[AusNOG] ATTENTION: Ransom request!!!

Nick Evendor nickevendor at outlook.com
Tue Jul 12 13:39:09 EST 2016


Skeeve hit the nail on the head: you need to be ready with an action plan.

We were caught out this year thinking that we had enough bandwidth and would never get attacked. After a hard lesson of reality over a weekend we established a soak-and-scrub service with Micron21 and now enjoy watching graphs peak when attacks come in. Do your network a favor; as we say in Scouts, "Be Prepared". http://www.micron21.com/ddos-soak-scrub.php

Nick


From: skeeve+ausnog at eintellegonetworks.com
Date: Mon, 11 Jul 2016 14:21:09 +1000
To: Paul.Baker at vocus.com.au
CC: ausnog at ausnog.net
Subject: Re: [AusNOG] ATTENTION: Ransom request!!!

Yes.  Of the 10 or so I've seen this year, I've seen (I think) 2 or 3 go through with it and a DoS attack hitting within the window.  I've not seen anyone pay.
The problem is, this crap is so easy to automate.
Best thing to do is let them hit you and be prepared with an anti-DDoS from someone like Micron21. Have it so that you can bring up over an Elastic Fabric very quickly... and have it pre-configured and ready to go.

So:
1. Ignore the payment
2. Prepare to be hit with an attack
3. When the attack does nothing, they won't bother you again

...Skeeve
Skeeve Stevens - Founder & The Architect - eintellego Networks Pty Ltd
Email: skeeve at eintellegonetworks.com ; Web: eintellegonetworks.com
Cell +61 (0)414 753 383 ; Skype: skeeve ; LinkedIn: /in/skeeve ; Expert360: Profile ; Keybase: https://keybase.io/skeeve

On Mon, Jul 11, 2016 at 1:59 PM, Paul Baker <Paul.Baker at vocus.com.au> wrote:

I believe these are a real threat, albeit from a lazy attacker. We’ve experienced large attacks accompanying identical threat emails from the group. They rarely ever follow up after the deadline comes, or they follow up with a 48-hour time extension, then give up. Has anyone experienced anything more than the initial 15 minute “warning attack”?

Regards,

Paul Baker | Network Architect (Innovation and Network Strategy)

D: +61 2 8999 8134   E: Paul.Baker at vocus.com.au
P: 1300 88 99 88 or +61 2 8999 8999   W: vocus.com.au
A: Level 2, 20 Bridge Street, Sydney, NSW 2000, Australia

From: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Keith Anderson <keitha at apcs.com.au>
Date: Sunday, 10 July 2016 at 11:21 AM
To: Luca Salvatore <luca at digitalocean.com>
Cc: "ausnog at ausnog. net List" <ausnog at ausnog.net>
Subject: Re: [AusNOG] ATTENTION: Ransom request!!!

Hi All,

Well, the time came and went; it was as disappointing as Y2K, a non-event.

Have a good weekend all, what's left of it...

Thanks
Keith

apcs
Keith Anderson | Managing Director
AUS Mobile. +61 400 947 947   Fax. 1300 7654 27
PNG Phone. +675 303 1236   Mobile. +675 76 947 947   Fax. +675 325 9066
Email. keitha at apcs.com.au | Web. www.apcs.com.au

On 9 Jul 2016, at 1:55 AM, Luca Salvatore <luca at digitalocean.com> wrote:

They are fake... nothing ever happens.  We've had a bunch of threats from them and it never eventuates into anything.

On Fri, Jul 8, 2016 at 9:21 AM, A <clonemeagain at gmail.com> wrote:

Cloudflare have an interesting article on it: 
https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/

On 8 Jul 2016 11:15 pm, "Keith Anderson" <keitha at apcs.com.au> wrote:

Hi All,

Glad we have DoS filtering in place, hope it works.

Received this one yesterday.

Have a good weekend all, 

### HEADER

Received: from removed [x.x.x.x])
 by removed (Postfix) with ESMTP id E077333F9F
 for <systemadmin at removed>; Thu,  7 Jul 2016 15:04:38 +1000 (PGT)
X-ASG-Debug-ID: 1467867840-06ff6519594ed72d0001-Vn5JKc
Received: from ks3293195.kimsufi.com (ks3293195.kimsufi.com [5.135.186.134]) by filter1-removed with ESMTP id zxmM3rWeIgLfLFeL
 for <Removed>; Thu, 07 Jul 2016 05:04:02 +0000 (GMT)
X-Barracuda-Envelope-From: armada.collective at gmail.com
X-Barracuda-Effective-Source-IP: ks3293195.kimsufi.com[5.135.186.134]
X-Barracuda-Apparent-Source-IP: 5.135.186.134
From: Armada Collective <armada.collective at gmail.com>
To: <sysadmin at removed>
Subject: ATTENTION: Ransom request!!!
X-Barracuda-Connect: ks3293195.kimsufi.com[5.135.186.134]
X-Barracuda-Start-Time: 1467867841
X-Barracuda-URL: XXX
X-ASG-Orig-Subj: ATTENTION: Ransom request!!!
X-Barracuda-Scan-Msg-Size: 1266
X-Virus-Scanned: by bsmtpd at XXXX
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 2.00
X-Barracuda-Spam-Status: No, SCORE=2.00 using global scores of TAG_LEVEL=4.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=MISSING_DATE, MISSING_MID, PLING_PLING
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31081
 Rule breakdown below
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.14 MISSING_MID            Missing Message-Id: header
 1.40 MISSING_DATE           Missing Date: header
 0.46 PLING_PLING            Subject has lots of exclamation marks
Message-ID: <20160707050438.7DECC16CC0B3 at filter1-XXX>
Date: Thu, 7 Jul 2016 05:04:38 +0000
Return-Path: armada.collective at gmail.com
MIME-Version: 1.0
Content-Type: text/plain
X-MS-Exchange-Organization-Network-Message-Id: 07157968-b5a4-4cfa-da65-08d3a624c308
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: POM.local
X-MS-Exchange-Organization-AuthAs: Anonymous

### END FULL HEADER

-----Original Message-----
From: Armada Collective [mailto:armada.collective at gmail.com]
Sent: Thursday, 7 July 2016 3:05 PM
To: Removed
Subject: ATTENTION: Ransom request!!!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

All your servers will be DDoS-ed starting Saturday (Jul 9 2016) if you don't pay 5 Bitcoins @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC

When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP X.X.X.X It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Saturday, attack will start, price to stop will increase by 5 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.

Prevent it all with just 5 BTC @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC

Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

———————————


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog

-- 
Luca Salvatore

Manager, Network Team | DigitalOcean
Phone: +1 (929) 214-7242
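A small triage script for this kind of extortion e-mail, added here as an example; it is not code from anyone in the thread. It parses a message constructed from the redacted headers and ransom note quoted above (" at " de-obfuscated to "@", the recipient replaced by a placeholder, and Date/Message-ID left out because the Barracuda report above flags them as missing from the original) and pulls out what a responder wants on first read: the last external relay versus the provider the From header claims, the absent headers, the Bitcoin address and whether it even passes its Base58Check checksum, the stated deadline and amount. The "Gmail should arrive via *.google.com" rule is a crude heuristic chosen for this example; the SPF/DKIM/DMARC result in Authentication-Results is the authoritative check.

```python
"""Triage of a DDoS-extortion e-mail (added example, not code from this thread).

SAMPLE is constructed from the headers and ransom note quoted above:
addresses are de-obfuscated to "@", the recipient is a placeholder, and
Date/Message-ID are omitted, as the spam report says they were.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address shape; bech32 addresses are out of scope here.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

SAMPLE = """\
Received: from ks3293195.kimsufi.com (ks3293195.kimsufi.com [5.135.186.134]) by filter1-removed with ESMTP id zxmM3rWeIgLfLFeL
 for <sysadmin@example.invalid>; Thu, 07 Jul 2016 05:04:02 +0000 (GMT)
X-Barracuda-Envelope-From: armada.collective@gmail.com
X-Barracuda-Apparent-Source-IP: 5.135.186.134
From: Armada Collective <armada.collective@gmail.com>
To: <sysadmin@example.invalid>
Subject: ATTENTION: Ransom request!!!
Return-Path: armada.collective@gmail.com
MIME-Version: 1.0
Content-Type: text/plain

We are Armada Collective.

All your servers will be DDoS-ed starting Saturday (Jul 9 2016) if you don't pay 5 Bitcoins @ 14T7TxDxhhpYtgNgrK1hpe4UsfULZDhFoC

Right now we will start 15 minutes attack on your site's IP X.X.X.X Check your logs!

If you don't pay by Saturday, attack will start, price to stop will increase by 5 BTC for every day of attack.
"""


def base58check_valid(addr):
    """Base58Check: 25 decoded bytes, last 4 == double-SHA256 of the first 21."""
    n = 0
    for ch in addr:
        idx = BTC_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading "1" encodes a leading 0x00 byte that the integer drops.
    payload = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(payload) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()
    return digest[:4] == payload[21:]


def triage(raw_message):
    """Return the indicators a responder wants from an extortion e-mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_content()
    subject = str(msg.get("Subject", ""))
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # The top-most Received header is the hop that accepted the message from
    # outside; compare it with the provider the From header claims.
    received = msg.get_all("Received") or []
    hop = re.search(r"from\s+\S+\s+\((\S+)\s+\[([\d.]+)\]\)", str(received[0]) if received else "")
    relay_host, relay_ip = (hop.group(1), hop.group(2)) if hop else ("", "")
    # Heuristic only (assumption for this example): Gmail hands off via
    # *.google.com MTAs. Authentication-Results (SPF/DKIM/DMARC) is authoritative.
    claimed_google = from_domain in ("gmail.com", "googlemail.com")
    sender_mismatch = claimed_google and not relay_host.endswith(".google.com")

    addrs = sorted(set(BTC_ADDR_RE.findall(body)))
    deadline = re.search(r"\((\w{3} \d{1,2} \d{4})\)", body)
    amount = re.search(r"pay (\d+) Bitcoins?", body)
    return {
        "from_domain": from_domain,
        "relay_host": relay_host,
        "relay_ip": relay_ip,
        "sender_mismatch": sender_mismatch,
        "missing_headers": [h for h in ("Date", "Message-ID") if msg.get(h) is None],
        "subject_exclamations": subject.count("!"),
        "btc_addresses": addrs,
        "btc_checksum_ok": {a: base58check_valid(a) for a in addrs},
        "deadline": deadline.group(1) if deadline else None,
        "ransom_btc": int(amount.group(1)) if amount else None,
        "claims_warning_attack": "15 minutes attack" in body,
    }


def is_ddos_extortion(findings):
    """Cheap verdict: a payment address plus at least one spoofing/forgery sign."""
    forgery = findings["sender_mismatch"] or bool(findings["missing_headers"])
    return bool(findings["btc_addresses"]) and forgery


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "DDoS extortion" if is_ddos_extortion(result) else "unclear")
```

Feed it the raw message (headers included) rather than the rendered body; the relay, envelope and missing-header checks only work on the original headers, and the quoted note alone would pass none of them.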