Rapidttp.co.za

So who is attacking us now 

This server has been running non-stop for 1200 days (up to 18 Sept 2016).

We have been under a variety of attacks from about four different groups over the past few years.

Generally the attacks come from a large number of machines, and they have a signature in the form of the method used for the attack. From these signatures one can sort the attack sites into their different groups.

On the 2nd August 2016 we noticed attacks coming from a new group. These attacks added an extra 2000 different servers per day, making about 25000 attacks per day. What was interesting is that Vietnam played a major part in the source of the attacks, accounting for about 24% of all the attacks. Of these attacking sites, 97.5% were already in the database and were being blocked. On a weekly basis, the distribution of countries involved in the attack was typically:

Country     # of servers involved     Percentage
VN     3146     23.9%
BR     1301     9.9%
IN     1269     9.6%
CN     1244     9.4%
RU     879      6.7%
KR     775      5.9%
TR     423      3.2%
DO     340      2.6%
TW     307      2.3%
AR     295      2.2%
IR     207      1.6%
US     186      1.4%
CO     172      1.3%
UA     164      1.2%
PK     159      1.2%

On the 13th September 2016, six weeks after the attacks began, we received the following demands, and the traffic from New World Hackers disappeared for two days.

We are,  New World Hacking Groups
 
We'll begin massive DDoS attack Today, you have 5 hours after reading your posts!!!
 
1 - We'll execute some targeted attacks and check your DDoS servers by the 500 Gbps attack power
2 - We can do multi-vector attacks Layer 3-7 TCP, UDP, SYN; NTP, DNS, SSDP - Amplification
3 - You do not help us antiddos, because we know your real IP address and it will always be able to find out
4 - Do not have time to change the hosting
5 - You can get away from the attack, if you pay 1.5 bitcoin to bitcoin ADDRESS:  1CB7Q8Mb77qSbkXnjynqGTjUTdFzFuV2EJ
6 - If you do not pay before the attack 1.5 bitcoin, the price will increase to 15 bitcoins
7 - Attacks every day will cost you 15 bitcoins
8 - We will continue to attack for a long time, as long as you do not pay!!!
9 - If you do not pay, we will destroy your business
                                                 Transfer 1.5 bitcoin to ADDRESS: 1CB7Q8Mb77qSbkXnjynqGTjUTdFzFuV2EJ
 
How to pay bitcoin? Google for the additional information!
 
The header for the message was:

Return-Path: 
Received: from mail.itb.pl (mail.itb.pl [195.187.73.224])
	by rapidttp.co.za (8.11.6/8.11.6) with ESMTP id u8CMHB928881
	Tue, 13 Sep 2016 00:17:12 +0200
Received: from localhost (localhost [127.0.0.1])
	by mail.itb.pl (Postfix) with ESMTP id 92DF6906F1F
	Tue, 13 Sep 2016 00:14:53 +0200 (CEST)
Received: from mail.itb.pl ([127.0.0.1])
	by localhost (mail.itb.pl [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id 8TFT8dtoovuS 
	Tue, 13 Sep 2016 00:14:53 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail.itb.pl (Postfix) with ESMTP id 41211905F58
	Tue, 13 Sep 2016 00:14:42 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.9.2 mail.itb.pl 41211905F58
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=itb.pl;
	s=85CADDD0-B2E9-11E5-9EA6-31253CE080A6; t=1473718482;
	bh=U8mWRbWxSUjKyPxBfNiR4dou1jDsu7uv2h/r8VIThjQ=;
	h=Message-ID:Reply-To:From:To:Subject:Date:MIME-Version:
	 Content-Type;
	b=jBPFUxkDzoGGAYeWMbKEEQsPKJBe6r+c4/aW9IwPc9U/ltPbjCJTmDK+2SVqDquS3
	 1qKTrTY8KNx0Wr7C8psDryN4yRgccM7haBfGXahQdhhhJlYzDmN8OpZUYcJQNcMjvA
	 WiZNJc/sMCVCDIchLJhi8NctvYMX/SsCsVk2FLXc=
X-Virus-Scanned: amavisd-new at itb.pl
Received: from mail.itb.pl ([127.0.0.1])
	by localhost (mail.itb.pl [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id HfwhiooxnFCb ;
	Tue, 13 Sep 2016 00:14:42 +0200 (CEST)
Received: from ygpewj (unknown [131.72.139.161])
	by mail.itb.pl (Postfix) with ESMTPSA id 2CCC2906C59
	Tue, 13 Sep 2016 00:14:29 +0200 (CEST)
Message-ID: <5BA1E02165B19F3CE0E5AC100423677F@itb.pl>
Reply-To: "NHW-Groups" 
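The Received chain above can be read mechanically to find where the message entered the relay. The following is an added example, not part of the original page: it parses four of the six Received lines (copied from the header, dates dropped) and reports the first non-loopback hop; the function names are hypothetical.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed input: four Received lines taken from the header on this page.
RAW = """\
Received: from mail.itb.pl (mail.itb.pl [195.187.73.224])
\tby rapidttp.co.za (8.11.6/8.11.6) with ESMTP id u8CMHB928881
Received: from localhost (localhost [127.0.0.1])
\tby mail.itb.pl (Postfix) with ESMTP id 92DF6906F1F
Received: from mail.itb.pl ([127.0.0.1])
\tby localhost (mail.itb.pl [127.0.0.1]) (amavisd-new, port 10026)
\twith ESMTP id HfwhiooxnFCb
Received: from ygpewj (unknown [131.72.139.161])
\tby mail.itb.pl (Postfix) with ESMTPSA id 2CCC2906C59

"""

# from <HELO name> (<reverse DNS, optional> [<IP>]) by <receiver> ... with <protocol>
HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([0-9.]+)\]\) by (\S+) .*?with (\S+)")

def parse_hops(raw):
    """Return hops oldest-first; every MTA prepends its line, so reverse the header order."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            helo, rdns, ip, by, proto = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by, "proto": proto})
    return hops[::-1]

def submission_hop(hops):
    """First hop that came from a non-loopback address: where the mail entered the relay."""
    for hop in hops:
        if not ip_address(hop["ip"]).is_loopback:
            return hop
    return None

def describe(hop):
    # RFC 3848: ESMTPA / ESMTPSA mean the client passed SMTP AUTH on that hop.
    return {
        "client_ip": hop["ip"],
        "relay": hop["by"],
        "authenticated": hop["proto"] in ("ESMTPA", "ESMTPSA"),
        "helo_matches_rdns": hop["helo"] == hop["rdns"],
    }

if __name__ == "__main__":
    print(describe(submission_hop(parse_hops(RAW))))
```

Only the topmost Received line was written by the receiving server; the lower ones are as reliable as the relay that wrote them. Here they say the message was submitted to mail.itb.pl over authenticated SMTP (ESMTPSA) from 131.72.139.161, with a HELO name that does not match any reverse DNS.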

After all the threats, the New World Hackers resumed their attacks, but the key country involved now became Colombia:

CO     3467     28.1%
VN     1669     13.5%
BR     967      7.8%
IN     701      5.7%
KR     627      5.1%
RU     607      4.9%
CN     541      4.4%
TW     388      3.1%
TR     350      2.8%
US     287      2.3%
DO     195      1.6%
RO     175      1.4%
UA     142      1.1%
AR     122      1.0%
MX     117      0.9%

In the second week the distribution was

VN     4161     19.6%
BR     2221     10.4%
KR     1663     7.8%
TW     1398     6.6%
CN     1291     6.1%
IN     1205     5.7%
RU     1021     4.8%
TR     985      4.6%
RO     631      3.0%
US     601      2.8%
CO     556      2.6%
MX     326      1.5%
PL     324      1.5%
UA     298      1.4%
AR     289      1.4%

In the third week of the attack the distribution was

VN     2340     11.0%
BR     2323     10.9%
CN     1813     8.5%
TR     1393     6.6%
IN     1392     6.6%
KR     1326     6.2%
RU     1232     5.8%
TW     1125     5.3%
US     695      3.3%
RO     522      2.5%
AR     462      2.2%
MX     397      1.9%
UA     391      1.8%
PL     381      1.8%
CO     334      1.6%

In the fourth week of the attack the distribution was

VN     3414     14.8%
BR     2458     10.7%
UA     1990     8.6%
TR     1475     6.4%
TW     1225     5.3%
IN     1143     5.0%
RU     1139     4.9%
CN     1064     4.6%
KR     892      3.9%
US     632      2.7%
AR     539      2.3%
RO     508      2.2%
CO     429      1.9%
PL     413      1.8%
MX     385      1.7%

In the fifth week of the attack the distribution was

VN     4369     18.3%
BR     2617     11.0%
UA     2045     8.6%
TW     1501     6.3%
TR     1436     6.0%
RU     1170     4.9%
IN     1047     4.4%
CN     960      4.0%
KR     625      2.6%
US     555      2.3%
AR     545      2.3%
RO     539      2.3%
CO     421      1.8%
MX     343      1.4%
PL     335      1.4%

In the sixth week of the attack the distribution was (peak)

VN     2713     12.2%
UA     2429     11.0%
BR     1709     7.7%
TR     1445     6.5%
RU     1350     6.1%
TW     1303     5.9%
CN     1064     4.8%
US     1036     4.7%
IN     996      4.5%
KR     542      2.4%
RO     487      2.2%
PL     478      2.2%
AR     447      2.0%
MX     343      1.5%
FR     326      1.5%

In the seventh week of the attack the distribution was (peak)

VN     3019     12.6%
UA     2170     9.1%
BR     1713     7.2%
TW     1692     7.1%
RU     1496     6.2%
TR     1490     6.2%
CN     1371     5.7%
IN     1041     4.3%
US     1006     4.2%
KR     848      3.5%
AR     551      2.3%
RO     544      2.3%
PL     467      2.0%
MX     383      1.6%
CO     371      1.5%

In the eighth week of the attack the distribution was

VN     3418     18.5%
TW     1541     8.3%
BR     1474     8.0%
KR     1036     5.6%
RU     1021     5.5%
CN     970      5.2%
IN     922      5.0%
TR     908      4.9%
UA     690      3.7%
US     455      2.5%
RO     425      2.3%
AR     349      1.9%
PL     289      1.6%
CO     287      1.6%
MX     250      1.4%

In the ninth week of the attack the distribution was

VN     2980     16.0%
BR     1611     8.6%
TW     1607     8.6%
CN     1152     6.2%
RU     1043     5.6%
TR     1001     5.4%
IN     957      5.1%
KR     579      3.1%
US     503      2.7%
RO     495      2.7%
AR     472      2.5%
UA     451      2.4%
PL     348      1.9%
MX     322      1.7%
CO     312      1.7%

In the tenth week of the attack the distribution was (fading starts)

CN     1581     10.9%
BR     1331     9.2%
VN     1215     8.4%
TW     967      6.6%
RU     855      5.9%
IN     792      5.4%
TR     681      4.7%
UA     491      3.4%
US     471      3.2%
AR     380      2.6%
RO     344      2.4%
PL     337      2.3%
KR     316      2.2%
CO     290      2.0%
FR     254      1.7%

In the eleventh week of the attack the distribution was (fading quickly)

CN     1307     12.4%
BR     1243     11.8%
VN     833      7.9%
TW     724      6.9%
RU     533      5.1%
IN     522      4.9%
TR     462      4.4%
US     353      3.3%
AR     340      3.2%
UA     301      2.9%
RO     288      2.7%
KR     248      2.4%
PL     239      2.3%
MX     221      2.1%
FR     192      1.8%

In the twelfth week of the attack the distribution was (Ukraine to the rescue)

UA     1639     15.2%
VN     1003     9.3%
CN     911      8.4%
BR     895      8.3%
TW     679      6.3%
RU     557      5.1%
IN     473      4.4%
TR     461      4.3%
AR     348      3.2%
US     322      3.0%
KR     284      2.6%
RO     276      2.6%
PL     233      2.2%
MX     186      1.7%
FR     138      1.3%

In the thirteenth week of the attack the distribution was

CN     1903     14.0%
VN     1068     7.9%
TW     952      7.0%
BR     898      6.6%
TR     873      6.4%
RU     759      5.6%
US     756      5.6%
UA     748      5.5%
IN     436      3.2%
AR     401      3.0%
RO     345      2.5%
PL     319      2.4%
MX     301      2.2%
KR     293      2.2%
TH     281      2.1%

In the fourteenth week of the attack the distribution was

CN     1471     16.8%
VN     956      10.9%
BR     742      8.5%
TW     714      8.2%
RU     486      5.6%
US     411      4.7%
AR     303      3.5%
IN     299      3.4%
KR     294      3.4%
TR     290      3.3%
RO     259      3.0%
UA     213      2.4%
PL     161      1.8%
MX     140      1.6%
FR     129      1.5%

We identify and classify EVERY attacker and block future attacks from that group of servers. Lists are available for interested parties.

For the past 18 years the server has been serving information from a standalone webserver running a Linux operating system. The server supplies about 3.2 million documents per annum in the form of HTML, PDF and JPG files. In the whole 17 years, on only about five occasions has it stopped and needed a reboot. Two of these stoppages have happened in the past fifty months.

The attacks are processed by software, and barely 1% of machine resources are wasted on the project. However, the data provided is extremely useful for mapping out the players. We identify every one of the servers involved in the attacks. In this attack year we have processed 2 million attacks per month from 200000 different servers.



Trolley Scan (Pty) Ltd /info@trolleyscan.com