An organized cyber crime gang known for aggressively pushing male enhancement drugs and other knockoff pharmaceuticals used Internet addresses belonging to Microsoft as part of a massive denial-of-service attack against KrebsOnSecurity.com late last month.
The attack on my Web site happened on Sept. 23, roughly 24 hours after I published a story about a criminal online service that brazenly sold stolen credit card numbers for less than $2 each (see: I’ll Take Two MasterCards and a Visa, Please). That story got picked up by BoingBoing, Gizmodo, NPR and a variety of other sites, public attention that no doubt played a part in the near-immediate suspension of that criminal Web site.
At first, it wasn’t clear what was behind the attack, which at one point caused a flood of traffic averaging 2.3 gigabits of junk data per second (see graph above). Not long after the attack ended, I heard from Raymond Dijkxhoorn and Jeff Chan, co-founders of SURBL, which maintains a list of Web sites that have appeared in spam. Chan sent me a message saying he had tracked the attack back to several Internet addresses, including at least one that appeared to be located on Microsoft’s network — 131.107.202.197.
According to SURBL, the culprits were botnets under the thumb of “the usual Russian pill gangs”: Dozens of domains that resolve(d) to online pharmacy sites — including bridgetthefidget.com, crazygraze.com, firstgang.com, triplefixes.com and philsgangdirect.com — were using a compromised machine at that Microsoft address as a domain name server.
The attackers then told machines they controlled to access a number of non-existent pages at sites that were pointing to the Internet address my hosting provider has assigned to KrebsOnSecurity.com (94.228.133.16). This forced several hundred or thousand machines to direct their traffic at my site, all in an attempt to prevent legitimate visitors from visiting it.
For example, the attack packets included DNS for false requests such as:
mzkzalczdznzjzfbszvzazd.jumpgirlsaloud.nl A 94.228.133.163
sdfsdfsdfsdfsdffbszvzazd.youralveolarbone.nl A 94.228.133.163
zzncmzkzalczdznzjzfbszvzazd.cheapxenonbulbs.com A 94.228.133.163
zzncmzkzalczdznzjzfbszvzazd.expletivedirect.com A 94.228.133.163
I found the unusual method of attack interesting because it called attention to a significant amount of infrastructure used by the bad guys. For all I know, this may have been intentional, either to let me know who was responsible, or to make me think I knew who was responsible.