Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Published on May 8, 2015 11:00 UTC by GovCERT.ch (permalink)
Last updated on May 8, 2015 11:05 UTC
In the past days MELANI / GovCERT.ch has received several requests regarding a Distributed Denial of Service (DDoS) extortion campaign related to 'DD4BC'. The DD4BC Team (that is how the attackers call themselves) started its DDoS extortion campaigns in 2014. While these attacks have targeted foreign organisations in the past months, we have seen an increase of activity of DD4BC in Europe recently. Since earlier this week, the DD4BC Team expanded their operation to Switzerland. MELANI / GovCERT.ch is aware of several high profile targets in Switzerland that have recently received a blackmail from DD4BC and have consequently suffered from DDoS attacks, obviously conducted by DD4BC.
The DDoS attacks usually start with NTP (port 123 UDP) and SSDP (port 1900 UDP) amplification attacks targeting the victims public website, taking advantage of millions of insecure or misconfigured devices around the world. Later on, we have seen the attackers moving to TCP SYN flooding and layer 7 attacks to bypass mitigation measures taken by the ISP. Taking advantage of amplification attacks by abusing the NTP, SSDP or DNS protocol, the attackers are in theory able to launch DDoS attacks consuming a bandwidth of up to 500 Gbit/s (which is about 1'000 times more than a usually DSL / cable line is able to handle). However, so far we have observed DDoS attacks conducted by DD4BC to be only about 4 - 30 Gbit/s.
Rather than give in and pay DD4BC a certain amount of Bitcoins, we recommend victims to talk to their Internet Services Provider (ISP) to discuss mitigation techniques, such as IP based rate limiting or (temporary) Geo IP address filter. In addition, we recommend to file a criminal complaint at your local police.
Possible mitigation techniques (these have to be discussed with your ISP or upstream provider):
MELANI / GovCERT.ch is currently preparing a more detailed guideline with regards to how to deal with DDoS attacks and while release it soon.
Back to top