Fantomnet and Ghost Anti-DDOS

@BannedOffline and Fantomnet

@BannedOffline started to collaborate closely with Fantomnet to build an anti-DDoS hosting service for GSH and their supporters: ghostantiddos.com. Fantomnet claims to have two members, Crazy and Mike Fantom.

ghostantiddos.com’s low-cost DDoS protection strategy was to host the protected site behind third-party providers offering DDoS protection and to focus on layer 7 (application) protection, as this is the most common traffic that leaks through such providers.

By using (abusing) several providers with anti-DDoS capabilities, such as FranTech, Incapsula, Sucuri, Psychz, OVH, Amazon, Akamai and Google, @BannedOffline and Fantomnet run a “resilient” infrastructure at the lowest possible cost.

At the same time, attack traffic is most probably generated from hosting providers with a good track record of “spoofing friendly packages”, such as BlazingFast, CNSERVERS, etc.

Thanks to historical data of the domain registrations of:

ghostantiddos.com
ghostsquadsecurity.com
bannedoffline.xyz
bangstresser.com
downthem.xyz
digital-solutions.xyz
ghostsquadhackers.biz
ghostsquadhackers.org
ghostsquadhackers.ml
ghostsquadhackers.cf
preservetheinternet.com

we traced @BannedOffline to the email address: ztrouie@outlook.com. Under the logic of low-cost, anonymous access to domain names, it is common to see the registration of free domains with the OpenTLD (.ml, .cf). Using historical data, we have linked ghostantiddos.com and other domains used by the Ghost Squad Hackers to the hosting provider Orca Tech (orca.tech). Orca Tech has been providing hosting services to several stress tester sites this year. One of the “stress testing projects” was orcahub.com, a free stress tester hosted at OVH. Orca Tech does not run its own Autonomous System but, as described by @BannedOffline, it runs his services. Orca Tech relies on Layer 4 protection from third-party providers and deploys L7 protection on its VPSs or dedicated servers.

Orca Tech also provides VPN access via the project AegisVPN.com and free DDoS protection with the project athenalayer.com. @BannedOffline endorses AthenaLayer as an anti-DDoS provider and during DDoS campaign Fuqursec. Other domains associated with Orca Tech are ddos-protection.io and NALSec.com.

Orca Tech is operated by Nicholas Lim, a young computer science student of the Washington Central University in his early twenties. Nicholas manages the infrastructure for the group. In mid-September, he posted a message in @OfficialFantomN, which included a phrase saying that he was resigning from such a stressful project.

(Update 1st September 2016: ghostantiddos.com remains operative at the IP addresses 5.206.225.179 and 104.194.206.119, using protection from Blazing Fast/Dotsi and Spartan Host, which offers DDoS protection for Minecraft servers.)

Nicholas Lim, known as nickthelim, hosts the site fantomnet (fantomnet.cf) or ÇřÄźŸż_
OrcaTech (Nicholas Lim) provides both types of services (anti-DDoS protection and stress testing services)

Nicholas Lim drives a Blue Nissan RZ 350 with registration plate AIX0626.