
TRD Admin On The Ransom DDoS That Is Hitting The Dark Net Markets

The admin of TheRealDeal market (http://trdealmgn4uvm42g.onion.rent/) provided us with some insights about the DDoS attacks that have been hitting all the major DNMs over the past week:

In the past few days, it seems like almost every DN market is being hit by DDoS attacks. Our logs show huge amounts of basic HTTP requests aimed at dynamic pages, probably in an attempt to (ab)use as many resources as possible on the server side, for example by requesting pages that execute many SQL queries or generate captcha codes.

As we are security oriented, we managed to halt the attack on our servers the moment it showed up in the logs, although this required fast thinking, since dealing with this kind of attack over Tor is not the same as dealing with such an attack over the clearnet. New addresses? Shifting pages? Waiting? None of these worked for other markets…

Here you can see the beginning and failure, as caught by Dnstats:

[image: failddos]

As you can see, our market’s response time spiked to almost 70 seconds, while our market’s usual response time is insanely fast, almost like most clearnet sites. But you can also see that the response time was back to 2-3 seconds a little after. Here is an example of a darknet market that didn’t know how to combat this problem:

[image: gooddos]

The flat line at 0 seconds means there was no response from the server.

The Problem

As opposed to clearnet attacks, where mitigation steps could be taken by simply blocking the offending IP addresses, when it comes to Tor the requests are coming from the localhost (127.0.0.1) IP address, as everything is tunneled through Tor.

[screenshot]

Another problem is the fact that the attackers are using the same user agent as Tor Browser, hence we cannot drop packets based on UA strings.

The attackers are also aiming for critical pages of our site, for example the captcha generation page. Removing this page would not allow our users to log in, or would open the site to brute-force attempts. Renaming this page just made them aim for the new URL (almost instantly; it seems very much automated). One of the temporary solutions was to run a script that constantly renamed and rewrote the login page after one successful request for a captcha… The attacks then turned into POST requests aimed at the login page.

Solutions

If you are a DNM owner or just the security admin, check your web server logs. There is something unique in the HTTP requests, maybe a string asking you to pay to a specific address (assuming these are the same offenders). Otherwise there might be something else… Hint: you might need to run tcpdump during an attack.

Hopefully you are not using some kind of VPS and have your own dedicated servers and proxy servers. Or, if you are using some shit VPS, then hopefully you are using KVM or Xen (the first reason being that the memory is leakable and accessible by any other user of the same service).

The other reason is control at the kernel level. You can drop packets containing specific strings by using iptables, or use regex too. This is one example of a command that we executed (amongst others) to get rid of the offenders; we cannot specify all of them, so be creative!

iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "(RANSOM_BITCOIN_ADDRESS)" -j DROP

Where (RANSOM_BITCOIN_ADDRESS) is the unique part of the request…

To Other Market Admins:

There are additional things to be done, but if we expose them, this will only start a cat-and-mouse game with these attackers. If you are a DNM admin, feel free to sign up as a buyer at TheRealDeal Market and send us a message (including your commonly used PGP key), since at the end of the day, even though you might see us as a competitor in a way, there are some things (like people stuck without their pain medication from Mexico) that are priceless…

Thanks to the TheRealDeal market admin (http://trdealmgn4uvm42g.onion.rent/) for providing us with this info!
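
As an added illustration (not code from TheRealDeal or from this site), the following Python script shows the detection side of what the admin describes. Behind a Tor hidden service every request arrives from 127.0.0.1 with the Tor Browser user agent, so the clearnet reflex of filtering by IP or UA has nothing to bite on; what still varies is the request line and its timing. The script parses constructed combined-format access-log lines, shows that the client IP and UA fields have a cardinality of one, finds the dynamic path hit far above the per-second baseline, extracts the query token that every request in the flood carries and no legitimate request does, and turns that token into the iptables string-match rule quoted in the article. The log lines, the paths, the threshold and the ransom=RANSOM_BITCOIN_ADDRESS marker (reusing the page's own placeholder) are all constructed for this example; the rule's -i lo assumes tor and the web server share a host, which is what the 127.0.0.1 source in the admin's account implies.

```python
"""Added example (not TheRealDeal's code): spot an HTTP flood behind a Tor hidden service.

Every request reaches the web server from the local Tor daemon, so the client IP
is always 127.0.0.1 and the user agent is Tor Browser's; only the request line
and its timing still carry signal. The sample log lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Tor Browser's user agent of the period; users and attackers alike present it.
TBB_UA = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"


def _line(ts, request, status, size):
    """Build one combined-log-format line as nginx/Apache behind tor would write it."""
    return f'127.0.0.1 - - [{ts}] "{request}" {status} {size} "-" "{TBB_UA}"'


# Constructed sample: a minute of normal browsing, then one second in which a
# single dynamic endpoint is hammered with a marker naming where to pay.
SAMPLE_LOG = "\n".join([
    _line("10/Apr/2015:14:50:14 +0000", "GET / HTTP/1.1", 200, 5120),
    _line("10/Apr/2015:14:50:16 +0000", "GET /captcha.php HTTP/1.1", 200, 1432),
    _line("10/Apr/2015:14:50:31 +0000", "POST /login.php HTTP/1.1", 302, 0),
    _line("10/Apr/2015:14:50:45 +0000", "GET /captcha.php HTTP/1.1", 200, 1430),
    _line("10/Apr/2015:14:51:02 +0000", "GET /listings?cat=3 HTTP/1.1", 200, 9021),
    *[_line("10/Apr/2015:14:51:10 +0000",
            "GET /captcha.php?ransom=RANSOM_BITCOIN_ADDRESS HTTP/1.1", 200, 1431)
      for _ in range(8)],
    _line("10/Apr/2015:14:51:11 +0000", "GET /captcha.php HTTP/1.1", 200, 1432),
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields we filter on, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "ua": m["ua"], "method": m["method"],
            "path": url.path, "query": url.query,
            "second": ts.strftime("%Y-%m-%dT%H:%M:%S")}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def cardinality(entries, field):
    """Distinct values a field takes; 1 means it cannot separate attacker from user."""
    return len({e[field] for e in entries})


def hot_buckets(entries, per_second_limit):
    """(second, path) pairs hit more than per_second_limit times: the flood."""
    hits = Counter((e["second"], e["path"]) for e in entries)
    return {key for key, n in hits.items() if n > per_second_limit}


def flooded_paths(entries, per_second_limit):
    return sorted({path for _, path in hot_buckets(entries, per_second_limit)})


def _tokens(entry):
    return {f"{k}={v}" for k, v in parse_qsl(entry["query"], keep_blank_values=True)}


def distinguishing_tokens(entries, per_second_limit):
    """Query tokens carried by every flood request and by no other request:
    the 'unique part of the request' a string-match rule can key on."""
    hot = hot_buckets(entries, per_second_limit)
    flood = [e for e in entries if (e["second"], e["path"]) in hot]
    rest = [e for e in entries if (e["second"], e["path"]) not in hot]
    if not flood:
        return set()
    common = set.intersection(*(_tokens(e) for e in flood))
    return common - set().union(*(_tokens(e) for e in rest))


def iptables_rule(token, port=80):
    """The article's kernel-level drop, built from the discovered marker.
    -i lo assumes tor and the web server share a host (the 127.0.0.1 the admin
    describes); -m string matches one packet at a time, so a marker split across
    TCP segments slips past it."""
    if any(c in token for c in '"\\\n'):
        raise ValueError("marker needs shell quoting; pick a simpler substring")
    return (f'iptables -A INPUT -i lo -p tcp --dport {port} '
            f'-m string --algo bm --string "{token}" -j DROP')


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("distinct client IPs:", cardinality(entries, "ip"),
          " distinct UAs:", cardinality(entries, "ua"))
    print("flooded paths:", flooded_paths(entries, 5))
    for token in sorted(distinguishing_tokens(entries, 5)):
        print(iptables_rule(token))
```

Two caveats a practitioner should keep in mind with -m string: it inspects one packet at a time, so a marker that straddles a TCP segment boundary is not matched, and the Boyer-Moore search runs on every packet to the port, so keep the pattern list short and specific enough not to drop legitimate requests. Once the attacker moves to POST requests, as the admin reports, the marker may sit in the body rather than the request line, which is where the tcpdump hint comes in: the access log does not record bodies, but a capture on lo does.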

29 comments

  1. LOVE TRD admins and love their system, especially this:

    (14:50:14) [email protected]/Market: You have a new order.
    (14:55:37) [email protected]/Market: You have a new order.

    Keep up the good work!

  2. I am so fucking blown away at what I just read and utterly impressed with this realdealguy’s attitude that I am going to check out his market. This is absolutely the first time I have EVER seen a site actively trying to help other markets instead of actually doing the attacks like those faggots at SR2. I have been around since day one and this story is remarkable in just how fucking bizarre the notion seems. Maybe there are some site owners out there finally that “get it”.

    Great job bringing this article here ddw and thanks mr. realdeal. I don’t know a god damn thing about you or your market, but that’s gonna change tonight.

  3. Admins seem like good people, going to open a vendor account tomorrow (if and when I can get my coins out of another market)

  4. Haha, your poor attempt to block DDoS, and what about when attackers do not even use a “unique part of the request”? Then you may be lost.

    • TheRealDeal

      Inspector – I don’t know who you represent or what market you own, but you have been here since day 1 criticizing each and every post related to us.

      In case your English skills or concentration level don’t allow you to put together a few words on a page, I’ll quote the article for you again:
      “…This is one example of a command that we executed (amongst others)…”

      Or perhaps you are here to try and fish more information?

    • TheRealDeal

      I’ve got a feeling you are LE, Inspector.

      • inspector

        You are too sensitive. I only have a lot of suspicious thoughts. I have some English skills, but I do not find in the article another method, only the one with the unique string.
        So calm down, you are calling yourself an expert, and I am only asking about or pointing to interesting things.

      • inspector

        I am sure you only know the public method found by Google. So you do not know any other method, because you are using a demagogic answer (in other words you still talk the same shit).
        If you are a security expert then I am LE, LOL.

  5. Thank you for the kind words everybody.

  6. Can confirm, inspector works for us.

    • inspector

      And what about when attackers come with a more sophisticated kind of attack? I am talking about other methods of how to secure markets, like CloudFlare… (not about this simple solution which can easily be found by Google and which most admins already know…).

      So RDM, what about another working method, when your publicized one with the unique string fails? Hmm.

  7. Inspector is the guy that sent the ransomware DDoS and is just bitter he didn’t get his 10 BTC. Now he is just whining like a child, saying that he will get you with a more sophisticated attack.

    • That is a possibility, seeing that he is trying to be manipulative in a very childish manner, along the lines of getting someone to say something like “But that’s not all we did! we did a, b, c, d and e too!” – even though the end of the article makes it quite clear that 1 simple command is not all that was needed to stop this particular attack on this particular market.

  8. I make no claim to be any kind of expert in these type of attacks but I have many years of experience in dealing with card and payment related matters.

    Great post from TRD, never reveal more than is absolutely required in terms of combating the current MO. It is standard practice to only use the bare minimum of what is required to carry out whatever fraud / attack.

    Once this MO has been thwarted it will be changed and other options will come into play.

    Whilst these attacks are clearly a pain in the rear, such things force better security and resilience, things that are clearly somewhat lacking in some quarters ATM.

    Fight the power ;-)

  9. If you are an expert then why are you using free open-source code and asking lots of money for it?
    You are even putting this open-source code up for sale… which is very stupid.
    So, expert, why do you not have your own source code?
    I do not trust any comment of yours; you are another big cheater on the scene. Maybe you also have a connection with Hades, Absolem, Havana or EVO (because your behaviour is very similar).

    • TheRealDeal

      Did we or someone else touch a nerve Inspector/Officer/DDoSer?

      We are using OSS because it works (after heavy modification) and because when it does it serves our purposes greatly – we have answered all these questions that you ask in every single post related to us.

      It is not stupid, since the code is a lot different from the original; not only does it work now, but it is also very safe and secure.
      If you managed to read the license it is released under, you would see that it is perfectly fine to do so, and this is also stated by the original creators.

      You don’t have to trust any of our comments and you don’t have to sit around refreshing DDW waiting for anything related to TRD either.

      As to your other comment about the admins of DDW listing an untrusted market, we have way over 1000 satisfied orders; the order counter does not reflect anything… but hey, even you placed an order with us. Whoever is paying you is wasting their money :)

      We wish you the best,
      TheRealDeal Market

      • inspector

        An expert might know that DDoS over Tor cannot be produced by one person. You can be sure I have nothing to do with it.
        I am only pissed because on the scene there are too many markets which look very similar (anarchia knv7gttjupj66hak.onion.rent, RDM, …) and more are coming…
        So more markets than trusted vendors on them…
        That is annoying (and nothing personal).

        • TheRealDeal

          Anarchia is a joke… they have clearnet domains and CloudFlare; you will probably see the operators on the news soon… It is in fact based on the old BitWasp and I can show you some bugs that do not exist @ TRD.

          Here is an example of something that exists at “Anarchia” but not at TRD:

          http://knv7gttjupj66hak.onion.rent/application/views/admin/users.php

          I can understand your frustration but not sure why you follow our posts in particular…

          And when it comes to DDoS, all it takes is 1 person with resources; it’s nothing special.

  10. Asking myself: why does the admin add any new untested market which has under 1000 sales…
    Is the marketplace list not big enough? Why are you filling the list with suspicious marketplaces?
    Admin: I hope you will change this ASAP.

  11. ItsOkToBeOverlyCautious

    TRD has done a good job of making himself look technically adept at providing security, which, as you can tell by the comments in this thread, has acted as an efficient lure to get vendors to sign up at his site “and send us a message (including your commonly used PGP)”.

    That’s great. It also appears to be a great trick for LE to use, no? Provide a false sense of security?

    I’m not saying TRD is or isn’t anything, and hopefully he does turn out to be a good guy, but people shouldn’t be talked down to just for keeping an open mind, and Inspector is right that the DDoS mitigation TRD specified is very simple to bypass.

    • We did not ask for any vendors to sign up; we have many new vendors joining every day.

      We only wrote that if other market admins need help, they can sign up as a buyer for free and send us a message, including their public PGP key which is advertised on their markets, to prove it is actually them and not the offenders seeking to gain information, and we will provide them with more complex and effective solutions to tackle these specific offenders. Things we cannot publish here, otherwise they will just figure out ways to bypass these techniques.

      We are very much in favor of freedom of speech, but Inspector here has followed every post related to us just to leave mostly baseless, negative comments about us.

      I would love to see at least 1 of the 4 market admins that we helped comment here with a signed message. We didn’t ask for anything in return but this would be a nice “thank you” :)

  12. I signed up as a vendor, being a reputable vendor from Agora and BBM… It’s had over 36 confirmations and yet when I sign into my vendor account it says to pay into the address I’ve already paid into. Please check your records.

    • TheRealDeal

      Leave us a message at support please, but this has already been fixed.
      We had a minor issue for 24 hours, lost track of some transactions and had to sign and approve everything manually… but everything is back to normal now!

      Sorry for this inconvenience,
      TRD Admin

  13. FaithInHumanityRestored

    I think the comments were a better read than the article…
    Nah, reading this page gave me the same feeling I got when I first started using ME. The admins there really gave me a sense of security, and that they really cared about other people, not just the money they bring.
    I get that they are busy-busy, especially with the recent avalanche of Evo users migrating, but the admins at ME seem to have lost their way in the last few weeks before these recent attacks. This is a shame, and if they continue down this road, you will surely be finding me on TRD.
    For now though, I will stay faithful, and hopeful.
    You’re definitely doing it right!
    Stay safe, Good luck

  14. I just found a bug on your site… I am pretty sure it is not the last one.

    trdealmgn4uvm42g.onion.rent/bip32

    Also the search function for products looks very unprofessional; you should close your shit before someone takes down your pathetic attempt at a shop.

    • clucker

      Which site is the most secured according to you?

      • inspector

        Currently AlphaBay, but I do not like the online wallet options; it is space for an exit scam. Also I do not trust their owner; he could be one of the EVO admins for sure. So I only trust trusted vendors which have their profile located on GRAMS.

  16. I am a vendor on THEREALDEAL and I think the site is bullshit, I sold something, the buyer received it and tried to release the money and the admin has not released the money. The admin keeps telling myself and the buyer that they are trying to work it out, but I think it is bullshit. I would be careful becoming a vendor on TRD!!!
