    Krebs on Security: In-depth security news and investigation
    http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
    (printed 15/2/14 3:22 pm, 12 pages)

    14 Feb 14

    The New Normal: 200-400 Gbps DDoS Attacks

    Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet: a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common.

    At issue is a seemingly harmless feature built into many Internet servers known as the Network Time Protocol (NTP), which is used to sync the date and time between machines on a network. The problem isn't with NTP itself, per se, but with certain outdated or hard-coded implementations of it that attackers can use to turn a relatively negligible attack into something much, much bigger. Symantec's writeup on this threat from December 2013 explains the problem succinctly:

    "Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic."

    Matthew Prince, the CEO of Cloudflare, a company that helps Web sites stay online in the face of huge DDoS attacks, blogged Thursday about a nearly 400 Gbps attack that recently hit one of the company's customers and leveraged NTP amplification. Prince said that while Cloudflare "generally [was] able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe."

    "Monday's DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks," Prince wrote. "On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic."
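    The reflection mechanism Symantec and Prince describe, as an added example that is not part of the original post and not code from Symantec, Cloudflare or the ntpd project: a small Python module that decodes the NTP mode 7 ("private") header, classifies monlist requests and replies the way a sensor or ACL would, synthesises the 100-datagram reply a vulnerable ntpd sends for a full 600-entry client table, and tallies per-host request versus reply bytes so a spoofed victim stands out. The header field layout is taken from ntpd's ntp_request.h as recalled here; the 72-byte entries, six per datagram, are what affected ntpd versions emit; the addresses (RFC 5737 documentation ranges) and every packet are constructed for the example.

```python
"""Decode NTP mode 7 ("private") datagrams and measure monlist amplification.

Added example for this article, not code from KrebsOnSecurity, Symantec, Cloudflare
or the ntpd project.  Header layout follows ntpd's ntp_request.h as recalled by this
example's author; 72-byte entries, six per reply datagram, match what affected ntpd
versions send.  All packets and addresses below are constructed (RFC 5737 ranges).
"""
import struct
from collections import defaultdict
from typing import Iterable, NamedTuple, Optional

NTP_PORT = 123
MODE_PRIVATE = 7
MONLIST_CODES = (20, 42)    # REQ_MON_GETLIST and REQ_MON_GETLIST_1 (0x2a)
MON_ENTRY_SIZE = 72         # one info_monitor_1 record
ENTRIES_PER_PACKET = 6      # 8 + 6*72 = 440 bytes, within the mode 7 size limit
MAX_MON_ENTRIES = 600       # ntpd keeps at most 600 recent-client records

# The 8-byte probe: version 2, mode 7, implementation XNTPD (3), request code 42.
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])


class Mode7Header(NamedTuple):
    response: bool      # R bit, set on replies
    more: bool          # M bit, more reply datagrams follow
    version: int
    sequence: int       # position within a multi-datagram reply
    implementation: int
    request_code: int
    err: int
    nitems: int         # data items carried in this datagram
    item_size: int


def parse_mode7(payload: bytes) -> Optional[Mode7Header]:
    """Decode the 8-byte mode 7 header; None for anything else (e.g. mode 3 time sync)."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if (b0 & 0x07) != MODE_PRIVATE:
        return None
    return Mode7Header(bool(b0 & 0x80), bool(b0 & 0x40), (b0 >> 3) & 0x07, b1 & 0x7F,
                       impl, req, err_nitems >> 12, err_nitems & 0x0FFF, mbz_size & 0x0FFF)


def monlist_kind(payload: bytes) -> Optional[str]:
    """'request', 'reply' or None: the few-byte test a sensor or ACL can key on."""
    h = parse_mode7(payload)
    if h is None or h.request_code not in MONLIST_CODES:
        return None
    return "reply" if h.response else "request"


def build_monlist_reply(seq: int, nitems: int, more: bool) -> bytes:
    """One reply datagram shaped like a vulnerable ntpd's (entry bodies zero-filled)."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", b0, seq & 0x7F, 3, 42, nitems & 0x0FFF, MON_ENTRY_SIZE)
    return header + bytes(nitems * MON_ENTRY_SIZE)


def full_monlist_reply(entries: int = MAX_MON_ENTRIES) -> list:
    """Every datagram a server holding `entries` recent clients emits for one probe."""
    packets, seq = [], 0
    while entries > 0:
        n = min(ENTRIES_PER_PACKET, entries)
        entries -= n
        packets.append(build_monlist_reply(seq, n, more=entries > 0))
        seq += 1
    return packets


def monlist_amplification(flows: Iterable[tuple]) -> dict:
    """flows: (src, sport, dst, dport, payload) tuples.  Per host, monlist request bytes
    it appears to have sent versus reply bytes it received.  Replies dwarfing requests,
    or arriving with no request at all, is the signature of spoofed-source reflection."""
    stats = defaultdict(lambda: {"request_bytes": 0, "reply_bytes": 0,
                                 "reply_packets": 0, "reflectors": set()})
    for src, sport, dst, dport, payload in flows:
        kind = monlist_kind(payload)
        if kind == "request" and dport == NTP_PORT:
            stats[src]["request_bytes"] += len(payload)     # src may well be forged
        elif kind == "reply" and sport == NTP_PORT:
            s = stats[dst]
            s["reply_bytes"] += len(payload)
            s["reply_packets"] += 1
            s["reflectors"].add(src)
    for s in stats.values():
        s["reflectors"] = sorted(s["reflectors"])
        s["amplification"] = (s["reply_bytes"] / s["request_bytes"]
                              if s["request_bytes"] else float("inf"))
    return dict(stats)


VICTIM, REFLECTOR = "203.0.113.10", "198.51.100.5"


def sample_attack() -> list:
    """Constructed flow: one probe with the victim's address forged as source, followed
    by the reflector's complete reply landing on the victim."""
    flows = [(VICTIM, 40000, REFLECTOR, NTP_PORT, MONLIST_PROBE)]
    flows += [(REFLECTOR, NTP_PORT, VICTIM, 40000, p) for p in full_monlist_reply()]
    return flows
```

    On the constructed flow the victim appears to have sent a single 8-byte probe and receives 100 datagrams of 440 bytes, a 5,500x amplification at the UDP payload level; real captures come out lower once IP and UDP headers are counted and because many reflectors hold fewer than 600 entries, but the order of magnitude is what makes one spoofing host on a 1 Gbps link dangerous. To run it over real traffic, hand monlist_amplification the UDP payloads from a pcap reader such as dpkt or scapy. The check on your own servers is unchanged from the advisories of the time: `ntpdc -n -c monlist <host>` should time out rather than return a client list, which means `disable monitor` in ntp.conf, a `restrict default ... noquery` line, or ntpd 4.2.7p26 or later, where the request is no longer honoured.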

    NO TIME LIKE THE PRESENT

    Prince suggests a number of solutions for cleaning up the problem that lets attackers abuse so many ill-configured NTP servers as reflectors, and this is sound advice. But what that post does not mention is the reality that a great many of today's DDoS attacks are being launched or coordinated by the same individuals who are running DDoS-for-hire services (a.k.a. "booters") which are hiding behind Cloudflare's own free cloud protection services.

    As I noted in a talk I gave last summer with Lance James at the Black Hat security conference in Las Vegas, a funny thing happens when you decide to operate a DDoS-for-hire Web service: Your service becomes the target of attacks from competing DDoS-for-hire services. Hence, a majority of these services have chosen to avail themselves of Cloudflare's free content distribution service, which generally does a pretty good job of negating this occupational hazard for the proprietors of DDoS services.

    [Photo] Lance James, Yours Truly, and Matthew Prince.

    Mr. Prince took strong exception to my remarks at Black Hat, which observed that this industry probably would destroy itself without Cloudflare's protection, and furthermore that some might perceive a credibility issue with a company that sells DDoS protection services providing safe haven to an entire cottage industry of DDoS-for-hire services.

    Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, "sometimes we have court orders that order us to not take sites down." Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.

    He said the company has a stated policy of not singling out one type of content over another, citing a fear of sliding down a slippery slope of censorship.

    In a phone interview today, Prince emphasized that he has seen no indication that actual malicious packets are being sent out of Cloudflare's network from the dozens of booter service Web sites that are using the service. Rather, he said, those booter services are simply the marketing end of these operations.

    "The very nature of what we are trying to build is a system by which any content can be online and we can make denial-of-service attacks a thing of the past. But that means that some controversial content will end up on our network. We have an attack of over 100 Gbps almost every hour of every day. If I really thought it would solve the problem, and if our network was actually being used in these attacks, that's a no-brainer. But I can't get behind the idea that we should deny service to a marketing site just so that it can be attacked by these other sites, and that this will somehow make the problem go away. I don't think that's right, and it starts us down a slippery slope."

    As a journalist, I'm obviously extremely supportive of free speech rights. But it seems to me that most of these DDoS-for-hire services are by definition all about stifling speech. Worse yet, over the past few months the individuals behind these offerings have begun to latch onto NTP attacks, said Allison Nixon, a researcher for NTT Com Security who spoke about DDoS protection bypass techniques at last year's Black Hat.

    "There is a growing awareness of NTP based attacks in the criminal underground in the past several months," Nixon said. "I believe it's because nobody realized just how many vulnerable servers are out there until recently. The technical problem of NTP amplification has been known for a long time. Now that more and more attack lists are being traded around, the availability of DDoS services with NTP attack functionality is on the rise."

    (S)KIDS JUST WANNA HAVE FUN

    The shocking thing about these DDoS-for-hire services is that, as I've reported in several previous stories, a majority of them are run by young kids who apparently can think of no better way to prove how cool and "leet" they are than by wantonly knocking Web sites offline and by launching hugely disruptive assaults. Case in point: My site appears to have been attacked this week by a 15-year-old boy from Illinois who calls himself "Mr. Booter Master" online.

    Prolexic Technologies, the company that has been protecting KrebsOnSecurity from DDoS attacks for the past 18 months, said the attack that hit my site this week clocked in just shy of 200 Gbps. A year or two ago, a 200 Gbps attack would have been close to the largest attack on record, but the general upswing in attack volume over the past year makes the biggest-attacks timeline look a bit like a hockey stick, according to a blog post on NTP attacks posted today by Arbor Networks. Arbor's writeup speaks volumes about the motivations and maturity of the individuals behind a majority of these NTP attacks.

    Source: Arbor Networks

    The NTP attack on my site was short-lived, only about 10 minutes in duration, according to Prolexic. That suggested the attack was little more than a proof-of-concept, a demonstration.

    Indeed, shortly after the attack subsided, I heard from a trusted source who closely monitors hacker activity in the cybercrime underground. The source wanted to know if my site had recently been the subject of a denial-of-service attack. I said yes and asked what he knew about it. The source shared some information showing that someone using the nickname "Rasbora" had very recently posted several indicators in a private forum in a bid to prove that he had just launched a large attack against my site.

    [Screenshot] Rasbora's posts on Hackforums.

    Apparently, Rasbora did this so that he could prove his greatness to the administrators of Darkode, a closely guarded cybercrime forum that has been profiled at length in this blog. Rasbora was anxious to show what he could contribute to the Darkode community, and his application for membership there hinged in part on whether he could be successful in taking down my site (incidentally, this is not the first time Darkode administrators have used my site as a test target for vetting prospective members who apply based on the strength of some professed DDoS prowess).

    Rasbora, like other young American kids involved in DDoS-for-hire services, hasn't done a great job of separating his online self from his real-life persona, and it wasn't long before I was speaking to Rasbora's dad. His father seemed genuinely alarmed, albeit otherwise clueless, to learn about his son's alleged activities. Rasbora himself agreed to speak to me, but denied that he was responsible for any attack on my site. He did, however, admit to using the nickname Rasbora and eventually to being consumed with various projects related to DDoS activities.

    Rasbora maintains a healthy presence on Hackforums[dot]net, a relatively open forum that is full of young kids engaged in selling hacking services and malicious code of one kind or another. Throughout 2013, he ran a DDoS-for-hire service hidden behind Cloudflare called Flashstresser.net, but that service is currently unreachable. These days, Rasbora seems to be taking projects mostly by private contract.


    [Screenshot] Some of Rasbora's posts prior to our phone call.

    Rasbora's most recent project just happens to be gathering and maintaining huge, top-quality lists of servers that can be used to launch amplification attacks online. Despite his insistence that he's never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.

    "I don't see what a wall of text can really tell you about what someone does in real life though," said Rasbora, whose real-life identity is being withheld because he's a minor. This reply came in response to my reading him several posts that he'd made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called "Hiring a hit on a Web site" that Rasbora has since deleted, he tells a fellow Hackforums user, "If all else fails and you just want it offline, PM me."

    Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn't DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.

    Tags: Allison Nixon, Arbor Networks, CloudFlare, Darkode, Hackforums, Lance James, Matthew Prince, network time protocol, NTP, NTT Com Security, Prolexic Technologies, Rasbora, Symantec

    This entry was posted on Friday, February 14th, 2014 at 7:13 pm and is filed under A Little Sunshine, The Coming Storm.

    20 comments

    1. Ralph Daugherty, February 14, 2014 at 7:33 pm

    "Who knows, maybe his dad will ground him and take away his Internet privileges."

    You can betcha after that phone call that his dad is seriously considering it, if he hasn't already.

    He messed with the wrong target, so to speak.

    2. Cake, February 14, 2014 at 7:40 pm

    Yo Krebs I updated the domain as it's mine.

    Wanna talk to me?

    Come on Leak.sx, I'm Cake.

    Lol, next time search more.

    3. Stratocaster, February 14, 2014 at 8:17 pm

    After Comcast and Time Warner Cable merge, the DDoS attacks won't happen as fast and will cost a lot more.

    BV1, February 14, 2014 at 8:58 pm

    HA!

    4. Doktor McNasty, February 14, 2014 at 8:46 pm

    Ok so I've been involved with computers since the mid-nineties and at this point am running an IT department. I'm by no means leet but I get by and can usually solve problems and even automate things here and there. What boggles my mind is how does someone who has been alive for less time than I have been learning and working with computers learn enough about how the fundamental structure of the internet works to be able to pull these kinds of things off? Disclaimer: yes I'm jealous but that doesn't quite explain it. He can't have even been studying for those 15 years as he needed a few years to learn how to just READ didn't he?

    Maybe his parents are grounding him to a corner with technical manuals and a computer when he acts up?

    How does this all play out, do you suppose?

    Cake, February 14, 2014 at 8:50 pm

    Yea about that, I had to even learn how to use cd..

    He's still coming back to me each fucking time, so no he's not able to pull off without others' help.

    And for the parent side, Krebs broke some laws of Privacy and such by calling them and they did not care.

    Anyways, he's a skid.

    BrianKrebs, February 14, 2014 at 8:55 pm

    Watch your mouth. And I broke privacy laws? How do you figure? The kid's dad explicitly gave me permission to interview him. And what's more, I don't even name the little turkey, so it's hardly an invasion of privacy.

    scott, February 14, 2014 at 9:06 pm

    Calling people must apparently be an invasion of privacy or something

    Rofl, February 14, 2014 at 9:00 pm

    Jesus you're arrogant, you undoubtedly obtained the scripts from someone else yourself.

    Cake, February 14, 2014 at 9:02 pm

    Can't deny and can't accept as I wrote a couple things myself. And I never even said anything about scripts.

    5. Robert Scroggins, February 14, 2014 at 8:58 pm

    I suppose it plays out by the kid eventually getting a law degree and then going into politics where he winds up in Congress!

    Regards,


    6. Annie C. Bai, February 14, 2014 at 9:22 pm

    I was wondering (worried) when I couldn't get onto your site on Tuesday, but since you were only down for 10 minutes, maybe that was just my broke-down iPhone 4. Good to hear you are on the case as usual. What a tangled web the free Internet is

    7. Ken Carter, February 14, 2014 at 9:28 pm

    Great post, but I think your analysis of DDoS-for-hire sites attacking one another is static and therefore incomplete. Granted, at least initially, DDoS-for-hire sites might start to attack one another if kicked out from behind security networks. However, in the longer run, attacking each other is ultimately unprofitable, just as the Sopranos and Corleones don't go on whacking one another forever. The weaker ones will get knocked out, but sooner or later they will achieve some truce, divvy up the territories, and start on more profitable criminal ventures. You get North Jersey and I get everything south of Mulberry Street. At the end, you would be left with a Nash Equilibrium and a Darwinian outcome comprised of the most ruthless sites. Full disclosure: I work for CloudFlare.

    8. JCitizen, February 14, 2014 at 9:38 pm

    And yet I can't remember ever having trouble getting to your site! Maybe this is why others posting here complain of lag time before their posts show up? Otherwise PFTT! they be a figment of the imagination go away figment! ]:)

    9. AllHailLordKreben, February 14, 2014 at 10:38 pm

    Kerb, you better watch out. These pro hackers might want more of you.

    10. TheOreganoRouter.onion, February 14, 2014 at 10:52 pm

    I would get law enforcement involved, then charge him as a juvenile, to teach this young kid a good lesson in not trying to take down internet security websites.

    11. iMatrix, February 14, 2014 at 11:04 pm

    Don't blame rasbora. Looking at his activity he ain't launching a dos on a website like yours. The only place he brags about his activity is leak.sx and he does good reviews on stressers.

    P.S. DOS Attack servers are now costly and rare, it's hard to find one so he can't gather a 200Gbps DOS server. The only one capable of doing this is cyberbunker.

    12. CloudflareCustomer, February 14, 2014 at 11:23 pm

    Cloudflare saying that they're not seeing any outbound activity is totally disingenuous, but technically true. Since they only handle requested traffic, not all outbound traffic, they only see connections that are initiated from outside. The root server could be sending out traffic and they'd be none the wiser. It's even better if there's more than one connection on the server.

    13. Lysergic Acid Diethylamide, February 14, 2014 at 11:39 pm

    From wikipedia: A rasbora is a member of a group of small minnow-type fish

    appropriate handle for a 15-year-old boy.


    14. Rob, February 15, 2014 at 1:58 am

    I'm not a fan of CloudFlare. I had a problem accessing one of their clients' sites but the only way to contact CloudFlare is to sign on as a new client. I did that (it was free and only took a minute) and then filled out a Tech Support Ticket, but when I tried to submit the ticket, the web form was SO broken I had to give up and just remove the original site from my bookmarks.

    I'm one of those people who thinks the inventors of the so-called Cloud were probably smart, while their clients definitely aren't. But there don't seem to be many of us who think this. Or maybe most of us can only speak Russian. Who knows? I imagine Russians laugh pretty hard about the cloud. Maybe THEY invented it. Maybe Mr. Kaspersky invented it. They invented Tetris, after all, and won the space race despite/while being a communist country: 1st space ship, 1st animal, 1st man, 1st woman in space. As for the moon, they just used telescopes. Brilliant!
