Lance James provides further specifics about the investigation of booter services out there, in particular focusing on the 8 types of DDoS being leveraged.

Moving on, I started doing database analysis to get a birds-eye view, diverse activity and stuff. We wanted to look at how many people are on this thing and in what areas they are (see right-hand image). This just gives us an idea of the diversity and the involvement of this service. I also have general goodies that are actually important. You have server IP addresses, you have CPU that’s being used, attack capabilities, and we have the passwords. I’m going to warn you that the next part with passwords (see image below) could be offensive to some. I like to learn what’s going on from behind the scenes here. And then we get into following the money. To me, from the forensic view, the closer I get to the adversary is actually where the money is. As much as we bring up PayPal, they do a pretty good job at validating who is on these accounts and stuff. I actually happen to work a lot with the PayPal investigations teams in the background; they won’t necessarily share details with me, but if you notify them they will take action. But what’s kind of neat about these booters is, because they use PayPal, we actually see little things like their email address that you’re paying the money to (see left-hand image). In most cases, you’re going to assume that that’s not a stolen email. But this one is even better, because the actual domain name is the last name of the actual person involved here, so I’m putting it in a higher probability that it’s probably not a hacked Gmail account or anything like that. And the domain name belongs to a guy that looks like this (see right-hand image). And then we looked into this guy because we did the Whois and we got the information. He’s actually doing a great job of separating himself from the booter service.
But what I did find, really coincidentally, is the only thing he’s got on his Google+ site is CloudFlare promotional type of stuff (see right-hand image). Also, what was interesting is that the real person works in InfoSec at a major financial institution, so there is an internal investigation in progress. And also, when I went through the code, some of the payment process code was in French. As I was looking into this, I realized that some of the big targets that have been on the news (see right-hand image) were Whitehouse.gov, CIA.gov, Barackobama.com DDoSes, the FBI.gov; I’m sure I’ve seen a couple of the NSA IPs in there. I saw a lot of big financial institutions in there. There were actually 631 distinct targets in there, some of the personnel obviously. But you get to really map their activity, so I’ve been working on putting together the timeline of this.
I also wanted to get into the actual DDoS TTPs. There was some leaked source code on Hack Forums as well. When Brian started giving me information on other booter services out there, I started looking at AsylumStresser and a few others. They had funny little vulnerabilities laying around, and I’m not surprised that they’re getting hacked. They also use the same backend code for the weaponization, and I can guarantee that kiddies didn’t write this stuff; it’s probably been around for a while. What’s great about that for us is, when you think about it from a holistic perspective, you can sit there and write remediation capabilities off the analysis and cover the entire gamut based on the tool.

So, basically, we did some analysis, and here are 8 types of DDoS (see left-hand image). We have ‘amp.c’, which is a UDP Amplification attack using chargen, basically Port 19. We have ‘arme.c’, which is an Apache Remote Memory Exhaustion; that’s a pretty popular one that has been around for a while. You also have what’s called ‘essyn.c’, which is a standard SYN flooder. We have ‘lag.c’, which is basically the same as ‘amp’ but with slight timing differences. We have ‘scloud.c’, which is Skype DDoS based on ‘amp’, so it’s the same code as ‘amp’, only it has a Skype IP resolver using SpeedResolve.com. There’s also ‘slow.c’, the Slowloris attack which ‘RSnake’ invented; that’s one of the popular attacks as well. And then we have ‘rudy.c’, which is basically ‘R-U-Dead-Yet’ – it’s a long-form field submission type of attack. And also we have ‘ghp.c’, which is a GET/HEAD/POST Flooder; you saw a few of those when Brian was showing his stuff. So, we were going through the code and we categorized it (see right-hand image). The ‘amp’, ‘lag’ and ‘scloud’ – you can basically use standard UDP volumetric countermeasures to take care of those. If you have a Prolexic or even standard firewalls, you can handle that in most cases.
The ‘arme’ – the Apache Killer Snort Signature will work for that, but you can also do some stuff with range and the bytes. To handle ‘essyn’, you can employ standard countermeasures for SYN. The Slowloris – there are some regex rules on this specific one, where it’s like ‘x-’, then 7 random lowercase letters, and then ‘: 1’. ‘rudy’ – on this tool that’s a regex on the default settings, which these kids aren’t changing; there’s this thing sitting on these European ISPs just ready to go. Pretty much this whole thing, these booter kits – you can just unzip, install, go. The username equals ‘ZZZZ…’. For the GET/HEAD/POST one, the rule would be to use HTTP authentication or look for missing ‘Accept*’ headers. We have a new set of lists here (see left-hand image). I checked all of these that are protected behind CloudFlare, so they go with the whole competitive space here. So we have the iDDoS Stresser, Onion Stresser, Quantum Stresser – this Star Wars list could keep going, I think, right from the beginning. Then I was looking at what’s going on next, and I saw this today (see right-hand image); it was kind of awesome. You’re getting mobile devices fully compatible, HTML5 stuff basically. You don’t really have to go get an app for that; you can be compatible.
I did want to give some thanks out, obviously, to law enforcement, some FBI involvement. Daniel Clemens over there from PacketNinjas has provided a lot of assistance in this. Allison Nixon – she’s been awesome. I want to thank Arbor Networks because they also were involved in some of the analysis stuff I did. Jamie@CloudFlare – she’s actually been cool, so as much as we might seem like we’re coming off CloudFlare for this or that, I’ve had some good luck with CloudFlare in some of the areas, and it’s just going to take a coordinated initiative to take all of this stuff down, but they were definitely helpful when I’ve asked. Thanks to my company for allowing me to do this crazy stuff that they are going “Wow!” at. Thanks to Mr. Krebs over here for just taking the heat for all of this, and you guys here, Prolexic as well, and Black Hat, and anybody I missed.
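The talk’s categorization of the kit’s HTTP-layer attacks (‘slow.c’, ‘rudy.c’, ‘ghp.c’ and ‘arme.c’) and the countermeasures given for each map naturally onto a request-inspection script. The block below is an added example and not the speaker’s code or anything from the booter kit: it implements the heuristics as described in the talk (the ‘x-’ plus seven lowercase letters plus ‘: 1’ Slowloris header, the default ‘username=ZZZZ…’ RUDY field, the missing ‘Accept*’ headers of the GET/HEAD/POST flooder, and an Apache Killer style Range header with many byte ranges). The exact regexes, the range-count threshold and the sample requests are my own constructions and assumptions, not vendor signatures.

```python
"""Signature checks for the booter kit's HTTP-layer attacks (slow.c, rudy.c,
ghp.c, arme.c), run over constructed sample requests.

ASSUMPTIONS: the patterns below are one reading of the heuristics described in
the talk, not the kit's code or a Snort/vendor rule; thresholds are arbitrary."""
import re
from typing import Dict, List, Tuple

SLOWLORIS_HEADER_NAME = re.compile(r"^X-[a-z]{7}$", re.IGNORECASE)  # "x-" + 7 lowercase letters
RUDY_FIELD = re.compile(r"(?:^|&)username=Z{4,}", re.IGNORECASE)   # kit default username=ZZZZ...
MAX_RANGE_SEGMENTS = 5  # assumed: more byte ranges than this in one Range header is suspect


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, (name, value) headers and body.
    A request with no terminating blank line (Slowloris never sends one) parses
    as headers only, with an empty body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return {"method": method, "headers": headers, "body": body}


def classify(raw: str) -> List[str]:
    """Return the attack signatures a single request matches (empty list if none).
    A request can legitimately match more than one rule."""
    req = parse_request(raw)
    headers = req["headers"]
    hits: List[str] = []

    # slow.c: junk keep-alive header of the form 'X-<7 lowercase letters>: 1'
    if any(SLOWLORIS_HEADER_NAME.match(n) and v == "1" for n, v in headers):
        hits.append("slowloris")

    # rudy.c: long-form POST whose form field is still the kit's default username
    if req["method"] == "POST" and RUDY_FIELD.search(req["body"]):
        hits.append("rudy")

    # ghp.c: the GET/HEAD/POST flooder sends no Accept* headers at all
    if not any(n.lower().startswith("accept") for n, _ in headers):
        hits.append("http_flood")

    # arme.c: Apache Killer style Range header carrying many overlapping byte ranges
    for n, v in headers:
        if n.lower() == "range" and v.lower().startswith("bytes="):
            segments = [s for s in v[len("bytes="):].split(",") if s.strip()]
            if len(segments) > MAX_RANGE_SEGMENTS:
                hits.append("arme")
            break
    return hits


# Constructed sample requests (not captures from any real booter).
SAMPLES: Dict[str, str] = {
    "benign": (
        "GET /index.html HTTP/1.1\r\nHost: target.example\r\n"
        "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nRange: bytes=0-1023\r\n\r\n"
    ),
    "slowloris": (
        "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/4.0\r\n"
        "Accept: */*\r\nX-abcdefg: 1\r\n"  # deliberately no terminating blank line
    ),
    "rudy": (
        "POST /login HTTP/1.1\r\nHost: target.example\r\nAccept: */*\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 100000000\r\n\r\nusername=ZZZZZZZZZZZZ"
    ),
    "ghp_flood": "HEAD / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "apache_killer": (
        "HEAD / HTTP/1.1\r\nHost: target.example\r\nAccept: */*\r\n"
        "Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6\r\n\r\n"
    ),
}


def run_samples() -> Dict[str, List[str]]:
    """Classify every sample; returns {sample_name: [signatures]}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:14s} -> {hits or 'clean'}")
```

The missing-Accept rule is the noisiest of the four (plenty of legitimate clients and monitoring tools send no Accept header), which is why the talk pairs it with HTTP authentication rather than relying on it alone; in practice you would rate-limit or challenge on that hit rather than drop outright, and keep the Slowloris and RUDY rules, which key on the kit’s unchanged defaults, as the high-confidence ones.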
Read previous: Spy-jacking the Booters 5: Tracking the Fraudsters Down
Read next: Spy-jacking the Booters 7: Fascinating Q&A