After security journalist Brian Krebs exposed the DDoS-for-hire service, vDOS, and the alleged owners of the service were arrested, a massive attack was launched against the Krebs on Security site.
Last Thursday, Krebs wrote about vDOS and the two 18-year-old Israeli hackers running the DDoS attack service. In the past two years, the duo launched over 150,000 attacks and made at least $618,000. vDOS had been hacked, and Krebs had obtained a copy of the vDOS database.
vDOS had paying subscribers, with the cost depending upon how many seconds the DDoS attack lasted. Krebs reported, “In just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic.”
Shortly after Krebs’ investigative article started hitting the news, Yarden Bidani and Itay Huri were arrested by Israeli police in connection with an FBI investigation into the DDoS-for-hire service. After the two handed over their passports, they were released on bond, placed under house arrest and banned from using any electronic communications for 30 days.
On Friday, the Krebs on Security site was hit with a “heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps.” Krebs added, “A single message was buried in each attack packet: ‘godiefaggot’.”
Firm launched BGP hijacking attack against vDOS
Also on Friday, vDOS—which had a minimum of four servers hosted in Bulgaria—went offline. The reason for this, according to Krebs, was a BGP hijacking attack launched by BackConnect Security. The company offers “advanced DDoS protection services.” You can theoretically “watch a replay” of the attack, according to commenters on Krebs’ article.
Bryant Townsend, CEO of BackConnect Security, confirmed it was behind the attack, telling Krebs that it had been attacked and vDOS had claimed credit.
“For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend said. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.”
CloudFlare dumped vDOS logs
Then on Friday evening, CloudFlare—which vDOS had been hiding behind—released vDOS attack logs from April through July 2016. Although vDOS had been operating since September 2012, a good portion of the logs had likely been wiped.
Regarding the logs released by CloudFlare, Krebs reported:
The file lists the vDOS username that ordered and paid for the attack; the target Internet address; the method of attack; the Internet address of the vDOS user at the time; the date and time the attack was executed; and the browser user agent string of the vDOS user.
vDOS operators had bad OPSEC
The two Israeli hackers were lax about OPSEC and protecting their identities. They published a technical paper (pdf) on DDoS attack methods with Huri using his real name and Bidani using a Gmail address that linked back to being a vDOS administrator.
Additionally, Bidani—aka “AppleJ4ck”—had discussed DDoS attacks on Facebook. Huri’s phone number was used for the vDOS site registration records and for receiving text messages when a vDOS customer opened a support ticket. Huri—aka P1st—had planned to join the Israel Defense Forces. If that is still the plan, then he’ll surely learn better OPSEC.
I highly recommend reading both of Krebs’ articles: Alleged vDOS Proprietors Arrested in Israel and Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years. The attacks may still be ongoing against Krebs’ site, as there were times when it was unreachable.