The DDoS attack on the Ekho Moskvy website began on May 6 at 8:45 Moscow time. Its forerunner on May 5 at 15:00 Moscow time was a small and short-term SYN Flood.
The QRATOR traffic filtering network recorded three different botnets.

The first of these, 20,000 machines in size, performs a classic HTTP Flood: frequent requests to the root page of the site.
In the afternoon, a second network of 45,000 infected computers joined it. It carries out attacks of two types: a UDP Flood with a volume of more than 1 Gbps and an HTTP Flood in which bots request a random page every 1.5-2 seconds.
The third botnet is only 250 machines in size. Its attacks aim to exhaust web server resources (TCP Payload Flood).
Most of the infected computers are located in Asia (China, India, Indonesia, Thailand, the Philippines, Korea, Iran, Iraq) and Africa (Egypt, Algeria, Sudan).
The botnet is growing and, as of 19:50 Moscow time, numbers 89,000 machines. The site is operating normally. Earlier, when a new wave of attackers joined, there were instabilities in resource availability. This is related to filtering the behavior of illegitimate users.
A significant overlap was recorded between the botnets attacking the Echo of Moscow website and those attacking some Armenian media outlets; Armenia holds parliamentary elections on May 6.
UPD: Added stop list schedule with geo binding
UPD2: Technical details, by popular request:
1) It's simple here:
GET / HTTP/1.{0,1}
Host: echo.msk.ru
repeated as many times as the bot can manage before it is banned.
2.1) The UDP Flood is also simple:
send as many kilobyte-sized UDP packets as possible, with the payload filled at random.
2.2) HTTP Flood: it is not known what logic they used to select the URL, but it looked something like this (from the same IP):
06/May/2012:17:06:35 GET /top/ HTTP/1.1
06/May/2012:17:06:35 GET /blog/zoldat/885435-echo/ HTTP/1.1
06/May/2012:17:06:37 GET /likes/e885530 HTTP/1.1
06/May/2012:17:06:37 GET /blog/navalny/885662-echo/ HTTP/1.1
06/May/2012:17:06:38 GET /blog/echomsk/ HTTP/1.1
06/May/2012:17:06:40 GET /news/885730-echo.html HTTP/1.1
06/May/2012:17:06:44 GET /tags/448/ HTTP/1.1
06/May/2012:17:06:45 GET /interview/ HTTP/1.1
06/May/2012:17:06:48 GET /blog/maxkatz/885466-echo/ HTTP/1.1
06/May/2012:17:06:49 GET /polls/885608-echo/comments.html HTTP/1.1
06/May/2012:17:06:53 GET /likes/e885426/ HTTP/1.1
06/May/2012:17:06:53 GET /blog/ HTTP/1.1
06/May/2012:17:06:55 GET /blog/diletant_ru/885131-echo/ HTTP/1.1
06/May/2012:17:06:56 GET /likes/e885701 HTTP/1.1
06/May/2012:17:06:56 GET /news/885504-echo.html HTTP/1.1
06/May/2012:17:06:57 GET /tags/32/ HTTP/1.1
06/May/2012:17:06:57 GET /programs/galopom/ HTTP/1.1
06/May/2012:17:06:57 GET /blog/greglake_/ HTTP/1.1
06/May/2012:17:06:58 GET /blog/dgudkov/885655-echo/ HTTP/1.1
06/May/2012:17:07:01 GET /blog/bornad/885688-echo/ HTTP/1.1
3) Here the bot was apparently still being finished on the go, because at the beginning (from the same bot) you could see various things:
\x00flate, gzip, chunked, identity, trailers
\x00: PHPSESSID=yjjmknexitxltizixmninfxskdjfjjns3kigefqenxqtmg
"././23*#@!#&!@^*(##(()* (^*^*(@&)*_)!@*(^((^*@$& )
XGET /4iqvdjjjx2ilxfzfgk http/0.0
At around 18:00, the guys sorted out their memory problems, and it became clear what was originally intended:
GET /xxidkmie2txz1niln2kx2xxl4ki1tvtmqyjjm4s311kxgvqignxs3e <...> HTTP/1.1
plus
a lot of garbage instead of a request (they write zero bytes)
Sometimes they ask /stylesheets/all.css?5 (it’s not clear why).
Note that this botnet is small but major: Canada, Germany, Spain, France, Great Britain, Greece, Italy, Poland, Portugal.
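One way to flag the request patterns from items 2.2 and 3 in an access log, as an added example that is not QRATOR's filtering logic: a client is marked "page-flood" when it requests pages at a steady short interval without ever fetching static assets, and "malformed" when its request line is not valid HTTP. The client column, the addresses, the /images/logo.png line and both thresholds are assumptions; the paths are adapted from the excerpt above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the page's excerpt has no client column, so the
# addresses (RFC 5737 documentation ranges) and the asset lines are assumed.
SAMPLE_LOG = """\
192.0.2.10 06/May/2012:17:06:35 GET /top/ HTTP/1.1
192.0.2.10 06/May/2012:17:06:37 GET /likes/e885530 HTTP/1.1
192.0.2.10 06/May/2012:17:06:38 GET /blog/echomsk/ HTTP/1.1
192.0.2.10 06/May/2012:17:06:40 GET /news/885730-echo.html HTTP/1.1
192.0.2.10 06/May/2012:17:06:44 GET /tags/448/ HTTP/1.1
192.0.2.10 06/May/2012:17:06:45 GET /interview/ HTTP/1.1
198.51.100.7 06/May/2012:17:06:36 GET /blog/ HTTP/1.1
198.51.100.7 06/May/2012:17:06:36 GET /stylesheets/all.css?5 HTTP/1.1
198.51.100.7 06/May/2012:17:06:37 GET /images/logo.png HTTP/1.1
203.0.113.5 06/May/2012:17:06:41 XGET /4iqvdjjjx2ilxfzfgk http/0.0
"""

LINE = re.compile(r"^(\S+) (\S+) (.*)$")            # client, timestamp, request line
REQUEST = re.compile(r"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]$")
ASSET = re.compile(r"\.(css|js|png|jpe?g|gif|ico)(\?|$)")

def classify(log_text, min_pages=5, max_mean_gap=3.0):
    """Return {client: 'malformed' | 'page-flood' | 'ok'} (heuristic thresholds)."""
    pages = defaultdict(list)    # client -> timestamps of page (non-asset) requests
    assets = defaultdict(int)    # client -> count of static asset requests
    verdict = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, stamp, request = m.groups()
        verdict.setdefault(client, "ok")
        req = REQUEST.match(request)
        if not req:                       # e.g. "XGET ... http/0.0" or raw garbage
            verdict[client] = "malformed"
            continue
        if ASSET.search(req.group(2)):
            assets[client] += 1
        else:
            pages[client].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S"))
    for client, times in pages.items():
        if verdict[client] != "ok" or assets[client] or len(times) < max(min_pages, 2):
            continue                      # browsers normally pull CSS/images with pages
        mean_gap = (max(times) - min(times)).total_seconds() / (len(times) - 1)
        if mean_gap <= max_mean_gap:      # the page reports one request per 1.5-2 s
            verdict[client] = "page-flood"
    return verdict
```

Because the bots described above sometimes request /stylesheets/all.css?5 themselves, the asset check is a weak signal on its own and would need to be combined with other behavioral features in practice.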