(11:02:24 PM) zimzum: around?
(11:02:34 PM) zimzum has not been authenticated yet. You should authenticate this buddy.
(11:02:34 PM) Unverified conversation with zimzum started.
(9/16/2011 6:26:16 AM) MattM@staminus.net: hey
(9:53:36 AM) zimzum: around?
(9:53:40 AM) MattM@staminus.net: yes
(9:53:43 AM) zimzum: ah
(9:54:00 AM) zimzum: ok umm...where to start
(9:54:57 AM) zimzum: ok so my friend's data center (alchemy.net) received ddos. the ddos was not hitting an irc-related customer but I have stuff in his DC so I agreed to look into it
(9:55:46 AM) zimzum: in the process I discovered that 1 of the reflectors attacking his datacenter was also attacking yours
(9:55:47 AM) zimzum: lol
(9:55:56 AM) MattM@staminus.net: sweet
(9:56:06 AM) zimzum: within my organization we have a SANS handler
(9:56:24 AM) zimzum: he assisted me in the matter
(9:56:33 AM) zimzum: sec
(9:57:05 AM) zimzum:
alert tcp $HOME_NET any -> [72.20.37.45,72.20.38.118,72.20.38.4,72.20.38.92,72.20.40.52,72.20.41.225,72.20.44.133,72.20.44.135,72.20.44.205,72.20.45.83] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 167) - BLOCKING SOURCE"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405332; rev:2449; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [72.20.37.45,72.20.38.118,72.20.38.4,72.20.38.92,72.20.40.52,72.20.41.225,72.20.44.133,72.20.44.135,72.20.44.205,72.20.45.83] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 167) - BLOCKING SOURCE"; reference:url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405333; rev:2449; fwsam: dst, 30 days;)
(9:57:16 AM) zimzum: your victim IP was 72.20.41.205
(9:57:36 AM) zimzum: when i looked around to find out more info I found those snort rules in the botnet C&C rules from emerging threats...
(9:58:27 AM) zimzum: basically, a (relatively) new udp reflection/amplification attack is being perpetrated where people are abusing "Enemy Territory" game servers as the reflectors and requesting game information with a spoofed UDP packet
(9:58:41 AM) MattM@staminus.net: fun
(9:58:55 AM) zimzum: all of those stam IPs are sh3lls
(9:59:32 AM) zimzum: so after i wrap up ddos analysis and leave my buddy to auditing his bgp prefixes i go on efnet
(9:59:53 AM) zimzum: wherein my friend is upset over a channel takeover. he lost a channel that he has had since 1999 to a guy named medeski
(10:00:18 AM) zimzum: and his friend
(10:00:23 AM) zimzum: guess who hosts their botnet!
(10:01:08 AM) zimzum: paid for by some guy named dystro
(10:01:23 AM) zimzum: now they're juping nicknames with it lol
(10:01:29 AM) zimzum: so i have to ask you....how the fuq does sh3lls stay in business man!
(10:01:38 AM) MattM@staminus.net: no clue
(10:01:40 AM) zimzum: oh and let's forget all of that for a second
(10:01:45 AM) zimzum: they also have user 'haddem'
(10:01:49 AM) zimzum: who I am sure you're familiar with
(10:01:55 AM) MattM@staminus.net: i haven't been on efnet for 5 years
(10:01:56 AM) MattM@staminus.net: maybe more
(10:02:10 AM) zimzum: well he's been sending (and attracting) >10gbit ddos to staminus
(10:02:21 AM) zimzum: and is quite friendly with kelly last i checked
(10:02:29 AM) zimzum: you should probably familiarize yourself haha
(10:03:21 AM) zimzum: the SANS handler had this to say when your ASN came up "seems they take a lot of heat. and there are often questions about what side of the fence they are on"
(10:04:32 AM) zimzum: i would like to approach sh3lls directly about some of these issues but its owner has been idle a couple days now
(10:05:06 AM) zimzum: any suggestions? policies of yours I should know about?
(10:05:14 AM) MattM@staminus.net: no idea
(10:05:49 AM) MattM@staminus.net: I don't follow this kind of drama. If you have abuse to report, email abuse@staminus.net.
(10:06:08 AM) zimzum: you don't follow your data center getting ddos'd?
(10:06:26 AM) MattM@staminus.net: No, we get hundreds of > 10 Gbps attacks per day.
(10:06:36 AM) MattM@staminus.net: Thousands of attacks in total.
(10:06:44 AM) zimzum: awesome.
(10:07:27 AM) MattM@staminus.net: I don't want to sound dismissive, but I just don't handle abuse, whether at our customers, or from our customers.
(10:10:12 AM) zimzum: ok
(10:11:09 AM) MattM@staminus.net: also, our TOS is at www.staminus.net/TOS
(10:11:26 AM) MattM@staminus.net: So if you're emailing abuse@, make sure there's a violation there