Archive for the ‘Denial of Service’ Category

Shadowserver Foundation Blog: DDoS for Hire – More cooperation, or new competition?

January 9, 2010

Shadowserver Foundation – Calendar – 2010-01-09

Saturday, 9 January 2010
DDoS for Hire – More cooperation, or new competition?

I’ve always been interested in DDoS attacks, not only for their technical aspects, but also their social, economic, or political aspects. This past summer, several of us were closely watching a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the “hack-off” group used the domains ‘” & “” for their command and control. What was particularly interesting about ‘hack-off’ was their attack campaigns on targeted industries and groups. Such industries included:

hack-off DDoS targeted industries

* Online pharmacies
* Porn sites
* Automotive parts suppliers
* Replica Watches
* Online Gambling
* Logo Design companies
* Sporting goods and sportswear
* Healthcare products
* Electronics vendors

Many of the attack victims were fairly high profile, and law enforcement agencies from at least 5 different countries became involved. Eventually, with the assistance of cert-ru and Afilias, the domains were suspended and by October 2009, the ‘hack-off’ crew was offline.

Recently while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are seen being used for command and control:

New DDoS controllers

Over 250 different sites were targeted for DDoS from these controllers since November, 2009. The victim sites were fairly diverse, but were seen predominately in the following industries:

Industries targeted by atatata and friends

* Car buying sites
* Footwear
* Sporting goods
* Jewelry
* Gambling and Lottery
* Watches
* Appliances
* Travel and Tourism

The domains used by these controllers have been run on various hosting providers as described below. has also been seen dropping FakeAv as well as other malware. Another active botnet domain on the same IP as, is, however I haven’t yet seen DDoS related activity from them.

The top IP address prefaced is the currently active IP for that domain. The listing below also shows the nameserver history for each domain.
Domain information

* – AS50033 – GROUP3-AS GROUP 3 LLC.
* – AS15756 -CARAVAN
* – ??


* – AS4837 – CHINA169-Backbone
* – AS9929 – China Netcom Corp.
* – AS9394 – CHINA RAILWAY Internet

Registrar:Directi Internet Solutions

* – AS4837 – CHINA169-Backbone
* – AS9929 – China Netcom Corp.
* – AS9394 – CHINA RAILWAY Internet
* – AS36351 – SoftLayer
* – AS36351 – SoftLayer
* – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected

* 8/22/09
* 8/29/09
* 9/5/09
* 9/6/09
* 9/7/09
* 9/11/09

* – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich
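
The listing above is a hosting history: for each controller domain, the IPs and autonomous systems it has been seen on, with the most recent entry being the active one. As an added, defender-side illustration of how such a history can be rebuilt and queried (example code written for this archive, not Shadowserver's own tooling), the script below takes constructed passive-DNS style observations and derives per-domain timelines, counts provider hops, and finds IPs shared by more than one tracked domain, which is the co-hosting pivot the post uses to spot a second botnet domain. The domain names and IP addresses are placeholders; the AS numbers and names mirror those in the listing.

```python
"""Per-domain hosting history for suspected DDoS C2 domains.

Added example (not part of the Shadowserver post): given passive-DNS style
observations of domain -> IP -> AS, rebuild the hosting timeline per domain,
count how many autonomous systems it has moved through, and find IPs shared
by more than one tracked domain.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records: (domain, first_seen, ip, asn, as_name).
# Domain names and IPs are placeholders (RFC 5737 documentation ranges);
# the AS numbers and names mirror the ones listed in the post.
RECORDS = [
    ("c2-domain-a.example", date(2009, 8, 22),  "192.0.2.10",   4837,  "CHINA169-Backbone"),
    ("c2-domain-a.example", date(2009, 9, 5),   "192.0.2.20",   9929,  "China Netcom Corp."),
    ("c2-domain-a.example", date(2009, 9, 7),   "192.0.2.30",   9394,  "CHINA RAILWAY Internet"),
    ("c2-domain-a.example", date(2009, 11, 2),  "198.51.100.5", 36351, "SoftLayer"),
    ("c2-domain-a.example", date(2009, 12, 20), "203.0.113.7",  49314, "NEVAL PE"),
    ("c2-domain-b.example", date(2009, 12, 20), "203.0.113.7",  49314, "NEVAL PE"),
    ("c2-domain-c.example", date(2009, 10, 1),  "192.0.2.99",   50033, "GROUP3-AS GROUP 3 LLC."),
]


def hosting_timeline(records, domain):
    """Return the domain's hosting history, oldest first, as
    (first_seen, ip, asn, as_name) tuples. The last entry is the
    most recently observed, i.e. currently active, hosting."""
    rows = [(seen, ip, asn, name) for d, seen, ip, asn, name in records if d == domain]
    return sorted(rows)


def current_hosting(records, domain):
    """Most recent (ip, asn) for the domain, or None if it was never seen."""
    timeline = hosting_timeline(records, domain)
    if not timeline:
        return None
    _, ip, asn, _ = timeline[-1]
    return ip, asn


def as_hop_count(records, domain):
    """Number of times the domain moved to an AS different from its previous one."""
    asns = [asn for _, _, asn, _ in hosting_timeline(records, domain)]
    return sum(1 for prev, cur in zip(asns, asns[1:]) if prev != cur)


def flag_hosting_churn(records, min_hops=3):
    """Domains that changed AS at least min_hops times: frequent provider
    hopping is one sign of infrastructure that keeps getting taken down."""
    domains = sorted({d for d, *_ in records})
    return [d for d in domains if as_hop_count(records, d) >= min_hops]


def co_hosted(records):
    """Map IP -> sorted domain list, for IPs that served more than one tracked domain."""
    by_ip = defaultdict(set)
    for d, _, ip, _, _ in records:
        by_ip[ip].add(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


if __name__ == "__main__":
    for d in sorted({d for d, *_ in RECORDS}):
        print(d, "hops:", as_hop_count(RECORDS, d), "current:", current_hosting(RECORDS, d))
    print("churn:", flag_hosting_churn(RECORDS))
    print("co-hosted:", co_hosted(RECORDS))
```

Feeding real passive-DNS output into RECORDS is the only change needed; the churn threshold is a tuning knob, and the co-hosting map is what points an analyst at neighbouring domains worth a closer look before anything is blocked.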


While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are these new criminal groups rising up to compete in the lucrative world of DDoS? Or are we just seeing more cooperation and consolidation of efforts among the usual and familiar players?

We’ll continue to keep an eye on any new attacks from these controllers as well as the providers from where they are hosted.

=>Posted January 09, 2010, at 10:25 AM by Andre’ – Semper_Securus

(Via DDoS for Hire – More cooperation, or new competition?.)

Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

January 8, 2010

Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

Patriot Hacker Hits Jihad With DDoS Attacks
January 7, 2010 by ADMIN · Comment
By Richard Stiennon, Chief Research Analyst, IT-Harvest
I had an interesting demonstration this evening from a hacker who goes by the handle ‘The Jester’ or in so-called l33t speak, th3j35t3r which is his Twitter ID.
Since January 1, The Jester has been systematically wreaking havoc with several websites he associates with Al Qaeda and Jihadists via a Denial of Service attack delivered over the web through a Swedish anonymizer service (
The Jester has been documenting his attacks against,,,,,,,, since the beginning of 2010.
Early today he posted:
Official Presidency Website of …”

Attack on InterNetX’s DNS servers

January 7, 2010

Attack on InterNetX’s DNS servers: “On Wednesday, a DDoS nearly completely took out domain provider InterNetX’s DNS service”

(Via The H Security.)

DNS Problem Linked to DDoS Attacks Gets Worse

November 16, 2009

DNS Problem Linked to DDoS Attacks Gets Worse: “ISPs are distributing consumer modems that could be used in DDoS attacks, researchers say.


(Via PC World Latest Technology News.)

Pricing Scheme for a DDoS Extortion Attack

November 3, 2009

Pricing Scheme for a DDoS Extortion Attack: “

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the ‘on demand DDoS’ business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today’s cybercrime enterprise ‘vertically integrating‘ in order to occupy as many underground market segments as possible, all of which originally developed thanks to the ‘malicious economies of scale’ (massive SQL injections through search engines’ reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

What if their DDoS for hire business model is experiencing a decline? Would penetration pricing save them? What if they start enforcing a differentiated pricing model for their services through DDoS extortion?

Let’s discuss one of those groups that’s been actively attempting to extort money from Russian web sites since the middle of this summer. From penalty fees to a 30% discount if they want to request DDoS for hire against their competitors, a discount only available if they’ve actually paid the 10,000 rubles monthly extortion fee in the first place – this gang is also including links to the web sites of Russia’s Federal Security Service (FSB) and Russia’s Ministry of the Interior, stating ‘in order to make it easy for the victims to contact law enforcement‘.

Sample DDOS extortion letter:
Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us.

The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.

1st payment (10 000 rubles) must be made no later than DATE. All subsequent payments (10 000 rubles) must be made no later than the 31st (30th) day of each month starting from August 31. Late payment penalties of 100% will be charged for each day of delay.

For example, if you do not manage to make payment on the last day of the month, then for 1 day of delay you will have to pay a 100% fine, that is 20 000 rubles. If you pay only on the 2nd day of the month, it will be 30 000 rubles, etc. Please pay on time, and then the initial 10 000 rubles offer will not change. Penalty fees apply to your first payment – no later than DATE’

You will also receive several bonuses.
1. 30% discount if you request a DDoS attack on your competitors/enemies. The fair market value of a DDoS attack on a simple site is about $100 per night; for you it will cost only $70 per day.
2. If your competitors/enemies turn to us to make an attack on your site, then we deny them.

Payment must be made to our Yandex-money purse number 41001474323733. Every month the purse number will be new, be careful. Read about how to use Yandex-money on If you want to apply to law enforcement agencies, we will not discourage you. We even give you their contacts:,

It’s also worth pointing out that a huge number of ’boutique vendors’ of DDoS services remain reluctant to initiate DDoS attacks against governments or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of ‘aggregate-and-forget’ botnets, aggregated exclusively for customer-tailored propositions, which would inevitably get detected and shut down but end up harder to trace back to the original source than if they had DDoSed the requested high-profile target from the very same botnet that is closely monitored by the security community.

The future of DDoS extortion attacks, however, looks a bit grey due to the numerous monetization models that cybercriminals have developed – for instance ransomware, which attempts to scale by extorting significant amounts of money from thousands of infected users in an automated and much more efficient way than the now old-fashioned DDoS extortion model.


This post has been reproduced from Dancho Danchev’s blog.

(Via Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge.)

Bitbucket’s Amazon DDoS – what went wrong

October 12, 2009

Bitbucket’s Amazon DDoS – what went wrong: “Bitbucket’s Amazon DDoS – what went wrong”

(Via The Register.)