
Spy-jacking the Booters 6: Types of DDoS Used

Lance James provides further specifics about the investigation of booter services out there, in particular focusing on the 8 types of DDoS being leveraged.

Diversity of booter clients

Moving on, I started doing database analysis to get a birds-eye view, diverse activity and stuff. We wanted to look at how many people are on this thing and in what areas they are (see right-hand image). This just gives us an idea of the diversity and the involvement of this service.

Data analyzed

I also have general goodies that are actually important. You have server IP addresses, you have CPU that’s being used, attack capabilities, and we have the passwords. I’m going to warn you that the next part with passwords (see image below) could be offensive to some.

MySQL data

I like to learn what’s going on from behind the scenes here. And then we get into following the money. To me, from the forensic view, the closer I get to the adversary is actually where the money is. As much as we bring up PayPal, they do a pretty good job at validating who is on these accounts and stuff. I actually happen to work a lot with the PayPal investigations teams in the background; they won’t necessarily share details with me, but if you notify them they will take action.

PayPal data can reveal a lot

But what’s kind of neat about these booters is, because they use PayPal, we actually see little things like their email address that you’re paying the money to (see left-hand image). In most cases, you’re going to assume that that’s not a stolen email.

Domain owner

But this one is even better, because the actual domain name is the last name of the actual person involved here, so I’m putting it in a higher probability that it’s probably not a hacked Gmail account or anything like that. And the domain name belongs to a guy that looks like this (see right-hand image).

The guy’s Google+ profile

And then we looked into this guy because we did the Whois and we got the information. He’s actually doing a great job of separating himself from the booter service. But what I did find, really coincidentally, is the only thing he’s got on his Google+ site is CloudFlare promotional type of stuff (see right-hand image). Also, what was interesting is that the real person works in InfoSec at a major financial institution, so an internal investigation is in progress. And also, when I went through the code, some of the payment process code was in French.

Institutions targeted

As I was looking into this, I realized that some of the big targets that have been on the news (see right-hand image) were Whitehouse.gov, CIA.gov, Barackobama.com DDoS’es, the FBI.gov; I’m sure I’ve seen a couple of the NSA IPs in there. I saw a lot of big financial institutions in there. There were actually 631 distinct targets in there, some of the personnel obviously. But you get to really map their activity, so I’ve been working on putting together the timeline of this.

I also wanted to get into the actual DDoS TTPs. There was some leaked source code on Hack Forums as well. When Brian started giving me information on other booter services out there, I started looking at AsylumStresser and a few others. They had funny little vulnerabilities lying around, and I’m not surprised that they’re getting hacked. They also use the same backend code for the weaponization, and I can guarantee that kiddies didn’t write this stuff; it’s probably been around for a while. What’s great about that for us is, when you think about it from a holistic perspective, you can sit there and write remediation capabilities off the analysis and cover the entire gamut based on the tool.

8 types of DDoS used

So, basically, we did some analysis, and here are 8 types of DDoS (see left-hand image). We have the ‘amp.c’, which is a UDP Amplification attack using chargen, basically Port 19. We have ‘arme.c’, which is an Apache Remote Memory Exhaustion; that’s a pretty popular one that has been around for a while. You also have what’s called ‘essyn.c’, which is a standard SYN flooder. We have ‘lag.c’, which is basically same as ‘amp’ but with slight timing differences. We have ‘scloud.c’, which is Skype DDoS based on ‘amp’, so it’s the same code as ‘amp’, only it has a Skype IP resolver using SpeedResolve.com. There’s also ‘slow.c’, the Slowloris attack which ‘RSnake’ invented; that’s one of the popular attacks as well. And then we have the ‘rudy.c’, which is basically ‘R-U-Dead-Yet’ – it’s a long form field submission type of attack. And also we have ‘ghp.c’, which is GET/HEAD/POST Flooder; you saw a few of those when Brian was showing his stuff.

Countermeasures

So, we were going through the code and we categorized it (see right-hand image). The ‘amp’, ‘lag’ and ‘scloud’ – you can basically use standard UDP volumetric countermeasures to take care of those. If you have a Prolexic or even standard firewalls, you can handle that in most cases. The ‘arme’ – the Apache Killer Snort signature will work for that, but you can also do some stuff with Range and the bytes. To handle ‘essyn’, you can employ standard countermeasures for SYN. The Slowloris – there are some regex rules on this specific one, where it’s like ‘x-’ and then 7 random lowercase letters, and then ‘: 1’. ‘rudy’ – on this tool that’s a regex on the default settings, which these kids aren’t changing; there’s this thing sitting on these European ISPs just ready to go. Pretty much this whole thing, these booter kits – you can just unzip, install, go. The username equals ‘ZZZZ…’. For the GET/HEAD/POST one, the rule would be to use HTTP authentication or look for missing ‘Accept*’ headers.
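The three request-level signatures quoted above (the Slowloris ‘x-’ + 7 lowercase letters + ‘: 1’ padding header, the ‘rudy’ default username of repeated ‘Z’s, and the GET/HEAD/POST flooder sending no ‘Accept*’ headers) written as a small classifier over raw HTTP requests. This is an added example, not code from the talk or the booter kits; the exact regex forms, the minimum of four ‘Z’s, and the sample requests are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Signatures as described in the talk; exact regex forms are assumed for illustration.
# Slowloris keep-alive padding header: "X-" + 7 random lowercase letters, value "1".
SLOWLORIS_NAME = re.compile(r"^x-[a-z]{7}$")
# R-U-Dead-Yet default (unchanged) form field: username made of a run of 'Z' characters.
RUDY_FIELD = re.compile(r"(?:^|&)username=Z{4,}", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(raw: str) -> List[str]:
    """Return the detection tags that fire for one request (empty list = nothing matched)."""
    request_line, headers, body = parse_request(raw)
    method = request_line.split(" ", 1)[0].upper()
    tags: List[str] = []
    # slow.c: padding headers keep the connection open without ever finishing the request
    if any(SLOWLORIS_NAME.match(n) and v == "1" for n, v in headers.items()):
        tags.append("slowloris-padding-header")
    # rudy.c: the kit's default form field value that operators leave unchanged
    if method == "POST" and RUDY_FIELD.search(body):
        tags.append("rudy-default-field")
    # ghp.c: GET/HEAD/POST floods from the kit carry no Accept* headers at all
    if method in ("GET", "HEAD", "POST") and not any(n.startswith("accept") for n in headers):
        tags.append("missing-accept-headers")
    return tags


# Constructed sample requests (not captures from the investigation)
SAMPLES = {
    "slowloris": "GET / HTTP/1.1\r\nHost: www.example\r\nAccept: */*\r\nX-qwertyu: 1\r\n\r\n",
    "rudy": "POST /login HTTP/1.1\r\nHost: www.example\r\nAccept: */*\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 100000000\r\n\r\n"
            "username=ZZZZZZZZZZ",
    "ghp": "HEAD / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: www.example\r\nAccept: text/html\r\n"
              "Accept-Language: en\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {classify(raw) or ['clean']}")
```

The ‘amp’/‘lag’/‘scloud’, ‘arme’ and ‘essyn’ cases are volumetric or transport-level and are handled upstream (UDP rate limiting, SYN cookies, the Apache Killer signature), so they are not part of this request parser.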

Prevalent booter services

We have a new set of lists here (see left-hand image). I checked all of these that are protected behind CloudFlare, so they go with the whole competitive space here. So we have the iDDoS Stresser, Onion Stresser, Quantum Stresser – this Star Wars list could keep going, I think, right from the beginning.

Mobile compatible booter

Then I was looking at what’s going on next, and I saw this today (see right-hand image), it was kind of awesome. You’re getting mobile devices fully compatible, HTML5 stuff basically. You don’t really have to go get an app for that, you can be compatible.

I did want to give some thanks out, obviously, to law enforcement, some FBI involvement. Daniel Clemens over there from PacketNinjas has provided a lot of assistance in this. Allison Nixon – she’s been awesome. I want to thank Arbor Networks because they also were involved in some of the analysis stuff I did. Jamie@CloudFlare – she’s actually been cool, so as much as we might seem like we’re coming off CloudFlare for this or that, I’ve had some good luck with CloudFlare in some of the areas, and it’s just going to take coordinated initiative to take all of this stuff down, but they were definitely helpful when I’ve asked. Thanks to my company for allowing me to do this crazy stuff that they are going “Wow!” about. Thanks to Mr. Krebs over here just taking the heat for all of this, and you guys here, Prolexic as well, and Black Hat, and anybody I missed.