Re: Ransom DDoS attack - need help!

2015-12-10 Thread Ian Clark
FWIW the exact same thing (identical initial ransom email) happened to us two weeks ago. The "2 day" message was received on December 3rd. The group claiming responsibility has yet to follow through. The messages came from various bitmessage.ch addresses. On Wed, Dec 9, 2015 at 10:21 PM, Joe

Re: Ransom DDoS attack - need help!

2015-12-10 Thread bzs
On December 10, 2015 at 08:20 col...@gt86car.org.uk (Colin Johnston) wrote: > fingerprint shows China and Russia related as expected > Why do the abuse teams in China and Russia ignore basic abuse reports, why > peer/setup connections to companies where abuse is ignored. I wonder how much of

Re: Ransom DDoS attack - need help!

2015-12-10 Thread Joe Morgan
These are the three e-mail addresses they have contacted me on so far. armada.collect...@bk.ru melvin.webst...@gmail.com luciennemcglyn...@gmail.com -- Thank You, Joe Morgan - Owner Joe's Datacenter, LLC http://joesdatacenter.com 816-726-7615

Re: Ransom DDoS attack - need help!

2015-12-10 Thread Colin Johnston
fingerprint shows China and Russia related as expected Why do the abuse teams in China and Russia ignore basic abuse reports, why peer/setup connections to companies where abuse is ignored. Colin > On 8 Dec 2015, at 07:24, Joe Morgan wrote: > > We received a similar

Re: Ransom DDoS attack - need help!

2015-12-10 Thread alvin nanog
hi On 12/10/15 at 11:07am, Joe Morgan wrote: > These are the three e-mail addresses they have contacted me on so far. > armada.collect...@bk.ru > melvin.webst...@gmail.com > luciennemcglyn...@gmail.com Ian> messages came from various bitmessage.ch addresses # i wonder if they all have the

Re: Ransom DDoS attack - need help!

2015-12-10 Thread Anne Mitchell
Last year when this happened to several large providers, it was a cluster all around the same time, and it turned out that it was the same org hitting all of them. This quickly came to light as we (ISIPP) started coordinating with the targets, because the attacker was using the same gmail

Re: Ransom DDoS attack - need help!

2015-12-09 Thread alvin nanog
hi jean-f On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote: > Since the OP mentioned a "ransom" demand (aka: extortion), should law > enforcement be contacted in such cases ? simply saying "these bozos are attempting to extort $100 from me" with their email demands probably will not get the

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Stephen
I believe that is what he meant, yeah. Figurative opening of the bank account - showing them that you're willing to pay makes you a target for future payments as well. On Thu, 03 Dec 2015, Daniel Corbe wrote: > > > On Dec 3, 2015, at 10:26 AM, Nick Hilliard wrote: > > > > On

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Joe Morgan
We received a similar ransom e-mail yesterday followed by a UDP flood attack. Here is a sample of the attack traffic we received as well as a copy of the ransom e-mail. Thought this might be useful to others who have been targeted as well. I will have to talk with our upstream providers to get a

Re: Ransom DDoS attack - need help!

2015-12-09 Thread alvin nanog
hi joe On 12/08/15 at 01:24am, Joe Morgan wrote: > We received a similar ransom e-mail yesterday :-) don't pay real $$$ ... pretend that it was paid and watch for them to come get the ransom ... never give your real banking info ask them, where do you send the "$xx,000" mastercard gift card

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Baldur Norddahl
> > > On 10 December 2015 at 01:48, alvin nanog > wrote: > >> what app do you have that talks to port 1900 ? >> > > UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are > also from a reflection attack. > > Sorry I was made aware that UDP 1900

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Roland Dobbins
On 8 Dec 2015, at 14:24, Joe Morgan wrote: At the point in time we blackholed our ip we were seeing 20+Gbps. These two presos discuss extortion DDoS and UDP reflection/amplification attacks, specifically - it isn't necessary to resort to D/RTBH to deal with these attacks:

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Baldur Norddahl
On 10 December 2015 at 01:48, alvin nanog wrote: > what app do you have that talks to port 1900 ? > UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are also from a reflection attack. We filter UDP 1900 at our border. Not to protect our

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Joe Morgan
Just an update for those following. We have custom in house software that watches the traffic flows from our edge routers and automatically blackholes any ip getting targeted. The blackhole gets sent upstream which is what we did to maintain the network for our customers during the first attack.

