Re: Ransom DDoS attack - need help!
We received a similar ransom e-mail yesterday followed by a UDP flood attack. Here is a sample of the attack traffic we received as well as a copy of the ransom e-mail. Thought this might be useful to others who have been targeted as well. I will have to talk with our upstream providers to get a definitive on the size of the attacks. At the point in time we blackholed our IP we were seeing 20+Gbps.

*Dec/07/2015 5:40:22PM* Here is a summary of the flows to our web server IP during the ddos event:

================================================
Top 10 flows by packets per second for dst IP: 96.43.134.147
Duration  Proto  Src IP Addr       Src Pt  Dst Pt  Packets  pps      bps
0.001     UDP    175.43.224.99     1900    22456   2048     2.0 M    5.8 G
0.002     UDP    120.199.113.49    1900    54177   2048     1.0 M    2.8 G
0.002     UDP    27.208.164.227    1900    54177   2048     1.0 M    2.7 G
0.002     UDP    60.209.31.218     1900    16632   2048     1.0 M    3.0 G
0.002     UDP    27.220.71.238     1900    22456   2048     1.0 M    3.0 G
0.002     UDP    120.236.121.9     1900    62005   2048     1.0 M    2.5 G
0.002     UDP    104.137.222.90    1900    14944   2048     1.0 M    3.7 G
0.002     UDP    121.27.133.72     1900    44417   2048     1.0 M    3.0 G
0.002     UDP    92.241.8.75       53      5575    2048     1.0 M    12.4 G
0.002     UDP    120.197.56.134    1900    30672   2048     1.0 M    2.7 G

Top 10 flows by flows per second for dst IP: 96.43.134.147
Duration  Proto  Src IP Addr       Src Pt  Dst Pt  Packets  pps      bps
248.847   UDP    41.214.2.249      123     47207   8.6 M    34594    133.4 M
248.886   UDP    91.208.136.126    123     63775   6.7 M    26813    103.4 M
150.893   UDP    85.118.98.253     123     47207   5.1 M    33843    130.5 M
151.053   UDP    80.179.166.7      123     63775   5.0 M    33292    128.4 M
151.230   UDP    69.31.105.142     123     47207   4.9 M    32657    125.9 M
150.436   UDP    182.190.0.17      123     45291   4.8 M    32128    123.9 M
248.832   UDP    95.128.184.10     123     63775   4.7 M    19020    73.3 M
150.573   UDP    188.162.13.4      123     42571   4.6 M    30514    117.7 M
150.261   UDP    205.128.68.5      123     45291   4.2 M    27777    107.1 M
149.962   UDP    205.128.68.5      123     42571   4.1 M    27443    105.8 M

Top 10 flows by bits per second for dst IP: 96.43.134.147
Duration  Proto  Src IP Addr       Src Pt  Dst Pt  Packets  pps      bps
0.002     UDP    92.241.8.75       53      5575    2048     1.0 M    12.4 G
0.003     UDP    190.184.144.74    53      18340   2048     682666   8.3 G
0.003     UDP    190.109.218.69    53      63492   2048     682666   8.3 G
0.004     UDP    103.251.48.245    53      43701   2048     512000   6.2 G
0.004     UDP    46.149.191.239    53      58439   2048     512000   6.2 G
0.001     UDP    175.43.224.99     1900    22456   2048     2.0 M    5.8 G
0.006     UDP    37.72.70.85       53      63909   2048     341333   4.1 G
0.006     UDP    138.204.178.169   53      2162    2048     341333   4.1 G
0.006     UDP    200.31.97.107     53      33765   2048     341333   4.1 G
0.006     UDP    110.164.58.82     53      61397   2048     341333   4.1 G
================================================

Copy of the e-mail headers:

Delivered-To: joe@joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
        Mon, 7 Dec 2015 15:32:22 -0800 (PST)
X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Return-Path: <armada.collective@bk.ru>
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
        by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
        for <joe@joesdatacenter.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Received-SPF: pass (google.com: domain of armada.collective@bk.ru designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of armada.collective@bk.ru designates 217.69.141.11 as permitted sender) smtp.mailfrom=armada.collective@bk.ru;
       dkim=pass header.i=@bk.ru;
       dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bk.ru; s=mail;
        h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
        bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;
        b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
Received: from [95.191.131.93] (ident=mail)
        by f369.i.mail.ru with local (envelope-from <armada.collective@bk.ru>)
        id 1a65GX-0008H5-DO
        for joe@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP;
        Tue, 08 Dec 2015 02:32:21 +0300
From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru>
To: joe@joesdatacenter.com
Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
MIME-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [95.191.131.93]
Date: Tue, 08 Dec 2015 02:32:21 +0300
Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru>
X-Priority: 3 (Normal)
Message-ID: <1449531141.2696669@f369.i.mail.ru>
Content-Type: multipart/alternative; boundary="--ALT--7N12aTwEB8hvVlFgA0NbUaD4Daicjipu1449531141"
X-Mras: Ok
X-Spam: undefined

Copy of the e-mail:

From: Armada Collective <armada.collective@bk.ru>
Subject: Ransom request: DDoS Attack

Message Body:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

If you haven heard for us, use Google. Recently, we have launched some of the largest DDoS attacks in history. Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time) And this: https://twitter.com/optucker/status/666501788607098880

We will start DDoS-ing your network if you don't pay 20 Bitcoins @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.

Right now we will start small 30 minutes UDP attack on your site IP: 96.43.134.147 It will not be hard, just to prove that we are for real Armada Collective.

If you don't pay by Wednesday, massive attack will start, price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack and attack will last for as long as you don't pay.

In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks.

Our attacks are extremely powerful - peaks over 1 Tbps per second.

Prevent it all with just 20 BTC @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

And nobody will ever know you cooperated.

--
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615
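The flow summary in the post, parsed and grouped by reflection vector, as an added example that is not part of Joe's post or anything else in the thread. It assumes the nfdump-style column layout shown above (Duration Proto Src IP Src Pt Dst Pt Packets pps bps, with K/M/G suffixes); the sample rows are copied from the three tables, the port-to-vector table is the editor's (only 1900, 123 and 53 appear in the post), and the per-packet size it derives (bits per second divided by packets per second) is a per-flow burst figure, not a sustained rate, so the summary counts distinct reflector IPs per vector and keeps a peak rather than summing bandwidth.

```python
"""Classify an nfdump-style 'Top N flows' summary by UDP reflection vector."""
from collections import defaultdict
from dataclasses import dataclass

# Source ports of UDP services commonly abused as reflectors/amplifiers.
# 1900, 123 and 53 are the ones in the post; the others are the editor's additions.
REFLECTION_VECTORS = {
    19: "chargen",
    53: "DNS",
    123: "NTP",
    161: "SNMP",
    1900: "SSDP",
    11211: "memcached",
}
_SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}

# Constructed sample: rows copied from the post's tables, one per line, with a
# title line and the column-header line left in to show that the parser skips them.
SAMPLE_FLOWS = """\
Top 10 flows by packets per second for dst IP: 96.43.134.147
Duration Proto Src IP Addr Src Pt Dst Pt Packets pps bps
0.001 UDP 175.43.224.99 1900 22456 2048 2.0 M 5.8 G
0.002 UDP 120.199.113.49 1900 54177 2048 1.0 M 2.8 G
0.002 UDP 92.241.8.75 53 5575 2048 1.0 M 12.4 G
248.847 UDP 41.214.2.249 123 47207 8.6 M 34594 133.4 M
248.886 UDP 91.208.136.126 123 63775 6.7 M 26813 103.4 M
0.003 UDP 190.184.144.74 53 18340 2048 682666 8.3 G
""".splitlines()


@dataclass(frozen=True)
class Flow:
    duration: float
    proto: str
    src_ip: str
    src_port: int
    dst_port: int
    packets: float
    pps: float
    bps: float

    @property
    def avg_packet_bytes(self) -> float:
        """bits/s over packets/s is bits per packet; amplified replies are large."""
        return self.bps / self.pps / 8

    @property
    def vector(self) -> str:
        return REFLECTION_VECTORS.get(self.src_port, f"udp/{self.src_port}")


def _fold_units(tokens):
    """Turn ['2.0', 'M'] into [2000000.0]; leave non-numeric tokens as strings."""
    out = []
    for tok in tokens:
        if tok in _SCALE and out and isinstance(out[-1], float):
            out[-1] *= _SCALE[tok]
            continue
        try:
            out.append(float(tok))
        except ValueError:
            out.append(tok)
    return out


def parse_flow_line(line):
    """One 'Duration Proto Src IP Src Pt Dst Pt Packets pps bps' row, or None."""
    t = _fold_units(line.split())
    if len(t) != 8 or t[1] not in ("UDP", "TCP", "ICMP") or not isinstance(t[2], str):
        return None
    try:
        return Flow(float(t[0]), t[1], t[2], int(t[3]), int(t[4]),
                    float(t[5]), float(t[6]), float(t[7]))
    except (TypeError, ValueError):
        return None


def summarize(lines):
    """Per vector: distinct reflector IPs, flow count, largest mean packet, peak flow bps."""
    out = defaultdict(lambda: {"reflectors": set(), "flows": 0,
                               "max_pkt_bytes": 0.0, "peak_bps": 0.0})
    for line in lines:
        f = parse_flow_line(line)
        if f is None or f.proto != "UDP":
            continue
        s = out[f.vector]
        s["reflectors"].add(f.src_ip)
        s["flows"] += 1
        s["max_pkt_bytes"] = max(s["max_pkt_bytes"], f.avg_packet_bytes)
        # The millisecond-long rows are 2048-packet bursts, so their pps/bps is a
        # burst rate; keep a per-flow peak instead of summing across flows.
        s["peak_bps"] = max(s["peak_bps"], f.bps)
    return dict(out)


def reflector_ips(summary):
    """Sorted reflector list per vector: what goes in an upstream ACL or abuse report."""
    return {v: sorted(s["reflectors"]) for v, s in summary.items()}


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for vector, s in sorted(summary.items(), key=lambda kv: -kv[1]["peak_bps"]):
        print(f"{vector:5} {len(s['reflectors']):3} reflectors  "
              f"{s['max_pkt_bytes']:7.1f} B/pkt max  {s['peak_bps'] / 1e9:5.2f} Gbps peak flow")
    for vector, ips in reflector_ips(summary).items():
        print(vector, ", ".join(ips))
```

On the post's own numbers the SSDP rows come out at about 360 bytes per packet, the NTP rows at about 480 and the DNS rows at about 1500, which is the shape you expect from amplified replies rather than from a botnet sending small packets directly; the reflector list is the thing to hand to an upstream for an ACL, since the sources are real hosts and not spoofed.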
hi joe

On 12/08/15 at 01:24am, Joe Morgan wrote:
We received a similar ransom e-mail yesterday
:-) don't pay real $$$ ... pretend that it was paid and watch for them to come get the ransom ... never give your real banking info ... ask them where to send the "$xx,000" mastercard gift card by fedex/ups/dhl ... law enforcement might get lucky with real physical addresses ... once in a while, there are dumb criminals that show up on tv news
followed by a UDP flood attack.
*pout* or not ... their demo shows they've got the zombie botnet capable of sending 20+Gbps .... law enforcement and ISP security dept "should be interested" to trace them down ... but it takes tons of (their) resources to take the next steps: who is it and where are the attackers

*pout* ... udp ddos floods are "expensive" to solve ... unfortunately, you cannot mitigate any incoming UDP-ddos attacks at your server/router.... udp mitigation has to be done by:
- somehow, you need to find out who they are etc and legally seize their botnet
- your upstream ISP/peer who doesn't send it to you
- or you set up a 2nd pipe at a geographically different colo ( cheaper )
- or you first send your udp traffic thru a ( expensive ) ddos scrubber

the idea of "limiting" the udp traffic is basically useless, since the udp packets already came down the wire ... you should at least not reply to any udp ddos packet - don't send "host not available", etc etc
Here is a sample of the attack traffic we received as well as a copy of the ransom e-mail. Thought this might be useful to others who have been targeted as well. I will have to talk with our upstream providers to get a definitive on the size of the attacks. At the point in time we blackholed our ip we were seeing 20+Gbps.
*Dec/07/2015 5:40:22PM* Here is a summary of the flows to our web server IP during the ddos event:
since it is a webserver they're playing with ... there's a "dozen" things you can do to mitigate the UDP flood attacks
- web server should only be running apache ... remove ntpd, bind, etc, etc, etc aka, remove the risks of udp amplification
- make sure required things like ntpd/sshd etc are using local non-routable ip#
- long common sense list of stuff to do ... including the 4 points listed above

everybody would want the timezone so they can check their "bandwidth" monitor to see if 20Gbps hurts them too
Top 10 flows by packets per second for dst IP: 96.43.134.147
Duration  Proto  Src IP Addr       Src Pt  Dst Pt  Packets  pps      bps
0.001     UDP    175.43.224.99     1900    22456   2048     2.0 M    5.8 G
0.002     UDP    120.199.113.49    1900    54177   2048     1.0 M    2.8 G
0.002     UDP    27.208.164.227    1900    54177   2048     1.0 M    2.7 G
what app do you have that talks to port 1900 ?

these are probably spoof'd src address .... but you will never know until you look up these ip# to see if there is any common link to it like it all belonging to the same zombie net

    # LIST_OF_ZOMBIE_HOSTS = the src IPs from the flow tables, e.g. 175.43.224.99
    for ip in $LIST_OF_ZOMBIE_HOSTS; do
        whois "$ip"
        traceroute "$ip"
    done

- udp is primarily used for ntp, dns, nfs, x11, snmp, etc
- if the service is not used, turn off the ntp/bind/nfsd/X11/snmpd daemons
Top 10 flows by flows per second for dst IP: 96.43.134.147
Duration  Proto  Src IP Addr       Src Pt  Dst Pt  Packets  pps      bps
248.847   UDP    41.214.2.249      123     47207   8.6 M    34594    133.4 M
248.886   UDP    91.208.136.126    123     63775   6.7 M    26813    103.4 M
150.893   UDP    85.118.98.253     123     47207   5.1 M    33843    130.5 M
they like to play with ntpd ... make sure your NTPd sw is patched
Top 10 flows by bits per second for dst IP: 96.43.134.147
Duration  Proto  Src IP Addr       Src Pt  Dst Pt  Packets  pps      bps
0.002     UDP    92.241.8.75       53      5575    2048     1.0 M    12.4 G
0.003     UDP    190.184.144.74    53      18340   2048     682666   8.3 G
0.003     UDP    190.109.218.69    53      63492   2048     682666   8.3 G
they like to play with DNS ... make sure your bind sw is patched and properly configured ( not open resolver, etc )
================================================
Copy of the e-mail headers:
Delivered-To: joe@joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb; Mon, 7 Dec 2015 15:32:22 -0800 (PST)
i assume this ip# is your own local lan ?
X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088; Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Return-Path: <armada.collective@bk.ru>
something tangible to trace/monitor

good luck trying to get bk.ru and their ISP to help resolve the ransom issue

    traceroute bk.ru
    traceroute mail.ru
    traceroute 217.69.141.11
    traceroute 95.191.131.93
    whois 217.69.141.11
    whois 95.191.131.93

politely rattle the security cages of the NOC for each of the ISPs that is listed in traceroute and especially the IP# owner
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11]) by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21 for <joe@joesdatacenter.com> ...
Received: from [95.191.131.93] (ident=mail) by f369.i.mail.ru with local (envelope-from <armada.collective@bk.ru>) ....
Received: from [95.191.131.93] by e.mail.ru with HTTP; Tue, 08 Dec 2015 02:32:21 +0300
From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru> ....
X-Mailer: Mail.Ru Mailer 1.0
looks like they are using webmail ??
X-Originating-IP: [95.191.131.93]
mail.ru knows exactly who is/was using their ip# 95.191.131.93 at 02:32:21 +0300
Date: Tue, 08 Dec 2015 02:32:21 +0300
Reply-To: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru>
...
If you haven heard for us, use Google. Recently, we have launched some of the largest DDoS attacks in history. Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time) And this: https://twitter.com/optucker/status/666501788607098880
We will start DDoS-ing your network if you don't pay 20 Bitcoins @ 19zErvraWpnLj4Ga7nsLXh8C52g1zogYJe by Wednesday.
orders of magnitude cheaper than tracking down who it is that sent the email and chasing down their botnet ... everybody in the world should not be using any of the products/services that also support bitcoin or any other anonymous payment methods
Right now we will start small 30 minutes UDP attack on your site IP: 96.43.134.147 It will not be hard, just to prove that we are for real Armada Collective.
tough group .... the FBI, interpol and especially the russian law enforcement group should be interested to get hold of them ... it will be expensive in time to track them down while they collect enough $$$ from lots of folks that don't want to deal with the primary issue of ransoms
If you don't pay by Wednesday, massive attack will start, price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack and attack will last for as long as you don't pay.
In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks.
:-)
Our attacks are extremely powerful - peaks over 1 Tbps per second.
that should be big enough of an issue that all ISPs between them and you would want to stop it too ... it's gonna be expensive in time and staff to play cat-n-mouse with them
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
:-) magic pixie dust

alvin
# DDoS-Mitigator.net
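The Received-chain walk alvin does by eye above, done with the Python standard library, as an added example that is the editor's and not from the thread. The header block is copied from Joe's post (the relevant headers only, re-folded one per line); the parsing regex and the rule it encodes are the editor's: each MTA prepends its own Received line, so the oldest hop is at the bottom, and an address inside the parenthesised comment was observed by the receiving MTA from the socket, whereas the bare name before it is whatever the sender announced. X-Originating-IP is read separately because it is set by the webmail provider, not by the receiving side, and only means something where the chain actually reaches that provider; here it agrees with the hop mail.ru itself recorded, which is the point alvin makes about mail.ru knowing who held 95.191.131.93.

```python
"""Walk an e-mail's Received chain and decode its RFC 2047 headers (stdlib only)."""
import email
import re
from email.header import decode_header

# Constructed sample: the relevant headers of the ransom e-mail quoted in the thread,
# re-folded one header per line (the list copy had them run together).
SAMPLE_HEADERS = """\
Delivered-To: joe@joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
 Mon, 7 Dec 2015 15:32:22 -0800 (PST)
Return-Path: <armada.collective@bk.ru>
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
 by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
 for <joe@joesdatacenter.com>; Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=armada.collective@bk.ru;
 dkim=pass header.i=@bk.ru; dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
Received: from [95.191.131.93] (ident=mail) by f369.i.mail.ru with local
 (envelope-from <armada.collective@bk.ru>) id 1a65GX-0008H5-DO
 for joe@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP; Tue, 08 Dec 2015 02:32:21 +0300
From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= <armada.collective@bk.ru>
To: joe@joesdatacenter.com
Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [95.191.131.93]
Message-ID: <1449531141.2696669@f369.i.mail.ru>

"""

# "from <name> (<comment>) by <host> with <proto>"; the "from" part is absent on
# a purely internal hop (the first Received line above), so it is optional.
_RECEIVED_RE = re.compile(
    r"(?:from\s+(?P<from>[^\s;]+)(?:\s+\((?P<comment>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>[^\s;]+)(?:\s+with\s+(?P<with>[^\s;]+))?"
)
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Parse one Received header into a hop dict, or None if it has no 'by' clause."""
    value = re.sub(r"\s+", " ", value).strip()
    m = _RECEIVED_RE.search(value)
    if not m:
        return None
    hop = {"from": m.group("from"), "by": m.group("by"),
           "with": m.group("with"), "from_ip": None}
    # The comment (e.g. "f369.i.mail.ru. [217.69.141.11]") is written by the receiving
    # MTA from what it saw on the socket; the bare name before it is sender-supplied.
    # Prefer the observed address, fall back to a literal like "[95.191.131.93]".
    for candidate in (m.group("comment"), m.group("from")):
        ip = _IPV4_RE.search(candidate or "")
        if ip:
            hop["from_ip"] = ip.group(1)
            break
    return hop


def received_chain(raw):
    """Hops oldest-first: every MTA prepends its own Received, so reverse header order."""
    msg = email.message_from_string(raw)
    hops = (parse_received(v) for v in reversed(msg.get_all("Received", [])))
    return [h for h in hops if h]


def originating_ip(raw):
    """Client address on the oldest hop that recorded one; None if no hop did."""
    for hop in received_chain(raw):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def x_originating_ip(raw):
    """The webmail provider's own claim; only trustworthy if the chain reaches that provider."""
    value = email.message_from_string(raw).get("X-Originating-IP", "")
    ip = _IPV4_RE.search(value)
    return ip.group(1) if ip else None


def decoded_header(raw, name):
    """Decode RFC 2047 encoded words (=?UTF-8?B?...?=) in a header to a plain str."""
    parts = decode_header(email.message_from_string(raw).get(name, ""))
    return "".join(p.decode(cs or "ascii") if isinstance(p, bytes) else p
                   for p, cs in parts)


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop['from'] or '-':22} {hop['from_ip'] or '-':16} -> {hop['by']} ({hop['with']})")
    print("origin per Received chain  :", originating_ip(SAMPLE_HEADERS))
    print("origin per X-Originating-IP:", x_originating_ip(SAMPLE_HEADERS))
    print("From   :", decoded_header(SAMPLE_HEADERS, "From"))
    print("Subject:", decoded_header(SAMPLE_HEADERS, "Subject"))
```

The oldest hop is the only one worth a subpoena: it is the webmail front end (e.mail.ru, "with HTTP") recording 95.191.131.93, and everything above it is mail.ru and Google talking to each other. The SPF/DKIM/DMARC passes in the original headers say only that bk.ru really sent it, not who sat behind the account.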
On 10 December 2015 at 01:48, alvin nanog <nanogml@mail.ddos-mitigator.net> wrote:
what app do you have that talks to port 1900 ?
UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are also from a reflection attack.

We filter UDP 1900 at our border. Not to protect our network from attack, although it still helps. The packets might have come down our IP transit pipes, which are high capacity, but we can still stop it from doing further damage at the smaller pipes in our access network.

We filter UDP 1900 because too many of our customers run vulnerable CPE devices that can be abused as a Chargen reflector. We stop that hard by dropping UDP 1900 both ingress and egress.

He is being hit with a volume based UDP reflection attack. The IP addresses are not faked. They all lead back to people that run vulnerable CPE devices, NTP servers or open DNS resolvers.

Reflection attacks require that you have the ability to send out faked IP addresses. Botnets are generally unable to do that. Their max attack size is limited by the bandwidth at the server, where they have the ability to send out faked UDP packets.

Continuing to attack you if you do not pay is bad business. They could be attacking someone who will pay instead. No one has infinite attack bandwidth available.

Regards,

Baldur
On 10 December 2015 at 01:48, alvin nanog <nanogml@mail.ddos-mitigator.net> wrote:
what app do you have that talks to port 1900 ?
UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are also from a reflection attack.
Sorry, I was made aware that UDP 1900 is SSDP. We still block it :-)

To my knowledge there is no real use case for it and no user has ever complained about that being blocked.

Regards,

Baldur
On 8 Dec 2015, at 14:24, Joe Morgan wrote:
At the point in time we blackholed our ip we were seeing 20+Gbps.
These two presos discuss extortion DDoS and UDP reflection/amplification attacks, specifically - it isn't necessary to resort to D/RTBH to deal with these attacks:

<https://app.box.com/s/776tkb82634ewvzvp26nnout6v4ij39q>
<https://app.box.com/s/r7an1moswtc7ce58f8gg>

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
fingerprint shows China and Russia related as expected

Why do the abuse teams in China and Russia ignore basic abuse reports, why peer/setup connections to companies where abuse is ignored.

Colin
On December 10, 2015 at 08:20 colinj@gt86car.org.uk (Colin Johnston) wrote:
fingerprint shows China and Russia related as expected Why do the abuse teams in China and Russia ignore basic abuse reports, why peer/setup connections to companies where abuse is ignored.
I wonder how much of this is due to language difficulties. Imagine if all your abuse messages and lots of this often informal (and formal) documentation was in Chinese or Russian. Maybe that leads to more poorly managed network facilities and these miscreants take advantage of that.

--
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202          | Login: 617-739-WRLD
The World              | Public Access Internet       | Since 1989     *oo*
participants (6)
- alvin nanog
- Baldur Norddahl
- bzs@theworld.com
- Colin Johnston
- Joe Morgan
- Roland Dobbins