
How I caught a hacker

It happened in early 2008, when I was still working at a large Ukrainian bank as an engineer in the IT department. The New Year holiday bustle had just died down and the load on the technical support teams had eased a little, when one of the web servers under my responsibility reported that it was running out of disk space. A quick look showed that the IIS logs were growing rapidly on the server that hosted one of the bank's public payment systems. My fears were confirmed: a DDoS attack on the server had begun.
The attack looked like this: at 150-200 requests per second, the same URL was being fetched with the GET method from a large number of IP addresses. In other words, a small international botnet was at work. The server itself and the bank's firewall were coping with the attack, so I had enough time to study it and work out a plan to eliminate it.

First, I analyzed the geography of the attacking IP addresses. The intensity was spread evenly across countries, and blocking any region was out of the question: customers from all over the world used the bank's web service, and cutting off any segment would have meant financial losses for the bank. Next, anticipating that the attack might intensify, I reduced the size of the attacked page to a minimum. The load on the server and the firewall dropped, and the response was not long in coming: the hacker controlling the botnet switched the targeted URL to a GIF image, one of the largest elements of the site. That gave me a good head start, and I prepared my countermeasures thoroughly. I wrote a number of LogParser scripts that processed the web server logs and exposed "abnormal" client behaviour, where "abnormal" meant visiting pages in a sequence characteristic of neither the bank's customers nor the botnet. LogParser handled gigabyte-sized logs without trouble, which gave me a good chance of reacting quickly.

By this point the attack had reached 500 requests per second. So, having prepared, I set the bait: I renamed the attacked image, made the 404 error page minimal, and waited. After a while the attack paused for a moment. Since its effectiveness had dropped to zero, the hacker began manually "probing" the site through a browser for large elements, and LogParser quickly picked out this "abnormal" behaviour. That was all I needed: the hacker's IP address was in my hands, and, surprisingly, it belonged not to an anonymous proxy server but to a Ukrainian hosting provider, which was moreover a good customer of this very banking web service.
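The two log-analysis ideas in the story, spotting the botnet's flood of one URL and spotting the operator's hand-driven "abnormal" browsing after the bait was set, can be reproduced on IIS W3C logs in a few dozen lines. The script below is an added example written for this page; it is not the author's LogParser scripts, and the log excerpt, IP addresses (documentation ranges), paths and the "normal customer flow" are constructed for illustration. It parses the `#Fields:` directive, reports the peak per-second request rate per URL (the flood signature), and classifies each client as `flood` (N requests to one URL inside a short window), `normal` (its page sequence is an in-order subsequence of a known customer flow) or `abnormal` (neither, e.g. a client that hits the renamed image, gets a 404, and then wanders through directories and other large assets).

```python
"""Flood and 'abnormal browsing' detection over IIS W3C extended log lines.

Added example for this page, not the author's LogParser scripts.
All addresses, paths and the customer flow below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Sequence

# Constructed IIS 6.0 log excerpt: one customer (203.0.113.5), two botnet
# members (198.51.100.7/.8) hammering the GIF, and one client (192.0.2.77)
# probing by hand after the GIF was renamed and started returning 404.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2008-01-10 10:00:00 203.0.113.5 GET /pay/login.aspx 200 5120
2008-01-10 10:00:00 203.0.113.5 GET /pay/banner.gif 200 48211
2008-01-10 10:00:01 198.51.100.7 GET /pay/banner.gif 200 48211
2008-01-10 10:00:01 198.51.100.8 GET /pay/banner.gif 200 48211
2008-01-10 10:00:01 198.51.100.7 GET /pay/banner.gif 200 48211
2008-01-10 10:00:02 198.51.100.8 GET /pay/banner.gif 200 48211
2008-01-10 10:00:02 198.51.100.7 GET /pay/banner.gif 200 48211
2008-01-10 10:00:02 198.51.100.8 GET /pay/banner.gif 200 48211
2008-01-10 10:00:03 198.51.100.7 GET /pay/banner.gif 200 48211
2008-01-10 10:00:03 198.51.100.8 GET /pay/banner.gif 200 48211
2008-01-10 10:00:03 198.51.100.7 GET /pay/banner.gif 200 48211
2008-01-10 10:00:04 198.51.100.8 GET /pay/banner.gif 200 48211
2008-01-10 10:00:10 203.0.113.5 GET /pay/account.aspx 200 7300
2008-01-10 10:00:25 203.0.113.5 GET /pay/transfer.aspx 200 6900
2008-01-10 10:05:00 192.0.2.77 GET /pay/banner.gif 404 180
2008-01-10 10:05:06 192.0.2.77 GET /pay/ 200 5120
2008-01-10 10:05:15 192.0.2.77 GET /pay/images/ 403 210
2008-01-10 10:05:31 192.0.2.77 GET /pay/logo.gif 200 31000
2008-01-10 10:05:50 192.0.2.77 GET /pay/photo.jpg 200 95000
"""

# Hypothetical "how a real customer moves through the site" sequence.
NORMAL_FLOWS: List[Sequence[str]] = [
    ("/pay/login.aspx", "/pay/banner.gif", "/pay/account.aspx",
     "/pay/transfer.aspx", "/pay/confirm.aspx"),
]


def parse_iis_log(text: str) -> List[dict]:
    """Parse W3C extended format; column names come from the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line seen before #Fields directive")
        rec = dict(zip(fields, line.split()))
        rows.append({
            "ts": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
            "ip": rec["c-ip"],
            "uri": rec["cs-uri-stem"],
            "status": int(rec["sc-status"]),
        })
    return rows


def peak_requests_per_second(rows: List[dict]) -> Dict[str, int]:
    """Busiest single second per URL across all clients: the flood signature."""
    buckets = defaultdict(lambda: defaultdict(int))
    for r in rows:
        buckets[r["uri"]][r["ts"]] += 1  # timestamps have one-second resolution
    return {uri: max(per_sec.values()) for uri, per_sec in buckets.items()}


def _is_flood(reqs: List[dict], flood_min: int, window_s: int) -> bool:
    """True if one client asked for the same URL flood_min times within window_s."""
    per_uri = defaultdict(list)
    for r in reqs:
        per_uri[r["uri"]].append(r["ts"])
    for stamps in per_uri.values():
        stamps.sort()
        for i in range(len(stamps) - flood_min + 1):
            if (stamps[i + flood_min - 1] - stamps[i]).total_seconds() <= window_s:
                return True
    return False


def _collapse(seq: List[str]) -> List[str]:
    """Drop consecutive repeats so page reloads do not break flow matching."""
    out: List[str] = []
    for item in seq:
        if not out or out[-1] != item:
            out.append(item)
    return out


def _is_subsequence(seq: Sequence[str], flow: Sequence[str]) -> bool:
    it = iter(flow)  # 'in' consumes the iterator, enforcing order
    return all(page in it for page in seq)


def classify_clients(rows: List[dict], normal_flows: List[Sequence[str]],
                     flood_min: int = 5, window_s: int = 10) -> Dict[str, str]:
    """Label each client IP as 'flood', 'normal' or 'abnormal'."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    verdict = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        if _is_flood(reqs, flood_min, window_s):
            verdict[ip] = "flood"
            continue
        pages = _collapse([r["uri"] for r in reqs])
        matches_flow = any(_is_subsequence(pages, f) for f in normal_flows)
        verdict[ip] = "normal" if matches_flow else "abnormal"
    return verdict


if __name__ == "__main__":
    parsed = parse_iis_log(SAMPLE_LOG)
    print("peak req/s per URL:", peak_requests_per_second(parsed))
    for ip, label in sorted(classify_clients(parsed, NORMAL_FLOWS).items()):
        print(f"{ip:15} {label}")
```

The `abnormal` bucket is deliberately small: it excludes anything that looks like the flood and anything that fits a known customer path, so what remains is exactly the hand-driven browsing the story describes. On real gigabyte logs the same three functions work unchanged; only `NORMAL_FLOWS` and the flood thresholds need tuning to the site.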
- Hello, Sergey Ivanovich, good afternoon. This is <% bank_name %> calling; a DDoS attack on our site is being coordinated from your server.
- Hello. Tell me the IP.
- XXX.XXX.XXX.XXX
- Yes, the client is working in a terminal session on this server right now. I will disconnect him and give you access to the server. These freaks need to be fought. By the way, I have his contact details.
- Thank you, I will inform the bank's security service; they will contact you.

... to be continued (the ICQ conversation with the hacker, "cutting off" the worm's head, my testimony at the Department for Combating Economic Crimes and, finally, how it all ended)

UPD: on banzeg's advice, moved to Information Security
UPD: continued here: How I caught a hacker 2

Source: https://habr.com/ru/post/86282/
