Forgot your password?
typodupeerror
The Internet Security The Almighty Buck IT

DDoS Extortion Attempts On the Rise 277

Posted by michael
from the pay-to-play dept.
John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
This discussion has been archived. No new comments can be posted.

DDoS Extortion Attempts On the Rise

Comments Filter:
  • Null routes? (Score:4, Informative)

    by IversenX (713302) on Tuesday October 26, 2004 @01:21PM (#10632402) Homepage
    Sure, Null Routes are great for throwing away traffic, but they don't work against DDoS (notice the extra "D"!). The whole _point_ of DDoS is that the traffic comes from so many sources that the manual work involved in blocking it is huge.
    • Re:Null routes? (Score:5, Insightful)

      by antifoidulus (807088) on Tuesday October 26, 2004 @01:23PM (#10632423) Homepage Journal
      Not to mention that the zombies you are blocking may very well be potential customers(note that they are attacking gambling sites), never a good idea to block your customers.....though educating them might not hurt.
    • Re:Null routes? (Score:4, Informative)

      by tomstdenis (446163) <tomstdenis@gmail.TIGERcom minus cat> on Tuesday October 26, 2004 @01:53PM (#10632761) Homepage
      Um you can easily do an hour ban on excessive hits from a given IP. Write a module for Apache that counts the hits from a given IP. If it hits a certain threshold [say > 100 hits a minute or >x KB per second] then it simply adds the ip to a firewall [ipchains, netfilter, etc].

      By making the banning automated you can easily cope with a DDoS.

      Some other things to help cope

      - Make small pages, well compressed images

      - Don't make highly detailed pages you can get to without loging in first [e.g. avoid server cpu load]

      - Load balance ;-)

      Tom
      • Some other things to help cope

        Make small pages, well compressed images

        Don't make highly detailed pages you can get to without loging in first [e.g. avoid server cpu load]

        ...

        That sounds more like a lesson in how to survive a slashdotting then a DDoS. Or are they one in the same?

      • Two problems:

        1. A full fledged ddos attack will likely saturate your switch-port (if it's 100mbit) so your webserver will not receive a lot of legitimate requests anymore.

        2. Your ISP is going to bill the ddos packets to you if you don't tell them to cut it off. 400 zombies sending at 25k/s each would suffice to deliver 10M/s to your front door. Given a few big pipes (office or *shudder* university lines) on the zombie network drastically reduce the number of zombies required to plug up a 100mbit-link but
      • That's not quite understanding the scale of the problem.

        A DDOS will also cause most loadbalancers and firewalls to fall over even if you have the machines numbers to deal with it. But all this is irrelevant as your line will be saturated.

        If you are hosted at a small ISP they may also be totally saturated to their upstream provider and they will need to contact them.

        If your on a tier 1 backbone your uplink will saturate quickly particularly if you are only on a 100MB/s burstable line and probably the netw
      • Which is fine and dandy if you live in the magical world of unlimited bandwidth. Lets say hypothetical situation:

        Site has 100mbit of bandwidth
        Site only allows packets from the ip 1.2.3.4, rest is silently dropped (not even sending a RST or anything)
        200mbit worth of packets are flying towards site.

        What happens when 1.2.3.4 tries to connect to the site?
  • Pay up (Score:5, Funny)

    by Anonymous Coward on Tuesday October 26, 2004 @01:22PM (#10632409)
    Pay up or I'll suggest a /. article about you, and you know the editors will accept it too!
  • by Kenja (541830) on Tuesday October 26, 2004 @01:23PM (#10632415)
    If you dont send 1,500$ to the following PayPal acount I will post an article about your company on Slashdot.
  • How long... (Score:5, Funny)

    by Tyndmyr (811713) * on Tuesday October 26, 2004 @01:23PM (#10632428)
    Ever been tempted to track the random people who attempt to hack/spam you, and beat them senseless? If only we could network this...I'll beat the people that live near me, and we can all post our catches on a forum somewhere...

    If only it were that simple.

