Cops Take Down World’s Biggest ‘DDoS-For-Hire’ Site They Claim Launched 6 Million Attacks





DDoS Protection Powered by  DDos-GuarD

European law enforcement are today celebrating the dismantling of a website police claim sold Distributed Denial of Service (DDoS) attacks and helped launch up to 6 million of them for as many as 136,000 registered users. Four alleged administrators of the webstresser.org service were arrested on Tuesday in the U.K., Canada, Croatia and Serbia, whilst the site was shut down and its infrastructure seized in Germany and the U.S., Europol announced Wednesday.

DDoS attacks typically flood web servers with traffic to take them down. So-called stressers sell those attacks as a service, offering to take down customers’ selected targets for a small fee or providing direct access to a simple DDoS tool. According to investigators working on Operation Power Off, webstresser.org appeared to be the biggest of all such services.


DDoS hits emanating from webstresser.org targeted banks, government institutions, police forces, schools and the gaming industry, investigators said. And Americans made up the majority of both targets and customers on webstresser.org, according to Europol’s lead case coordinator, who asked to remain anonymous in speaking with Forbes exclusively ahead of today’s announcement. “It’s become one of the most important [DDoS stressers] on the market,” he said.

“It is significant,” added Gert Ras, head of the Netherlands National High Tech Crime Unit, speaking of the takedown. “It is a really big one.”

Boastful DDoSers

A Google cache of the webstresser.org site reveals a boastful set of admins, but they appeared to be advertising their DDoS stresser as a testing service to see how well websites could stand up to attacks rather than anything illegal. They claimed to provide “the strongest and most reliable server stress testing” and promised “24/7 customer support spread on over three different continents.” They sold in packages, ranging from $18.99 per month for the “bronze” membership to $49.99 for the “platinum” service.


The team members all went by pseudonyms, including Admin the CEO, backend developer m1rk, head of support Mixerioza and “support agent” Tyrone. They ran a Facebook page too, where they encouraged customer engagement, recently asking for help with YouTube marketing. Whoever managed the Facebook page also reported some problems with the site on April 9. “Deutscher Commercial Internet Exchange is currently experiencing outages so we remain offline until their network is fixed,” one message read. Investigators said they didn’t believe that downtime was related to the law enforcement action, however.

How the investigation went down

Led by the Dutch National High Tech Crime Unit and the UK National Crime Agency (NCA), and assisted by Europol, the investigation into webstresser.org started in October last year, according to the lead case coordinator at Europol.

That month, following a DDoS on an unnamed UK bank, a tip from the NCA landed at the Dutch agency, informing them the web infrastructure for webstresser.org was hosted in the Netherlands. Forbes reviewed domain registration information for the site and found it was registered in October 2015 by someone with a Hotmail email address and who claimed to be based in the small Netherlands village of Gulpen. Forbes emailed the user but had not received a response at the time of publication.


In November, the Dutch police were able to take “snapshots” of the site’s server, from which they recreated their own version of webstresser.org, according to Ras. That allowed them to determine how it worked and eventually led them to the identities of the alleged administrators, though Ras couldn’t say just how as the investigation continues. Even an attempt by the site’s owners to move infrastructure to Germany didn’t stymie the cops, Ras added, as American authorities took down the site today.

Investigators were also able to gather some remarkable statistics from the site, which made apparent the unprecedented scale of the DDoS market. Europol said the total time of persistent DDoS attacks launched via webstresser.org reached 15.5 years. The longest single attack reached around 10 hours, with the average around 20 minutes per target. And the admins made hundreds of thousands of dollars in the process, Ras added, as they accepted payments over PayPal and Bitcoin. Paying via Bitcoin got users a 15% discount too.

“The service was professional, the most professional I’ve seen,” said Europol’s investigator. He noted the controllers of the service were using techniques to “amplify” their attacks. One involved the use of the Domain Name Service (DNS), the telephone book of the internet that connects people looking up a web address like Google.com to the relevant server. The attack relies on the fact that the computers used to deal with such requests – open DNS servers – respond to a small query with a large response. With this so-called DNS amplification, it’s possible to make a large number of small requests to the DNS server and pass on the significantly larger returned traffic to a target website. Webstresser.org offered attacks up to 350Gbps, a sizeable hit.


A warning

Not only were alleged administrators arrested (their names have not yet been released and so Forbes has not been able to contact their legal representation) but police across the world have also paid visits to users of webstresser.org, either arresting them or warning about their continued use of such DDoS products. The NCA said an arrest in Netherlands and another in Hong Kong had taken place today. “The message here is that people who use these services will not stay anonymous,” Ras said. “We will bring them to court.”



Whilst webstresser.org was the biggest fish in the DDoS stresser pond to fall to date, others have been dismantled in recent months. In August, the vDOS service that launched more than two million DDoS attacks over four years was closed and the alleged owners arrested in Israel. Their lawyers said the vDOS operators were simply running a legitimate tool to help businesses test the cybersecurity of their website.

It would appear cops across the world aren’t buying such claims.



Over 15,000 Memcached DDoS Attacks Hit 7,100 Sites in Last 10 Days





Memcached reflections, which recently fueled the two largest amplification DDoS attacks in history, have also helped other cybercriminals launch nearly 15,000 cyber attacks against 7,131 unique targets in the last ten days, a new report revealed.

Chinese Qihoo 360’s Netlab, whose global DDoS monitoring service ‘DDosMon’ initially spotted the Memcached-based DDoS attacks, has published a blog post detailing some new statistics about the victims and sources of these attacks.



The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and RockStar games, Avast, Kaspersky, PornHub, Epoch Times newspaper, and Pinterest.


Overall, the victims are mainly based in the United States, China, Hong Kong, South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.

According to Netlab researchers, the frequency of attacks since 24th February has increased dramatically, as listed below:

Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was fewer than 50 attacks.

Between 24th and 28th February, when Memcached as a new amplification attack vector had not yet been publicly disclosed and was known only to a small group of people, the attacks rose to an average of 372 per day.

Soon after the first public report came on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, with an average of 1,628 DDoS attack events per day.

Netlab’s 360 0kee team initially discovered the Memcached vulnerability in June 2017 and disclosed it in a presentation at a conference in November 2017, but its researchers had hardly seen any Memcached DDoS attacks since then.


“This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed,” said Akamai, a cloud computing company that helped Github to survive the attack.

In a post on its engineering blog, Github said, “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Dubbed Memcrashed, the amplification DDoS attack works by sending a forged request to the targeted Memcached server on port 11211 from a spoofed source IP address that matches the victim’s IP.

A few bytes of request sent to the vulnerable server trigger a response tens of thousands of times larger, directed at the targeted IP address.


Expect More Record-Breaking DDoS Attacks

Though amplification attacks are not new, this attack vector involves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could soon be exploited to launch potentially even larger attacks against other targets.

To prevent Memcached servers from being abused as reflectors, administrators should consider firewalling, blocking or rate-limiting UDP on source port 11211, or disabling UDP support completely if it is not in use.

World’s biggest DDoS attack record broken after just five days





Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case there were no outages, as the provider had taken adequate safeguards, but it’s clear that memcached attacks are going to be a feature that network managers will have to take seriously in the future.

The attacks use poorly secured memcached servers to amplify attacks against a target. The assailant spoofs the source address of its victim and sends a small UDP packet to a memcached server that has no authentication requirement in place. The server responds by firing back as much as 50,000 times the data it received.



With many packets sent out every second, the memcached server unwittingly amplifies the deluge of data that can be directed at the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.
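The reflection pattern described here, and the DNS amplification described in the Forbes piece earlier on this page, has a recognisable signature on the victim’s side: many distinct sources, all answering from a well-known UDP service port that the victim never queried, each delivering unusually large packets. The following detector is an added example and not code from any of the articles above; it assumes NetFlow/IPFIX-style records reduced to the fields of the `Flow` class, and every flow record it runs over is constructed with RFC 5737 documentation addresses.

```python
"""Detect UDP reflection/amplification traffic (DNS, memcached, NTP, LDAP)
in flow records. Added example; assumes NetFlow/IPFIX-style records reduced
to the fields of Flow below. All sample flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Source ports that identify answers from commonly abused reflector services.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 389: "ldap", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    packets: int
    bytes: int


def is_reflection_candidate(flow, min_bytes_per_packet=1000):
    """A flow looks like reflected traffic when it is UDP, its *source* port is a
    reflector service port (the victim receives answers it never asked for) and
    the packets are large (amplified answers rather than small queries)."""
    if flow.proto != "udp" or flow.src_port not in REFLECTOR_PORTS:
        return False
    return flow.bytes / flow.packets >= min_bytes_per_packet


def detect_amplification(flows, window_seconds, min_reflectors=3, min_mbps=100.0):
    """Aggregate candidate flows per destination and alert when one host is hit
    by many distinct reflectors at a high aggregate rate. Returns
    {victim_ip: {"reflectors": n, "mbps": rate, "vectors": [...]}}."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "vectors": set()})
    for f in flows:
        if is_reflection_candidate(f):
            entry = per_victim[f.dst_ip]
            entry["reflectors"].add(f.src_ip)
            entry["bytes"] += f.bytes
            entry["vectors"].add(REFLECTOR_PORTS[f.src_port])

    alerts = {}
    for victim, entry in per_victim.items():
        mbps = entry["bytes"] * 8 / window_seconds / 1_000_000
        if len(entry["reflectors"]) >= min_reflectors and mbps >= min_mbps:
            alerts[victim] = {
                "reflectors": len(entry["reflectors"]),
                "mbps": round(mbps, 1),
                "vectors": sorted(entry["vectors"]),
            }
    return alerts


# Constructed 10-second window (RFC 5737 documentation addresses).
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    # Five memcached reflectors each sending 100k packets of ~1400 bytes at one victim.
    *[Flow(f"198.51.100.{i}", 11211, "203.0.113.10", 40000 + i, "udp", 100_000, 140_000_000)
      for i in range(1, 6)],
    # Only two DNS reflectors at a second host: large answers, but below min_reflectors.
    Flow("192.0.2.1", 53, "203.0.113.20", 41000, "udp", 50_000, 150_000_000),
    Flow("192.0.2.2", 53, "203.0.113.20", 41001, "udp", 50_000, 150_000_000),
    # Benign: ordinary small DNS answers from the site's resolver.
    Flow("192.0.2.53", 53, "203.0.113.10", 42000, "udp", 200, 20_000),
    # Benign: the victim's own outbound queries (source port is ephemeral).
    Flow("203.0.113.10", 43000, "198.51.100.1", 11211, "udp", 10, 600),
    # Benign: memcached over TCP between application servers.
    Flow("203.0.113.30", 11211, "203.0.113.31", 44000, "tcp", 5_000, 6_000_000),
]


def run_sample():
    """Run the detector over the constructed window."""
    return detect_amplification(SAMPLE_FLOWS, WINDOW_SECONDS)


if __name__ == "__main__":
    for victim, info in run_sample().items():
        print(f"{victim}: {info['reflectors']} reflectors, {info['mbps']} Mbps via {', '.join(info['vectors'])}")
```

The thresholds (bytes per packet, distinct reflectors, aggregate Mbps) are assumed starting points to tune against a network’s own baseline; the important design choice is keying on the source port of inbound UDP, since a legitimate client sees answers from port 53 or 11211 only for queries it sent moments earlier, whereas a reflection victim sees them from hundreds of hosts it never contacted.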

There are some simple mitigation techniques, notably blocking UDP traffic from port 11211, the default port for memcached servers. In addition, the operators of memcached servers need to lock down their systems to avoid taking part in such denial of service attacks.
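Locking down a memcached host, as this paragraph and the earlier Hacker News advice (disable UDP, or filter port 11211) recommend, comes down to two launch options: `-U 0` turns the UDP listener off, and `-l` binds the daemon to specific addresses instead of every interface. The audit script below is an added example, not from any of the articles or the memcached project; it reads a memcached command line or a Debian-style `memcached.conf`, and the sample configurations are constructed. It assumes the pre-1.5.6 behaviour in which a missing `-U` left UDP enabled on 11211 (memcached 1.5.6 changed that default), which is what `udp_default_on` controls.

```python
"""Audit a memcached launch configuration for UDP reflector exposure.
Added example; understands the memcached flags -U (UDP port, 0 disables UDP),
-p (TCP port) and -l (comma-separated listen addresses). Sample configurations
below are constructed."""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_memcached_args(text):
    """Extract ports and bind addresses from a memcached command line or a
    Debian-style memcached.conf (one option per line, '#' starts a comment)."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    cfg = {"udp_port": None, "tcp_port": 11211, "listen": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-U", "-p", "-l"):
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        elif tok[:2] in ("-U", "-p", "-l") and len(tok) > 2:   # glued form, e.g. -U0
            tok, value = tok[:2], tok[2:]
            i += 1
        else:
            i += 1          # any other option (-m, -c, -vv, ...) is irrelevant here
            continue
        if tok == "-U":
            cfg["udp_port"] = int(value)
        elif tok == "-p":
            cfg["tcp_port"] = int(value)
        else:
            cfg["listen"].extend(a.strip() for a in value.split(",") if a.strip())
    return cfg


def audit(text, udp_default_on=True):
    """Return the exposure verdict for one configuration. Releases before
    memcached 1.5.6 enabled UDP on 11211 when -U was absent, so that is the
    assumed default unless udp_default_on is False."""
    cfg = parse_memcached_args(text)
    udp_port = cfg["udp_port"]
    if udp_port is None:
        udp_port = 11211 if udp_default_on else 0
    listen = cfg["listen"] or ["0.0.0.0"]          # no -l means all interfaces
    public = [a for a in listen if a not in LOOPBACK]
    findings = []
    if udp_port and public:
        findings.append(f"UDP port {udp_port} reachable on {', '.join(public)}: usable as an amplifier; set -U 0")
    elif udp_port:
        findings.append(f"UDP port {udp_port} enabled on loopback only; set -U 0 unless a local client needs it")
    if public:
        findings.append(f"TCP port {cfg['tcp_port']} bound to {', '.join(public)}: restrict with -l 127.0.0.1 or a firewall rule")
    return {
        "udp_port": udp_port,
        "listen": listen,
        "reflector_risk": bool(udp_port) and bool(public),
        "findings": findings,
    }


# Constructed sample configurations.
VULNERABLE_CONF = """# typical older package defaults: UDP on, bound to every interface
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""
HARDENED_CONF = """# UDP off, TCP on loopback only
-m 64
-p 11211
-U 0
-l 127.0.0.1
"""
IMPLICIT_CONF = "-m 64 -l 10.0.0.5"   # -U absent, so the version default decides

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF), ("implicit", IMPLICIT_CONF)):
        result = audit(conf)
        print(name, "reflector_risk =", result["reflector_risk"])
        for finding in result["findings"]:
            print("  -", finding)
```

A configuration audit only covers the host itself; the border filtering the articles describe (dropping or rate-limiting inbound UDP with source port 11211) still belongs at the network edge, because it protects against reflectors you do not operate.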



“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” said Carlos Morales, VP of sales, engineering and operations at Arbor Networks.

“It is critically important for companies to take the necessary steps to protect themselves.”

It has been nearly five years since the first memcached attacks were reported, but in the last few weeks they have grown in popularity, and even include ransom demands. It’s clear these are going to be a recurring feature unless memcached server operators get their act together.

DDoS Attacks Increase in Volume and Duration in Q1 2018





Distributed denial-of-service (DDoS) attack events are on the rise in the first quarter of 2018. That’s the word from a recent Kaspersky Lab study, which found “a significant increase in both the total number and duration of DDoS attacks against Q4 2017.”

Synchronized (SYN) attacks remain the most popular vector, accounting for 57.3 percent of the total volume of incidents. In addition, over 95 percent of all DDoS attack reports came from the top 10 countries, out of 79 total.

DDoS Attacks Increase in Length and Breadth
It’s not all bad news: The share of Linux botnets fell from 71 percent last year to 66 percent in Q1 2018. But the growth of specific botnet classes, such as Darkai, prompted a return to multiday DDoS attacks. The Kaspersky report noted that one attack lasted 297 hours — more than 12 days — which is the longest attack since 2015.




While these multiday events aren’t common, the report revealed a sixfold increase in sustained attacks, or those lasting longer than 50 hours. At the same time, short-term attacks are on the rise, up to 91.47 percent of all attacks from 85.5 percent last year.


Kaspersky also noted that amplification attacks are ramping up again, this time using Memcached and Lightweight Directory Access Protocol (LDAP) vectors rather than network time protocol (NTP) and Domain Name System (DNS)-based boosting. The authors warned that, as the year goes on, this could prove troublesome on the Dark Web because it “has one of the biggest amplification factors.”



Progress on the DDoS Attack Front
In addition to the sheer number of attacks, companies must contend with cost. A survey by Corero Network Security found that organizations spend up to $50,000 dealing with a single attack.

Reputational damage is also an issue. According to Security Boulevard, after an online poker site fell victim to multiple DDoS attack events in late April, many users became frustrated, arguing that the company’s “technical and management expertise is zilch” and calling for it to “make it right.”

There is some progress on the DDoS attack front. According to Forbes, European law enforcement recently shut down a website that sold DDoS attacks and helped launch them for millions of paying customers. The agency warned companies and individuals to stop using DDoS “stresser” services or face legal repercussions.




Taking Out the Garbage Traffic

According to Kaspersky, attacks in early March against code sharing site GitHub hit record volumes of “garbage” traffic at more than 1 TB per second using Memcached.

The security firm said it expects this traffic trend to continue this year. It predicted that “server owners will quickly spot the abundance of garbage traffic and patch up vulnerabilities, which will dent the popularity of attacks of this type.”

As noted above, however, amplification attacks may shift to LDAP services as threat actors look for ways to improve DDoS throughput.

