Online Poker Forum - Fulltilt and service attacks

g_420man
Message Board Junkie


Joined: 13 Dec 2007
Posts: 1517
Location: Fulltilt poker. Where tilting is a normal thing.

Posted: Wed Feb 20, 2008 8:55 pm    Post subject: Fulltilt and service attacks

This can be found in the original here: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080218


Monday, 18 February 2008
Gambling Websites Under Attack

As many of you know, we do a lot of work with internet relay chat (IRC)-based botnets. It was and for the most part still is the bread and butter of the botnet world. However, more and more new botnets are turning their backs on IRC and are moving to the web and embracing port 80. Well we haven’t just been sitting idle and twiddling our thumbs. We have been watching and monitoring HTTP-based botnets for quite some time now. Just yesterday one in particular managed to grab our attention, so we have decided to put it under the microscope.

Early yesterday morning I logged online to take a look at the live output of the distributed denial of service (DDoS) attacks that have been coming from HTTP botnets we are monitoring. It only took a moment for this to become rather interesting. The word “poker” appeared a few times and quickly caught my eye. As it turns out, I was logged in from my hotel room in Las Vegas and had actually just returned from playing poker. The output I was presented with looked something like this (extraneous and other information have been removed/edited):

ddos_command=`flood http`, control_server=`<removed>`, ddos_target=`www.fulltiltpoker.com`
ddos_command=`flood http`, control_server=`<removed>`, ddos_target=`www.titanpoker.com`
ddos_command=`flood http`, control_server=`<removed>`, ddos_target=`www.cdpoker.com`
These are all familiar websites, especially the website for Full Tilt Poker. They are one of the bigger Poker websites on the Internet. Typing all three of these websites into a browser revealed that only one of them, CDPoker, was actually accessible. For the next hour or so that I checked, I could not reach Full Tilt's website at all and Titan Poker would load sporadically. Further review would later show that CDPoker may have some form of DDoS protection through Prolexic and that Titan Poker was using four different IP addresses. That might explain why CDPoker had no load issues and Titan Poker would periodically load, albeit usually rather slowly. It would appear that Internet poker websites were under attack. As a result we decided to dig a little deeper into the activities of this particular HTTP botnet.

It wouldn’t take long to find out this botnet wasn’t just going after poker, but rather gambling sites in general for the past week or so. Some were attacked for a few hours and others for a few days. Each attack is designed to overwhelm the websites with tons of bogus GET requests. The desired result of the attacker is to completely disrupt service to the website (hence denial of service). We do not know how many of the attacks succeeded since there’s no way for us to go back and tell. However, we do have a list of the gambling websites they attacked. From February 10, 2008 to February 18, 2008, the following gambling websites were targeted:

fontana88.com
www.parimatch.com
www2.parimatch.com
favoritbet.com
www.marathonbet.com
www.sport-shans.com
golpas.com
www.buker.ru
www.virgingames.com
www.intercasino.co.uk
www.shans777.com
www.casino-versal.ru (does not currently resolve)
overbetting.ru
youcasino.ru (currently resolves to 127.0.0.1)
onlinecasinos.ru (currently resolves to 127.0.0.1)
onlinepokerinfo.ru
fpclub.ru
pokerlistings.ru
goplayclub.com
poker-online.ru
raketracker.ru
pokermoscow.ru
pokerland.ru
betcity.ru
bet-at-home.com
partycasino.com
www.takewin.ru
www.europacasino.com
www.fulltiltpoker.com
www.titanpoker.com
www.cdpoker.com
cachewww.titanpoker.com
This is a rather staggering list. Keep in mind this is just going back a week and each listed DNS entry was attacked for at least multiple hours if not days. Also, this is only the gambling related websites. Mixed in between are websites for dedicated hosting, financial earnings, advertising, e-payment and more. However, there is a quite obvious and consistent theme on attacking poker and gambling websites for the past week.

It would appear that most of the websites are Russian gambling websites. However, the most recent attacks have been against larger non-Russian websites and we can see they also attacked Party Gaming (one of the largest if not the largest) and Virgin Games in between. Why are they doing this? That we do not really know. This could be a range of tests that precedes an extortion attempt. Perhaps someone is paying to have the websites of the competition brought down? We do not have any real way to tell at this point. What is clear though is that several gambling websites are being brought down.

As of the writing of this post Titan Poker and Full Tilt Poker are still being attacked. It appears Full Tilt Poker has just started redirecting traffic to www2.fulltiltpoker.com which is on a new IP address. Titan Poker has been fully unavailable for the last few hours, as the attackers have shifted their most recent attacks against cachewww.titanpoker.com. We have just recently sent the details of this command and control (C&C) server to Layered Technologies (the current location the bots phone into) for action. Hopefully they will be able to assist us in putting a stop to some of these attacks.

Update: It appears the C&C server is now offline. We cannot confirm it but it appears Layered Tech took relatively swift action and has taken this server down.

Posted February 18, 2008, at 11:39 AM by Steven

Great post... moved to General Questions.
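The Shadowserver post quoted above describes the attack as a flood of bogus GET requests from the bots against each target website. The following is an added example of what the target's side of that looks like in practice; it is not code from Shadowserver, Full Tilt Poker or anyone in this thread. It parses standard "combined" format web server access logs and flags any source IP that issues more than a threshold of GETs inside a sliding time window. The log lines, the IP addresses, the window of 10 seconds and the threshold of 20 requests are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line; only the fields the detector uses are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_get_flooders(lines, window_seconds=10, threshold=20):
    """Return {source_ip: peak_count} for every source that issued more than
    `threshold` GET requests inside any sliding window of `window_seconds`.

    Lines only need to be in time order per source IP, which is how a web
    server writes them. Non-GET requests and unparsable lines are ignored.
    """
    recent = defaultdict(deque)  # source ip -> timestamps of its GETs still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window ending at this request.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def make_sample_log():
    """Constructed sample traffic (not real logs): one bot hammering '/' 30 times in
    under five seconds, and one ordinary visitor fetching a page every ten seconds."""
    base = datetime(2008, 2, 17, 9, 0, 0, tzinfo=timezone.utc)

    def fmt(t):
        return t.strftime(TS_FMT)

    lines = []
    for i in range(30):  # flood: 150 ms apart (the log records whole seconds only)
        t = base + timedelta(milliseconds=150 * i)
        lines.append(f'203.0.113.7 - - [{fmt(t)}] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.0"')
    for i in range(5):  # normal browsing
        t = base + timedelta(seconds=10 * i)
        lines.append(f'198.51.100.4 - - [{fmt(t)}] "GET /page{i}.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"')
    t = base + timedelta(seconds=50)
    lines.append(f'198.51.100.4 - - [{fmt(t)}] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, count in find_get_flooders(make_sample_log()).items():
        print(f"{ip}: {count} GETs within a 10 s window")
```

On the constructed sample only 203.0.113.7 is reported. A per-source threshold like this catches the noisiest bots, but a large botnet spreads the flood across thousands of addresses that each stay under any sane per-IP limit, which is why the post notes that the site with upstream DDoS scrubbing (CDPoker via Prolexic) stayed up while the others did not. Aggregate request rate, repeated identical paths and uniform User-Agent strings across many sources are the next signals to check, and blocking has to happen upstream of the web server once the link itself is saturated.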
dumwaldo
Message Board Junkie


Joined: 23 May 2006
Posts: 1596
Location: look to the stars

Posted: Wed Feb 20, 2008 9:11 pm

Excellent post, thank you very much for the info.
g_420man
Message Board Junkie


Joined: 13 Dec 2007
Posts: 1517
Location: Fulltilt poker. Where tilting is a normal thing.

Posted: Wed Feb 20, 2008 9:12 pm

I saw this and copied and pasted it from another forum. But I don't know what it means. So if someone knows what this means, can you please help me out and explain?
ManilaDog
Message Board Junkie


Joined: 09 Feb 2007
Posts: 3529
Location: Brockton Ma and Republic Of Philippines

Posted: Wed Feb 20, 2008 9:20 pm

g_420man wrote:
I saw this and copied and pasted it from another forum. But I don't know what it means. So if someone knows what this means, can you please help me out and explain?



You can get the full story and two links with all you need to know at PokerKing.
All times are GMT - 4 Hours