SANS ISC: DDoS Extortion E-mail: Yet Another Bluff? - SANS Internet Storm Center SANS ISC InfoSec Forums
DDoS Extortion E-mail: Yet Another Bluff?

DDoS extortion campaigns continue to be reported. Two weeks ago, Johannes Ullrich published a diary [1] about a fake DDoS extortion e-mail purporting to come from Anonymous, threatening the targeted company with a massive attack if it was not paid in Bitcoin. Yesterday a similar extortion campaign was reported to us, although this time it was followed by a real DDoS test, as promised by the sender.

The threat message seems to be a copycat of an old campaign reported last year in a blog post by CloudFlare [2]. It was signed by the same Armada Collective group, as seen below (text was partially anonymized):

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
 
In past, we launched one of the largest attacks in Switzerland's history. Use Google.
All network of [victim’s name] will be DDoS-ed starting [date]. If you don't pay 10 Bitcoins @ [bit coin address]

When we say all, we mean all - users will not be able to use any of your services.

Right now we will start 15 minutes attack on one of your IPs ([victim’s IP address]). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by [date], attack will start, price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.
Our attacks are extremely powerful - our Mirai botnet can reach over 1 Tbps per second. So, no protection will help.
Prevent it all with just 10 BTC @ [bit coin address]
Do not reply, we will probably not read. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Although the targeted company did receive the DDoS test attack, some aspects of the way it was carried out raise questions about the veracity of the campaign. Analysis of the DDoS test traffic showed that it was sent through a reflection attack using open NTP servers on the Internet, not from a botnet like Mirai as claimed in the message: all packets arrived with source port UDP/123 (NTP).
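Since the conclusion above rests on every packet carrying source port UDP/123, here is an added example (my own code, not the ISC's or the targeted company's tooling) that scores constructed flow records for NTP reflection: many distinct NTP servers answering a single destination with packet sizes far above a normal 48-byte NTP exchange. The thresholds and the sample addresses are assumptions.

```python
# Added example, not from the ISC diary: flag NTP reflection traffic in
# constructed flow records. Thresholds are assumptions, not ISC's.
from collections import defaultdict
from ipaddress import ip_address

NTP_PORT = 123
# A normal NTP packet is 48 bytes; monlist-style responses are ~440 bytes,
# so a high average size from many distinct servers points at reflection.
MIN_REFLECTORS = 20       # assumed threshold: distinct source servers
MIN_AVG_BYTES = 200       # assumed threshold: average bytes per packet


def make_sample_flows():
    """Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)."""
    flows = []
    # 30 open NTP servers each sending 200 x 440-byte packets at one victim
    for i in range(1, 31):
        src = str(ip_address("198.51.100.0") + i)
        flows.append((src, NTP_PORT, "203.0.113.5", 40000 + i, "udp", 440 * 200, 200))
    # one legitimate reply from a host's own time server: a single 48-byte packet
    flows.append(("192.0.2.1", NTP_PORT, "203.0.113.7", 51234, "udp", 48, 1))
    # an unrelated DNS reply, which the NTP filter must ignore
    flows.append(("192.0.2.53", 53, "203.0.113.7", 51235, "udp", 120, 1))
    return flows


def reflection_report(flows):
    """Group UDP flows with source port 123 by destination and score each target."""
    per_target = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, npkts in flows:
        if proto != "udp" or src_port != NTP_PORT:
            continue
        t = per_target[dst_ip]
        t["sources"].add(src_ip)
        t["bytes"] += nbytes
        t["packets"] += npkts
    report = {}
    for dst, t in per_target.items():
        avg = t["bytes"] / t["packets"] if t["packets"] else 0.0
        report[dst] = {
            "reflectors": len(t["sources"]),
            "avg_bytes_per_packet": round(avg, 1),
            "suspected_reflection": len(t["sources"]) >= MIN_REFLECTORS and avg >= MIN_AVG_BYTES,
        }
    return report


if __name__ == "__main__":
    for dst, info in reflection_report(make_sample_flows()).items():
        print(dst, info)
```

On real data, feed the function NetFlow/IPFIX-style records exported at the border; a target with a large reflector count and a high average size is the signature the diary describes, whereas a handful of 48-byte replies is ordinary time synchronisation.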

Regardless of the campaign's credibility, it's worthwhile to take some time and review your company's anti-DDoS strategy. In most scenarios, a pre-established agreement with your ISP to filter out volumetric attacks can avoid unpleasant surprises and high costs during emergencies. If you already have such an agreement, it would be worth putting it to the test and checking whether the response time is suitable for your business requirements.

So far, we are unaware of any case of a DDoS attack being launched after one of these threatening e-mails, and there is no reason to pay, even though there is no guarantee that the extortion will stop.

If you have received similar e-mails, please forward them to us.

References:
[1] https://isc.sans.edu/forums/diary/Fake+DDoS+Extortions+Continue+Please+Forward+Us+Any+Threats+You+Have+Received/22550/
[2] https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

I have been the recipient of a myriad of DDoS attacks in the last month, and the saddest part of all of these reflection attacks is that the servers are still configured for this kind of nonsense. You would think that with some kind of update to the systems all of these attacks could be mitigated.
jACKtheRipper
Depending on the service being used in reflection attacks, the solution to this problem does not depend on the device itself, like many DNS servers, especially those using DNSSEC, that are being used to reflect and amplify DDoS attacks. The major part of this problem is due to the IP spoofing allowed by many Internet providers (ISPs). There is a document called BCP 38 (tools.ietf.org/html/…), published back in 2000, that specifies how ISPs could individually cooperate by configuring their routers to defeat DDoS amplification attacks over the Internet.
Renato (ISC Handler)
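As an added illustration of the ingress filtering BCP 38 describes (my own code, not from the thread or the RFC), this simplified strict-mode reverse-path check accepts a packet only when the route back to its source address points at the interface the packet arrived on, so a customer port cannot emit traffic carrying someone else's address. The routing table, interface names and addresses are constructed.

```python
# Added example, not from the ISC thread: a simplified strict-mode
# reverse-path check in the spirit of BCP 38 / uRPF.
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {
    ip_network("0.0.0.0/0"): "upstream0",       # default route towards the Internet
    ip_network("203.0.113.0/24"): "cust-a",     # customer A's assigned block
    ip_network("198.51.100.0/25"): "cust-b",    # customer B's assigned block
}


def best_route_interface(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach src_ip."""
    addr = ip_address(src_ip)
    matches = [(net.prefixlen, iface) for net, iface in routes.items() if addr in net]
    if not matches:
        return None
    return max(matches)[1]


def bcp38_accept(src_ip, ingress_iface, routes=ROUTES):
    """Strict reverse-path check: the source must be reachable via the ingress interface.

    A customer port sending packets with a foreign source (the classic spoofed
    request that seeds a reflection attack) fails this test and is dropped, as
    does traffic from upstream that claims one of our customers' addresses.
    """
    return best_route_interface(src_ip, routes) == ingress_iface


def filter_packets(packets, routes=ROUTES):
    """Split constructed (src_ip, ingress_iface) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if bcp38_accept(src, iface, routes) else dropped).append((src, iface))
    return accepted, dropped


if __name__ == "__main__":
    sample = [("203.0.113.9", "cust-a"),      # legitimate customer traffic
              ("192.0.2.44", "cust-a"),       # spoofed foreign source on a customer port
              ("203.0.113.9", "upstream0")]   # our own prefix arriving from the Internet
    print(filter_packets(sample))
```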
Right, IP spoofing is the root of all of these issues, and you are totally right that the upstream filters from the various carriers could help prevent this, but what could help more is if there were a trusted list of IP addresses of non-local DNS, NTP, etc. servers at the end points. For instance, my ISP serves symmetrical gigabit FiOS to many customers, so it is equipped to swallow DNS or NTP traffic that is from non-trusted IPs. This may be out of left field, but if each end point could re-route NTP, DNS, etc. requests to the local service from the ISP and discard all other incoming traffic on those services, the end user would never get the unwanted traffic. IDK, but something needs to happen to prevent this malicious traffic, and it needs to be with the assumption that this traffic will be there regardless of any and all other measures.
jACKtheRipper