    • by YankeeInExile (577704) * on Tuesday October 26, 2004 @01:30PM (#10632509) Homepage Journal

      While fantasizing about vigilanteism is entertaining, it really is not a good idea, just because of the lack of control.... to-wit:

      Hey, HeadCrackers Ltd. I was recently DDoSed by a group of hackers, led by someone who uses the slashdot handle Tyndmyr. I don't know anything else about him, but I would really appreciate it if someone would lop off a few fingers. Not only did he totally scrag my website "e-My-pretty-pony", costing me millions of dollars in lost sales revenue overnight, but he sent henchmen to my house who dyed my cat blue! I really hate him! MURDER! DEATH! KILL!
      I think this should illustrate the potential for abuse.

      HAND

      • by eln (21727) on Tuesday October 26, 2004 @01:44PM (#10632651) Homepage
        Oh that's it, Tyndmyr is totally dead. I'm so sick of that bastard pulling this crap. Your wish is my command. Tomorrow Tyndmyr's cat will be purple with pink polka dots.
      • In all seriousness, being a vigilante may be the only answer for this. The traits of this e-commerce extortion are indicative of organized crime behaviour. Really, this guy just needed to hire a couple security gurus to track the the guys doing the work. Then a couple of tough guys to go over and rough up the guy doing the work to find out who his bosses are. Then, confirm their involvement in it and take them out of the picture with a silenced 9mm. When this kind of crap happens in Russia or former Soviet
    • by multiplexo (27356) *
      Ever been tempted to track the random people who attempt to hack/spam you, and beat them senseless?

      Yes, and I've thought of doing more than that. I wonder how the cracking community would respond if one of their members, such as the Russian guy mentioned in this article, were slowly tortured on a video that was then distributed over the net. I think if you were to take one of these guys and cut his fingers off with a pair of bolt cutters, and then burn his eyes out with a torch, and then deafen him by pl

    • by red floyd (220712) on Tuesday October 26, 2004 @01:47PM (#10632684)
      So that would be a DBSOT Attack? (Distributed Beat the Shit Out of Them)
    • by Ced_Ex (789138)
      Nothing funnier than computer nerds threatening other computer nerds!

      But good idea though. I can video tape it and we solve two problems. 1. We get rid of hacks/spam. 2. We profit on the videos!

      Sidenote: Wasn't there a video clip with some guy getting his buddy to hit him in the face with a keyboard?
  • by Carnildo (712617) on Tuesday October 26, 2004 @01:24PM (#10632441) Homepage Journal
    You can't null-route a slashdotting.
  • by Anonymous Coward on Tuesday October 26, 2004 @01:24PM (#10632445)
    Noone's going to blackmail me into using DOS again...

    was that MS-DOS TRS-DOS, or Apple DOS?
  • by mc_wilson (619464) on Tuesday October 26, 2004 @01:26PM (#10632465) Homepage
    The school network here has been getting attacked about once a week for the last month. I am really tired of the internet going down and getting 60% packet loss this often.

    I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...
    • oh man... It was great when I was in school there (where you are)... It was about 2 years after they started wiring the dorms for student network access (ethernet anyway -- prior to that there were serial terminals...) So few people had computers in the dorms, coupled with the fact that the campus had not yet "shaped" all dorm traffic to a 100 Mbit virtual pipe. Student printing was not limited -- I printed over a dozen 500+ page programming books straight from the dorm to the Teague building without quest
      • Student printing was not limited -- I printed over a dozen 500+ page programming books straight from the dorm to the Teague building without question from those in charge. (I might be a small part of the reason they did impose print limits, though.)

        Well, I started there back before we had Internet email. "Why do I have to change my email from bitnet to that new-fangled Internet thingey?" And the students were the biggest problem. There weren't any connections to the dorms, but I'd get on Gopher or Lynx
    • You sure it's not coming from viruses? If your campus is anything like ours, probably 1/3 of the students will still not have patched the LSASS vulnerability that's been known about for over 4 months. Computers then infected with Sasser or Korgo will happily spew out packets to random IP's whenever they have a connection. We've been trying to educate and entice students to run windows update, but they play dumb (Some, on being told have actually said "We shouldn't have to be computer wizzes to use the inter
    • by dougmc (70836) <dougmc+slashdot@frenzied.us> on Tuesday October 26, 2004 @04:42PM (#10634897) Homepage
      I am not sure why we would be getting DoS attacks at a major university.
      It's probably aimed at one individual. I get packeted at home on my cable modem because people want the nick I use on IRC, for example. Typically if they can flood me badly enough, it only takes 10 minutes to kick me off and get my nick, but sometimes they'll leave the flood going for hours or even days, I guess to `teach me a lesson' or something. What lesson have I learned? To log everything, and make phone calls while it happens, and emails to all the IP addresses involved when it's done. I've nailed one guy already that I know of (in Romania no less -- visited by the local police. I don't know how it turned out, however.) -- it's rarely effective, but if you keep at it, it'll eventually work.

