How I caught a hacker
This happened in early 2008, when I was still working as an engineer in the IT department of a large Ukrainian bank. The New Year holiday bustle was dying down and the load on the technical support units had eased a little, when one of the web servers I was responsible for alerted me that it was running out of disk space. A quick look showed that the logs of the IIS server hosting one of the bank's public payment systems were growing rapidly. My fears were confirmed: a DDoS attack on the server had begun.
The attack looked like this: at a rate of 150-200 requests per second, the same URL was being requested with the GET method from a large number of IP addresses, i.e. a small international botnet was at work. The server itself and the bank's firewall coped with the attack completely, so I had enough time to study it and work out a plan for shutting it down.
The first thing I did was analyze the geography of the attacking IP addresses. The intensity was spread evenly across countries, and blocking any region was out of the question: customers from all over the world used the bank's web service, and cutting off any segment would have meant financial losses for the bank. Next, anticipating a possible increase in attack intensity, I trimmed the attacked page down to the minimum size. The load on the server and the firewall dropped, and the response was not long in coming: the hacker controlling the botnet changed the attacked URL, and the attack switched to a GIF image, one of the largest elements on the site. These moves gave me a good head start, and I prepared thoroughly for counter-measures. I wrote a series of LogParser scripts that processed the web server logs and detected "abnormal" client behavior, where "abnormal" meant pages accessed in a sequence characteristic of neither the bank's customers nor the botnet. LogParser handled gigabyte-sized logs without trouble, which gave me a good chance of reacting quickly.
By this point the attack had reached 500 requests per second. So, having prepared, I set the bait: I renamed the attacked image, made the page returned with the 404 error as small as possible, and waited. After a while the attack stopped for a moment. Since its effectiveness had dropped to zero, the hacker started manually, through a browser, "probing" the site for large elements, and LogParser quickly picked up exactly that "abnormal" behavior. That was all I needed: the hacker's IP address was in my hands and, surprisingly, it did not belong to an anonymous proxy server but to one of the Ukrainian hosting providers, which was also a good client of the bank's web service.
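The log-analysis step described above, as an added example that is not from the original post (the author used LogParser over IIS logs; this Python sketch reproduces the idea in a form that runs offline): group requests by client, treat one URL hammered repeatedly as the botnet, a known navigation sequence as a customer, and a run of unrelated URIs (what the manual probing after the bait looks like in the log) as abnormal. The log lines, field order and customer flows are constructed for the example.

```python
from collections import defaultdict

# Constructed IIS W3C-style log excerpt (fields: date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-01-10 10:00:01 203.0.113.7 GET /images/banner.gif 404
2008-01-10 10:00:01 198.51.100.9 GET /images/banner.gif 404
2008-01-10 10:00:02 203.0.113.7 GET /images/banner.gif 404
2008-01-10 10:00:02 192.0.2.44 GET /login.aspx 200
2008-01-10 10:00:03 192.0.2.44 GET /account.aspx 200
2008-01-10 10:00:04 192.0.2.44 GET /payments.aspx 200
2008-01-10 10:00:05 192.0.2.99 GET /images/banner.gif 404
2008-01-10 10:00:06 192.0.2.99 GET /images/ 403
2008-01-10 10:00:07 192.0.2.99 GET /images/logo.gif 200
2008-01-10 10:00:08 192.0.2.99 GET /css/main.css 200
2008-01-10 10:00:09 192.0.2.99 GET /images/header.jpg 200
"""

# Page sequences that legitimate customers follow (assumed for this example).
KNOWN_FLOWS = [("/login.aspx", "/account.aspx", "/payments.aspx")]

def parse_log(text):
    """Group requested URIs by client IP in arrival order; skip '#' header lines."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, ip, _method, uri, _status = line.split()
        per_client[ip].append(uri)
    return per_client

def is_known_flow(distinct_uris):
    """True if the client's distinct URIs, in order, are a prefix of a known customer flow."""
    return any(tuple(distinct_uris) == flow[:len(distinct_uris)] for flow in KNOWN_FLOWS)

def classify(per_client, min_distinct=3):
    """'bot': one URL hammered; 'customer': known flow; 'abnormal': many unrelated URIs."""
    verdicts = {}
    for ip, uris in per_client.items():
        distinct = list(dict.fromkeys(uris))  # order-preserving dedupe
        if len(distinct) == 1 and len(uris) > 1:
            verdicts[ip] = "bot"
        elif is_known_flow(distinct):
            verdicts[ip] = "customer"
        elif len(distinct) >= min_distinct:
            verdicts[ip] = "abnormal"
        else:
            verdicts[ip] = "unclassified"  # a single hit is not evidence either way
    return verdicts
```

Running `classify(parse_log(SAMPLE_LOG))` on the constructed excerpt labels 192.0.2.99 as abnormal while the single-URL clients come out as bot and the login/account/payments client as customer.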
- Hello, Sergey Ivanovich, good afternoon. This is <% bank_name%> calling; a DDoS attack on our site is being coordinated from your server.
- Hello. Tell me the IP.
- XXX.XXX.XXX.XXX
- Yes, a client is working in a terminal session on this server right now. I'll disconnect him and give you access to the server. These freaks need to be fought. By the way, I have his contact details.
- Thank you, I'll inform the bank's security service; they will contact you.
... to be continued (the dialogue with the hacker over ICQ, "cutting off" the worm's head, my testimony at the Office for Combating Economic Crimes and, finally, how it all ended)
UPD: on the advice of banzeg, moved to Information Security
UPD: continued here: How I caught a hacker 2