RIP vDOS, uStress, vStress, PoodleCorp

It all began one day in July when I couldn’t get on Pokemon GO. Like apparently millions of others. A group called PoodleCorp claimed responsibility for paralyzing Niantic’s servers. Their reason: “because chaos is entertainment”. Was this true, and could I do something to fight this idiocy? I wanted to find out.

In September the people behind PoodleCorp’s DDoS attacks were arrested in Israel. To my knowledge this happened mainly based on the information I gathered and sent to Niantic, Blizzard, Brian Krebs, and others. The material was forwarded to the FBI (by which of these, I don’t know exactly).

It is difficult to say what part of Pokemon GO’s outages was due to DDoS. It appears that, at least eventually, Niantic (with help from Google) was able to mitigate the attacks very effectively.

PoodleCorp tried to monetize their media attention and started advertising PoodleStresser, a DDoS-for-hire service that, as it turned out, used vDOS as its attack back-end.

The vDOS web server hosted a few other sites, mostly booters/stressers:

  • 83144692.com
  • api.vdos-s.com
  • huri.biz
  • trigon.io
  • ustress.io
  • vdos-s.com
  • vstress.net

I’ll be posting stuff I found there and on other servers in this attack infrastructure. I am busy, so I can’t say anything about the time frame.

Brian Krebs has posted the attack log dump from vDOS’s database that I provided. Here is a bigger attack log that spans a longer time period and includes attacks from several booters: api_requests.csv.gz (not a PDF! Save it and rename it to .csv.gz)

I post-processed it from the https://api.vdos-s.com/ Apache access log. The fields are mostly self-explanatory. The source IP is the booter server that sent the attack request (the front-end, not the customer). The config field is the PHP file that processed the request, with “bigpein” and “bigdongs” being PoodleStresser’s scripts.

[New] The original access log is at https://www.sendspace.com/file/4jef3u, 46 MB gzipped. It contains mostly the booter traffic that was post-processed/condensed into the CSV, but also some video-sharing and internal chat system requests.

The file does not have information about which customer initiated the attack. Most of these are from vDOS and other booters hosted on the same server (its IP changed twice), but some of them we haven’t identified.
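Added example, not from the original post and not the script actually used to produce api_requests.csv.gz: a sketch of how an Apache access log like the one above can be condensed into a source IP / config CSV, keeping only requests to the attack scripts and dropping the chat and video traffic. It assumes the log is in Apache’s default “combined” format (the real format is not shown here) and that the attack endpoints are the two PoodleStresser scripts named above; other booters’ script names are not given on this page. The sample log lines are constructed with documentation-range IPs and a made-up “target” query parameter, not taken from the real dump.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: Apache "combined" log format. The real api.vdos-s.com
# log format is not shown in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PoodleStresser's attack scripts as named in the post. Other booters'
# script names are not listed there; extend this set as they are identified.
ATTACK_SCRIPTS = {"bigpein", "bigdongs"}

# Constructed sample lines, NOT from the real dump: documentation-range IPs
# and a made-up "target" query parameter. The last line is deliberately junk.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2016:14:03:11 +0000] "GET /bigpein.php?target=203.0.113.9 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2016:14:03:12 +0000] "GET /bigdongs.php?target=203.0.113.9 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2016:14:05:40 +0000] "GET /bigpein.php?target=203.0.113.10 HTTP/1.1" 200 17 "-" "python-requests/2.9"
192.0.2.44 - - [10/Aug/2016:14:05:41 +0000] "POST /chat/send.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2016:14:05:42 +0000] "GET /video/watch.php?id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not an access-log record
"""


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache timestamps look like 10/Aug/2016:14:03:11 +0000
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Strip the query string, keep the last path component, drop ".php"
    script = urlsplit(m.group("path")).path.rsplit("/", 1)[-1]
    config = script[:-4] if script.endswith(".php") else script
    return {
        "timestamp": ts.isoformat(),
        "source_ip": m.group("ip"),  # the booter front-end that sent the request
        "config": config,            # the PHP script that handled it
        "status": int(m.group("status")),
    }


def condense(log_text):
    """Keep only requests to known attack scripts; drop chat, video and junk."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["config"] in ATTACK_SCRIPTS:
            rows.append(rec)
    return rows


def to_csv(rows):
    """Serialize condensed rows with the same fields the post describes."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["timestamp", "source_ip", "config", "status"]
    )
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def requests_per_source(rows):
    """How many attack requests each booter front-end sent."""
    return Counter(r["source_ip"] for r in rows)


if __name__ == "__main__":
    rows = condense(SAMPLE_LOG)
    print(to_csv(rows))
    print(requests_per_source(rows))
```

On the real 46 MB log you would stream the file line by line instead of splitting a string, and the filter on `ATTACK_SCRIPTS` is what separates the attack API calls from the chat and video requests that share the same vhost; anything that fails the regex is skipped rather than guessed at.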

I haven’t had time to look up the target IPs there. It should overlap with what Brian posted. Feel free to comment here if you find anything interesting. There are about 895,000 attacks in that file. Some of the first ones are probably tests made by the developers.

The biggest attacks (against Niantic, Blizzard, etc.) were not made through the booters but by AppleJ4ck with command-line tools. I will post command-line histories and other logs later.

Stay tuned for more!

Twitter: @drowzeepok

Note to media: don’t call DDoSers “hackers”. They generally can’t hack. Some of these kids know the basics of PHP but mostly use attack tools written by others. They aren’t more skilled than the general population; they are more malicious, irresponsible, greedy, and stupid than the general population.

 
