On May 15, KTVB reported that a student had recently launched a cyber-attack on one of Idaho's largest school districts. The attack, identified as a Distributed Denial of Service (DDoS), left the entire district's internet practically unable to function. It was powerful enough to cause internet problems for the affected school district for weeks without ceasing. Many Idaho students working on achievement tests lost all their data, and some even had to retake the exam multiple times because of the severity of the attack. Even the administrative network, which unfortunately included the teachers' payroll data, was compromised.

A DDoS attack occurs when multiple systems compromised by a Trojan are used by a controlling host, or in this case a channel, to target a single host simultaneously, causing a denial of service. In simple terms, the attack floods a single network with an overwhelming volume of internet traffic until it stops dead in its tracks. Most of these attacks exploit problems within the victim computer's TCP/IP stack. Because a DDoS attack comes from hundreds, possibly even thousands, of sources at once, it is practically impossible for any program to track down the actual source of the problem. To make matters worse, a DDoS attack makes it impossible to identify actual, legitimate traffic, because everything gets lost in a haze of incoming data.

Despite the overwhelming odds, the authorities managed to trace the attacker's IP address back to the high school student. Today, he faces the possibility of expulsion, as well as 180 days in a juvenile detention center. Authorities say that he might even be facing serious federal charges. Moreover, the culprit's parents will also be expected to pay any losses that the school district has incurred due to the attacks. A representative for the West Ada School District said that there might be other students within the area who know how to carry out this cyber-attack.
Nevertheless, the spokesperson reassured everyone that further attacks will be dealt with more readily. The district also sent a message to parents of students enrolled in their schools, urging them to help keep their children from committing cyber attacks. Source: http://www.chinatopix.com/articles/51791/20150527/idaho-teen-felony-charges-ddos-attack.htm
Original post:
DDoS Attack Update: Idaho Teen Faces Felony Charges After Unleashing a DDoS Attack on School District

The admin of Therealdeal market ( http://trdealmgn4uvm42g.onion/ ) provided us with some insights about the recent DDoS attacks that have been hitting all the major DNMs in the past week:

In the past few days, it seems like almost every DN market is being hit by DDoS attacks. Our logs show huge amounts of basic HTTP requests aiming for dynamic pages, probably in an attempt to (ab)use as many resources as possible on the server side, for example by requesting pages that execute many SQL queries or generate captcha codes. As we are security oriented, we managed to halt the attack on our servers the moment it showed up in the logs, although this required fast thinking, because dealing with this kind of attack over Tor is not the same as dealing with such an attack over clearnet. New addresses? Shifting pages? Waiting? All these did not work for other markets…

Here you can see the beginning and failure, as caught by Dnstats: As you can see, our market's response time spiked to almost 70 seconds, while our market's usual response time is insanely fast, almost like most clearnet sites. But also, you can see that the response time was back to 2-3 seconds a little after. Here is an example of a darknet market that didn't know how to combat this problem: the flat line at 0 seconds means there was no response from the server.

The Problem

As opposed to clearnet attacks, where mitigation steps could be taken by simply blocking the offending IP addresses, when it comes to Tor the requests are coming from the localhost (127.0.0.1) IP address, as everything is tunneled through Tor. Another problem is the fact that the attackers are using the same user-agent as Tor Browser, hence we cannot drop packets based on UA strings. The attackers are also aiming for critical pages of our site, for example the captcha generation page. Removing this page will not allow our users to log in, or will open the site to brute-force attempts. Renaming this page just made them aim for the new URL (almost instantly; seems very much automated). One of the temporary solutions was to run a script that constantly renamed and re-wrote the login page after 1 successful request for a captcha… Attacks then turned into POST requests aiming for the login page.

Solutions

If you are a DNM owner or just the security admin, check your webserver logs. There is something unique in the HTTP requests, maybe a string asking you to pay to a specific address (assuming these are the same offenders). Otherwise there might be something else… Hint: you might need to load tcpdump during an attack. Hopefully, you are not using some kind of VPS and have your own dedicated servers and proxy servers. Or if you are using some shit VPS, then hopefully you are using KVM or XEN (the first reason being that the memory is leakable and accessible by any other user of the same service; the other reason is control on the kernel level). You can drop packets containing specific strings by using iptables, or use regex too. This is one example of a command that we executed (amongst others) to get rid of the offenders; we cannot specify all of them, so be creative!

iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "(RANSOM_BITCOIN_ADDRESS)" -j DROP

Where (RANSOM_BITCOIN_ADDRESS) is the unique part of the request…

To Other Market Admins:

There are additional things to be done, but if we expose them, this will only start a cat and mouse game with these attackers. If you are a DNM admin, feel free to sign up as a buyer at TheRealDeal Market and send us a message (including your commonly used PGP), since at the end of the day, even though you might see us as a competitor in a way, there are some things (like people stuck without their pain medication from Mexico) that are priceless… Source: http://www.deepdotweb.com/2015/05/11/this-is-the-ransom-ddos-that-is-hitting-the-dark-net-markets/
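A defender-side illustration of the log check and string-match rule described above, added here as an example and not part of the original post or the market's own tooling. The access-log lines, the marker token (PAY_EXAMPLE_MARKER) and the thresholds are constructed for the example; it shows why, behind a Tor hidden service, only the request line itself can separate a flood from real users.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format), not from the article.
# Behind a Tor hidden service every hit arrives from 127.0.0.1 with the Tor Browser
# user agent, so neither the source IP nor the UA string is usable as a filter.
UA = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"

def _line(url, n):
    return f'127.0.0.1 - - [11/May/2015:10:00:{n:02d} +0000] "GET {url} HTTP/1.1" 200 512 "-" "{UA}"'

SAMPLE_LOG = (
    [_line("/index.php", 0), _line("/captcha.php", 1), _line("/login.php?user=alice", 2)]
    + [_line(f"/captcha.php?x=PAY_EXAMPLE_MARKER&n={i}", 3 + i) for i in range(6)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Split one combined-format line into the fields the checks below need."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status, ua = m.groups()
    path, _, query = url.partition("?")
    return {"ip": ip, "ts": ts, "method": method, "path": path, "query": query, "ua": ua}

def hot_paths(records, threshold):
    """Paths hit at least `threshold` times; dynamic pages (captcha, login) are the usual target."""
    counts = Counter(r["path"] for r in records)
    return [p for p, c in counts.most_common() if c >= threshold]

def shared_marker(records, path, min_count, min_len=8):
    """Longish token repeated across the query strings of requests to `path`.
    Automated floods tend to carry one fixed string (the ransom note the admin
    mentions); ordinary users do not. Heuristic: most frequent token, longest on ties."""
    tokens = Counter()
    for r in records:
        if r["path"] == path and r["query"]:
            tokens.update(set(re.findall(r"[A-Za-z0-9_]{%d,}" % min_len, r["query"])))
    best = [(c, len(t), t) for t, c in tokens.items() if c >= min_count]
    return max(best)[2] if best else None

def drop_rule(marker):
    """iptables rule in the form the post shows. xt_string inspects one packet at a
    time, so the marker only matches when it sits inside a single TCP segment."""
    return f'iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "{marker}" -j DROP'

if __name__ == "__main__":
    recs = [p for p in map(parse, SAMPLE_LOG) if p]
    for path in hot_paths(recs, threshold=5):
        marker = shared_marker(recs, path, min_count=5)
        print(path, marker, drop_rule(marker) if marker else "no shared marker")
```

The rule works here because the tor daemon hands the hidden service's HTTP to the local listener in cleartext; the same string match would see nothing on a TLS-terminated clearnet port.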