March 26: Genesis of an attack on CastleCops

Author: Paul    Posted: Wed Mar 26, 2008 12:56 pm    Post subject: March 26: Genesis of an attack on CastleCops

Looks like we're at the beginning of a new denial of service attack against www.castlecops.com. I'm currently investigating and mitigating. As this seems to be the start of an attack, there is the potential for it to increase.

Author: Paul    Posted: Wed Mar 26, 2008 1:56 pm    Post subject:

OK top offenders initiating this new attack:


Some of the recent ones under mitigation:


Interestingly, these came in very quickly:

84.22.53.8
84.22.53.9
84.22.53.10
84.22.53.4
84.22.53.5
84.22.53.6
84.22.53.7
84.22.53.11

Following the same signature and then disappeared. I haven't posted all the IPs.

Author: tembow    Posted: Wed Mar 26, 2008 8:38 pm    Post subject:

I can use the botnet reporter as a DDOS reporter.
All I need is the IPs with timestamps, and the time zone, in a format like this

200.82.89.110 yy-mm-dd hh:mm:ss

Author: Paul    Posted: Thu Mar 27, 2008 1:34 pm    Post subject:

Curious what the email looks like?

Author: ernstl    Location: USA    Posted: Thu Mar 27, 2008 3:13 pm    Post subject: Re: March 26: Genesis of an attack on CastleCops

Paul wrote:
Looks like we're at the beginning of a new denial of service attack against www.castlecops.com. I'm currently investigating and mitigating. As this seems to be the start of an attack, there is the potential for it to increase.
We have been rattling a lot of cages lately and to me, this DDOS shows we are on the right track.

Ernstl

Author: mrrockford    Posted: Thu Mar 27, 2008 3:50 pm    Post subject:

Info thread at CC.de

http://de.castlecops.com/forum/showthread.php?t=2406

Author: mrrockford    Posted: Thu Mar 27, 2008 5:14 pm    Post subject:

Howdy,

Mitigation must be working, I have almost no lag getting around right now.

161ppm 3.303s (0.414s)

1PM Central - 161ppm 0.954s (0.107s)

Author: 0vermind    Location: USA    Posted: Thu Mar 27, 2008 7:40 pm    Post subject:

Hey it's not all bad!

I mean look at it this way:
If you're being attacked, that really just means that you are such a big threat that people try to take you down.
That means that you're doing a good job!!

Even better, they exposed themselves. ALWAYS when I get hold of an IP address that committed a crime I report it and call up the ISP. I did that to a user and I think they got terminated.

It's always fun to beat the idiot cybercriminals!

-Mike

Author: tembow    Posted: Thu Mar 27, 2008 7:42 pm    Post subject:

Paul wrote:
Curious what the email looks like?

It has a fixed template header and trailer, with the ASN-specific data in the middle. Here is an example taken from the botnet reporter for one ISP on Jan 28. The system gathers multiple ASNs under the same ISP where applicable. In this case, there are two for the same addressee (12271 and 20001).

General format is
{insert fixed format header here re the DDOS}

In the following list, the timestamps are in time zone GMT+00. Please adjust them to your local time zone. Locate the customer connected at that IP address at those times, and take the appropriate action. All of these incidents were in the last 3 days.

Here are the IP addresses of each machine which is infected, the time stamps when first and last seen, the number of times it was observed, your Autonomous System Number, and the reverse lookup on the IP address if available.

--------------------------------------
IP ADDRESS      FIRST SEEN GMT+00      LAST SEEN GMT+00      TIMES   ASN   PTR LOOKUP

208.120.227.178   2008/01/28 23:20:33   2008/01/29 22:27:20   10   12271   user-387hoti.cable.mindspring.com.
208.120.76.209   2008/01/28 23:17:23   2008/01/29 00:24:54   23   12271   user-387gj6h.cable.mindspring.com.
64.131.146.121   2008/01/28 10:33:26   2008/01/30 05:48:57   231   12271   user-10874jp.cable.mindspring.com.
64.131.174.232   2008/01/28 16:33:08   2008/01/29 11:09:03   30   12271   user-1087bn8.cable.mindspring.com.
76.15.58.5      2008/01/28 12:36:25   2008/01/28 19:31:58   23   12271   user-160ueg5.cable.mindspring.com.
64.203.41.231   2008/01/28 10:41:17   2008/01/30 06:23:20   126   20001   user-10cmaf7.cable.mindspring.com.

--------------------------------------

{insert fixed trailer here}


If you want me to run it, you can supply your own header / trailer. All I need is the simplified log (IP + Timestamp) and the Time zone
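An added example (not the botnet reporter's own code) of the log-to-report step described in this post: it reads the simplified "IP yy-mm-dd hh:mm:ss" log, normalises the stated time zone to GMT+00, works out first seen, last seen and times observed per IP, and renders the per-ASN table in the layout of the e-mail body above. The sample log, ASN numbers and PTR names are constructed placeholders; the real reporter resolves ASN and reverse DNS itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in the "IP yy-mm-dd hh:mm:ss" format, recorded
# in a local zone of GMT+01 (the time zone the sender is asked to state).
SAMPLE_LOG = """\
203.0.113.7 08-03-26 13:05:10
203.0.113.7 08-03-26 13:06:42
203.0.113.9 08-03-26 13:07:01
198.51.100.4 08-03-27 02:15:30
203.0.113.7 08-03-27 09:00:00
"""
LOG_UTC_OFFSET_HOURS = 1

# Constructed ASN / PTR placeholders; the real reporter resolves these
# via whois and reverse DNS. Unknown IPs fall into ASN 0.
ASN_OF = {"203.0.113.7": 64500, "203.0.113.9": 64500, "198.51.100.4": 64501}
PTR_OF = {"203.0.113.7": "host-7.example.net.", "203.0.113.9": "host-9.example.net."}

def parse_log(text, utc_offset_hours):
    """Yield (ip, aware datetime in GMT+00) for each non-empty log line."""
    local = timezone(timedelta(hours=utc_offset_hours))
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, date, clock = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%y-%m-%d %H:%M:%S")
        yield ip, ts.replace(tzinfo=local).astimezone(timezone.utc)

def aggregate(text, utc_offset_hours):
    """Return {asn: [(ip, first_seen, last_seen, times, ptr), ...]}."""
    seen = {}  # ip -> (first, last, count)
    for ip, ts in parse_log(text, utc_offset_hours):
        first, last, n = seen.get(ip, (ts, ts, 0))
        seen[ip] = (min(first, ts), max(last, ts), n + 1)
    per_asn = defaultdict(list)
    for ip, (first, last, n) in seen.items():
        per_asn[ASN_OF.get(ip, 0)].append((ip, first, last, n, PTR_OF.get(ip, "")))
    return dict(per_asn)

def render_table(rows):
    """Render the table section of the e-mail body, grouped by ASN."""
    fmt = "%Y/%m/%d %H:%M:%S"
    out = ["IP ADDRESS      FIRST SEEN GMT+00     LAST SEEN GMT+00      TIMES   ASN   PTR LOOKUP"]
    for asn, entries in sorted(rows.items()):
        for ip, first, last, n, ptr in sorted(entries):
            out.append(f"{ip:<15} {first.strftime(fmt)}   {last.strftime(fmt)}   {n}   {asn}   {ptr}")
    return "\n".join(out)
```

Calling `render_table(aggregate(SAMPLE_LOG, LOG_UTC_OFFSET_HOURS))` prints the table block that would be slotted between the fixed header and trailer.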

Author: PCBruiser    Posted: Thu Mar 27, 2008 7:51 pm    Post subject:

@Paul, I posted something for you in AH.

Author: StopDDoS    Location: USA    Posted: Thu Mar 27, 2008 9:23 pm    Post subject:

If you want any help give us a call :)

more IPs would be good.


www.stopddos.org

Author: AlphaCentauri    Posted: Thu Mar 27, 2008 9:35 pm    Post subject:

Thanks for all you do, Paul, I know what an effort you must be putting in to allow us to keep our access to the site. And the people who benefit most will never know why there was a dead link in that email that asked them to update their banking information or download an ecard from an admirer -- but we know.

Author: newangels    Posted: Thu Mar 27, 2008 9:44 pm    Post subject:

Well they can try, it must mean Castlecops is doing a fabulous job and they are running scared, keep up the great work guys, there are more of us than there are of them.

Author: Paul    Posted: Fri Mar 28, 2008 3:52 pm    Post subject:

The attack continues... hopefully false positive blocks are kept to a minimum.

Author: brewt    Location: USA    Posted: Fri Mar 28, 2008 4:00 pm    Post subject:

Site is very responsive.
Thanks for the hard work.

All times are GMT