Warning: Dangerous DDoS attacks by ZZb00t targeting multiple new victims
A series of unrelenting DDoS attacks has been primarily targeting European and especially German websites since late April. Behind the attacks on ecommerce shops, logistic enterprises and telecommunications providers is a hacker with the Twitter handle @ZZb00t. The LSOC is warning of the attacks that are targeting the original web server IP addresses and internal networks.
On the grounds that “So much #insecure #servers out there“ (source: Twitter, 29.04.2017) a hacker with the pseudonym ZZb00t has been repeatedly starting DDoS attacks against websites since April 22. The majority of his victims are located in Germany. Looking for weaknesses in IT infrastructure, ZZb00t has already successfully attacked ecommerce shops, logistic enterprises and telecommunications providers. Though many of the attacked companies purchased DDoS protection, they are defenseless against these attacks. According to analyses from the Link11 Security Operation Centers (LSOC), the reason for this is that no protection of the Origin IP was set up and that the protective solution was not fully implemented. Besides that, the attacked companies did not implement DDoS infrastructure protection.
According to the LSOC analysis, the following information about the DDoS attackers is available:
- Perpetrators: ZZb00t describes himself on his @zzb00t Twitter profile as a “gray hat,” who previously worked as an IT security consultant. He exclusively uses tweets to communicate his attacks and to ridicule the attacked companies: “„Did I mention that I hear hardstyle during an attack? Strikes hard as #DDoS“ (source: Twitter, 13.05.2017).ZZb00t answered the question of whether a group or a loner was behind it with a tweet: „I'M NOT A GROUP!!! You got pwned by a single person“ (source: Twitter, 13.05.2017)
- Chronology: On April 22, ZZb00t began communicating on Twitter about his DDoS activities. This coincided almost perfectly with the DDoS blackmailing from the XRM-Squad. This group declared their attacks from April 19 to 26, 2017 to be pentests against companies in Germany, but reinstated them a week later. Since the first day and tweet, ZZb00t has been active on a daily basis, announcing attacks, commenting on the consequences, and mocking his victims.
- Motivation: Financial interests do not appear to be behind ZZb00t’s DDoS attacks. The LSOC is not aware of any information about demands for protection money. ZZb00t describes himself in his Twitter profile, however, as a “#vulnerabilities hunter” and repeatedly states that the reason for his behavior is the poor protection of servers: „So much #insecure #servers out there“ (source: Twitter, 29.04.2017).
- Targets: Despite having mainly targeted logistics companies, the following industries have also been victims of ZZb00t: Hosting providers, ecommerce shops, online marketplaces as well as e-sports platforms.
- Early warnings: ZZb00t announces his attacks with several hours’ notice in his tweets: „Stresstest will start on 15/05/2017 15:00 CEST (source: Twitter, 14.05.2017) and “your server performance test is on the way. Starting at 19:00 CEST (source: Twitter, 11.05.2017)
- Attack patterns: ZZb00T relies on volume, protocol, and application attacks that last from a few minutes to several hours and days. The effectiveness of the attacks is not exceptionally high with up to 20 Gbps. But it’s enough to take servers with 1-2 Gbps uplinks offline.
- What makes the attacks by ZZb00T special is that they don’t attack the domain names, but rather take aim at the original IP address. Information on which IP addresses belong to a domain can be queried online in databases with just a few clicks of the mouse. ZZb00t specifically exploits the vulnerability of many IT infrastructures that neglect the DDoS protection for their original IP addresses and don’t shield them from direct access with a Site Shield.
- Risk assessment: The DDoS-related downtime of the attacked companies speaks for themselves. ZZb00t is very successful with his attacks. His announcements of new attacks must absolutely be taken seriously.
The LSOC is advising all companies to consider whether the existing current DDoS protection of their domain name also covers the subdomains. In addition, the IP address of the original server must not be directly accessible from the internet. To this end, the implementation of a Site Shield is recommended. To protect even internal networks, an infrastructure protection solution via BGP should be installed.
Stay updated on current DDoS reports, warnings, and news about IT security, cybercrime and DDoS protection.
Follow Link11 on Twitter
A simple visualization of how the Underground Cybercrime Economy cashes in on data and DDoS attacks. To learn more,…
9 Retweets 9Read More
How to protect your business and website from DDoS attacks during the biggest sales period of the year:…
5 Retweets 6Read More
What are DDoS Attacks and how do cybercriminals use them as weapons to shut down IT infrastructures? And more impor…
7 Retweets 5Read More
This is why (and how) you should block bots on your business website (includes a list of most common bot attacks):…
13 Retweets 9Read More
What is Web Application Firewall, why do you need it and how does it protect your company? Learn more by reading ou…
3 Retweets 5Read More
@RandyLoss Hah, you weren't the only one saying that.
0 Retweets 0
@vxtrade Your company might ;)
0 Retweets 1
@deckhand25 He is not, but close enough! ;)
0 Retweets 1
What would you do if you received a 180 000€ DDoS extortion email warning to exceed your web infrastructure defense…
1 Retweets 4Read More
Get a detailed and up to date overview of the global DDoS threat landscape by taking a look at our DDoS Report from…
6 Retweets 5Read More
@SecurityParalok Link11 DDoS Protection can help!
0 Retweets 0