      I wish they would try something that would prevent them. Stupid CIS...
      Tell us, how should they prevent them? Since you've labeled them as stupid, I'm sure you have the answer all figured out? We'd love to hear what the victim of a DDoS attack can do to prevent an arbitrary DDoS attack.

      Filtering on your router doesn't work, because it's usually your pipe that's overloaded. (Though schools often have huge pipes.) Having your provider filter can be effective, but not all attacks are easy to filter. Buying more bandwidth and faster routers is usually effective -- I'm sure you won't mind your tuition going up to cover the costs? Turning off the campus resnet completely would probably be effective ...

      You got any better ideas?

      No, I don't work for your school's CIS. But I certainly understand their position.

  • by centauri (217890) on Tuesday October 26, 2004 @01:27PM (#10632477) Homepage
    "That's a nice StarCraft server you have set up there. Be a shame if anything happened to it."

    Honestly, that's what I thought when I read "extortion" and "online gaming."
    • For centralized servers like battle.net that would be very possible. Not quite so for games like battlefield wherein the server daemons are available to the public.
  • well (Score:2, Insightful)

    by Fiddy Cent (823482)
    Sooner or later they're gonna try to extort the wrong people, and then Luca Brasi shows up at their doorstep.
  • by Flabasha (18195) on Tuesday October 26, 2004 @01:33PM (#10632548)
    Apparently, Prolexic Technologies [prolexic.com] is the company that's providing the DDoS Solution.
  • by Monkelectric (546685) <slashdot@monkelectri c . c om> on Tuesday October 26, 2004 @01:35PM (#10632561)
    Criminials in 2nd and 3rd world countries *LOVE* the internet because it gives them *ACCESS* to first world country victims. If a russian guy can steal 100$, thats less then a days pay for me, but 6 months salary to him.

    I don't have the link anymore, but MSNBC did a writeup on my mother who some russian jerkoffs tried to extort. They basically got her with a fish page, we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would this and that, then when that didn't work they sent messages *BEGGING* for us to send them 150$ claiming they were poor and destitute and it was nothing to us.

    • exactly (Score:3, Informative)

      by bani (467531)
      for some reason people in many 2nd and 3rd world countries are raised on propaganda (often from their government) believing that every single american is a millionaire.
      • Re:exactly (Score:2, Insightful)

        by Monkelectric (546685)
        Oh they are actually -- and thats the reason for a lot of the animosity towards us right now (in addition to our screwups as of late). They are grown up being told we are this wealthy and technologically advanced country (true and true) and that if we *WANTED* to we could solve the problems of their country easily (not true), and it is only because we are too selfish (half true) and too busy with our luxury to notice their suffering (not true) to beset upon them with our benevolence.
        • well you also get shit like iranian mullahs telling their people that theres government operated brothels in every american city and that americans still own slaves.

          nigerian criminals justify their scams today because of slavery hundreds of years ago. or because it's ok to rip off christians because "they're persecuting muslims".

          and that if we *WANTED* to we could solve the problems of their country easily (not true), and it is only because we are too selfish (half true) and too busy with our luxury to n
    • by cliveholloway (132299) on Tuesday October 26, 2004 @02:15PM (#10633027) Homepage Journal

      Pull your head out of your ass and check before you state a wild guess as a fact:

      "The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."

      So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source [smh.com.au].

      You don't have anything to do with elections in Florida by any chance?

      cLive ;-)


    • Who the Cyber-Godfathers are?
  • by Autonin (322765) on Tuesday October 26, 2004 @01:36PM (#10632577)
    I agree - Null Routes aren't the answer here. But something that ISP's *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

    It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACL's on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IP's they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.

    Apparently this is such a Herculean effort, however, that no ISP's I know of do this consistantly. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.

