they any help ?
Operationally, no. Investigatively, possibly.
In
Sorry this is so late, I get NANOG in Digest Mode...
> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons). If you email me off-list with a
> name/email that you've
hi ya roland
On 12/04/15 at 11:09am, Roland Dobbins wrote:
> On 4 Dec 2015, at 9:34, alvin nanog wrote:
> >all that tcpdump gibberish
>
> Is entirely unnecessary, as well as being completely impractical on a
> network of any size.
up to a point, probing around at the packet level is
On 4 Dec 2015, at 9:34, alvin nanog wrote:
all that tcpdump gibberish
Is entirely unnecessary, as well as being completely impractical on a
network of any size.
Reasonable network access policies for the entities under attack plus
flow telemetry collection/analysis, S/RTBH, and/or
All,
I've been a NANOG member for many years but I'm emailing from an anonymous
account to reduce the chance of the attackers finding me.
A company that shall remain anonymous has received a ransom DDoS note from
a very well known group that has been in the news lately. Recently they've
Sounds like lizardSquad may be at it again
On Dec 3, 2015 8:53 AM, "halp us" wrote:
> All,
>
> I've been a NANOG member for many years but I'm emailing from an anonymous
> account to reduce the chance of the attackers finding me.
>
> A company that shall remain
On Thu, 3 Dec 2015 03:15:04 -0500
halp us wrote:
> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I
> can't reveal here for obvious reasons). If you email me off-list with
> a
On Thu, Dec 3, 2015 at 3:15 AM, halp us wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid
> On Dec 3, 2015, at 10:26 AM, Nick Hilliard wrote:
>
> On 03/12/2015 08:15, halp us wrote:
>> a very well known group that has been in the news lately. Recently they've
>> threatened to carry out a major DDoS attack if they are not paid by a
>> deadline which is approaching.
On 03/12/2015 08:15, halp us wrote:
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're
-boun...@nanog.org] On Behalf Of halp us
Sent: Thursday, December 03, 2015 2:15 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Ransom DDoS attack - need help!
All,
I've been a NANOG member for many years but I'm emailing from an anonymous
account to reduce the chance of the attackers finding me
None of those names you just mentioned have made the international news.
On Dec 3, 2015 8:59 AM, "Chris Baker" wrote:
> Can you provide some additional details? Is it someone claiming
> association with a known group like DD4BC or the Armada Collective or
> unbranded?
>
> Cheers,
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:
> If you believe that someone who issues a ransom threat will stop if you pay
> them off, you're smoking crack.
+1
These attacks aren't rocket-science to defend against.
OP, ping me 1:1.
---
Roland Dobbins
On 3 Dec 2015, at 15:15, halp us wrote:
Based on certain details that I can't reveal here, we believe the
magnitude of the upcoming attack may be in the several hundred Gbps.
They lie. The largest attacks we've seen from these threat actors are
in the ~60gb/sec range - which is nothing to
On 3 Dec 2015, at 22:04, Josh Reynolds wrote:
> None of those names you just mentioned have made the international news.
Of course they have.
---
Roland Dobbins
Can you provide some additional details? Is it someone claiming association
with a known group like DD4BC or the Armada Collective or unbranded?
Cheers,
CBaker
On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds wrote:
> Sounds like lizardSquad may be at it again
> On Dec 3,
OSINT has a plethora of detail available:
http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130
http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin-ransoms-what-can-we-do-1528253
The last I spoke with NTT they said the largest they ever saw was > 300GB
and most of the time they don't follow through. They threaten 100 networks
and hope that x% will pay them off 'just in case'
On Thu, Dec 3, 2015 at 10:20 AM, Roland Dobbins wrote:
> On 3 Dec 2015, at
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should
be able to mitigate
some to much of the damage caused by filled pipes by blocking incoming UDP
traffic at your ISP level.
This is the Armada Collective, based on the description. We just went
through a round with
On 4 Dec 2015, at 2:38, Dovid Bender wrote:
> The last I spoke with NTT they said the largest they ever saw was > 300GB
That wasn't DD4BC or Armada Collective.
---
Roland Dobbins
Hi!
This is my first mail to the list.
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should
be able to mitigate
some to much of the damage caused by filled pipes by blocking incoming UDP
traffic at your ISP level.
//Robban
> * On Thu, Dec 03, 2015 at 03:15:04AM
F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
protection. Don't pay up, use ddos protection.
Clay
On Thu, Dec 3, 2015 at 3:11 PM, Roland Dobbins wrote:
> On 4 Dec 2015, at 2:38, Dovid Bender wrote:
>
> > The last I spoke with NTT they said the
Hi,
> F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
> protection. Don't pay up, use ddos protection.
you know how many ponder whether AV companies write some of the viruses
;-)
alan
hi "need help"
On 12/03/15 at 03:15am, halp us wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately.
use an email reader that allows you to see all the received email headers
to see which SMTP routers
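The header walk suggested here is worth doing properly, because the ransom mails in this thread arrived through several relays and the senders change mailboxes between rounds. The block below is an added example, not alvin's or anyone else's code from the thread: it parses the Received: chain of a constructed message oldest-hop-first and flags which stamps you can actually believe. The caveat a practitioner wants is built in: only the Received: lines written by your own MX are trustworthy, anything below them was supplied by the sender's side and can be forged, so the one address worth an abuse report is the peer that handed the message to your MX. The hostnames, addresses and message text are constructed (documentation ranges), not taken from the thread.

```python
"""Walk the Received: chain of a ransom e-mail (added example; constructed data).

Received: lines are read bottom-up (oldest hop first). A hop is trusted only
if the host that stamped it ("by ...") is one we operate; the IP recorded in
the oldest trusted hop is the peer that delivered to us and is the only
address in the chain we can verify.
"""
import email
import re

# Hosts we operate; a Received: line stamped "by" one of these was written by us.
OUR_HOSTS = {"mx-in.example.net", "mail.victim.example"}

# Constructed sample. The bottom Received: line is whatever the sender chose to write.
RAW_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.25])
\tby mail.victim.example (Postfix) with ESMTPS id 4A1B2C3D
\tfor <noc@victim.example>; Thu, 3 Dec 2015 08:11:42 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx-in.example.net with ESMTP id abc123
\tfor <noc@victim.example>; Thu, 3 Dec 2015 08:11:40 +0000
Received: from [10.0.0.5] (unknown [192.0.2.66])
\tby relay.sender.example with ESMTPA id xyz789;
\tThu, 3 Dec 2015 08:11:39 +0000
From: armada.collective@example.invalid
To: noc@victim.example
Subject: DDoS ransom

Pay 20 BTC by Friday or we attack.
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value: str) -> str:
    """Join RFC 5322 folded continuation lines into one header value."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_received(raw: str, our_hosts=OUR_HOSTS):
    """Return the hops oldest-first, each flagged trusted if we stamped it."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed([unfold(v) for v in msg.get_all("Received", [])]):
        m = HOP_RE.search(value)
        if not m:  # non-standard stamp: keep it visible, never trust it
            hops.append({"raw": value, "from": None, "by": None, "ip": None,
                         "trusted": False})
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,  # address as recorded by the stamping host
            "by": m.group("by"),
            "trusted": m.group("by") in our_hosts,
        })
    return hops


def verifiable_origin(hops):
    """IP of the peer that delivered to our first MX: the oldest trusted hop."""
    for hop in hops:
        if hop["trusted"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for i, h in enumerate(hops):
        tag = "trusted" if h["trusted"] else "UNVERIFIED"
        print(f"hop {i}: {h['from']} [{h['ip']}] -> {h['by']}  ({tag})")
    print("address to report to its abuse contact:", verifiable_origin(hops))
```

On the sample the bottom hop claims the mail originated at 192.0.2.66, but that stamp was written by relay.sender.example, not by us, so it proves nothing; the address to put in the abuse report is 198.51.100.7, the peer our own mx-in.example.net recorded. Headers forged below the trusted hops are exactly how these groups make a mail look like it came from a country it did not.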
-online-after-crippling-ddos-attack/
Original message
From: Roland Dobbins <rdobb...@arbor.net>
Date: 12/3/2015 3:10 PM (GMT-05:00)
To: NANOG <nanog@nanog.org>
Subject: Re: Ransom DDoS attack - need help!
O
On Dec 3, 2015, at 5:00 PM, alvin nanog wrote:
> run tcpdump and/or Ethereal to capture the DDoS attacks
Of course! If we had only thought of this sooner!
:-)
--lyndon
hi lyndon
On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
> On Dec 3, 2015, at 5:00 PM, alvin nanog
> wrote:
> > run tcpdump and/or Ethereal to capture the DDoS attacks
>
> Of course! If we had only thought of this sooner!
> :-)
yupperz.. the problem is,