Monday 24 June 2013

DNS Amplification DDoS Attacks, Booter services and who's behind them.

Lately DNS amplification DDoS attacks have drawn a lot of attention, especially since CloudFlare dedicated several blog posts to them (here and here) and the StopHaus movement almost broke the internet with one.

DNS Amplification Attacks
DNS amplification attacks work by sending a UDP DNS query with a spoofed source address to an open recursive resolver. The resolver answers the query to the address the packet claims to come from, and that address is the target of the attack. The attacker picks a query that is small (a few dozen bytes) but produces a large response (several kilobytes), so every byte the attacker sends turns into many bytes arriving at the target, in the hope that the target cannot handle the volume and stops responding.
A further benefit for the attacker is that the origin is very hard to trace. Botnets are often used in DDoS attacks, but here the victim only ever sees traffic from legitimate DNS servers, so even the bots sending the spoofed queries stay hidden.

To get more insight into this kind of DDoS attack, I decided to collect as much data as possible and build a decent set of statistics. In one month I collected 1,244,584 attacks and extracted their details.
Below are the different records I've witnessed. Each record is "qname class type flags count"; the flags match BIND's query-log notation: "+" recursion desired, "e" the query carried an EDNS0 OPT record, "d" the DNSSEC OK bit was set (the qname column is blank where the name is missing):

qname                                                 class  type     flags  count
                                                      in     any      +ed    1158923
.                                                     in     any      +e     39651
version.bind                                          ch     txt      +      405
                                                      in     any      +e     125
                                                      in     any      +e     55
.                                                     in     type256  +e     50
                                                      in     a        +      11
                                                      in     a        +      10
                                                      in     a        +      6
                                                      in     a        +e     6
                                                      in     any      +      5
                                                      in     a        +      5
                                                      in     a        +e     4
                                                      in     any      +e     4
                                                      in     a        +ed    3
                                                      in     any      +e     3
                                                      in     any      +      3
.                                                     in     any      +      2
                                                      in     any      +e     2
                                                      in     a        +e     2
                                                      in     a        +      2
                                                      in     any      +e     2
                                                      in     a        +      2
                                                      in     any      +      2
                                                      in     txt      +e     1
a1607665836p49394i23167.d2013052812000114314.t6014                           1
                                                      in     a        +e     1
                                                      in     any      +ed    1
                                                      in     a        +      1
                                                      in     a        +      1
A list of targeted hosts can be found here.
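To show how a tally like the one above is produced from a resolver's own logs, here is an added example in Python; it is not the author's tooling. It assumes the BIND 9 query-log line format of the time, "client <ip>#<port>: query: <qname> <class> <type> <flags> (<server-ip>)", whose flags are the notation used in the records ('+' recursion desired, 'E' EDNS0 present, 'D' DNSSEC OK bit, 'T' TCP). The log lines in the block are constructed, with addresses from the documentation ranges. Besides the per-record tally it lists source addresses whose traffic is dominated by ANY queries: in a reflection attack the logged client address is the spoofed victim, so that list is in effect the targeted-hosts list, and one fixed source port across thousands of queries is the port being flooded.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of BIND 9 (9.8-era) query-log lines; not data
# from the post. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
24-Jun-2013 10:00:00.001 client 203.0.113.7#80: query: . IN ANY +ED (198.51.100.53)
24-Jun-2013 10:00:00.002 client 203.0.113.7#80: query: . IN ANY +ED (198.51.100.53)
24-Jun-2013 10:00:00.003 client 203.0.113.7#80: query: . IN ANY +ED (198.51.100.53)
24-Jun-2013 10:00:00.004 client 203.0.113.7#80: query: . IN ANY +ED (198.51.100.53)
24-Jun-2013 10:00:00.005 client 203.0.113.7#80: query: . IN ANY +ED (198.51.100.53)
24-Jun-2013 10:00:00.006 client 203.0.113.7#80: query: . IN ANY +ED (198.51.100.53)
24-Jun-2013 10:00:00.007 client 203.0.113.7#80: query: . IN ANY +E (198.51.100.53)
24-Jun-2013 10:00:01.100 client 192.0.2.44#41022: query: www.example.com IN A +E (198.51.100.53)
24-Jun-2013 10:00:01.200 client 192.0.2.44#41023: query: www.example.com IN A +E (198.51.100.53)
24-Jun-2013 10:00:02.000 client 192.0.2.9#40011: query: version.bind CH TXT + (198.51.100.53)
24-Jun-2013 10:00:03.000 client 192.0.2.9#40012: query: example.net IN A - (198.51.100.53)
"""

# "client <ip>#<port>: query: <qname> <class> <type> <flags> (<local-ip>)".
# Flags: '+' or '-' (recursion desired or not), then E (EDNS0), T (TCP),
# D (DNSSEC OK), C (checking disabled). The optional groups tolerate the
# "@0x..." handle and "(qname)" that later BIND versions add after "client".
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*) \("
)


def parse_query_log(text):
    """One dict per parsable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            entries.append(e)
    return entries


def summarize_records(entries):
    """Tally 'qname class type flags' the way the post lists them (lower-cased)."""
    tally = Counter()
    for e in entries:
        key = " ".join((e["qname"], e["qclass"], e["qtype"], e["flags"])).lower()
        tally[key] += 1
    return tally


def suspected_targets(entries, min_any=5, any_ratio=0.8):
    """Source addresses whose queries are (almost) all ANY.

    The resolver logs the spoofed source as the client, so a flood of ANY
    queries 'from' one address marks a likely victim; a single fixed source
    port is the port that is being flooded.
    """
    stats = defaultdict(lambda: {"any": 0, "total": 0, "ports": set()})
    for e in entries:
        s = stats[e["ip"]]
        s["total"] += 1
        s["ports"].add(e["port"])
        if e["qtype"].upper() == "ANY":
            s["any"] += 1
    return {ip: s for ip, s in stats.items()
            if s["any"] >= min_any and s["any"] / s["total"] >= any_ratio}


if __name__ == "__main__":
    entries = parse_query_log(SAMPLE_LOG)
    for record, n in summarize_records(entries).most_common():
        print(f"{record:40} {n}")
    for ip, s in suspected_targets(entries).items():
        print(f"likely target {ip}: {s['any']} ANY of {s['total']} queries, "
              f"source ports {sorted(s['ports'])}")
```

On the constructed sample the tally comes out as ". in any +ed 6", ". in any +e 1", "www.example.com in a +e 2", "version.bind ch txt + 1" and "example.net in a - 1", and 203.0.113.7 is flagged: seven ANY queries, all from source port 80. The thresholds are the example's own; on real logs they need tuning against the resolver's normal ANY rate.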

Who's behind this?
Obviously " in any +ed" is by far the most used record; not much creativity there. With a very small query (dig ANY @dns-host) you get a response of 3433 bytes, which in the attack goes straight to the spoofed target. Note the "Truncated, retrying in TCP mode" line in the output below: the full answer was fetched over TCP, and how much of it a resolver returns over UDP depends on the EDNS0 buffer size the query advertises (the "e" flag in the records above) and on the resolver's own UDP size limit:
root@ubuntu:~# dig ANY @
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.1-P1 <<>> ANY @
;; global options: +cmd
;; Got answer:

;                       IN      ANY
;; ANSWER SECTION:
                7200    IN      RRSIG   SPF 5 2 7200 20130719232951 20130619232951 50012 Q8n5F9ZucnRaYw762EghVeq9NLLFN4tuAvJZTue/spQJUnRKcM5WuwR4 F8FuEh55EbIs5YxnrG2LbDmEJDOBh0aER+lE6Ts8TdCyZoTVylSf0kmr tmzf0r80Q5xBOdPMfsSARNxWrFDQr03r69IU0Lsp4EbneiM6wIiI7oyJ bz0=
                7200    IN      SPF     "v=spf1 a mx ip4: ip4: ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
                3600    IN      RRSIG   NSEC 5 2 3600 20130719232951 20130619232951 50012
;; Query time: 52 msec
;; WHEN: Sun Jun 23 23:56:27 2013
;; MSG SIZE  rcvd: 3433
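As an added example, not code from the post, here is a small Python model of the exchange above and of the mechanism described under "DNS Amplification Attacks". It builds the query that the ". in any +ed" records correspond to (root name, type ANY, recursion desired, an EDNS0 OPT record advertising a 4096-byte buffer with the DO bit set), builds a constructed reply of roughly the size of the 3433-byte answer above out of filler TXT records (the record contents are made up), and then applies the rule a resolver follows before answering over UDP: if the reply does not fit the buffer size the client advertised (512 bytes when there is no EDNS0 record), it sends back only the header and question with the TC bit set, which is what makes dig print "Truncated, retrying in TCP mode". The amplification factor is computed on what actually leaves the resolver over UDP; the names, sizes and transaction ID in the code are the example's own.

```python
import struct

DNS_TYPE_TXT = 16
DNS_TYPE_OPT = 41
DNS_TYPE_ANY = 255
DNS_CLASS_IN = 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT record's TTL field


def encode_name(name):
    """Wire-encode a DNS name ('.' is the root) as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname=".", qtype=DNS_TYPE_ANY, txid=0x1234, edns_udp_size=4096, dnssec_ok=True):
    """Recursive query. edns_udp_size > 0 appends an EDNS0 OPT record (the 'e' flag);
    dnssec_ok sets its DO bit (the 'd' flag). The defaults give a '. in any +ed' query."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    if edns_udp_size:
        ttl = EDNS_DO if dnssec_ok else 0  # extended rcode 0, version 0, DO, Z
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, ttl, 0)
    return pkt


def question_section(query):
    """The question bytes: the name up to its terminating zero, then type and class."""
    return query[12:query.index(b"\x00", 12) + 5]


def advertised_udp_size(query):
    """EDNS0 buffer size from the query's OPT record, or the classic 512-byte limit."""
    arcount = struct.unpack("!H", query[10:12])[0]
    opt = 12 + len(question_section(query))
    if (arcount and len(query) >= opt + 11 and query[opt] == 0
            and struct.unpack("!H", query[opt + 1:opt + 3])[0] == DNS_TYPE_OPT):
        return struct.unpack("!H", query[opt + 3:opt + 5])[0]
    return 512


def txt_rr(text, ttl=3600):
    """A TXT record owned by the question name (compression pointer to offset 12)."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    return b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_TXT, DNS_CLASS_IN, ttl, len(rdata)) + rdata


def build_reply(query, answer_rrs, tc=False):
    """Reply to query: same ID and question, QR/RD/RA set, optional TC, then the RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer_rrs), 0, 0)
    return header + question_section(query) + b"".join(answer_rrs)


def parse_header(packet):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0x0F, "answers": an}


def udp_response(query, full_reply):
    """What a well-behaved resolver puts on the wire over UDP: the whole reply if it
    fits the client's advertised buffer, else just header + question with TC set.
    The TCP retry that recovers the full answer needs a real client; a spoofed
    source never makes it, so the victim only ever receives the UDP packet."""
    if len(full_reply) <= advertised_udp_size(query):
        return full_reply
    return build_reply(query, [], tc=True)


def amplification(query, udp_reply):
    """Bytes delivered to the victim per byte the attacker sent."""
    return len(udp_reply) / len(query)


if __name__ == "__main__":
    # Constructed filler: 12 TXT records of 255 bytes, about the size of the ANY answer above.
    rrs = [txt_rr("A" * 255)] * 12
    for label, q in (("no EDNS0", build_query(edns_udp_size=0)), ("EDNS0 4096 +DO", build_query())):
        wire = udp_response(q, build_reply(q, rrs))
        print(f"{label:15} query {len(q):3d} B -> UDP reply {len(wire):5d} B, "
              f"TC={parse_header(wire)['tc']}, amplification x{amplification(q, wire):.1f}")
```

Run as a script it prints the two cases side by side: without EDNS0 the UDP reply is a 17-byte truncated packet and the amplification is exactly 1.0; with a 4096-byte EDNS0 buffer the same 3233-byte answer goes out whole, over 100 times the size of the 28-byte query. That is why the captured queries carry the "e" flag, and why capping the size of UDP responses (or rate limiting them) blunts the attack without breaking real clients, which simply retry over TCP.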

But as we look closer, several domains are of more interest; the names of these five in particular draw attention: 8235 bytes - 20714 bytes 2538 bytes

As can be spotted pretty quickly, the size and content of in particular easily highlight malicious purposes.

If we look at the name servers used we'll see the following: - -

These 3 domains resolve to one and the same IP address, which links them together.
That IP address is of particular interest as it also runs an IRC server, w00t w00t!

Turns out the guy behind this operation is 16-year-old ------ ----. Here's his facebook[removed], skype: [removed], another skype: [removed], hackforums[removed], leakforums[removed] and, last but not least, his YouTube account[removed].
******, as he prefers to be called, is a very talented guy who's curious and interested in technology. Sadly, at this stage of his life he's focused on making money the wrong way, and that's probably why he runs many booter and stresser services with, according to his own claims, 10Gbps of capacity. Some examples are: Galaxy booter, Private booter, Versatile booter,,, Dos Boss' DDoS service, Ethernal Booter and many more. According to some of his posts on hackforums he also owns a 4k botnet[removed].

Well ------, as I've done previously with a guy who owned a bitcoin mining botnet: contact me and I will remove all of your contact details. You sure know how to reach me.

ps. I'm setting up a website that shows ongoing attacks in real time. Anyone willing to contribute can contact me. Shoutout to @DnsSmurf, who's doing similar things.

35 comments:

  1. Could you please add me on skype or contact me with my email:
    skype: jenny.dematteo

  2. This is just sad, hiding behind 7 proxies is just child's play, and hackforums is filled with a bunch of skids. Leakforums is the only site you actually got right.

  3. You don't get a big response using UDP, which is what a DNS resolver or stub resolver does first. You get a tiny response, which is actually smaller than the question itself, and that says "please try again using TCP".

    Your dig command clearly shows that dig retried using TCP.

    This makes a big difference. TCP is much harder to spoof than UDP. Because of this, TCP is not used for DDoS attacks using DNS amplification. And this is how rate-limitation has been implemented in modern DNS servers. This mitigates amplification while not breaking legitimate clients.

    Most DNS resolvers will not send a reply using UDP that is larger than 4096 bytes. Google intentionally reduced this limit down to 512 bytes. While scanning a large number of open resolvers, I could only find one service (which has since fixed this vulnerability) accepting to send responses up to 16384 bytes (!) over UDP. Maybe these large records were specially crafted to abuse this service, as they were pretty much useless everywhere else.

  4. Start stress testing your servers using our bandwidthful network
    with up to 30Gbps of bandwidth dedicated to each user!
    Not satisfied? Refund guaranteed for all purchases. Using our variety of servers and our fast network, booter, ip stresser, stresser, ip booter and CStress Booter is able to provide up to 30Gbps of bandwidth dedicated for each IP stresser user.

  5. Thanks for sharing informative blog.. please visit once at

  6. Get daily ideas and methods for making $1,000s per day ONLINE for FREE.

  7. You need to remember that the most recommended Bitcoin exchange company is YoBit.

  8. I've used Kaspersky Anti virus for a couple of years now, and I recommend this anti virus to everyone.

  9. Claim faucet bitcoins at Moon Bitcoin. 163 satoshis every 1 hour.

  10. Over at Bonus Bitcoin you can receive faucet bitcoins. 300 to 5,000 satoshis every 15 minutes.

  11. Smart multi-currency mining pool & 1-click graphic miner.

    Mine effectively with your computer or smartphone.

    Generate the most profit automining coins with the highest returns.

    Download MINERGATE.

  12. Ever considered maximizing your free bitcoin collections by utilizing a BTC FAUCET ROTATOR?

  13. BlueHost is definitely the best website hosting provider with plans for all of your hosting needs.

  14. Children's Day in India Children’s Day 2018 will be celebrated at Wednesday, on 14th of November. ... 14th of November (birthday of Pandit Jawaharlal Nehru) has been set to celebrate as children’s day all over the India. ... The birthday of Chacha Nehru, a great Indian leader, is celebrated as Children’s ...
    Strong Women Quotes

  15. Thanks for sharing such an amazing article, I really love to read your content regularly.

    Get amazing quotes collection..........
    love quotes

    On our site...

  16. This information is impressive; I am inspired with your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic. Love Quotes ||Love quotes for him ||Love quotes for her

  17. Appreciating the hard work you put into your site and detailed information you offer. It’s nice to come across a blog every once in a while that isn’t the same out of date rehashed material, Asking questions are truly good thing if you are not understanding something fully, except this article presents pleasant understanding yet, Please stay us informed like this. Thank you for sharing.

    This information is impressive; I am inspired with your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic.

    great faith quotes||faith quotes bible||faith quotes images

  18. CamYogi offers you the opportunity to book the best wedding photographers in Kolkata who have the experience and expertise to beautifully frame the precious moments of your special day. Choose from the most famous photographers who are available on the date of your occasion and match up to your desired price range.

    Find out more at:

  19. Emailnphonelist is your go-to list broker for all your online business as well as consumer lists. We are a team of data brokers who started in 2011. Moreover, we are considered as one of the very few trusted mailing list brokers online for lead generation.
    Find out more at:-

  20. Good work. thank you for such kind of great information. For More

  21. It is very useful information. Thank you. For more information related to this Click here

  22. wow ! What a great content! I found your blog on google and loved reading it greatly. It is a great post indeed. Much obliged to you and good fortunes. keep sharing.
    whatsapp status quotes

  23. Thank you for sharing your expertise. This post is very helpful.
    jokes in hindi

  24. wow ! What a great content! I found your blog on google and loved reading it greatly. It is a great post indeed. Much obliged to you and good fortunes. keep sharing.
    lws quotes