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Roland Dobbins
On 10 Dec 2015, at 13:21, Joe Morgan wrote: We have custom in house software that watches the traffic flows from our edge routers and automatically blackholes any ip getting targeted. Suggest you take a look at the presos I posted earlier and look into S/RTBH, flowspec, some limited QoS, and

Re: Ransom DDoS attack - need help!

2015-12-08 Thread Jean-Francois Mezei
Side question: Since the OP mentioned a "ransom" demand (aka: extortion), should law enforcement be contacted in such cases ? Is there any experience doing this ? Are they any help ? In North America, would that mean FBI in USA and RCMP in Canada, or local police force which then escalates to

Re: Ransom DDoS attack - need help!

2015-12-08 Thread Roland Dobbins
On 9 Dec 2015, at 11:46, Jean-Francois Mezei wrote: Since the OP mentioned a "ransom" demand (aka: extortion), should law enforcement be contacted in such cases ? Yes. Is there any experience doing this ? Yes. Are they any help ? Operationally, no. Investigatively, possibly. In

Re: Ransom DDoS attack - need help!

2015-12-04 Thread Anne Mitchell
Sorry this is so late, I get NANOG in Digest Mode... > I would really appreciate help in a few areas (primarily with certain > provider contacts/intros) so we can execute our strategy (which I can't > reveal here for obvious reasons). If you email me off-list with a > name/email that you've

Re: Ransom DDoS attack - need help!

2015-12-04 Thread alvin nanog
hi ya roland On 12/04/15 at 11:09am, Roland Dobbins wrote: > On 4 Dec 2015, at 9:34, alvin nanog wrote: > >all that tcpdump gibberish > > Is entirely unnecessary, as well as being completely impractical on a > network of any size. up to a point, probing around at the packet level is

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 9:34, alvin nanog wrote: all that tcpdump gibberish Is entirely unnecessary, as well as being completely impractical on a network of any size. Reasonable network access policies for the entities under attack plus flow telemetry collection/analysis, S/RTBH, and/or

Ransom DDoS attack - need help!

2015-12-03 Thread halp us
All, I've been a NANOG member for many years but I'm emailing from an anonymous account to reduce the chance of the attackers finding me. A company that shall remain anonymous has received a ransom DDoS note from a very well known group that has been in the news lately. Recently they've

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
Sounds like lizardSquad may be at it again On Dec 3, 2015 8:53 AM, "halp us" wrote: > All, > > I've been a NANOG member for many years but I'm emailing from an anonymous > account to reduce the chance of the attackers finding me. > > A company that shall remain

Re: Ransom DDoS attack - need help!

2015-12-03 Thread John Kristoff
On Thu, 3 Dec 2015 03:15:04 -0500 halp us wrote: > I would really appreciate help in a few areas (primarily with certain > provider contacts/intros) so we can execute our strategy (which I > can't reveal here for obvious reasons). If you email me off-list with > a

Re: Ransom DDoS attack - need help!

2015-12-03 Thread William Herrin
On Thu, Dec 3, 2015 at 3:15 AM, halp us wrote: > A company that shall remain anonymous has received a ransom DDoS note from > a very well known group that has been in the news lately. Recently they've > threatened to carry out a major DDoS attack if they are not paid

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Daniel Corbe
> On Dec 3, 2015, at 10:26 AM, Nick Hilliard wrote: > > On 03/12/2015 08:15, halp us wrote: >> a very well known group that has been in the news lately. Recently they've >> threatened to carry out a major DDoS attack if they are not paid by a >> deadline which is approaching.

