aa419 DDoS Aug 2013 Breakdown
Over the past few days, aa419 has been under a DDoS attack once agin. Somewhere out there, there is a happy “scammer client”. We are always happy to please and note your appreciation of our services, confirming the need for aa419 to be on the net doing what we do.
So when our “scammer client” hired a botnet to show his appreciation, we put steps into place.
It was believed to be in the best interests of the Internet community publish these statistics
A Problem in Escalation
Of late botnets have been abused to DDoS anti-abuse sites in an attempt at hiding criminality that targets the end users. However reporting these bots is a near impossible task due to lacking and stale information on network owners. Many companies that spend millions on advertising trying to convince their clients they are simply the best, are extremely negligent when maintaining their network information at their Regional Internet Registry.
What does this mean to you as a user of their services?
If a party like aa419 happens to notice abuse coming from an IP addess you are using, we will not know it is you who it is currently assigned to. What we will see is the network owner information (theoretically at least). There should be some form of valid contact that can easily be reached that will allow us to inform your provider of this abuse. However, if this information is not available, we have to go on a sleuthing exercise to try and determine the relevant esclation channel, or or alternative (slower) escalation channels.
In the meantime somebody unknown to you may have full access to your system, downloaded malware onto your system and is abusing it to attack us. His unauthorized access also allows him to steal information from you such as passwords and other personal details about you that in turn can be abused to your detriment. Also, at the same time, you may well be paying for his abuse of your system in terms of bandwidth used. Your system may also be abused to compromise other parties on the same home network as you, safely protected inside your own home network (or so you thought)!
As such any responsible provider would be keen to know about abuse on their network and not allowed it to be used as such. But if they cannot be contacted, they do not live up to their promised service.
At this stage we should also mention that another category of provider exists, one that supplies VPN’s to his clients. This can be done responsibly, or irresponsibly. We will shortly see an example of this.
After trying to manually contact providers or other responsible parties, with numerous bounced emails ( It was also considered publishing such network records, but that will keep for if we ever end up in this situation again.), it was decided to publish our botnet client related DDoS statistics. This will enable the internet user to decide for himself what is safe and what is not, allowing him to protect himself.
aa419 invites contact from the providers and CERTS if evidence is needed. A special email address has been set up to receive your emails: ddosalert(AT)aa419.org.
A total of 3782 were sorted by Region, Country Code, AS number. and IP address. This allows the reader to easily spot problem areas and take perventative action.
We have also posted the full details by regions:
- AFRINIC (African Region)
- APNIC (Asia/Pacific Region)
- ARIN (North America)
- LACNIC (South America)
- RIPENCC (Europe)
Here is a summary of each area:
297 Bots total for AFRINIC
73 Algeria – The country with the most bots in AFRINIC
65 The AS with the most bots was AS36947: ALGERIE TELECOM
1299 Bots total for APNIC
310 India – The country with the most bots in APNIC
119 The AS with the most bots was AS36947: BSNL Internet
42 Bots total
35 USA – The country with the most bots in ARIN
9 The AS with the most bots was AS4436: nLayer*
*Also see what part VPN providers plays in these stats in
“A Special Note on the USA” below
593 Bots total
184 PERU – The country with the most bots in LACNIC
119 The AS with the most bots was AS6147: Telefonica del Peru S.A.A.
1551 Bots total for RIPENCC
348 Iran – The country with the most bots in RIPENCC
210 The AS with the most bots was AS21277: Newroz Telecom Ltd.
1551 Region with the highest number of bots – RIPENCC
348 Iran – The country with the most bots
210 AS21277: Newroz Telecom Ltd, the AS with the most bots
TOP 10 ASNs
210 AS21277 Newroz Telecom Ltd, Iran
173 AS6147 Telefonica del Peru S.A.A., Peru
127 AS9198 JSC Kazakhtelecom, Kazakhstan
119 AS9829 BSNL Internet, India
92 AS50710 EarthLink Ltd, Iraq
91 AS12880 Information Technology Company (ITC), Iran
86 AS8151 Uninet S.A. de C.V., Mexico
84 AS17882 UNIVISION LLC, Mongolia
80 AS36947 ALGERIE TELECOM, Algeria
75 AS14754 Telgua, Guatemala
Top 10 Countires
348 IR Iran
310 IN India
308 IQ Iraq
223 TH Thailand
216 PH Philippines
198 RU Russia
192 KZ Kazakhstan
184 PE Peru
144 VN Vietnam
100 MX Mexico
Some of the statistics are not a surprise and has been discussed before. However we were certainly surprised by the appearance of some of these countries on the radar. Somewhere the figure was bantered about that the Internet serves 2.4 billion users currently. We are all one another’s neighbor. We trust this serves as a red flag to take corrective action if you find yourself to be linked to any of these stats in any way and we cans stay good neighbors.
A Special Note on the USA
Of note is how few bots were seen from the USA. The USA needs to be commended for their low prevalence in the logs.
At this stage it may be appropriate to analyze the top four abused US networks. Where abuse could be seen, the most abused networks can be attributed to VPN providers. nLayer, Hurricane Electric and EGIHosting are well known. Areti Internet is a new name to us.
9 AS4436 nLayer
5 AS6939 Hurricane Electric, Inc
5 AS21321 Areti Internet Ltd.
3 AS18779 EGIHosting
Let us put this into perspective:
22 IPs attributed to nLayer/Hurricane Electric/Aret/EGIHosting
35 Abused IP addresses for the USA.
More than half the USA abuse was attributable to VPNS!
Further, more than one remote bot may abuse a single VPN provider. As such:
22+ Bots attributed to nLayer/Hurricane Electric/Aret/EGIHosting
nLayer, Hurricane Electric and EGIHosting has been observed to be a contributor to online incidents where even the most common garden variety scammer scamms from. Their appearance once again, but now in denial of service attacks, is predictable as these providers have no real control over who they allow on their services as their is no real accountability. One of their common clients, AnchorFree with their HotSpot Shield product, by their own admittance, keeps no logs to ensure their user’s privacy. Privacy to do what? Privacy and anonymity are not synonyms. We see the results in our logs and in our email boxes. Likewise we can be sure other service providers see the same.resulting abuse related to these VPN services. Previous HostExploit reports bears testimony to this.
List and Block Removal
Numerous parties had (not so) bright ideas to automate processes and did so incorrectly. These further contributed substantially to the server load and have been blocked, although not listed, One or more such entries may still exist. If you find yourself listed, please consider what you did that may have caused you to be listed before contacting us.
If you are one of our friends with a special arrangement, please accept our apologies.
We accept list removal requests for innocent issues, however the logs will be scrutinized before considering such requests.
Should a network provider indicate an IP address or range has been cleaned, such an IP address or range will be unblocked in good faith. Repeat requests to unblock after a previous unblocking was done and malicious activity was seen again causing blocking, will not be done without explanations of what was done in an attempt to resolve this issue.
All possible steps were taken to check the logs for correctness as to present accurate and reliable data. No responsibility will be taken for information supplied in good faith but which is not correct. Checking the activity of each connection during a DDoS attack manually is near impossible. Automation may fail and produce false positives. Where such FP’s were noted, corrective steps were taken and the results reproduced as to produce fair and impartial statistics.