Taking on an Online Extortionist

Posted by timothy on Wed May 04, 2005 11:12 AM
from the and-shove-it dept.
An anonymous reader writes "When an online extortionist comes a-knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
  • oblig Churchill (Score:5, Funny)

    by isecore (132059) <isecoreNO@SPAMisecore.net> on Wednesday May 04 2005, @11:14AM (#12432550) Homepage
    "We will fight them in the CAT5, on the routers, in the packets. We will never surrender"

    Or however he said it :)
    • Re:oblig Churchill (Score:5, Informative)

      by sqlgeek (168433) on Wednesday May 04 2005, @11:27AM (#12432713)
      "We shall not flag nor fail. We shall go on to the end. We shall fight in France and on the seas and oceans; we shall fight with growing confidence and growing strength in the air. We shall defend our island whatever the cost may be; we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall never surrender and even if, which I do not for the moment believe, this island or a large part of it were subjugated and starving, then our empire beyond the seas, armed and guarded by the British Fleet, will carry on the struggle until in God's good time the New World with all its power and might, sets forth to the liberation and rescue of the Old."
      [ Parent ]
  • Even Slashdot? (Score:5, Funny)

    by troc (3606) <`troc' `at' `mac.com'> on Wednesday May 04 2005, @11:14AM (#12432561) Homepage Journal
    "They threw everything they had at us. I was just in shock."

    I guess that includes getting a mention on Slashdot?

    Troc
      • Re:Even Slashdot? (Score:5, Informative)

        by alienw (585907) <alienw.slashdot@NOsPaM.gmail.com> on Wednesday May 04 2005, @11:37AM (#12432832)
        Looks like you don't understand how DDOSs work. They get a whole lot of hijacked computers with DDOS trojans installed on them. MSIE makes this quite easy. Then they launch a DDOS at a website. You can't "block" the packets on the server because by the time your server gets them it's too late -- they have already clogged up your pipe. In fact, the traffic will probably overwhelm your ISP unless they are very large. The only place to block them would be on the ISPs main router, and that's pretty hard to do given that there could be thousands of different bots and they aren't that terribly different from ordinary users (other than the amount of traffic they generate).
        [ Parent ]
  • by LordByronStyrofoam (587954) on Wednesday May 04 2005, @11:14AM (#12432564)
    Seems kinda brutal to hit them with another DDOS.
  • That's frightening (Score:5, Interesting)

    by plover (150551) * on Wednesday May 04 2005, @11:16AM (#12432584) Homepage Journal
    It's a brilliant story, and you've got to applaud the guys at the victim site for sticking up for themselves.

    It makes me wonder if this new anti-DDoS company can somehow establish relationships with ISPs to track back the zombies and get them shut down more quickly? Seems that would be the sanest and most effective tool -- take away the bots. No bots -- no botnet -- no attacks.

    • Re:That's frightening (Score:5, Interesting)

      by Talking Goat (645295) on Wednesday May 04 2005, @11:40AM (#12432867)
      Or, the ISPs can do as the smart ones have done and deploy Tipping Point [tippingpoint.com] and begin to mitigate these attacks the moment they are detected on the border routers. It's smart, fast, and really good at shutting down the traffic generated by these botnets by giving the admin the ability to apply vendor-supplied templates, or to create your own. However, you'd need additional deployments inside the network to avoid fratricide, but you can't beat the intelligence behind this approach.
      [ Parent ]
  • Never pay (Score:5, Insightful)

    by nuggz (69912) on Wednesday May 04 2005, @11:22AM (#12432647) Homepage
    If they actually get money, they'll do it again and again.
    Any measure of success will encourage more of the same behaviour.
  • Good, some balls. (Score:5, Interesting)

    by vbrookslv (634009) on Wednesday May 04 2005, @11:22AM (#12432649)
    Glad to see someone standing up to these thugs. I remember a few years ago, the ISP that I admin'd hosted the connection for http://www.defcon.org/ [defcon.org]. We had someone start a Smurf attack from the Con, targeting our inbound T3's. We were able to track it down, and actually snatch him out of his seat right there at the con. He promptly apologized (I think, he only spoke German, IIRC). The look on his face was priceless. Oh, did I mention that I, and everyone else at the company, carry Glock 19's? Yeah, we didn't have any more problems for the rest of the con. Everyone was on their best behaviour. A bunch of fine, upstanding individuals. :)
    • Re:Good, some balls. (Score:5, Insightful)

      by Anonymous Luddite (808273) on Wednesday May 04 2005, @11:38AM (#12432846)
      >> and everyone else at the company carry Glock 19's?

      Please excuse my asking, oh well-armed-one, but WTF for?

      The glock is a fine weapon, and being an admin for an ISP is a fine job, but I can't quite see the relationship between the two things...
      [ Parent ]
  • Just do what we do on IRC (Score:5, Funny)

    by Anonymous Coward on Wednesday May 04 2005, @11:24AM (#12432674)
    Find out where they live and call their mom.
  • Extorting a gambling site? (Score:5, Funny)

    by wowbagger (69688) on Wednesday May 04 2005, @11:26AM (#12432699) Homepage Journal
    Extorting a gambling site? That strikes me as an LLM (life limiting move, c.f. career limiting move).

    Many gambling sites still have connections to, shall we say, respectable businessmen of the Italian or Asian persuasion, who are used to handling such matters extra-legally.

    You might just wake up one day with your computer's monitor (cables severed with an ax) in bed with you.

    Or Guido and Nunzio standing over you, giving you tips on the finer points of extortion while they wait for the concrete to set.
  • fighting back with infrastructure (Score:5, Interesting)

    by Ankh (19084) * on Wednesday May 04 2005, @11:28AM (#12432727) Homepage
    Some ISPs are doing customer-level ingress filtering -- e.g. if the "other end" of the cable modem gets a packet whose src address is not that of the cable modem, drop it on the floor, it's forged.

    The ease of infecting home XP systems remotely means you sometimes find teenagers with tens of thousands of zombie computers at their control. They can sell them to spammers, too.

    The ease of doing massive DDoS attacks is why I stopped running an IRC server, and also stopped a research project I was doing related to inter-protocol messaging. It wasn't worth the hassle.

    Fighting back is hard if you don't know who to fight, but in the case of extortion, (1) document everything on paper, (2) keep timestamped printed IRC logs of all conversations, and full email printouts; (3) ask some other people to print copies of their IRC logs when appropriate. Then contact the RCMP (or if you are in the USA, the FBI, but in the USA you need to show financial damage of $5,000 or more). Don't wait until it's all over before contacting them.

    Good luck!

    Liam
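The customer-level ingress filter Liam describes, written out as an added example (not code from the post or from any ISP): the edge device knows which source prefixes each customer port may originate, and any packet whose source falls outside them is treated as forged and dropped. The port names, prefix table and packet list are constructed; all addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed access-port table: the source prefixes each customer port is entitled
# to originate. In a real ISP this would come from DHCP leases, RADIUS or the IPAM;
# the port names and addresses here are illustrative only.
PORT_PREFIXES = {
    "cm-port-1": ["203.0.113.10/32"],    # one cable modem, one leased address
    "cm-port-2": ["198.51.100.0/29"],    # small-business customer with a /29
}


def ingress_decision(port, src_ip, table=PORT_PREFIXES):
    """Decide what the ISP-side edge does with a customer packet, by source address.

    Forward only if the source falls inside a prefix assigned to that port.
    Anything else (unknown port, unparsable address, an address that belongs to
    someone else) is treated as forged and dropped: BCP38-style ingress filtering.
    """
    allowed = table.get(port)
    if not allowed:
        return "drop"
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"
    for cidr in allowed:
        if src in ipaddress.ip_network(cidr):
            return "forward"
    return "drop"


# Constructed sample of packets seen on the access side: (port, source address).
SAMPLE_PACKETS = [
    ("cm-port-1", "203.0.113.10"),    # legitimate
    ("cm-port-1", "192.0.2.55"),      # forged: somebody else's address
    ("cm-port-2", "198.51.100.6"),    # legitimate, inside the /29
    ("cm-port-2", "198.51.100.9"),    # just outside the /29: forged
    ("cm-port-3", "203.0.113.10"),    # port with no assignment at all
    ("cm-port-1", "garbage"),         # unparsable source field
]


def filter_packets(packets=SAMPLE_PACKETS, table=PORT_PREFIXES):
    """Apply the filter to each packet and return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for port, src in packets:
        bucket = forwarded if ingress_decision(port, src, table) == "forward" else dropped
        bucket.append((port, src))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_packets()
    for port, src in drp:
        print("DROP   ", port, src)
    for port, src in fwd:
        print("FORWARD", port, src)
```

The check is deliberately placed at the customer's port rather than at the core: there the set of legitimate sources is tiny and known, so the decision is cheap and has no false positives, whereas further upstream the same spoofed packet is indistinguishable from normal traffic.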
  • No protection (Score:5, Interesting)

    by McGiraf (196030) on Wednesday May 04 2005, @11:34AM (#12432794) Homepage
    The thing with these DoS extortionists is that unlike the mafia or other groups they do not protect you from other extortionists. If you pay them they can stop their attack, but if someone else tries to attack you they cannot do anything.
  • by bigberk (547360) <bigberk@users.pc9.org> on Wednesday May 04 2005, @11:38AM (#12432843)
    This is an appeal to network admins working at ISPs, whether large or small. You have a responsibility to make sure that spam/attack zombies don't exist on your networks. These days it's a trivial task to check to make sure you're not part of the problem. This can be scripted so that you receive periodic reports of problem hosts on your system, which you can then firewall, disconnect, or restrict access to.

    There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr [pc-tools.net] to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies.
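The self-check bigberk describes, as an added example (not the poster's script and not grepcidr itself): take the prefixes you are responsible for, read a downloaded blacklist of single addresses and CIDR ranges, and report every entry that falls inside your address space. The blacklist text below is constructed for the example and contains no real listings; the "our networks" prefixes are RFC 5737 documentation ranges standing in for an ISP's own allocations.

```python
import ipaddress

# Constructed: the prefixes this ISP is responsible for. Replace with your own.
OUR_NETWORKS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed sample of a blacklist dump: one IP or CIDR per line, with comments
# and the odd malformed entry, as real downloads tend to have. Not a real export.
SAMPLE_BLACKLIST = """\
# constructed sample, not a real DNSBL export
192.0.2.77
203.0.113.45        # a host in our /24
203.0.113.200/30    # a small range in our /24
198.51.100.130      # in the /24, but NOT in our /25 (which ends at .127)
10.0.0.0/8
not-an-address
"""


def parse_blacklist(text):
    """Yield ip_network objects from a blacklist dump, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a range entry
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            # malformed lines are common in scraped lists; skip rather than abort
            continue


def find_listed_hosts(our_cidrs, blacklist_text):
    """Return a sorted list of (entry, our_network) for every blacklist entry
    that overlaps a prefix we are responsible for.

    This is the same question `grepcidr` answers from the shell: which listed
    addresses or ranges belong to us, and therefore which hosts need attention.
    """
    ours = [ipaddress.ip_network(c) for c in our_cidrs]
    hits = []
    for entry in parse_blacklist(blacklist_text):
        for net in ours:
            if entry.version == net.version and entry.overlaps(net):
                hits.append((str(entry), str(net)))
                break
    return sorted(hits)


def report(our_cidrs=OUR_NETWORKS, blacklist_text=SAMPLE_BLACKLIST):
    """Print a line per listed host/range and return the hits for scripting."""
    hits = find_listed_hosts(our_cidrs, blacklist_text)
    for entry, net in hits:
        print(f"LISTED {entry:<20} in our {net}")
    return hits


if __name__ == "__main__":
    report()
```

Run periodically against freshly fetched lists and you get the "report of problem hosts" the post asks for; the 198.51.100.130 line is there to show that a /25 allocation is matched exactly, not by the surrounding /24.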
  • EVIL! (Score:5, Funny)

    by jav1231 (539129) on Wednesday May 04 2005, @11:39AM (#12432853)
    Okay, I first read that as "Online Exorcist." I'm thinking, how does THAT work?
    TO: Satan@littlegirlshead.com
    From: Father Mayai (Yes, you may!)
    Subject: Notice of Eviction
    • Re:Here's a tip (Score:5, Insightful)

      by frikazoyd (845667) <frikazoyd AT yahoo DOT com> on Wednesday May 04 2005, @11:22AM (#12432653)
      I would think in the situation that the e-mail was ignored, it would enrage the extortionist into firing a warning shot, one that would for SURE get the guy's attention. In fact, from the article, it looks like that is sort of what happened. He didn't respond, just first sought consultation and alerted his ISP. Then the extortionist sent a second threat, but not until he had crashed a few ISP servers to get some attention.
      [ Parent ]
    • Re:Here's a tip (Score:5, Interesting)

      by suso (153703) * on Wednesday May 04 2005, @11:27AM (#12432701) Homepage Journal
      Actually, in relation to that, what happens when your spam filter marks such an email as spam? I guess you can say that's a major false positive.
      [ Parent ]
    • Re:Interesting article (Score:5, Informative)

      by snorklewacker (836663) on Wednesday May 04 2005, @11:24AM (#12432670)
      They prefer to use cracked ICQ accounts because it adds some misdirection to point to an existing entity, an older account may be less likely to be instantly shut off by automatic processes, and well, they're L33T H4X0RZ and cracking is what they like to do (at least the kids working for the extortionists -- the folks running the show are probably pretty rational organized crime types).
      [ Parent ]
    • Re:Fight! (Score:5, Insightful)

      by Anonymous Coward on Wednesday May 04 2005, @11:25AM (#12432683)
      Presumably, they will give you some way to pay them (else what is the point?). Point the cops and or feds at that contact, and see what happens.

      This is where R'ingTFA comes in...

      If no joy from the authorities, I'm sure your local newsrag would be glad to shame the cops into doing something. Of course, if the extortionist is overseas, things might be a little difficult.

      Again, this is where R'ingTFA comes in. I'd also add that one downside of moving your business to an unregulated third world country is that neither the local journalists nor the local cops are especially interested in your gringo problems. I don't understand why Scotland Yard bothered with him.

      [ Parent ]
    • Re:Curious (Score:5, Funny)

      by Secrity (742221) on Wednesday May 04 2005, @11:31AM (#12432757)
      Wormholes.
      [ Parent ]
    • Re:Curious (Score:5, Funny)

      by Gzip Christ (683175) on Wednesday May 04 2005, @11:34AM (#12432801) Homepage
      I've always wondered...when a site is slashdotted, it implies that the site has been hit by high referrals from slashdot, causing it to become slow or go down totally. But how does slashdot itself cope with the high traffic?
      It's quite simple, really - Slashdot just doesn't link to itself.
      [ Parent ]
    • Re:Curious (Score:5, Informative)

      by dougmc (70836) <dougmc+slashdot@frenzied.us> on Wednesday May 04 2005, @11:37AM (#12432831) Homepage
      But how does slashdot itself cope with the high traffic?
      Lots of bandwidth, lots of hardware. Since it gets `slashdotted' every single day, it'll be pretty easy to predict how much traffic you'll get tomorrow -- approximately the same as you got yesterday, perhaps a bit more.

      But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.

      Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000x fold increase.

      [ Parent ]
    • Re:Curious (Score:5, Funny)

      by MyLongNickName (822545) on Wednesday May 04 2005, @11:39AM (#12432852) Journal
      That's the trick. Most people would say "bigger servers" and "bigger bandwidth". But I know the real reason. Notice how you get 'Service Unavailable'? Every so often? I found that if more than 50 people are accessing Slashdot at the same time, that their database cannot handle it. In reality, this site is hosted on an Amiga. Only 50 users you say? That can't be.... just look at my User ID!

      All the 813,621 users before you don't really exist. These messages are randomly generated geek buzzwords. "Users" are given personalities, ranging from "Linux lover" to "Windows loser", from "I'm just a troll" to "IAARS", from "Funny" to "I take myself serious, but no one else does".

      Those "personalities" alter the pre-populated phrase list according to topic (actually, I am not even sure the topic matters). Think of it as an advanced Turing simulation.

      I was fooled for my first three months. Then, I saw the predictable responses, and realized that there was no actual intelligence here. Just the occasional real life person who wanders in and is fooled for a while. The auto-misspell feature was a nice addition, I have to admit.

      Want proof? Pick a user id. Peruse the message list. Notice the lack of variety? Notice the lack of real meaning behind each message? And when there is real content, try browsing earlier messages. You will find phrases ripped verbatim from an earlier post.

      Of course, you may also be a bot. CommanderTaco is always making tweaks to the message generation algorithm (though his posts, too, are mostly generated by code). I will have to peruse your message history when I am done posting here.
      [ Parent ]
      • Re:Question (Score:5, Interesting)

        by American AC in Paris (230456) * on Wednesday May 04 2005, @11:42AM (#12432886) Homepage
        I don't have a beef with Mr. Piquepalle anymore, but I'd suggest you dig through some of his early submissions for an answer. As of late, Mr. Piquepalle has been going the full-disclosure route--that is, he makes no secret of the fact that he's affiliated with the sites he submits to Slashdot. Early on, though, Mr. Piquepalle regularly pretended to be "just some guy" who found sites like Engadget interesting. That's not good; if you're affiliated with what you're plugging, you should be candid and open about that fact. Failure to provide full disclosure puts you in the same boat as the likes of Armstrong Williams, who conveniently forgot to mention that he was being paid off by the administration to plug No Child Left Behind in what were ostensibly opinion pieces. It's a dishonest and unethical practice, to say the least.

        But like I said, he's cleaned up his act in recent months, so I no longer have a beef with him. Some folks, on the other hand, still hold this against him--which isn't an entirely unreasonable position to take.

        [ Parent ]