Warning: Dangerous DDoS attacks by ZZb00t targeting multiple new victims
A series of unrelenting DDoS attacks has been primarily targeting European and especially German websites since late April. Behind the attacks on ecommerce shops, logistic enterprises and telecommunications providers is a hacker with the Twitter handle @ZZb00t. The LSOC is warning of the attacks that are targeting the original web server IP addresses and internal networks.
On the grounds that “So much #insecure #servers out there” (source: Twitter, 29.04.2017), a hacker using the pseudonym ZZb00t has been repeatedly launching DDoS attacks against websites since April 22. The majority of his victims are located in Germany. Looking for weaknesses in IT infrastructure, ZZb00t has already successfully attacked ecommerce shops, logistic enterprises and telecommunications providers. Although many of the attacked companies had purchased DDoS protection, they were still defenseless against these attacks. According to analyses by the Link11 Security Operation Center (LSOC), the reason is that no protection of the origin IP had been set up and the protective solution had not been fully implemented. In addition, the attacked companies had not implemented DDoS infrastructure protection.
According to the LSOC analysis, the following information about the DDoS attackers is available:
- Perpetrators: ZZb00t describes himself on his @zzb00t Twitter profile as a “gray hat” who previously worked as an IT security consultant. He uses tweets exclusively to communicate his attacks and to ridicule the attacked companies: “Did I mention that I hear hardstyle during an attack? Strikes hard as #DDoS” (source: Twitter, 13.05.2017). ZZb00t answered the question of whether a group or a loner was behind the attacks with a tweet: “I'M NOT A GROUP!!! You got pwned by a single person” (source: Twitter, 13.05.2017).
- Chronology: On April 22, ZZb00t began communicating on Twitter about his DDoS activities. This coincided almost perfectly with the DDoS blackmailing from the XRM-Squad. This group declared their attacks from April 19 to 26, 2017 to be pentests against companies in Germany, but reinstated them a week later. Since the first day and tweet, ZZb00t has been active on a daily basis, announcing attacks, commenting on the consequences, and mocking his victims.
- Motivation: Financial interests do not appear to be behind ZZb00t’s DDoS attacks. The LSOC is not aware of any demands for protection money. ZZb00t describes himself in his Twitter profile, however, as a “#vulnerabilities hunter” and repeatedly states that the reason for his behavior is the poor protection of servers: “So much #insecure #servers out there” (source: Twitter, 29.04.2017).
- Targets: Although ZZb00t has mainly targeted logistics companies, his victims also include hosting providers, ecommerce shops, online marketplaces and e-sports platforms.
- Early warnings: ZZb00t announces his attacks with several hours’ notice in his tweets: “Stresstest will start on 15/05/2017 15:00 CEST” (source: Twitter, 14.05.2017) and “your server performance test is on the way. Starting at 19:00 CEST” (source: Twitter, 11.05.2017).
- Attack patterns: ZZb00t relies on volumetric, protocol and application-layer attacks that last from a few minutes to several hours or days. The attack volumes, at up to 20 Gbps, are not exceptionally high, but they are enough to take servers with 1-2 Gbps uplinks offline.
- What makes the attacks by ZZb00t special is that they do not target the domain names but the origin IP address behind them. Which IP addresses belong to a domain can be queried online in databases with just a few clicks of the mouse. ZZb00t specifically exploits the weakness of many IT infrastructures that neglect DDoS protection for their origin IP addresses and do not shield them from direct access with a Site Shield.
- Risk assessment: The DDoS-related downtime of the attacked companies speaks for itself. ZZb00t is very successful with his attacks, and his announcements of new attacks must absolutely be taken seriously.
The LSOC is advising all companies to check whether their existing DDoS protection for the domain name also covers its subdomains. In addition, the IP address of the origin server must not be directly accessible from the internet; to this end, the implementation of a Site Shield is recommended. To protect internal networks as well, an infrastructure protection solution via BGP should be installed.
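The two checks recommended above (does the protection cover every subdomain, and is the origin unreachable except through the protection layer) can be audited from a zone export before an announced attack window. The following script is an added example written for this advisory; it is not Link11 tooling and does not implement Site Shield. The provider prefixes, the zone records and the domain names are constructed placeholders: it flags any A/AAAA record whose address lies outside the assumed scrubbing provider's ranges (a forgotten `mail.` or `dev.` record is a typical origin leak), and renders an nftables allowlist that accepts HTTP(S) on the origin only from those ranges, which is the host-level complement to a Site Shield.

```python
"""Audit DNS records for exposed origin IPs and render an origin allowlist.

Added example for this advisory, not Link11 code. All prefixes, hostnames
and addresses below are constructed placeholders (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumed address ranges of the DDoS scrubbing / CDN provider (placeholders,
# not any real provider's prefixes). Every public record should point here.
PROTECTED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed zone export: hostname -> A/AAAA record values.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com":      ["203.0.113.10"],
    "www.example.com":  ["203.0.113.10"],
    "shop.example.com": ["203.0.113.11"],
    "mail.example.com": ["198.51.100.20"],                    # points straight at the origin
    "dev.example.com":  ["198.51.100.21"],                    # forgotten test subdomain
    "api.example.com":  ["2001:db8:1::10", "198.51.100.22"],  # v6 protected, v4 leaks
}


def is_protected(ip: str, prefixes: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the address falls inside one of the protection provider's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def find_exposed_records(zone: Dict[str, List[str]],
                         prefixes: Iterable[ipaddress._BaseNetwork]) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs whose address bypasses the protection layer.

    Sorted by hostname so the report is stable across runs.
    """
    exposed: List[Tuple[str, str]] = []
    for name, ips in sorted(zone.items()):
        for ip in ips:
            if not is_protected(ip, prefixes):
                exposed.append((name, ip))
    return exposed


def nftables_origin_allowlist(prefixes: Iterable[ipaddress._BaseNetwork],
                              ports: Tuple[int, ...] = (80, 443)) -> str:
    """Render an nftables ruleset that accepts web traffic only from the provider.

    The chain drops everything else by default, so management access (SSH from
    an admin network, monitoring) needs its own explicit accept rule before
    this is loaded on a real host.
    """
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = [
        "table inet origin_shield {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
    ]
    for net in prefixes:
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"        {family} saddr {net} tcp dport {port_set} accept")
    rules += ["    }", "}"]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    for host, ip in find_exposed_records(SAMPLE_ZONE, PROTECTED_PREFIXES):
        print(f"EXPOSED  {host:<20} {ip}")
    print(nftables_origin_allowlist(PROTECTED_PREFIXES))
```

Run against a real zone export, every line printed as `EXPOSED` is a record an attacker can resolve to reach the origin around the protection layer; either move the service behind the provider or, where that is not possible (for example a mail exchanger), ensure the host is covered by the BGP infrastructure protection mentioned above. The generated ruleset does nothing against attacks aimed at the uplink itself, which is why the advisory separates host-level shielding from infrastructure protection.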