Many Days of DDoS for Everyone

The past few weeks have been a flurry of activity for me and everyone at Arbor. We’ve been very involved in the Conficker Working Group efforts and notifying lots of people using ATLAS. Even after that Herculean effort and the great “fizzle” (thank goodness!), there’s lots to do. Blogging has not been at the top of my priority list, however.

Outside of the Conficker mess we’ve been busy in the community watching some DDoS events unfold. Information has been sporadically making it out there; it turns out that Twitter is a great source for DDoS reports once you can separate the legitimate reports from the cruft. This article, DDoS Attacks on Web Hosts Continue from Data Center Knowledge, assembles many of the high-profile attacks that folks are talking about. We have data on some of these attacks but not all, and we’re actively looking for C&Cs in all cases. What’s interesting is the major services they’re hitting. There’s no apparent gain here, but definitely some widespread impact.

It amazes me that I’m still talking about this problem over ten years after I first started looking at it, prior to me coming to Arbor.

The second piece worth noting today, Not every Botnet is Conficker, is from the ESET Threat Blog. Basically a Russian news site mentioned several high-profile DDoS attacks in Russia and blamed Conficker, for no obvious reason. It turns out that I had been characterizing a new (to me) DDoS bot codebase we have dubbed ‘Votwup’, and it is responsible for at least some of those attacks. It would be difficult to confuse this malware with Conficker; it has its own little dropper. Once the bot is dropped it checks in to a website with its UID and version and gets back a Base64-encoded command:

ZGQxPWh0dHA6Ly90b25rcy5ydS9pbmRleC5waHA/bmFtZT1mb3J1bXM=

Decoding that Base64 string gives:

dd1=http://tonks.ru/index.php?name=forums

The bot then starts pounding on that site. Sure enough, that was the DDoS. Most of the Votwup C&Cs we have classified so far are dead, but we’ll keep looking for new ones.
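For analysts pulling C&C responses apart, here is a small decoder for the command format shown above, written for this post and not taken from the Votwup sample or from Arbor tooling. It decodes the Base64 body (tolerating stripped padding and stray whitespace, which C&C pages often have), splits the `key=value` command, and returns the target host, port and path a defender would want to block or watch. Only the `dd1` command is shown on this page, so the assumption that `dd1` means “flood this URL” rests on the post’s own description; the function and field names are mine.

```python
import base64
import binascii
from urllib.parse import urlsplit

# The one command observed in the post: Base64 of "dd1=http://tonks.ru/index.php?name=forums".
SAMPLE_RESPONSE = "ZGQxPWh0dHA6Ly90b25rcy5ydS9pbmRleC5waHA/bmFtZT1mb3J1bXM="


def decode_command(response: str) -> str:
    """Decode the Base64 body the C&C hands back.

    Strips whitespace (C&C pages frequently wrap the blob in newlines) and
    restores missing '=' padding before decoding strictly, so a garbage or
    truncated response raises instead of silently producing a bogus target.
    """
    compact = "".join(response.split())
    compact += "=" * (-len(compact) % 4)  # re-pad to a multiple of 4
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"response is not valid Base64: {exc}") from None
    # The observed command is plain ASCII; refuse anything that is not.
    return raw.decode("ascii")


def parse_command(decoded: str) -> dict:
    """Split 'key=value' and pull the target out of a URL-valued command.

    'dd1' is the only command key seen on the page; its meaning (flood the
    given URL) is taken from the post, and other keys are passed through
    unchanged so the caller can spot anything new.
    """
    if "=" not in decoded:
        raise ValueError(f"command lacks key=value form: {decoded!r}")
    key, value = decoded.split("=", 1)
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"command value is not an http(s) URL: {value!r}")
    return {
        "command": key,
        "target_url": value,
        "target_host": parts.hostname,
        "target_port": parts.port or (443 if parts.scheme == "https" else 80),
        "target_path": parts.path or "/",
        "target_query": parts.query,
    }


def extract_target(response: str) -> dict:
    """Convenience wrapper: raw C&C response in, structured target record out."""
    return parse_command(decode_command(response))


if __name__ == "__main__":
    target = extract_target(SAMPLE_RESPONSE)
    print(f"{target['command']}: {target['target_host']}:{target['target_port']}{target['target_path']}")
```

Feeding each C&C poll through `extract_target` gives a record you can diff against earlier polls to notice when the operators retarget the botnet, which is how the attack on the site above would have shown up.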

Never a dull day around here, even when you need one.

3 Responses to “Many Days of DDoS for Everyone”

April 09, 2009 at 5:51 am, Russian DDoS Revisited | ThreatBlog said:

[…] He’s now released some more information on that DDoS attack on the Arbor Networks blog here. […]

April 09, 2009 at 5:54 pm, Brian Honan said:

Jose

Just a quick note to say thank you for the time and effort you and the rest of the CWG have been putting into controlling Conficker, and indeed other botnets out there.

It is a pity that Internet security appears to be more of an urgent issue for private individuals and companies than it is for some governments.

April 10, 2009 at 3:48 am, DDoS_Expert said:

Kudos to you and the Arbor team for all the assistance
