Plunging into a DDoS hole: a how-to guide

One of my blogs was recently treated to a large dose of DDoS that took it offline for the best part of a week. It comes with the territory I guess. The good news is that, as ever, attacks on corruption reporting and on freedom of expression tend to produce Streisand effects:

Besides the genuine good will, support, and empathy of some folks, the saga continues of course. There’s an online netherworld, mostly inhabited by dodgy operators whose raison d’être is to service criminals. Distributed Denial of Service, or DDoS, is among the services on offer. So basically anyone, from anywhere, can organise attacks and take targets offline, causing disruption which, depending on the size of the attack, ends up costing a lot of time and money.

And this can be done, basically, using the same methods employed by the corrupt and their money launderers across the world: shell companies in offshore jurisdictions that cloak the identity of the controlling parties. In our case we found Panama (of course) and the Seychelles. In fact, the registered address of the IP owner, in Victoria, is used by the likes of Mossack Fonseca.

The DDoS attack was launched from 191.96.249.70. That IP geolocates to exactly the same location as Rosneft HQ, in the close vicinity of Russia’s Kremlin.

Once the originating IP address is located (in Moscow, near the Kremlin), it is a matter of seconds to find the company, domain and person responsible. But the man behind it, a Chris or Christian, is a bit of a ghost.
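The "IP to company" step above is, in practice, a registry lookup: every public address sits in a netblock registered with a regional registry, and the registry's RDAP service returns the registrant organisation, its registered address and an abuse contact. The script below is an added example (not the author's tooling, and not a real lookup of 191.96.249.70): it parses an RDAP record of the standard shape and extracts those fields. The record embedded in it is constructed sample data with invented placeholder values; the only real service it refers to is the rdap.org redirector, used by the optional `fetch_rdap` helper, which needs network access and is not called by default. One caveat worth keeping in mind: the registered address this returns (an offshore company address, in the post's case) and the city a GeoIP database maps the address to (Moscow, in the post's case) are different data sources answering different questions, and both should be recorded separately.

```python
"""Map an attacking IP to its registered netblock owner from an RDAP record.

Added example, not code from the original post. SAMPLE_RDAP is CONSTRUCTED
data in the RDAP (RFC 9083) "ip network" shape; its organisation, netblock
and contact values are invented placeholders, not the registration of any
real address.
"""
import ipaddress
import json
import urllib.request

# Constructed sample record, shaped like a registry's /ip/<address> response.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "ip network",
    "handle": "EXAMPLE-NET-1",
    "startAddress": "191.96.249.0",
    "endAddress": "191.96.249.255",
    "name": "EXAMPLE-HOSTING-NET",
    "country": "SC",
    "entities": [
        {
            "objectClassName": "entity",
            "handle": "EX-ORG",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Hosting Ltd"],
                ["adr", {}, "text", ["", "", "Suite 1", "Victoria", "", "", "SC"]],
            ]],
            # Registries often nest the abuse contact under the registrant.
            "entities": [
                {
                    "objectClassName": "entity",
                    "handle": "EX-ABUSE",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [
                        ["version", {}, "text", "4.0"],
                        ["fn", {}, "text", "Example Abuse Desk"],
                        ["email", {}, "text", "abuse@example.invalid"],
                    ]],
                }
            ],
        },
    ],
})


def vcard_field(entity, name):
    """Return the value of the first vCard property called `name`, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None


def walk_entities(entities):
    """Yield every entity in the record, including nested ones."""
    for ent in entities:
        yield ent
        yield from walk_entities(ent.get("entities", []))


def summarise(ip, rdap_json):
    """Extract the fields an investigator wants from an RDAP ip-network record."""
    rec = json.loads(rdap_json)
    start = ipaddress.ip_address(rec["startAddress"])
    end = ipaddress.ip_address(rec["endAddress"])
    addr = ipaddress.ip_address(ip)
    out = {
        "ip": ip,
        # A start/end range may not be a single CIDR; summarise it properly.
        "netblock": [str(n) for n in ipaddress.summarize_address_range(start, end)],
        # Sanity check: the record actually covers the IP we asked about.
        "in_block": start <= addr <= end,
        "country": rec.get("country"),
        "registrant": None,
        "registrant_address": None,
        "abuse_contact": None,
    }
    for ent in walk_entities(rec.get("entities", [])):
        roles = ent.get("roles", [])
        if "registrant" in roles:
            out["registrant"] = vcard_field(ent, "fn")
            adr = vcard_field(ent, "adr")
            if adr:
                out["registrant_address"] = ", ".join(p for p in adr if p)
        if "abuse" in roles:
            out["abuse_contact"] = vcard_field(ent, "email")
    return out


def fetch_rdap(ip, timeout=10.0):
    """Live lookup via the rdap.org redirector (needs network; not run by default)."""
    req = urllib.request.Request(
        f"https://rdap.org/ip/{ip}", headers={"Accept": "application/rdap+json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration on the constructed record.
    print(json.dumps(summarise("191.96.249.70", SAMPLE_RDAP), indent=2))
```

For a real address, replace `SAMPLE_RDAP` with `fetch_rdap(ip)`; the registrant's address then comes straight from the registry, which is the "registered address in Victoria" kind of fact the post relies on, and the abuse contact is where a takedown or complaint request goes.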

His emails originate from around Milan, in Italy. On some bitcoin pages he provided a telephone number whose prefix (0371) belongs to Lombardy, the region where Milan is located. His computer’s operating system appears to be configured in Italian as well, so these three bits of information suggest that he is in Italy. None of the online reverse-lookup sites available for Italy has any record of the number 0371 1721122, which, oddly, appears to be a landline.

No record of a company called Dmzhost Limited appears in Italy’s register of companies either. A UK company associated with Dmzhost (Jupiter 25 Limited) is just a shell, managed by a proxy, and won’t reveal much. Regarding Dmzhost’s Moscow location, the OCCRP sources I consulted said that, though no firm conclusions should be drawn yet, a “state apparatus” could be involved.

Then, from his email address (chris@dmzhost.co), I found his Skype username: dmzhost2. With that in hand, and using Maltego CE, I was able to find more information and produce a helpful graph.

I couldn’t find any functional resolver to determine his Skype IP address, as Microsoft seems to have sorted that vulnerability. So I got in touch with the dmzhost.co domain registrar (Namecheap) and with the dmzhost.co hosting provider (Cloudflare); neither has replied to requests for the full contact details of the owner of dmzhost.co.

Some tests were also run with Kali tools to see what sort of server configuration and services are being used.

I also sent a request for assistance to Henk van Ess, who developed a very useful Facebook search tool; alas, our man doesn’t seem to be using Facebook at all.

There are no records of a company called Dmzhost in the Panama Papers, Offshore Leaks or Bahamas Leaks. One last recourse was to look into the Amsterdam register of companies; none of the entities with similar names appears related to our ghost DDoSer.

He’s done a very good job of hiding his real identity. None of the sources consulted, arguably the top investigative people and organisations in the world, had heard anything about Chris and his Dmzhost operation beyond what I was able to find in my investigation. However, we remain confident that sooner or later his real-world persona will be revealed; after all, no one is infallible, and complete online anonymity is almost impossible to achieve.