2013/08/11

aa419 DDoS Aug 2013 Breakdown


Over the past few days, aa419 has been under a DDoS attack once again. Somewhere out there, there is a happy "scammer client". We are always happy to please and note your appreciation of our services, confirming the need for aa419 to be on the net doing what we do.

So when our "scammer client" hired a botnet to show his appreciation, we put steps into place.
It was believed to be in the best interests of the Internet community to publish these statistics.

A Problem in Escalation

Of late, botnets have been abused to DDoS anti-abuse sites in an attempt to hide criminality that targets end users. However, reporting these bots is a near impossible task because the network owner information held at the Regional Internet Registries is missing or stale. Many companies that spend millions on advertising trying to convince their clients they are simply the best are extremely negligent when it comes to maintaining their network information at their Regional Internet Registry.

What does this mean to you as a user of their services?

If a party like aa419 happens to notice abuse coming from an IP address you are using, we will not know that it is you it is currently assigned to. What we will see is the network owner information (theoretically at least). There should be some form of valid contact, easily reached, that allows us to inform your provider of this abuse. However, if this information is not available, we have to go on a sleuthing exercise to try to determine the relevant escalation channel, or fall back on alternative (slower) escalation channels.

In the meantime somebody unknown to you may have full access to your system, may have downloaded malware onto it and may be abusing it to attack us. His unauthorized access also allows him to steal information from you, such as passwords and other personal details, that in turn can be abused to your detriment. At the same time, you may well be paying for his abuse of your system in terms of bandwidth used. Your system may also be abused to compromise other parties on the same home network as you, safely protected inside your own home network (or so you thought)!

As such, any responsible provider would be keen to know about abuse on their network and would not allow it to be used in this way. But if they cannot be contacted, they do not live up to their promised service.

At this stage we should also mention that another category of provider exists, one that supplies VPNs to its clients. This can be done responsibly or irresponsibly. We will shortly see an example of this.

After trying to contact providers or other responsible parties manually, with numerous bounced emails (publishing such network records was also considered, but that will keep for if we ever end up in this situation again), it was decided to publish our botnet-client-related DDoS statistics. This will enable Internet users to decide for themselves what is safe and what is not, allowing them to protect themselves.

aa419 invites contact from the providers and CERTS if evidence is needed. A special email address has been set up to receive your emails: ddosalert(AT)aa419.org.

The Statistics


A total of 3782 bots were sorted by region, country code, AS number and IP address. This allows the reader to easily spot problem areas and take preventative action.

We have also posted the full details by region:

Summaries

Here is a summary of each area:

  AFRINIC

   297  Bots total for AFRINIC
    73  Algeria - The country with the most bots in AFRINIC
    65  The AS with the most bots was AS36947: ALGERIE TELECOM

  APNIC 

  1299  Bots total for APNIC
   310  India - The country with the most bots in APNIC
   119  The AS with the most bots was AS9829: BSNL Internet

  ARIN 

    42  Bots total
    35  USA - The country with the most bots in ARIN
     9  The AS with the most bots was AS4436:  nLayer*

        *Also see what part VPN providers plays in these stats in 
                "A Special Note on the USA" below

  LACNIC

   593  Bots total
   184  PERU - The country with the most bots in LACNIC
   119  The AS with the most bots was AS6147: Telefonica del Peru S.A.A.

  RIPENCC 

  1551  Bots total for RIPENCC
   348  Iran - The country with the most bots in RIPENCC
   210  The AS with the most bots was AS21277: Newroz Telecom Ltd.

  OVERALL

  1551  Region with the highest number of bots - RIPENCC
   348  Iran - The country with the most bots
   210  AS21277: Newroz Telecom Ltd, the AS with the most bots 

  TOP 10 ASNs

  210 AS21277 Newroz Telecom Ltd, Iran
  173 AS6147  Telefonica del Peru S.A.A., Peru
  127 AS9198  JSC Kazakhtelecom, Kazakhstan
  119 AS9829  BSNL Internet, India
   92 AS50710 EarthLink Ltd, Iraq
   91 AS12880 Information Technology Company (ITC), Iran
   86 AS8151  Uninet S.A. de C.V., Mexico
   84 AS17882 UNIVISION LLC, Mongolia
   80 AS36947 ALGERIE TELECOM, Algeria
   75 AS14754 Telgua, Guatemala

  Top 10 Countries

  348 IR Iran
  310 IN India
  308 IQ Iraq
  223 TH Thailand
  216 PH Philippines
  198 RU Russia
  192 KZ Kazakhstan
  184 PE Peru
  144 VN Vietnam
  100 MX Mexico


Some of the statistics are not a surprise and have been discussed before. However, we were certainly surprised by the appearance of some of these countries on the radar. Somewhere the figure was bandied about that the Internet currently serves 2.4 billion users. We are all one another's neighbors. We trust this serves as a red flag to take corrective action if you find yourself linked to any of these stats in any way, so that we can stay good neighbors.

A Special Note on the USA

Of note is how few bots were seen from the USA. The USA needs to be commended for their low prevalence in the logs.

At this stage it may be appropriate to analyze the top four abused US networks. Where abuse could be seen, the most abused networks can be attributed to VPN providers. nLayer, Hurricane Electric and EGIHosting are well known. Areti Internet is a new name to us.

  9 AS4436  nLayer
  5 AS6939  Hurricane Electric, Inc
  5 AS21321 Areti Internet Ltd.
  3 AS18779 EGIHosting

Let us put this into perspective:

  22  IPs attributed to nLayer/Hurricane Electric/Areti/EGIHosting
  35  Abused IP addresses for the USA

More than half the USA abuse was attributable to VPNs!

Further, more than one remote bot may abuse a single VPN provider. As such:

   22+ Bots attributed to nLayer/Hurricane Electric/Areti/EGIHosting
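As an added example (not aa419's own tooling), here is how the region/country/AS breakdown in the summaries above and the VPN-share check just shown can be produced from a web-server log. The log excerpt, the whois lookup table, all IP addresses and the documentation ASNs AS64496/AS64500 are constructed stand-ins; AS21277, AS4436 and AS6939 are the ones named on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed log excerpt (not aa419's data): client IP first on each line.
LOG = """\
203.0.113.5 - - [11/Aug/2013:10:00:01 +0000] "GET / HTTP/1.1" 503 0
203.0.113.9 - - [11/Aug/2013:10:00:02 +0000] "GET / HTTP/1.1" 503 0
203.0.113.20 - - [11/Aug/2013:10:00:02 +0000] "GET / HTTP/1.1" 503 0
198.51.100.7 - - [11/Aug/2013:10:00:03 +0000] "GET / HTTP/1.1" 503 0
198.51.100.8 - - [11/Aug/2013:10:00:03 +0000] "GET / HTTP/1.1" 503 0
198.51.100.8 - - [11/Aug/2013:10:00:04 +0000] "GET / HTTP/1.1" 503 0
198.51.100.9 - - [11/Aug/2013:10:00:04 +0000] "GET / HTTP/1.1" 503 0
192.0.2.44 - - [11/Aug/2013:10:00:05 +0000] "GET / HTTP/1.1" 503 0
"""
# Constructed stand-in for RIR/whois lookups: ip -> (region, country, asn, as_name).
# AS21277, AS4436 and AS6939 are named on the page; AS64496/AS64500 are documentation ASNs.
WHOIS = {
    "203.0.113.5": ("RIPENCC", "IR", "AS21277", "Newroz Telecom Ltd"),
    "203.0.113.9": ("RIPENCC", "IR", "AS21277", "Newroz Telecom Ltd"),
    "203.0.113.20": ("RIPENCC", "RU", "AS64500", "Example ISP"),
    "198.51.100.7": ("ARIN", "US", "AS4436", "nLayer"),
    "198.51.100.8": ("ARIN", "US", "AS6939", "Hurricane Electric, Inc"),
    "198.51.100.9": ("ARIN", "US", "AS64496", "Example Cable"),
}
UNKNOWN = ("UNKNOWN", "??", "AS?", "no usable registry record")  # stale or missing whois
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")

def unique_ips(log):
    """Each bot counts once, however many requests it sent."""
    return {m.group(1) for m in map(IP_RE.match, log.splitlines()) if m}

def breakdown(ips):
    """Per region: bot total, busiest country, busiest AS (the page's summary layout)."""
    regions = defaultdict(lambda: {"total": 0, "cc": Counter(), "asn": Counter()})
    for ip in sorted(ips):
        region, cc, asn, name = WHOIS.get(ip, UNKNOWN)
        r = regions[region]
        r["total"] += 1
        r["cc"][cc] += 1
        r["asn"][(asn, name)] += 1
    return {reg: {"total": r["total"], "top_country": r["cc"].most_common(1)[0],
                  "top_as": r["asn"].most_common(1)[0]} for reg, r in regions.items()}

def top_asns(ips, n=10):
    return Counter(WHOIS.get(ip, UNKNOWN)[2:] for ip in ips).most_common(n)

def share(ips, region, asns):
    # (bots inside `asns`, bots in region): the page's "more than half is VPN" check.
    in_region = [WHOIS.get(ip, UNKNOWN) for ip in ips if WHOIS.get(ip, UNKNOWN)[0] == region]
    return sum(rec[2] in asns for rec in in_region), len(in_region)
```

Bots whose address has no usable registry record land in an UNKNOWN bucket rather than being silently dropped, which is exactly the escalation problem the page describes.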

nLayer, Hurricane Electric and EGIHosting have been observed as contributors to online incidents, networks from which even the most common garden-variety scammer operates. Their appearance once again, now in denial of service attacks, is predictable, as these providers have no real control over who they allow on their services and there is no real accountability. One of their common clients, AnchorFree with its HotSpot Shield product, by its own admission keeps no logs in order to ensure its users' privacy. Privacy to do what? Privacy and anonymity are not synonyms. We see the results in our logs and in our email boxes. Likewise we can be sure other service providers see the same resulting abuse related to these VPN services. Previous HostExploit reports bear testimony to this.

List and Block Removal

Numerous parties had (not so) bright ideas to automate processes and did so incorrectly. These further contributed substantially to the server load and have been blocked, although not listed. One or more such entries may still exist. If you find yourself listed, please consider what you did that may have caused you to be listed before contacting us.

If you are one of our friends with a special arrangement, please accept our apologies.

We accept list removal requests for innocent issues; however, the logs will be scrutinized before such requests are considered.

Should a network provider indicate that an IP address or range has been cleaned, that IP address or range will be unblocked in good faith. If malicious activity is seen again after a previous unblocking and the address is blocked once more, repeat unblock requests will not be honored without an explanation of what was done in an attempt to resolve the issue.

Disclaimer

All possible steps were taken to check the logs for correctness so as to present accurate and reliable data. No responsibility will be taken for information supplied in good faith that turns out to be incorrect. Checking the activity of each connection during a DDoS attack manually is near impossible. Automation may fail and produce false positives. Where such false positives were noted, corrective steps were taken and the results reproduced so as to produce fair and impartial statistics.
