Security · 12.09.2016

South African IP addresses appear on massive DDoS-for-hire list

Two Israeli hackers were recently arrested by Israeli police on behalf of the FBI, following revelations about an underground service called vDOS – a distributed denial-of-service (DDoS) platform for hire.

A DDoS attack typically uses multiple systems to flood the bandwidth or resources of a target, usually one or more web servers, with the aim of knocking them offline.

Krebs on Security reported that vDOS earned over $600,000 helping customers coordinate more than 150,000 DDoS attacks over the past two years.

The service was recently hacked, revealing the details of “tens of thousands of paying customers and their targets”.

“To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement,” said Krebs on Security.

“And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic.”

Attack details

Last week, DDoS protection service CloudFlare released a file of around four months of vDOS attack logs.

The log contains over 170,000 entries of attacks, stretching from April 2016 to July 2016.

The file contains:

  • vDOS username that ordered and paid for the attack.
  • Target Internet (IP) address.
  • Attack method.
  • Internet (IP) address of the vDOS user.
  • Date and time of the attack.
  • Browser user agent string of the vDOS user.

The file contains several South African IP addresses, including attack targets and the IP addresses of locals who ordered attacks.

The table below provides a snippet from the vDOS log file which relates to South Africa.

It should be noted that an attacker may use various methods to spoof their IP address to launch attacks.

They can also use anonymous proxies, VPNs, and other methods to hide their real location and identities.

| User | Attack target | User's IP address | Attack date | Browser |
|---|---|---|---|---|
| GnikLlort | Launched a stress test on 185.24.99.98:80 for 1200 using DNS | 105.229.63.204 (ZA) | 02-05-2016 05:33 | Mozilla Firefox v46.0 on Windows |
| x0123 | Launched a VIP stress test on 173.168.226.27:80 for 1200 using DNS | 197.189.238.185 (ZA) | 28-06-2016 17:12 | Google Chrome v51.0.2704.103 on Windows |
| GnikLlort | Launched a stress test on 5.206.225.107:80 for 1200 using DNS | 41.13.196.187 (ZA) | 04-05-2016 05:01 | Mozilla Firefox v46.0 on Windows |
| GnikLlort | Launched a stress test on 139.162.210.32:80 for 1200 using DNS | 41.3.20.248 (ZA) | 05-05-2016 01:18 | Mozilla Firefox v46.0 on Windows |
| GnikLlort | Launched a stress test on 188.138.17.37:80 for 1200 using xSYN | 41.13.196.108 (ZA) | 09-05-2016 04:48 | Mozilla Firefox v46.0 on Windows |
| GnikLlort | Launched a stress test on 69.175.22.130:80 for 1200 using DNS | 41.13.224.234 (ZA) | 10-05-2016 02:38 | Mozilla Firefox v46.0 on Windows |
| w3stside | Launched a stress test on 196.11.240.215:80 for 500 using DNS | 197.87.14.33 (ZA) | 04-06-2016 18:18 | Mozilla Firefox v46.0 on Windows |
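
For network operators who want to check whether their own address space appears as a target in entries like these, here is an added example (not part of the original article or of the released file) that parses the action strings shown in the table and matches targets against a list of prefixes. The sample rows are copied from the table; `MY_NETWORKS` is a hypothetical prefix, and the layout of the real file beyond what the table shows is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Action-string layout as it appears in the table above.
ACTION_RE = re.compile(
    r"Launched a (?P<tier>VIP )?stress test on "
    r"(?P<target>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"for (?P<duration>\d+) using (?P<method>\S+)"
)

# Rows copied from the table: (user, action, user's IP address).
SAMPLE_ROWS = [
    ("GnikLlort", "Launched a stress test on 185.24.99.98:80 for 1200 using DNS", "105.229.63.204"),
    ("x0123", "Launched a VIP stress test on 173.168.226.27:80 for 1200 using DNS", "197.189.238.185"),
    ("GnikLlort", "Launched a stress test on 188.138.17.37:80 for 1200 using xSYN", "41.13.196.108"),
    ("w3stside", "Launched a stress test on 196.11.240.215:80 for 500 using DNS", "197.87.14.33"),
]

# Hypothetical prefix standing in for address space you operate.
MY_NETWORKS = [ipaddress.ip_network("196.11.240.0/24")]


def parse_row(user, action, user_ip):
    """Return a dict of parsed fields, or None if the row is malformed."""
    m = ACTION_RE.fullmatch(action.strip())
    if m is None:
        return None
    try:
        target = ipaddress.ip_address(m["target"])
        source = ipaddress.ip_address(user_ip)
    except ValueError:  # e.g. an octet above 255
        return None
    return {"user": user, "target": target, "port": int(m["port"]),
            "duration": int(m["duration"]),  # value as logged; unit not stated in the article
            "method": m["method"], "vip": m["tier"] is not None, "user_ip": source}


def attacks_on(rows, networks):
    """Parsed entries whose target lies inside any of the given networks."""
    parsed = (parse_row(*r) for r in rows)
    return [e for e in parsed if e and any(e["target"] in n for n in networks)]


def method_counts(rows):
    """Count attack methods across all well-formed rows."""
    return Counter(e["method"] for e in (parse_row(*r) for r in rows) if e)


if __name__ == "__main__":
    for e in attacks_on(SAMPLE_ROWS, MY_NETWORKS):
        print(e["user"], e["target"], e["port"], e["method"], e["duration"])
    print(dict(method_counts(SAMPLE_ROWS)))
```

A hit only shows that an attack was ordered against that address; as the article notes, the ordering user's IP address may belong to a proxy or VPN rather than the customer.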
