I accidentally made law enforcement shut down their stresser honeypot

What is Operation PowerOFF? Before we get into the funny part, you need a quick summary. Operation PowerOFF is a massive international effort to stop DDoS-for-hire services. While it includes agencies like the FBI, the UK National Crime Agency, and Europol, the whole thing seems to be heavily coordinated by the Dutch Politie. The Dutch police appear to run the actual infrastructure for these operations. They have been active for quite some time now, and over the years they have managed to seize maybe around one hundred domains and make a few arrests here and there.

Digging into “Cyberzap”: I have been looking around Operation PowerOFF for a bit, and whilst digging around, I stumbled across a website called https://cyberzap.fun/. It did not look flawlessly professional, but it definitely looked legit enough. It perfectly mirrored the thousands of skidded booter sites floating around the internet. It was not perfect, but there was absolutely a solid effort put into it. They even set up robots.txt files, sitemaps, SEO friendly meta tags, and everything else a real website needs to rank on search engines.

However, there was a massive giveaway if you even slightly started looking. The Dutch police absolutely love using bit.nl as their server host. And when you check the MX DNS records, Cyberzap used bit.nl for their mail servers. I decided to sign up to see how deep this went. I just wanted to let them know that I’m just researching, and not an active cyberterrorist™. So I registered with the email conducting-research-hello-operation-poweroff@lina.sh. (I sadly didn’t take any screenshots of the registration page, but it had a turnstile captcha and everything).

Surprisingly, they even sent a real activation email! It came with an activation link that had a token embedded, plus a manual code you could enter instead. The dashboard looked maybe a little empty, but still believable. It had fake network speed graphs that updated with the current time, and a fake counter of connected bots. I wanted to see what happened if I “ordered an attack”. Again, I didn’t want them to think I am an evil hacker, so I entered a silly domain. You could choose Bitcoin, Monero, PayPal, or Credit Card. But no matter what you picked, it would just spin for a few seconds and then present you with the message “Payment Error - There was an error processing your payment. Please try again or contact support.”

They really just let you prove your criminal intent, grab your IP address and email, and they probably plan to use that as “evidence” if it ever comes to it.

Scare tactics: Netcrashers. Cyberzap is meant to be a “secret” trap. But they also run another type of site. I found https://netcrashers.net/ around the same time. This site looks a lot faker; it promises to “crash all nets”. But the moment you click any button on the website, you immediately get redirected to a “scary” police warning page. That page literally says the domain is created and owned by the Dutch Police. “The Dutch Police has strong indications that you were looking for a DDoS-for-hire service. DDoS attacks are illegal and have serious consequences. You always leave traces online when committing cybercrime.” This is clearly designed for kids. A teenager looks up a DDoS site, clicks a button, and gets a huge jump scare with police badges. They get scared and close the tab.

Oops, they shut the whole thing down because of me. While I was digging around Cyberzap, testing shit, and taking screenshots, something quite funny happened: The feds literally pulled the plug on the site. I tried to load the page again, and I got hit with a 401 Unauthorized prompt. The website was locked down. I guess they saw my email address that greeted them. They probably received logs of someone “falling for it”, and saw someone was poking around their secret website, and knew who was behind it. They completely panicked. They even shut down a completely unused domain called bytecannon.net with the exact same authorization message.

What is the actual goal here? This brings up a really good question. What is the point of all this? The banner on netcrashers.net mentions “Law enforcement combats cybercrime both overtly and covertly”. We essentially found both of those methods. Netcrashers is the overt one, and Cyberzap is the covert one. Catching people probably isn’t the only goal. By running these honeypots, the police create suspicion and paranoia in the community. If you want to buy a DDoS attack, you now have to wonder if the website is real or just a police honeypot logging your IP. They want people to stop trusting these services entirely. So yeah, those honeypots are real and out there, so the message clearly is: “you can’t trust DDoS services”.