Harambe or not harambe!

Shame on you!

For the past twelve hours, the SpoofIT website has been suffering a series of denial of service attacks. The first attack was launched by @bannedoffline from 178.251.228.80. This application layer attack is using a tool known as Hulk.

The first attack was launched from AS30823 Combahton IT Services the evening of the 17th of October 2016.

@BannedOffline, who has claimed in the past to have been part of the attack against Brian Krebs, launched an HTTP flooding attack against this site from one of the servers he is also using to protect the Ghost Squad Hackers anti-DDoS site ddos-shield.biz.

[Screenshot ddos_spoofit_3] @bannedoffline believes that this site is operated by Brian Krebs

For the attack @BannedOffline is using the IP 178.251.228.80. This IP hosts ddos-shield.biz, a project operated by @BannedOffline. On HackForums, @BannedOffline asked others to attack the same IP to test his setup.

A sample of the flooding requests, which resemble the traffic generated by the Hulk DDoS tool, looks like:

178.251.228.80 - - [17/Oct/2016:20:41:36 +0000]  "GET /?6xd=PpDXrT HTTP/1.1" 405 568 [378] "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; WOW64)" "---" "DE" "AS30823 COMBAHTON combahton IT Services UG (haftungsbeschraenkt)"

[Screenshot ddos_spoofit_2] @Bannedoffline giving one of the IPs of the GHS servers to test his protection

What is going on with those Ponies?

About the same time that the attacks started, the owner of Proginter.com, which in another article we have linked with booter.xyz, kindly requested that we remove any connection of Proginter.com with booter.xyz from that article.

Eden Hen, owner of Proginter.com, reached out to us a few days ago to clarify his role in the hosting of booter.xyz.

During our email exchange, Eden tried to provide tangible evidence that he is not connected with Poni Walker. According to Eden Hen, Poni Walker does not work for him and is deliberately using his company’s image just to gain attention.

When asked about booter.xyz, Eden Hen (CEO of Proginter.com) confirmed that he hosted the Stress Testing Service in the past, but that he removed it as soon as he was “notified”.

More details on this, soon!

[Screenshot ddos_spoofit_1] Eden Hen claims not to have any connection with “Naftali-Naftaliev aka Poni Walker”.

The second wave of attacks is using a dedicated botnet of ~3000 IPs with a large footprint in China (> 80%). At 12:00 PM UTC the attack is still active.

Samples of the requests look like:

GET /harambe HTTP/1.1
HOST: spoofit.org
X-Forwarded-For: 120.214.244.242
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36
Cache-Control: no-cache

The user agents used by the botnet follow:

Mozilla/5.0 (Linux; Android 4.2.2; AFTB Build/JDQ39) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.173 Mobile Safari/537.22
Mozilla/5.0 (Linux; Android 4.4.3; KFTHWI Build/KTU84M) AppleWebKit/537.36 (KHTML, like Gecko) Silk/47.1.79 like Chrome/47.0.2526.80 Safari/537.36
Mozilla/5.0 (Linux; Android 5.0.2; LG-V410/V41020c Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Safari/537.36
Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.3 Chrome/38.0.2125.102 Safari/537.36
Mozilla/5.0 (Linux; Android 5.1.1; SM-G928X Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.83 Mobile Safari/537.36
Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Lumia 950) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Mobile Safari/537.36 Edge/13.10586

A sample of the IP addresses of the botnet follows; please let us know if you know anything about it!

ISO	IP ADDRESS		ASN
=========================================

CN	101.17.183.26		4837
CN	101.17.184.160		4837
CN	101.17.225.23		4837
CN	101.18.190.172		4837
CN	101.18.52.117		4837
CN	101.19.233.37		4837
CN	101.19.41.250		4837
CN	101.20.153.238		4837
CN	101.20.187.25		4837
CN	101.20.210.87		4837
CN	101.20.223.7		4837
CN	101.20.91.41		4837
CN	101.21.153.208		4837
CN	101.21.21.143		4837
CN	101.21.255.89		4837
CN	101.22.223.153		4837
CN	101.22.38.151		4837
CN	101.22.85.49		4837
CN	101.23.157.246		4837
CN	101.23.71.194		4837
CN	101.23.99.57		4837
CN	101.24.116.178		4837
CN	101.24.250.79		4837

Another botnet joining the attack?

A second botnet is now part of the attack. This one is a WordPress XMLRPC reflection attack composed of ~2600 new servers, and it is sourced from a single server hosted at AS64484. The origin AS history of that server's prefix, 191.96.249.0/24, follows:

    2016-09-23 - 2016-10-17: 64484 - 191.96.249.0/24
        2016-09-01: ASDMZHOST , NL
    2016-09-22 - 2016-09-22: 135340 - 191.96.249.0/24
        2016-04-15: DIGITALOCEAN-AS-IN Digital Ocean, Inc., US

    2016-08-10 - 2016-09-21: 64484 - 191.96.249.0/24
        2016-09-01: ASDMZHOST , NL

    2016-04-21 - 2016-08-09: 29073 - 191.96.249.0/24
        2016-07-13: QUASINETWORKS , NL
        2016-04-16: QUASINETWORKS Quasi Networks LTD., NL

    2016-03-17 - 2016-04-20: 61440 - 191.96.248.0/21
        2016-04-08: Digital Energy Technologies Chile SpA, CL
        2014-03-29: Digital Energy Technologies Chile SpA,CL

    2016-03-16 - 2016-03-16: 200859 - 191.96.249.0/24
        2015-03-26: SPSBUILDING "SPS BUILDING COMPANY"LTD,BG

    2016-02-18 - 2016-03-15: 61440 - 191.96.249.0/24
        2014-03-29: Digital Energy Technologies Chile SpA,CL

    2016-02-11 - 2016-02-17: 201341 - 191.96.249.0/24
        2014-11-21: TESONET Tesonet Ltd,LT

    2016-01-01 - 2016-02-10: 61440 - 191.96.249.0/24
        2014-03-29: Digital Energy Technologies Chile SpA,CL

Following our mission of exposing the hosting companies and carriers enabling these attacks, I asked where prefix 191.96.249.0/24 is currently sourced.

Wait for it! The upstream provider of AS64484 is… Ecatel!

And by the way, the same network in the past hosted the domain name server for amplists.com, used by vDOS to build its DNS amplification attacks.


[Screenshot] Ecatel is upstream of the XMLRPC attack generator

[Screenshot digital_energy_dmz1] Ring a bell? A prefix from Digital Energy announced via Ecatel upstreams

And here is a much nicer representation of the prefix’s “mobility”. The network has been constantly on the move, as described in another article (check the section “Let’s move it, move it”).

[Image 191-96-249-0_24-2_mobility: origin history of 191.96.249.0/24]

The IP space seems to host servers from protonhost.net, a bulletproof hosting provider.

[Screenshot] Protonhost.net – Bullet Proof Hosting

Updated 19th October 2016

The attack has remained active for 24h now. A sample of the current flooding requests:

39.89.29.60 - - [19/Oct/2016:10:37:45 +0000]  "GET /sup HTTP/1.1" 200 178 [395] "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "---" "CN" "AS4837 CNCGROUP China169 Backbone"

120.52.94.54 - - [19/Oct/2016:10:37:44 +0000]  "GET /sup HTTP/1.1" 200 178 [442] "-" "Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.3 Chrome/38.0.2125.102 Safari/537.36"
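The access-log format used in this post's samples (client IP, request line, status, bytes, a bracketed field, referer, user agent, and optionally a country code and AS name) is easy to parse, and parsing it is enough to tell the two attack patterns in this post apart on the defender's side: the first wave's Hulk-style hits carry one random-looking query parameter and no referer, while the botnet's hits go to a fixed path such as /sup. The Python script below is an added example, not SpoofIT's own tooling or anything published by the Hulk authors. The sample log is constructed: three lines are copied from the post, one extra Hulk-style hit is made up, and the benign request uses the documentation address 203.0.113.7 and the documentation ASN AS64496. The random-parameter heuristic is my own, and the bracketed field after the byte count is treated as opaque because the post does not say what it holds.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log modelled on the post's samples. Lines 1, 3 and 4 are copied
# from the post; line 2 (a second Hulk-style hit) and line 5 (a benign request from
# documentation address 203.0.113.7 / AS64496) are made up for this example.
SAMPLE_LOG = """\
178.251.228.80 - - [17/Oct/2016:20:41:36 +0000]  "GET /?6xd=PpDXrT HTTP/1.1" 405 568 [378] "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; WOW64)" "---" "DE" "AS30823 COMBAHTON combahton IT Services UG (haftungsbeschraenkt)"
178.251.228.80 - - [17/Oct/2016:20:41:37 +0000]  "GET /?Kq1=zzTQoVb HTTP/1.1" 405 568 [380] "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/4.0; WOW64)" "---" "DE" "AS30823 COMBAHTON combahton IT Services UG (haftungsbeschraenkt)"
39.89.29.60 - - [19/Oct/2016:10:37:45 +0000]  "GET /sup HTTP/1.1" 200 178 [395] "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "---" "CN" "AS4837 CNCGROUP China169 Backbone"
120.52.94.54 - - [19/Oct/2016:10:37:44 +0000]  "GET /sup HTTP/1.1" 200 178 [442] "-" "Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.3 Chrome/38.0.2125.102 Safari/537.36"
203.0.113.7 - - [19/Oct/2016:10:38:01 +0000]  "GET /about?page=2 HTTP/1.1" 200 5120 [12] "https://spoofit.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" "---" "NL" "AS64496 EXAMPLE-AS"
"""

# ip ident user [time] "method target proto" status bytes [opaque] "referer" "ua"
# followed, when the log is enriched, by "---" "country" "AS name".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) \[(?P<extra>[^\]]*)\] '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<field3>[^"]*)" "(?P<country>[^"]*)" "(?P<asn>[^"]*)")?\s*$'
)

# One short alphanumeric key=value pair, the shape of the first wave's query strings
RANDOM_PARAM_RE = re.compile(r"^[A-Za-z0-9]{2,10}=[A-Za-z0-9]{3,20}$")


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["country"] = rec["country"] or "??"
    # Keep only the AS number from "AS30823 COMBAHTON ..."; "??" when the field is absent
    rec["asn"] = rec["asn"].split()[0] if rec["asn"] else "??"
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def looks_generated(token):
    """Heuristic: mixed case, or digits mixed with letters, reads as a generated token."""
    has_lower = any(c.islower() for c in token)
    has_upper = any(c.isupper() for c in token)
    has_digit = any(c.isdigit() for c in token)
    return (has_lower and has_upper) or (has_digit and (has_lower or has_upper))


def is_hulk_like(rec):
    """The first-wave pattern: one random-looking query parameter and no referer."""
    if not RANDOM_PARAM_RE.match(rec["query"]):
        return False
    key, value = rec["query"].split("=", 1)
    return looks_generated(key) and looks_generated(value) and rec["referer"] == "-"


def summarize(lines):
    """Aggregate parsed lines by source, country, AS and path, and count Hulk-like hits."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "parsed": len(recs),
        "hulk_like": sum(1 for r in recs if is_hulk_like(r)),
        "by_country": Counter(r["country"] for r in recs),
        "by_asn": Counter(r["asn"] for r in recs),
        "by_ip": Counter(r["ip"] for r in recs),
        "by_path": Counter(r["path"] for r in recs),
    }


def hot_sources(summary, threshold):
    """Sources at or above the threshold, most active first: candidates for rate limiting."""
    return [(ip, n) for ip, n in summary["by_ip"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['parsed']} lines parsed, {s['hulk_like']} Hulk-like")
    print("by country:", dict(s["by_country"]))
    print("by AS:", dict(s["by_asn"]))
    print("by path:", dict(s["by_path"]))
    print("hot sources (>= 2 hits):", hot_sources(s, 2))
```

On a real log the per-AS and per-country counters are what turn a sample like the one above into the ">80% China, AS4837" observation the post makes, and the Hulk-like counter separates the single-host first wave from the botnet's /sup and /harambe hits; the threshold in hot_sources would be set from the normal request rate of the site, not the value of 2 used here for the five-line sample.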