krebsonsecurity.com

Reports and investigations into Distributed Denial of Service attacks.

Postby Red Dwarf » Fri Nov 18, 2011 4:48 am

The day after Brian Krebs' latest posting (see viewtopic.php?f=9&t=4520&p=53307#p54569 )
containing incriminating evidence from a leaked conversation between Igor Gusev and Dmitry Stupin, a heavy DDOS attack began.

It is currently still in progress after 13 hours.

Brian Krebs wrote: yeah, stupid bots are loving my site today. krebsonsecurity.com is intermittently available
Site has been under 1 gigabit ddos for much of the day. Still ongoing


The article that may have triggered this angry reaction has already been syndicated, and can be read at

Re: krebsonsecurity.com

Postby issviews » Fri Nov 18, 2011 10:18 am

I just tried to visit krebsonsecurity.com/ (unaware of the DOS attack) and received this page:

403 Forbidden
nginx/0.8.55


Keep your head up Brian, you do a great job so don't let the scumbags drag you down.

Re: krebsonsecurity.com

Postby trobbins » Fri Nov 18, 2011 1:02 pm

krebsonsecurity.com seems to be back up now.

Re: krebsonsecurity.com

Postby Red Dwarf » Fri Mar 15, 2013 5:04 pm

Not only a DDOS and a reputation attack, but also a physical SWAT attack (using the police) on Brian Krebs himself

A must read:

It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.


...

This morning, Dan Goodin, a good friend and colleague at Ars Technica, published a story about my ordeal after a late night phone interview. This morning, Ars Technica found itself on the receiving end of a nearly identical attack that was launched against my site on Thursday.

Read Brian's report, "The World Has No Room For Cowards", at
http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/

Re: krebsonsecurity.com

Postby NotBuyingIt » Fri Mar 22, 2013 10:21 pm

Milford, Connecticut, hotbed of cyberhacking:
http://krebsonsecurity.com/2013/03/the- ... -is-today/

Re: krebsonsecurity.com

Postby Red Dwarf » Fri Sep 23, 2016 8:30 pm

On September 23, 2016, KrebsOnSecurity was taken down by DDoS protection service Akamai after the largest attack they had ever experienced.

Brian Krebs wrote: "On Tuesday evening, [Sept 20 2016] KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.

The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline."

"Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.

I can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners."

(c) Brian Krebs

Shortly after Krebs’ investigative article started hitting the news, Yarden Bidani [ https://twitter.com/AppleJ4ck_vDos ] and Itay Huri [ itay@huri.biz ] were arrested by Israel police in connection with an FBI investigation into the DDoS-for-hire service. After the two handed over their passports, they were released on bond, placed on house arrest and banned from using any electronic communications for 30 days. Ref: http://www.networkworld.com/article/311 ... ested.html

MIRRORS
See also Some Place in Ohio http://someplaceinohio.net/?q=aggregator/categories/5

and Safe-PC Tips and Advice http://safe-pc-tips-and-advice.blogspot.com/2012/03/anti-malware-news-from.html

Re: krebsonsecurity.com

Postby Red Dwarf » Fri Sep 23, 2016 9:02 pm

Brian Krebs wrote: 20 SEP 2016
DDoS Mitigation Firm Has History of Hijacks

Last week, KrebsOnSecurity detailed how BackConnect Inc. — a company that defends victims against large-scale distributed denial-of-service (DDoS) attacks — admitted to hijacking hundreds of Internet addresses from a European Internet service provider in order to glean information about attackers who were targeting BackConnect. According to an exhaustive analysis of historic Internet records, BackConnect appears to have a history of such “hacking back” activity.

On Sept. 8, 2016, KrebsOnSecurity exposed the inner workings of vDOS, a DDoS-for-hire or “booter” service whose tens of thousands of paying customers used the service to launch attacks against hundreds of thousands of targets over the service’s four-year history in business.

Within hours of that story running, the two alleged owners — 18-year-old Israeli men identified in the original report — were arrested in Israel in connection with an FBI investigation into the shady business, which earned well north of $600,000 for the two men.

In my follow-up report on their arrests, I noted that vDOS itself had gone offline, and that automated Twitter feeds which report on large-scale changes to the global Internet routing tables observed that vDOS’s provider — a Bulgarian host named Verdina[dot]net — had been briefly relieved of control over 255 Internet addresses (including those assigned to vDOS) as the direct result of an unusual counterattack by BackConnect.

Asked about the reason for the counterattack, BackConnect CEO Bryant Townsend confirmed to this author that it had executed what’s known as a “BGP hijack.” In short, the company had fraudulently “announced” to the rest of the world’s Internet service providers (ISPs) that it was the rightful owner of the range of those 255 Internet addresses at Verdina occupied by vDOS.


(c) Brian Krebs

Re: krebsonsecurity.com

Postby Red Dwarf » Fri Sep 23, 2016 9:17 pm

Snippets from the Brian Krebs blog, Sept 8.

Brian Krebs wrote: 08 SEP 2016
Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years
<>
The Web server hosting vDOS also houses several other sites, including huri.biz, ustress.io, and vstress.net.
Virtually all of the administrators at vDOS have an email account that ends in v-email.org, a domain that also is registered to an Itay Huri
with a phone number that traces back to Israel.
<>
Excerpts -vDOS tech support tickets

> (‘4130′,’Hello `d0rk`,\r\nAll Israeli IP ranges have been blacklisted due to security reasons.\r\n\r\nBest regards,\r\nP1st.’,’03-01-2015 08:39),

> (‘15462′,’Hello `g4ng`,\r\nMh, neither. I\’m actually from Israel, and decided to blacklist all of them. It\’s my home country, and don\’t want something to happen to them :)\r\n\r\nBest regards,\r\nDrop.’,’11-03-2015 15:35),

<>

WHO RUNS vDOS?

As we can see from the above responses from vDOS’s tech support, the owners and operators of vDOS are young Israeli hackers who go by the names P1st a.k.a. P1st0, and AppleJ4ck. The two men market their service mainly on the site hackforums.net, selling monthly subscriptions using multiple pricing tiers ranging from $20 to $200 per month. AppleJ4ck hides behind the same nickname on Hackforums, while P1st goes by the alias “M30w” on the forum.


(c) Brian Krebs

krebsonsecurity.com has address 127.0.0.1

Note: huri.biz/login.php prompts Itay Huri for his login
http://web.archive.org/web/20160407031207/http://huri.biz/login.php
Welcome, Itay.
Please sign in to your account
Name: Itay Huri
Password:

Re: krebsonsecurity.com

Postby Red Dwarf » Mon Oct 10, 2016 3:18 pm

The highly acclaimed and much attacked Brian Krebs blog at krebsonsecurity.com has survived one of the largest DDOS attacks in Internet history, which took place in September 2016.

Though its DDOS protection service is understandably no longer offering him free protection, it is clear that he has moved his platform to a new provider, and that is GOOGLE.

Evidence of the change is

1. in a Whois lookup of the domain name:
Domain Name: KREBSONSECURITY.COM
Registrar: TUCOWS DOMAINS INC.
Sponsoring Registrar IANA ID: 69
Whois Server: whois.tucows.com
Referral URL: http://www.tucowsdomains.com
Name Server: NS-CLOUD-D1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D4.GOOGLEDOMAINS.COM
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited

Updated Date: 25-sep-2016
Creation Date: 23-nov-2009
Expiration Date: 23-nov-2016


Registered with Canadian registrar Tucows Inc, it has the full range of protections against being transferred, updated or deleted. An attack on its name servers would be an attack on Google's cloud servers.

2. Where is the domain's web site hosted?
> krebsonsecurity.com has IP address 130.211.45.45

3. Who manages that address?
NetRange:       130.211.0.0 - 130.211.255.255
CIDR:           130.211.0.0/16
NetName:        GOOGLE-CLOUD
OrgName:        Google Inc.
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US


The DDoS protection is part of Google's offering known as Project Shield.

Conclusion 1. Presumably any new attack designed to shut his site down will have to take down Google itself.
Conclusion 2. The attacks on KrebsonSecurity have resulted in his site now becoming practically impregnable.
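The three lookups in the post above (domain whois, A record, netblock whois) are the usual way to work out who answers DNS for a site, whether the registrar locks are set, and which organisation holds the address the site resolves to. The following script is an added example, not code from the forum or from krebsonsecurity.com: it parses the two whois records quoted in the post (embedded here as constructed copies of that text) in the plain "Key: value" layout shown, and returns a summary of the DNS provider, the EPP lock status codes, and the netblock owner for the quoted IP address. It assumes that layout; real registrar and RIR output varies in field names and formatting, so the parser keys are case-insensitive and repeated keys (several Name Server and Status lines) are collected into lists.

```python
import ipaddress
from collections import defaultdict

# Constructed copies of the two whois records quoted in the post above:
# the registrar's domain record and the RIR's netblock record.
DOMAIN_WHOIS = """\
Domain Name: KREBSONSECURITY.COM
Registrar: TUCOWS DOMAINS INC.
Sponsoring Registrar IANA ID: 69
Whois Server: whois.tucows.com
Referral URL: http://www.tucowsdomains.com
Name Server: NS-CLOUD-D1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D4.GOOGLEDOMAINS.COM
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited

Updated Date: 25-sep-2016
Creation Date: 23-nov-2009
Expiration Date: 23-nov-2016
"""

NETBLOCK_WHOIS = """\
NetRange:       130.211.0.0 - 130.211.255.255
CIDR:           130.211.0.0/16
NetName:        GOOGLE-CLOUD
OrgName:        Google Inc.
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
"""


def parse_whois(text):
    """Parse 'Key: value' whois lines into a dict of lists.

    Keys may repeat (several Name Server / Status lines), so every key maps
    to a list. Only the first colon splits key from value, which keeps URLs
    in values intact. Blank lines and lines without a colon are skipped.
    Keys are lower-cased so lookups are case-insensitive.
    """
    fields = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            fields[key].append(value)
    return dict(fields)


def dns_providers(fields):
    """Parent domains of the registered name servers: who answers DNS for the zone."""
    parents = set()
    for ns in fields.get("name server", []):
        labels = ns.lower().rstrip(".").split(".")
        parents.add(".".join(labels[-2:]))
    return parents


def registrar_locks(fields):
    """EPP status codes: the first word of each Status line (the URL that follows is dropped)."""
    return {s.split()[0] for s in fields.get("status", [])}


def netblock_for(ip, fields):
    """Confirm the address is inside the record's CIDR and return (NetName, OrgName).

    Returns None when the address falls outside the block, which would mean
    the netblock record does not belong to this IP at all.
    """
    net = ipaddress.ip_network(fields["cidr"][0], strict=False)
    if ipaddress.ip_address(ip) not in net:
        return None
    return fields["netname"][0], fields["orgname"][0]


def hosting_summary(ip, domain_text, netblock_text):
    """Combine the three checks from the post into one summary dict."""
    dom = parse_whois(domain_text)
    blk = parse_whois(netblock_text)
    locks = registrar_locks(dom)
    return {
        "dns_providers": sorted(dns_providers(dom)),
        "transfer_locked": "clientTransferProhibited" in locks,
        "update_locked": "clientUpdateProhibited" in locks,
        "delete_locked": "serverDeleteProhibited" in locks,
        "netblock": netblock_for(ip, blk),
    }


if __name__ == "__main__":
    # The A record quoted in the post: krebsonsecurity.com -> 130.211.45.45
    print(hosting_summary("130.211.45.45", DOMAIN_WHOIS, NETBLOCK_WHOIS))
```

Run as-is it reports googledomains.com as the DNS provider, all three locks present, and GOOGLE-CLOUD / Google Inc. as the holder of the netblock containing 130.211.45.45. The CIDR check matters when these records come from a live lookup: a whois server answers with the most specific record it has, so verifying that the returned block actually contains the address guards against reading a parent or neighbouring block's owner as the site's host.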

Re: krebsonsecurity.com

Postby spamislame » Wed Oct 12, 2016 12:07 pm

Project Shield is actually a layer *in front of* wherever the actual live servers are, which has not been divulged.

https://support.google.com/projectshield/answer/6358113

Project Shield will instead be the first layer of defence. Attack traffic, in essence, will never hit the live server, and the live server's true location will never be exposed.

Shield was created specifically to allow journalists to be rendered unattackable (via internet) and in some cases unidentifiable.

It's a brilliant idea.

SiL
