fingerprint shows China and Russia related as expected. Why do the abuse teams in China and Russia ignore basic abuse reports, and why peer/set up connections to companies where abuse is ignored?
Colin

> On 8 Dec 2015, at 07:24, Joe Morgan <j...@joesdatacenter.com> wrote:
>
> We received a similar ransom e-mail yesterday followed by a UDP flood
> attack. Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our IP we were seeing 20+Gbps.
>
> Dec/07/2015 5:40:22PM Here is a summary of the flows to our web server IP
> during the DDoS event:
> ================================================
>
> Top 10 flows by packets per second for dst IP: 96.43.134.147
> Duration Proto Src IP Addr     Src Pt Dst Pt Packets  pps      bps
>    0.001 UDP   175.43.224.99   1900   22456  2048     2.0 M    5.8 G
>    0.002 UDP   120.199.113.49  1900   54177  2048     1.0 M    2.8 G
>    0.002 UDP   27.208.164.227  1900   54177  2048     1.0 M    2.7 G
>    0.002 UDP   60.209.31.218   1900   16632  2048     1.0 M    3.0 G
>    0.002 UDP   27.220.71.238   1900   22456  2048     1.0 M    3.0 G
>    0.002 UDP   120.236.121.9   1900   62005  2048     1.0 M    2.5 G
>    0.002 UDP   104.137.222.90  1900   14944  2048     1.0 M    3.7 G
>    0.002 UDP   121.27.133.72   1900   44417  2048     1.0 M    3.0 G
>    0.002 UDP   92.241.8.75     53     5575   2048     1.0 M   12.4 G
>    0.002 UDP   120.197.56.134  1900   30672  2048     1.0 M    2.7 G
>
> Top 10 flows by flows per second for dst IP: 96.43.134.147
> Duration Proto Src IP Addr     Src Pt Dst Pt Packets  pps      bps
>  248.847 UDP   41.214.2.249    123    47207  8.6 M    34594  133.4 M
>  248.886 UDP   91.208.136.126  123    63775  6.7 M    26813  103.4 M
>  150.893 UDP   85.118.98.253   123    47207  5.1 M    33843  130.5 M
>  151.053 UDP   80.179.166.7    123    63775  5.0 M    33292  128.4 M
>  151.230 UDP   69.31.105.142   123    47207  4.9 M    32657  125.9 M
>  150.436 UDP   182.190.0.17    123    45291  4.8 M    32128  123.9 M
>  248.832 UDP   95.128.184.10   123    63775  4.7 M    19020   73.3 M
>  150.573 UDP   188.162.13.4    123    42571  4.6 M    30514  117.7 M
>  150.261 UDP   205.128.68.5    123    45291  4.2 M    27777  107.1 M
>  149.962 UDP   205.128.68.5    123    42571  4.1 M    27443  105.8 M
>
> Top 10 flows by bits per second for dst IP: 96.43.134.147
> Duration Proto Src IP Addr     Src Pt Dst Pt Packets  pps      bps
>    0.002 UDP   92.241.8.75     53     5575   2048     1.0 M   12.4 G
>    0.003 UDP   190.184.144.74  53     18340  2048     682666   8.3 G
>    0.003 UDP   190.109.218.69  53     63492  2048     682666   8.3 G
>    0.004 UDP   103.251.48.245  53     43701  2048     512000   6.2 G
>    0.004 UDP   46.149.191.239  53     58439  2048     512000   6.2 G
>    0.001 UDP   175.43.224.99   1900   22456  2048     2.0 M    5.8 G
>    0.006 UDP   37.72.70.85     53     63909  2048     341333   4.1 G
>    0.006 UDP   138.204.178.169 53     2162   2048     341333   4.1 G
>    0.006 UDP   200.31.97.107   53     33765  2048     341333   4.1 G
>    0.006 UDP   110.164.58.82   53     61397  2048     341333   4.1 G
>
> ================================================
>
> Copy of the e-mail headers:
>
> Delivered-To: j...@joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
>         Mon, 7 Dec 2015 15:32:22 -0800 (PST)
> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
>         Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: <armada.collect...@bk.ru>
> Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
>         by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
>         for <j...@joesdatacenter.com>
>         (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>         Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Received-SPF: pass (google.com: domain of armada.collect...@bk.ru
>         designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
> Authentication-Results: mx.google.com;
>         spf=pass (google.com: domain of armada.collect...@bk.ru
>         designates 217.69.141.11 as permitted sender)
>         smtp.mailfrom=armada.collect...@bk.ru;
>         dkim=pass header.i=@bk.ru;
>         dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>         d=bk.ru; s=mail;
>         h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
>         bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
>         b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
> Received: from [95.191.131.93] (ident=mail)
>         by f369.i.mail.ru with local (envelope-from <armada.collect...@bk.ru>)
>         id 1a65GX-0008H5-DO
>         for j...@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
> Received: from [95.191.131.93] by e.mail.ru with HTTP;
>         Tue, 08 Dec 2015 02:32:21 +0300
> From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collect...@bk.ru>
> To: j...@joesdatacenter.com
> Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
> MIME-Version: 1.0
> X-Mailer: Mail.Ru Mailer 1.0
> X-Originating-IP: [95.191.131.93]
> Date: Tue, 08 Dec 2015 02:32:21 +0300
> Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collect...@bk.ru>
> X-Priority: 3 (Normal)
> Message-ID: <1449531141.2696...@f369.i.mail.ru>
> Content-Type: multipart/alternative;
>         boundary="--ALT--7N12aTwEB8hvVlFgA0NbUaD4Daicjipu1449531141"
> X-Mras: Ok
> X-Spam: undefined
>
> Copy of the e-mail:
> From: Armada Collective <armada.collect...@bk.ru>
> Subject: Ransom request: DDoS Attack
>
> Message Body:
> FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE
> DECISION!
>
>
> We are Armada Collective.
>
> If you haven heard for us, use Google. Recently, we have launched some of
> the largest DDoS attacks in history.
> Check this out, for example:
> https://twitter.com/optucker/status/665470164411023360 (and it was measured
> while we were DDoS-ing 3 other sites at the same time)
> And this: https://twitter.com/optucker/status/666501788607098880
>
> We will start DDoS-ing your network if you don't pay 20 Bitcoins @
> 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.
>
>
> Right now we will start small 30 minutes UDP attack on your site IP:
> 96.43.134.147 It will not be hard, just to prove that we are for real
> Armada Collective.
>
> If you don't pay by Wednesday, massive attack will start, price to stop
> will increase to 40 BTC and will go up 2 BTC for every hour of attack and
> attack will last for as long as you don't pay.
>
> In addition, we will be contacting affected customers to explain why they
> are down and recommend them to move to OVH. We will do the same on social
> networks.
>
> Our attacks are extremely powerful - peaks over 1 Tbps per second.
>
> Prevent it all with just 20 BTC @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe
>
>
> Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
> NEVER AGAIN HEAR FROM US!
>
> And nobody will ever know you cooperated.
>
> --
> Thank You,
> Joe Morgan - Owner
> Joe's Datacenter, LLC
> http://joesdatacenter.com
> 816-726-7615
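The source ports in the quoted flow summaries (1900, 53 and 123) are the fingerprint of SSDP, DNS and NTP reflection. As an added example, not code from Joe's post or Colin's reply, the Python below parses rows in that summary layout and aggregates them by reflector service; the row regex and the constructed sample (RFC 5737 documentation addresses in place of the real sources) are my assumptions about the format, not output of any tool named in the thread.

```python
import re
from collections import defaultdict

# Source ports of commonly abused UDP amplifiers; the quoted summary shows 1900, 53 and 123.
REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS", 123: "NTP", 161: "SNMP", 19: "chargen"}
UNITS = {None: 1, "K": 10**3, "M": 10**6, "G": 10**9}

# A counter is a number with an optional K/M/G suffix, e.g. "2.0 M" or "34594".
NUM = r"(\d+(?:\.\d+)?)(?:\s+([KMG]))?"
FLOW_RE = re.compile(r"^\s*(\d+\.\d+)\s+([A-Z]+)\s+([\d.]+)\s+(\d+)\s+(\d+)\s+"
                     + NUM + r"\s+" + NUM + r"\s+" + NUM + r"\s*$")

def scaled(num, unit):
    # "12.4", "G" -> 12400000000; rounding removes float noise from the product
    return int(round(float(num) * UNITS[unit]))

def parse_flow(line):
    """Parse one summary row; returns None for headers, rules and blank lines."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    _dur, proto, src, spt, dpt, pk, pku, pps, ppu, bps, bpu = m.groups()
    return {"proto": proto, "src": src, "sport": int(spt), "dport": int(dpt),
            "packets": scaled(pk, pku), "pps": scaled(pps, ppu), "bps": scaled(bps, bpu)}

def classify(text):
    """Aggregate UDP rows by reflector service inferred from the source port."""
    stats = defaultdict(lambda: {"flows": 0, "bps": 0, "sources": set(), "max_pkt_bytes": 0})
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "UDP" or f["pps"] == 0:
            continue
        s = stats[REFLECTOR_PORTS.get(f["sport"], "other")]
        s["flows"] += 1
        s["bps"] += f["bps"]
        s["sources"].add(f["src"])
        # Mean bytes per packet; reflected responses are large, which corroborates amplification.
        s["max_pkt_bytes"] = max(s["max_pkt_bytes"], f["bps"] // (8 * f["pps"]))
    return dict(stats)

# Constructed sample in the quoted layout; RFC 5737 addresses replace the post's real sources.
SAMPLE = """\
Top 10 flows by bits per second for dst IP: 192.0.2.10
Duration Proto Src IP Addr Src Pt Dst Pt Packets pps bps
0.001 UDP 198.51.100.7 1900 22456 2048 2.0 M 5.8 G
0.002 UDP 198.51.100.21 53 5575 2048 1.0 M 12.4 G
0.003 UDP 203.0.113.9 53 18340 2048 682666 8.3 G
248.847 UDP 203.0.113.40 123 47207 8.6 M 34594 133.4 M
0.002 UDP 203.0.113.55 443 40001 2048 1.0 M 2.7 G
"""
```

Running `classify(SAMPLE)` attributes the bulk of the bit rate to DNS sources, with a mean packet size around 1.5 kB, which is what large amplified responses look like; the per-service source sets are what an abuse report to the reflectors' networks would be built from.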