DDoS Attacks from Nowhere

By: Jose -

Over the weekend Ed Vielmetti pointed out to me that Zooomr had been under a DDoS attack as they were preparing to roll out their 2.0 site. As discussed on their blog, the Zooomr guys describe what’s going on (well, in very limited detail):

Well that’s how it feels when you work really hard for something for weeks just to have some bully kick sand in your face in the end. Yeah, we most likely will not be launching tonight and that sucks. I guess it goes with the territory when you’re a small start up. All of your photos are safe and your blogged photos will still work. We just need to stop this attack before we will be able to go back online.

Add to this some confusion (at least on my end), there’s another Zoomr that looks similar (photo sharing):

$ host www.zoomr.com
www.zoomr.com has address
$ host www.zooomr.com
www.zooomr.com is an alias for zooomr.com.
zooomr.com has address

This has me wondering: who would want to DDoS Zooomr (with three o’s)? Is it because they’re rumored to be in acquisition talks? Maybe it’s the Flickr guys, fearing the competition! (I’m kidding, I don’t think anyone at Flickr, Yahoo!, or any of their affiliates would do such a thing, and I’m certainly not accusing them of such a tactic.) Repeat this for about 99% of the daily DDoS targets. Some are just obvious – Microsoft, SCO, Google, some anti-spam operation – but many are just not. When we monitor botnets, we don’t usually see people talking about why they’re launching relatively high profile DDoS attacks. This is not a scenario we’d see…

Setting, some hacked Linux web server hanging off a cable modem somewhere in broadband-space. Enter channel left, we find two botmasters and a hundred thousand bots from around the world.

 botnet_guy_1: our customer, russian_guy_1@spammers.com, has paid up. $25k per day to DDoS those guys
 botnet_guy_2: cool, let's go!
 botnet_guy_2: .login passwd
 botnet_guy_2: .ddos.icmp 1024 100
 BOT-1: Flooding with 1024 byte packets for 100 seconds
 BOT-2: Flooding with 1024 byte packets for 100 seconds
etc etc 

Instead, it’s usually much less clearer. What we wind up doing is having to do much detective work, and we share our data from time to time with other groups who are on the heels of some of the bigger-named DDoS groups. Many of the DDoS events we see are pretty small-time, very personal types of attacks. However, at times you get a front row seat to the major events, but still an incomplete picture. You know the group behind the actual attack, but you don’t know who asked for it or why just on the basis of bot channel logs. Being a DDoS root-cause investigator isn’t just slinging code, it’s a lot of gumshoe work. And, some days it’s just fun!