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Nick Hilliard
On 03/12/2015 08:15, halp us wrote: > a very well known group that has been in the news lately. Recently they've > threatened to carry out a major DDoS attack if they are not paid by a > deadline which is approaching. They've performed an attack of a smaller > magnitude to prove that they're

RE: Ransom DDoS attack - need help!

2015-12-03 Thread Darden, Patrick
-boun...@nanog.org] On Behalf Of halp us Sent: Thursday, December 03, 2015 2:15 AM To: nanog@nanog.org Subject: [EXTERNAL]Ransom DDoS attack - need help! All, I've been a NANOG member for many years but I'm emailing from an anonymous account to reduce the chance of the attackers finding me

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
None of those names you just mentioned have made the international news. On Dec 3, 2015 8:59 AM, "Chris Baker" wrote: > Can you provide some additional details? Is it someone claiming > association with a known group like DD4BC or the Armada Collective or > unbranded? > > Cheers,

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:26, Nick Hilliard wrote: > If you believe that someone who issues a ransom threat will stop if you pay > them off, you're smoking crack. +1 These attacks aren't rocket-science to defend against. OP, ping me 1:1. --- Roland Dobbins

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 15:15, halp us wrote: Based on certain details that I can't reveal here, we believe the magnitude of the upcoming attack may be in the several hundred Gbps. They lie. The largest attacks we've seen from these threat actors are in the ~60gb/sec range - which is nothing to

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:04, Josh Reynolds wrote: > None of those names you just mentioned have made the international news. Of course they have. --- Roland Dobbins

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
Can you provide some additional details? Is it someone claiming association with a known group like DD4BC or the Armada Collective or unbranded? Cheers, CBaker On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds wrote: > Sounds like lizardSquad may be at it again > On Dec 3,

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
OSINT has a plethora of detail available: http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130 http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin-ransoms-what-can-we-do-1528253

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Dovid Bender
The last I spoke with NTT they said the largest they ever saw was > 300GB and most of the time they don't follow through. They threaten 100 networks and hope that x% will pay them off 'just in case' On Thu, Dec 3, 2015 at 10:20 AM, Roland Dobbins wrote: > On 3 Dec 2015, at

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level. This is the Armada Collective, based on the description. We just went through a round with

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 2:38, Dovid Bender wrote: > The last I spoke with NTT they said the largest they ever saw was > 300GB That wasn't DD4BC or Armada Collective. --- Roland Dobbins

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Robban
Hi! This is my first mail to the list. Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level. //Robban > * On Thu, Dec 03, 2015 at 03:15:04AM

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Clay Curtis
F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos protection. Don't pay up, use ddos protection. Clay On Thu, Dec 3, 2015 at 3:11 PM, Roland Dobbins wrote: > On 4 Dec 2015, at 2:38, Dovid Bender wrote: > > > The last I spoke with NTT they said the

Re: Ransom DDoS attack - need help!

2015-12-03 Thread A . L . M . Buxey
Hi, > F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos > protection. Don't pay up, use ddos protection. you know how many ponder whether AV companies write some of the viruses ;-) alan

Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog
hi "need help" On 12/03/15 at 03:15am, halp us wrote: > A company that shall remain anonymous has received a ransom DDoS note from > a very well known group that has been in the news lately. use an email reader that allows you to see all the received email headers to see which SMTP routers

Re: Ransom DDoS attack - need help!

2015-12-03 Thread dennis
-online-after-crippling-ddos-attack/ Original message From: Roland Dobbins <rdobb...@arbor.net> Date: 12/3/2015 3:10 PM (GMT-05:00) To: NANOG <nanog@nanog.org> Subject: Re: Ransom DDoS attack - need help! O

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg
On Dec 3, 2015, at 5:00 PM, alvin nanog wrote: > run tcpdump and/or Ethereal to capture the DDoS attacks Of course! If we had only thought of this sooner! :-) --lyndon

Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog
hi lyndon On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote: > On Dec 3, 2015, at 5:00 PM, alvin nanog > wrote: > > run tcpdump and/or etherreal to capture the DDoS attacks > > Of course! If we had only thought of this sooner! > :-) yupperz.. the problem is,