Tag Archives: DDoS

About DD4BC

This is an FAQ about DD4BC that I wrote for Akamai, and it appeared here and here.

DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai’s PLXsert and CSIRT teams continue to investigate attack activity related to the group.

In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to inform victims that they will launch a DDoS attack of 400-500 Gbps against them. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That’s up from the high of 15-20 Gbps observed in early May. (A full history of the group’s exploits and firepower can be found in this advisory from April.)

Below are the most commonly asked questions we’ve received from customers, along with some answers.

What is new since the last update?

The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten exposure to a targeted organization via social media in addition to the DDoS attack itself. The goal is to publicly embarrass the target via social media, thus harming the company’s reputation and to garner additional attention towards credibility for the service disruption. Their methodology has also changed in that they are utilizing multi-vector campaigns more readily as well as in some instances re-visiting previous targets that experienced some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack.

Continue reading

Loading

You Spin Me Right Round, Like a Record Baby…

Here’s a fun one I got to play with the other day. It’s not so much a vulnerability but some bad coding that could have presented itself to look like a denial of service attack. It triggered rate controls on the WAF, which will often get my attention. Then I looked and saw it was mostly coming from a single IP address. Right there, you can almost immediately rule out DDoS, because the first D is for “distributed”. A single IP isn’t very well “distributed”.

Looking into the IP address, I noticed that it was coming from a media outlet in Latin America. I haven’t seen too many news orgs that want to DoS a site. Plus, all the requests were all going to the same file on a customer’s site, and it was pretty innocuous. It was just a story that was relevant to the news org.

Next, I looked a little more into the file that was being called. I put the URL into a browser and I got a white screen. Nothing. But looking a little more closely, I could see that the page just kept reloading. A “View ->Source” of the page showed nothing. Blankness. Nothing was loading, even though the page was reloading endlessly. What was causing that?

Let’s take a piece out of the transaction. Remove the browser. I opened up terminal and did a curl of the URL and got a response. Included in the response, in the header was:

<head><meta http-equiv="refresh" content="0;url=/removed/index.html"> </head>

Well, there we go. For some reason, someone put a meta refresh on the page, to refresh every 0 seconds, which is basically constantly and forever. This was just a mistake by a developer, as sites will often put in a refresh, either in the meta tag or in the javascript, to force reloading, which the skeptical side of me says is to increase advertising views. If you’re going to sit on a page for a while, the server is going to reload that page and reload the ads, possibly showing new ones, or just getting a new impression of the old ones. Except setting the refresh to 0 means the page never loads completely.

So why did the media site link to this page if it never loads? I suspect the link was old and the refresh changed after the page had been linked. Then everyone who clicked on the link on the media site, to this reloading site, probably left it running for at least a few seconds or possibly just left it running in a browser tab and waited. You get enough of these at the same time and it can look like a DoS. But as we can see, if it looks like a DoS, smells like a DoS and quacks like a Dos, it might still not be a DoS.

Fun stuff.

Loading