11:56 As I caught the hacker | |
It happened in early 2008, when I worked at a major Ukrainian bank as an engineer in the IT-department. Only slept a Christmas holiday bustle and stress of the tech support department a little diminished, as one of my reporting of web-servers reported the ending location on the disk. A quick analysis showed that the rapidly growing logs of IIS server that turns one of the public payment systems bank. My fears were justified - on the server started DDOS attack. The format of the attack was as follows: at a rate of 150-200 requests per second, the method GET, went on appeal to the same URL with a large number of IP addresses. Ie worked for a small international botnet. The server and firewall with attack bank copes well, so I had enough time to study the attack and develop an action plan to address it. First, I analyzed the geography of the attacking IP-addresses. The intensity was evenly spread across countries, and to block any of the regions was impossible - a bank web-service use clients from around the world, and blocking any segment, would mean the bank's financial losses. Further, assuming a possible increase in the intensity of the attacks, I optimized the size of the attacked page to a minimum. The load on the server and the firewall has fallen, which is not long in coming. A hacker who ran botnet changed the address of the victim's URL, and an attack on the retooled image GIF - one of the three-dimensional elements of the site. These actions have given me a good clue, and I am thoroughly prepared for counteractions. I wrote several scripts using LogParser, processing logs web-servers and identifying "abnormal" behavior of the customer. "Anomalous" was considered an appeal to the pages in sequence, not inherent in either the bank's clients, nor the botnet. LogParser successfully coped with the gigabyte logs, which gave me a good chance of a rapid response. At this point the attack has reached 500 requests per second. Thus, I am prepared, and cast the bait - renamed the attacked image, made returns a page with a 404 minimum, and waited. After some time of the attack momentarily stopped. Since its effectiveness has been reduced to zero, the hacker started manually via the browser, "feelers" site for the presence of bulk elemenov - LogParser quickly identify such "anomalous" behavior. That I had enough - IP-address of the hacker was in my hands, and he, surprisingly, did not belong to an anonymous proxy server, and one of the Ukrainian hosts and in combination, and a good client of this same web-service bank. Hello, Sergei Ivanovich, good day, you suffer from <% bank_name%>, c your server is coordinated DDOS attack on our website Hello. Tell me the IP XXX.XXX.XXX.XXX Yes, the client now works in a terminal session on that server, I turn it off and give you access to the server. With these monsters must be fought. By the way I have his contact details. Thanks, I'll let the security services of the bank, they will contact you. To be continued (the dialogue with the hacker in the ICQ, «cutting off" the head worm, my testimony in the Department on struggle against economic crimes and, in fact, than it ended up) UPD: on the advice of banzeg moved to Information Security UPD: continued here: How can I catch a hacker 2 | |
|
Total comments: 0 | |