Here is the first article I have seen on this:
Monday, 18 February 2008
Gambling Websites Under Attack
As many of you know, we do a lot of work with internet relay chat (IRC)-based botnets. It was and for the most part still is the bread and butter of the botnet world. However, more and more new botnets are turning their backs on IRC and are moving to the web and embracing port 80. Well we haven’t just been sitting idle and twiddling our thumbs. We have been watching and monitoring HTTP-based botnets for quite some time now. Just yesterday one in particular managed to grab our attention, so we have decided to put it under the microscope.
Early yesterday morning I logged online to take a look at the live output of the distributed denial of service (DDoS) attacks that have been coming from HTTP botnets we are monitoring. It only took a moment for this becoming rather interesting. The word “poker” appeared a few times and quickly caught my eye. As it turns out, I was logged in from my hotel room in Las Vegas and had actually just returned from playing poker. The output I was presented with looked something like this (extraneous and other information have been removed/edited):
ddos_command=`flood http`, control_server=`
ddos_command=`flood http`, control_server=`
ddos_command=`flood http`, control_server=`
These are all familiar websites, especially the website for Full Tilt Poker. They are one of the bigger Poker websites on the Internet. Typing all three of these websites into a browser revealed that only one of them, CDPoker, was actually accessible. For the next hour or so that I checked, I could not reach Full Tilt's website at all and Titan Poker would load sporadically. Further review would later show that CDPoker may have some form of DDoS protection through Prolexic and that Titan Poker was using four different IP addresses. That might explain why CDPoker had no load issues and Titan Poker would periodically load, albeit usually rather slowly. It would appear that Internet poker websites were under attack. As a result we decided to dig a little deeper into the activities of this particular HTTP botnet.
It wouldn’t take long to find out this botnet wasn’t just going after poker, but rather gambling sites in general for the past week or so. Some were attacked for a few hours and others for a few days. Each attack is designed to overwhelm the websites with tons of bogus GET requests. The desired result of the attacker is to completely disrupt service to the website (hence denial of service). We do not know how many of the attacks succeeded since there’s no way for us to go back and tell. However, we do have a list of the gambling websites they attacked. From February 10, 2008 to February 18, 2008, the following gambling websites were targeted:
fontana88.com
www.parimatch.com
www2.parimatch.com
favoritbet.com
www.marathonbet.com
www.sport-shans.com
golpas.com
www.buker.ru
www.virgingames.com
www.intercasino.co.uk
www.shans777.com
www.casino-versal.ru (does not currently resolve)
overbetting.ru
youcasino.ru (currently resolves to 127.0.0.1)
onlinecasinos.ru (currently resolves to 127.0.0.1)
onlinepokerinfo.ru
fpclub.ru
pokerlistings.ru
goplayclub.com
poker-online.ru
raketracker.ru
pokermoscow.ru
pokerland.ru
betcity.ru
bet-at-home.com
partycasino.com
www.takewin.ru
www.europacasino.com
www.fulltiltpoker.com
www.titanpoker.com
www.cdpoker.com
cachewww.titanpoker.com
This is a rather staggering list. Keep in mind this is just going back a week and each listed DNS entry was attacked for at least multiple hours if not days. Also, this is only the gambling related websites. Mixed in between are websites for dedicated hosting, financial earnings, advertising, e-payment and more. However, there is a quite obvious and consistent theme on attacking poker and gambling websites for the past week.
It would appear that most of the websites are Russian gambling websites. However, the most recent attacks have been against larger non-Russian websites and we can see they also attacked Party Gaming (one of the largest if not the largest) and Virgin Games in between. Why are they doing this? That we do not really know. This could be a range of tests that precedes an extortion attempt. Perhaps someone is paying to have the websites of the competition brought down? We do not have any real way to tell at this point. What is clear though is that several gambling websites are being brought down.
As of the writing of this post Titan Poker and Full Tilt Poker are still being attacked. It appears Full Tilt Poker has just started redirecting traffic to www2.fulltiltpoker.com which is on a new IP address. Titan Poker is currently fully unavailable for the last few hours as they have shifted their most recent attacks against cachewww.titanpoker.com. We have just recently sent the details of this command and control (C&C) server to Layered Technologies (the current location the bots phone into) for action. Hopefully they will be able to assist us in putting stop to some of these attacks.
Update: It appears the C&C server is now offline. We cannot confirm it but it appears Layered Tech took relatively swift action and has taken this server down.
One of my site visitors e-mailed the following:
I used to browse and read different poker forums and it's true that the
last couple of weeks there was quite an unusual amount of posts from
people complaining that they were not able to log in on their favorite
poker room (especially Full Tilt), or were suffering some lags or even
being disconnected while playing online. I guess the information
from this website is just bringing some light on what may have really
happened then...especially when we just can't expect the poker rooms to
tell us what's really going on....
IN ANY EVENT, this is very interesting!