My next class:

Denial of Service Attack Aftermath (and what did Iran have to do with it?)

Published: 2010-01-06. Last Updated: 2010-01-06 04:16:58 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

I finally finished the report summarizing what we learned from yesterday's denial of service attack. Luckily it was small and easily defeated. The interesting part with attacks like this is to try to attribute them to a group or individual. In this case, my best guess is that this is an individual living in England. The individual appears to have some ties to Iran. Probably a student going to school in England.

The attack itself was rather simple, and required little skill. We got some great help from some of the administrators of the system attacking us. Most likely, the root cause was unprotected FTP accounts. These unprotected FTP accounts got used to upload a malicious ASP script, which was then used to attack our site. The script was very simple and had no "command and control" channel. Instead, it required a GET request hitting the specific URL to activate the attack.

The full report got a bit long for a diary, so I wrote it up as a PDF for download. I know... yet another PDF ;-).

Link to the PDF: http://isc.sans.org/presentations/jan4ddos.pdf

To make you feel better, here the checksums:

md5: 8eb9d6ef20c05875688d97fd3192a7e9
sha1: c097c740669869349bb5f8a3d3447ffa0376f928
ripemd160: 227feacd529de68c0634e1b5ca574d55cacf31ef

GPG signature:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEABEDAAYFAktEDmIACgkQPNuXYcm/v/3qzQCfRLKM64UiiWgWp0QDEomX1VAE
/gsAn2Dxst/Pe8kYsNz+QCmSZng+yRNj
=Or18
-----END PGP SIGNATURE-----

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ddos ipv6
6 comment(s)
My next class:

Comments

Ohhh, a PDF! :o

From a little digging, I think *.perr.cable.virginmedia.com is most likely 'Perry Barr', population ~23k+, one of eleven parliamentary constituencies of Birmingham, England. That area's demographics suggest a particularly high (~30%) Asian and/or Muslim population, and it is home to Birmingham City University; all supportive of the theory that this could have been an Iranian student living in England.

Virgin Media seem to assign IPs 77.100.28.0 through 77.100.31.255 to that region, according to some of their RIPE WHOIS data. But it's possible that customers outside of the region (or outside of Birmingham completely) are served from UBRs located there. IPs assigned by Virgin Media are usually issued dynamically via DHCP to customers, but in practice they tend to remain the same for months or years at a time.

By the way, the "en-US" in the browser string seems quite common among Firefox users, even in the UK and Canada. Depending how/where it's downloaded, I suspect the Firefox download site tries to use GeoIP to serve a version with a specific default locale, otherwise 'en-US' is used, and most people will not change the locale settings manually after install.
Very interesting report. I love hearing stories about skiddies' happless hacking efforts and how easily they are foiled; gives me a warm fuzzy feeling!

Thanks
couple people asked about the shell scripts I used. You can find them here:

https://blogs.sans.org/appsecstreetfighter/2010/01/06/dos-attack-after-action-report-shell-scripts/
Good writeup Johannes!
I can't help thinking you mentioning Iran early in an investigation is politically motivated to coincide with The White House's foriegn policy.


Also, you say England, when I think you ment UK or did you actually mean _England_?


Also, I don't think its helpful mentioning Virgin Media, as they are a good ISP that don't deserve to be singled out.


"That area's demographics suggest a particularly high (~30%) Asian and/or Muslim population, and it is home to Birmingham City University"


This is no evidence whatsoever, its circumstantial.
For request limiting I can highly recommend the Linux IPtables modules "hashlimit" and "recent". Once an IP (or subnet) sends too many requests, it can automatically be added to a "recent" list for dropping. If you also use the "update" and "seconds" options of "recent", the IPs will automatically be unbanned after staying silent for a while. Good for dynamically assigned IPs.
The only problem is finding a good limit, to avoid banning legitimate IPs like busy proxies.

Diary Archives