Krebs on Security
In-depth security news and investigation
14 Feb 14
The New Normal: 200-400 Gbps DDoS Attacks
Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common.
At issue is a seemingly harmless service running on many Internet servers, the Network Time Protocol (NTP), which is used to sync the date and time between machines on a network. The problem isn’t with NTP itself, per se, but with certain outdated or poorly configured implementations of it that attackers can use to turn a relatively negligible attack into something much, much bigger. Symantec’s writeup on this threat from December 2013 explains the problem succinctly:
Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic.
Matthew Prince, the CEO of Cloudflare — a company that helps Web sites stay online in the face of huge DDoS attacks — blogged Thursday about a nearly 400 Gbps attack that recently hit one of the company’s customers and leveraged NTP amplification. Prince said that while Cloudflare “generally [was] able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe.”
running on 1,298 different networks,” Prince wrote. “On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare’s network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.”
NO TIME LIKE THE PRESENT
Prince suggests a number of solutions for cleaning up the problem that permits attackers to seize control over so many ill-configured NTP servers, and this is sound advice. But what that post does not mention is the reality that a great many of today’s DDoS attacks are being launched or coordinated by the same individuals who are running DDoS-for-hire services (a.k.a “booters”) which are hiding behind Cloudflare’s own free cloud protection services.
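The monlist mechanism described above, as an added example that is not code from the original post, from Symantec or from Cloudflare: a Python script that builds the 8-byte NTP mode 7 monlist probe an attacker sends with a forged source address (the same request the stock `ntpdc -n -c monlist` command issues), parses the mode 7 reply packets an unpatched ntpd returns, and works out how many bytes the reflector emits per byte sent. The reply packets it parses are constructed inside the script to match ntpd’s wire layout (72-byte entries, six per packet) rather than captured from a real server, and the client addresses in them are placeholders from documentation address space. The `probe()` helper that actually sends the packet over UDP is meant for checking servers you administer.

```python
"""Added example (not code from the original post, Symantec or Cloudflare):
craft the NTP mode 7 "monlist" probe, parse the replies an unpatched ntpd
returns, and compute the amplification factor those replies give an attacker."""
import ipaddress
import socket
import struct

# Mode 7 ("private") header, 8 bytes, per ntpd's ntp_request.h (struct req_pkt):
#   rm_vn_mode     response(0x80) | more(0x40) | version<<3 | mode(7)
#   auth_seq       auth bit | sequence number of this response packet
#   implementation 3 = IMPL_XNTPD
#   request        0x2a = REQ_MON_GETLIST_1 (monlist)
#   err_nitems     error code (high 4 bits) | number of items (low 12 bits)
#   mbz_itemsize   must-be-zero (high 4 bits) | size of one item (low 12 bits)
MODE7_HDR = struct.Struct("!BBBBHH")
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 0x2A
# struct info_monitor_1: 7 x u32 (lasttime, firsttime, restr, count, addr, daddr,
# flags), u16 port, u8 mode, u8 version, u32 v6_flag, u32 unused1, addr6, daddr6
MONITOR_ENTRY = struct.Struct("!IIIIIIIHBBII16s16s")   # 72 bytes
ITEMS_PER_PKT = 6                                       # ntpd's packing limit for monlist


def build_monlist_probe() -> bytes:
    """The 8-byte request an attacker sends with a forged source address."""
    return MODE7_HDR.pack((2 << 3) | 7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(pkt: bytes) -> dict:
    """Decode one mode 7 response packet and list the client addresses it leaks."""
    if len(pkt) < MODE7_HDR.size:
        raise ValueError("packet shorter than a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = MODE7_HDR.unpack_from(pkt)
    if not rm_vn_mode & 0x80 or rm_vn_mode & 0x07 != 7:
        raise ValueError("not a mode 7 response")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    clients = []
    if err == 0 and req == REQ_MON_GETLIST_1 and itemsize == MONITOR_ENTRY.size:
        if len(pkt) < MODE7_HDR.size + nitems * itemsize:
            raise ValueError("truncated monlist packet")
        for i in range(nitems):
            f = MONITOR_ENTRY.unpack_from(pkt, MODE7_HDR.size + i * itemsize)
            addr, v6_flag, addr6 = f[4], f[10], f[12]
            clients.append(str(ipaddress.ip_address(addr6 if v6_flag else addr)))
    return {"more": bool(rm_vn_mode & 0x40), "seq": auth_seq & 0x7F,
            "impl": impl, "error": err, "nitems": nitems, "clients": clients}


def amplification_factor(request: bytes, responses: list, l3_overhead: int = 0) -> float:
    """Bytes the reflector emits per byte the attacker sends. l3_overhead=28 adds
    an IPv4+UDP header per packet, which is what actually lands on the victim's link."""
    sent = len(request) + l3_overhead
    received = sum(len(r) + l3_overhead for r in responses)
    return received / sent


def make_sample_response(seq: int, clients: list, more: bool) -> bytes:
    """Constructed test data in ntpd's wire layout (not a captured packet)."""
    hdr = MODE7_HDR.pack(0x80 | (0x40 if more else 0) | (2 << 3) | 7, seq, IMPL_XNTPD,
                         REQ_MON_GETLIST_1, len(clients), MONITOR_ENTRY.size)
    body = b"".join(
        MONITOR_ENTRY.pack(0, 0, 0, 1, int(ipaddress.ip_address(c)), 0, 0, 123, 3, 4,
                           0, 0, b"\0" * 16, b"\0" * 16)
        for c in clients)
    return hdr + body


# Twelve placeholder clients from documentation address space, split the way
# ntpd would: six entries per packet, "more" bit set on every packet but the last.
SAMPLE_CLIENTS = [f"198.51.100.{i}" for i in range(1, 7)] + [f"203.0.113.{i}" for i in range(1, 7)]
SAMPLE_RESPONSES = [make_sample_response(0, SAMPLE_CLIENTS[:6], True),
                    make_sample_response(1, SAMPLE_CLIENTS[6:], False)]


def probe(host: str, port: int = 123, timeout: float = 2.0) -> list:
    """Send the probe to a server you administer and collect its reply packets.
    An empty list means it does not answer monlist (patched or restricted)."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_probe(), (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                replies.append(data)
                if not parse_monlist_response(data)["more"]:
                    break
        except (socket.timeout, ValueError):
            pass
    return replies


if __name__ == "__main__":
    req = build_monlist_probe()
    print("probe:", req.hex())
    for r in SAMPLE_RESPONSES:
        print(parse_monlist_response(r))
    print("payload amplification: %.0fx" % amplification_factor(req, SAMPLE_RESPONSES))
    print("on-the-wire amplification: %.0fx" % amplification_factor(req, SAMPLE_RESPONSES, 28))
```

The two constructed packets total 880 bytes in reply to an 8-byte request, a 110x payload amplification; a full 600-entry list is 100 such packets, which is how a single spoofing host with a modest uplink ends up delivering the kind of volumes described above. If `probe()` returns anything at all from a host you run, that host is usable as a reflector: disable the monitor facility (`disable monitor` in ntp.conf), restrict mode 7 queries (`restrict default kod nomodify notrap nopeer noquery`), or upgrade to an ntpd release from 4.2.7p26 onward, which no longer answers monlist.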
As I noted in a talk I gave last summer with Lance James at the Black Hat security conference in Las Vegas, a funny thing happens when you decide to operate a DDoS-for-hire Web service: Your service becomes the target of attacks from competing DDoS-for-hire services. Hence, a majority of these services have chosen to avail themselves of Cloudflare’s free content distribution service, which generally does a pretty good job of negating this occupational hazard for the proprietors of DDoS services.
Lance James, Yours Truly, and Matthew Prince.
Mr. Prince took strong exception to my remarks at Black Hat, which observed that this industry probably would destroy itself without Cloudflare’s protection, and furthermore that some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services.
Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.
He said the company has a stated policy of not singling out one type of content over another, citing a fear of sliding down a slippery slope of censorship.
In a phone interview today, Prince emphasized that he has seen no indication that actual malicious packets are being sent out of Cloudflare’s network from the dozens of booter service Web sites that are using the service. Rather, he said, those booter services are simply the marketing end of these operations.
“The very nature of what we are trying to build is a system by which any content can be online and we can make denial-of-service attacks a thing of the past. But that means that some controversial content will end up on our network. We have an attack of over 100 Gbps almost every hour of every day. If I really thought it would solve the problem, and if our network was actually being used in these attacks, that’s a no-brainer. But I can’t get behind the idea that we should deny service to a marketing site just so that it can be attacked by these other sites, and that this will somehow make the problem go away. I don’t think that’s right, and it starts us down a slippery slope.”
As a journalist, I’m obviously extremely supportive of free speech rights. But it seems to me that most of these DDoS-for-hire services are — by definition — all about stifling speech. Worse yet, over the past few months the individuals behind these offerings have begun to latch onto NTP attacks, said Allison Nixon, a researcher for NTT Com Security who spoke about DDoS protection bypass techniques at last year’s Black Hat. “There is a growing awareness of NTP based attacks in the criminal underground in the past several months,” Nixon said. “I believe it’s because nobody realized just how many vulnerable servers are out there until recently. The technical problem of NTP amplification has been known for a long time. Now that more and more attack lists are being traded around, the availability of DDoS services with NTP attack functionality is on the rise.”
(S)KIDS JUST WANNA HAVE FUN
kids who apparently can think of no better way to prove how cool and “leet” they are than by wantonly knocking Web sites offline and by launching hugely disruptive assaults. Case in point: My site appears to have been attacked this week by a 15-year-old boy from Illinois who calls himself “Mr. Booter Master” online.
Prolexic Technologies, the company that has been protecting KrebsOnSecurity from DDoS attacks for the past 18 months, said the attack that hit my site this week clocked in just shy of 200 Gbps. A year or two ago, a 200 Gbps attack would have been close to the largest attack on record, but the general upswing in attack volume over the past year makes the biggest attacks timeline look a bit like a hockey stick, according to a blog post on NTP attacks posted today by Arbor Networks. Arbor’s writeup speaks volumes about the motivations and maturity of the individuals behind a majority of these NTP attacks.
Source: Arbor Networks
The NTP attack on my site was short-lived — only about 10 minutes in duration, according to Prolexic. That suggested the attack was little more than a proof-of-concept, a demonstration.
Indeed, shortly after the attack subsided, I heard from a trusted source who closely monitors hacker activity in the cybercrime underground. The source wanted to know if my site had recently been the subject of a denial-of-service attack. I said yes and asked what he knew about it. The source shared some information showing that someone using the nickname “Rasbora” had very recently posted several indicators in a private forum in a bid to prove that he had just launched a large attack against my site.
Rasbora’s posts on Hackforums.
Apparently, Rasbora did this so that he could prove his greatness to the administrators of Darkode, a closely guarded cybercrime forum that has been profiled at length in this blog. Rasbora was anxious to show what he could contribute to the Darkode community, and his application for membership there hinged in part on whether he could be successful in taking down my site (incidentally, this is not the first time Darkode administrators have used my site as a test target for vetting prospective members who apply based on the strength of some professed DDoS prowess).
Rasbora, like other young American kids involved in DDoS-for-hire services, hasn’t done a great job of separating his online self from his real life persona, and it wasn’t long before I was speaking to Rasbora’s dad. His father seemed genuinely alarmed — albeit otherwise clueless — to learn about his son’s alleged activities. Rasbora himself agreed to speak to me, but denied that he was responsible for any attack on my site. He did, however, admit to using the nickname Rasbora — and eventually — to being consumed with various projects related to DDoS activities.
Rasbora maintains a healthy presence on Hackforums[dot]net, a relatively open forum that is full of young kids engaged in selling hacking services and malicious code of one kind or another. Throughout 2013, he ran a DDoS-for-hire service hidden behind Cloudflare called “Flashstresser.net,” but that service is currently unreachable. These days, Rasbora seems to be taking projects mostly by private contract.
Some of Rasbora’s posts prior to our phone call.
Rasbora’s most recent project just happens to be gathering and maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.
“I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.”
Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.
Tags: Allison Nixon, Arbor Networks, CloudFlare, Darkode, Hackforums, Lance James, Matthew Prince, network time protocol, NTP, NTT Com Security, Prolexic Technologies, Rasbora, Symantec
This entry was posted on Friday, February 14th, 2014 at 7:13 pm and is filed under A Little Sunshine, The Coming Storm.
20 comments
1. Ralph Daugherty
February 14, 2014 at 7:33 pm
“Who knows, maybe his dad will ground him and take away his Internet privileges.”
You can betcha after that phonecall that his dad is seriously considering it, if he hasn’t already. He messed with the wrong target, so to speak.
2. Cake
February 14, 2014 at 7:40 pm
Yo krebs I updated the domain as it’s mine. Wanna talk to me?
Come on Leak.sx, I’m Cake. Lol, next time search more.
3. Stratocaster
February 14, 2014 at 8:17 pm
After Comcast and Time Warner Cable merge, the DDOS attacks won’t happen as fast and will cost a lot more….
BV1
HA!
4. Doktor McNasty
February 14, 2014 at 8:46 pm
Ok so I’ve been involved with computers since the mid-nineties and at this point am running an IT department. I’m by no means ‘leet’ but I get by and can usually solve problems and even automate things here and there. What boggles my mind is how does someone who has been alive for less time than I have been learning and working with computers learn enough about how the fundamental structure of the internet works to be able to pull these kinds of things off? Disclaimer: yes I’m jealous – but that doesn’t quite explain it. He can’t have even been studying for those 15 years as he needed a few years to learn how to just READ didn’t he?
Maybe his parents are grounding him to a corner with technical manuals and a computer when he acts up? How does this all play out, do you suppose?
Cake
February 14, 2014 at 8:50 pm
Yea about that, I had to even learn how to use “cd”..
He’s still coming back to me each fucking time, so no he’s not able to pull off without others help. And for the parent side, Krebs broke some laws of Privacy and such by calling them and they did not care. Anyways, he’s a skid.
BrianKrebs
February 14, 2014 at 8:55 pm
Watch your mouth. And I broke privacy laws? How do you figure? The kid’s dad explicitly gave me permission to interview him. And what’s more, I don’t even name the little turkey, so it’s hardly an invasion of privacy.
scott
February 14, 2014 at 9:06 pm
Calling people must apparently be an invasion of privacy or something
Rofl
February 14, 2014 at 9:00 pm
Jesus you’re arrogant, you undoubtedly obtained the scripts from someone else yourself.
Cake
February 14, 2014 at 9:02 pm
Can’t deny and can’t accept as I wrote a couple things myself. And I never even said anything about scripts.
5. Robert Scroggins
February 14, 2014 at 8:58 pm
I suppose it plays out by the kid eventually getting a law degree and then going into politics where he winds up in Congress! Regards,
6. Annie C. Bai
February 14, 2014 at 9:22 pm
I was wondering (worried) when I couldn’t get onto your site on Tuesday, but since you were only down for 10 minutes, maybe that was just my broke-down iPhone 4. Good to hear you are on the case as usual. What a tangled web the free Internet is…
7. Ken Carter
February 14, 2014 at 9:28 pm
Great post, but I think your analysis of DDoS-for-hire sites attacking one another, is static and therefore incomplete. Granted, at least initially, DDoS-for-hire sites might start to attack one another if kicked out from behind security networks. However, in the longer run, attacking each other is ultimately unprofitable, just as the Sopranos and Corleones don’t go on whacking one another forever. The weaker ones will get knocked out, but sooner or later they will achieve some truce, divvy up the territories, and start on more profitable criminal ventures. “You get North Jersey and I get every thing south of Mulberry Street.” At the end, you would be left with a Nash Equilibrium and a Darwinian outcome comprised of the most ruthless sites. Full disclosure: I work for CloudFlare.
8. JCitizen
February 14, 2014 at 9:38 pm
And yet I can’t remember ever have trouble getting to your site! Maybe this is why others posting here complain of lag time before their posts show up? Otherwise PFTT! – they be a figment of the imagination – go away figment! ]:)
9. AllHailLordKreben
February 14, 2014 at 10:38 pm
Kerb, you better watch out. These pro hackers might want more of you.
10. TheOreganoRouter.onion
February 14, 2014 at 10:52 pm
I would get law enforcement involved , then charge him as a juvenile , to teach this young kid a good lesson in not trying to take down internet security websites.
11. iMatrix
February 14, 2014 at 11:04 pm
Don’t blame rasbora. Looking on his activity he ain’t launching a dos on a website like yours. The only place of him brag about his activity is leak.sx and he does good reviews on stressers.
P.S – DOS Attack servers are now costly and rare, its hard to find one so he can’t gather 200Gbps DOS server. The only one capable of doing this is cyberbunker.
12. CloudflareCustomer
February 14, 2014 at 11:23 pm
Cloudflare saying that they’re not seeing any outbound activity is totally disingenuous, but technically true. Since they only handle requested traffic, not all outbound traffic, they only see connections that are initiated from outside. The root server could be sending out traffic and they’re be none the wiser. It’s even better if there’s more than one connection on the server.
13. Lysergic Acid Diethylamide
February 14, 2014 at 11:39 pm
From wikipedia: “A rasbora is a member of a group of small minnow-type fish”
14. Rob
February 15, 2014 at 1:58 am
I’m not a fan of CloudFlare. I had a problem accessing one of their client’s sites but the only way to contact CloudFlare is to sign-on as a new client. I did that (it was free and only took a minute) and then filled out a “Tech. Support Ticket”, but when I tried to submit the ticket, the web-form was SO broken I had to give up and just remove the original site from my bookmarks.
I’m one of those people who thinks the inventors of the so-called Cloud were probably smart, while their clients definitely aren’t. But there don’t seem to be many of us who think this. Or maybe most of us can only speak Russian. Who knows? I imagine Russians laugh pretty hard about the cloud. Maybe THEY invented it. Maybe Mr. Kaspersky invented it. They invented Tetris, after all, and won the space race despite/while being a communist country: 1st space ship, 1st animal, 1st man, 1st woman in space. As for the moon, they just used telescopes. Brilliant!