    Maybe if these sort of extortion schemes happen enough, proper pressure can be brought to bear on the ISP's to do this.
    • by dnoyeb (547705)
      Zombies don't spoof.
    • I agree - Null Routes aren't the answer here. But something that ISP's *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

      A lot of attacks come from completely legitimate sources. Some malware reads the local subnet address and subnet mask and spoofs from that range, revealing the origin of the packets. Other attacks are higher up in the protocol stack and require (among other things) a complete TCP handshake, so spoofing is no longer poss
      • So... can you split up IP addresses into multiple paths to go through multiple filters?
        ie, all IPs from ISP X, Y, Z, etc are routed through FilterA, while others are routed through FilterB, and that way you can break up the IP drop lits a little. Could that work?
    • Here's an idea.

      We watch the incoming traffic. If we see X number of hits over Y period (usually 5 seconds) we drop all the traffic from them for a 1/2 hour. After a half our if we're their still sending, they get put on a 24hr block list.

      what you could go is write a program that would do this on a linux box that would have an out of band connection to the router at the head of the network and configure the acls to drop the IP at that level. Granted this isn't going to get any of your bandwidth back, bu
  • by Psychotext (262644) on Tuesday October 26, 2004 @01:36PM (#10632578)
    ...aren't there firewalls that can handle this yet? Ok, so you probably can't stop it initially but surely we have equipment capable of detecting which clients are hitting the site in an abnormal manner and ignoring their traffic - at least in the short term (Hours / Days).

    That should realistically mean that whilst you might lose the site for half an hour you shouldn't be losing it for days at a time. Anything like this exist? I would have thought that the bigger gambling sites would be all over it by now.
    • The problem is that the bad traffic still has to get to your firewall, so your inbound bandwidth is still all used up. A DDoS isn't usually about overloading the app server, it's about saturating all your connections.
    • by Autonin (322765) on Tuesday October 26, 2004 @01:52PM (#10632748)
      There's a couple of problems with handling the issue on the victim-side. Generally, a DDOS attack is a flood of packets with spoofed IP's (thus my eariler comment). This makes back-tracking or attacker isolation next to impossible to do. And since most attackers aren't following RFC 3514 (http://slashdot.org/articles/03/04/01/133217.shtm l) the firewall can't inherently detect which packets are 'naughty' and which packets are 'nice'.

      Firewalls sometimes deal with connection overload by proxying the TCP three-way handshake and only allowing the completed handshakes through to the end server. Under attack, however, the firewalls themselves can have these connection queues saturated and then they begin selectively dropping a percentage of the connection requests. Since it can't tell valid from hostile, real users experience connectivity issues.

      For UDP-based protocols, used by many real-time online games, there's simply no way to stem the flood other than drop packets above a certain threshold, also causing a partial DOS for valid users.

      All of these measures also cannot address the bandwidth consumption issue. This can *only* be addressed upstream.

      With IP spoof protection in place at end points where hostiles live, or at gateways to foreign networks, we can at least keep attackers to real IP's that we can then isolate and prosecute.
    • > ...aren't there firewalls that can handle this yet?

      Once upon a time (when I was an IRC user), I used to run a little forum in which people could post random stupod IRC quotes. Apparently someone got so mad about one of the quotes that they decided to hit me to death, so they distributed a worm which would simply resolve my domain and send me really huge fragmented UDP packets whose effect blocked my whole inbound traffic. I repeatedly asked my ISP to apply some QoS and lower the priority of that t
  • Clarify (Score:5, Informative)

    by Kallahar (227430) <kallahar@quickwired.com> on Tuesday October 26, 2004 @01:37PM (#10632589) Homepage
    Just to clarify for everyone, this is extortion against online *gambling* companies, not online gaming.

    You can call gambling "gaming" in the offline world, but not the online -- "online gaming" is already taken :)
    • I hear a faint echo in the room. "Hacker"..."Cracker"..."hacker"..."cracker"..."hac ..."..."crac..."......
  • From the article
    But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.

    "Pay us and we'll save you from DDoS". Where have I heard that before?

    I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?
    • by Anonymous Coward

      I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?

      How is it a protection racket?

      Comparing a security company which helps defend against DDOS attacks to the DDOS attackers themselves is like comparing a security guard whom you hire to guard your business to the local gang who shake you down for "fire insurance".

      Yes, both are getting paid to prevent harm to your livelihood. But the DDOS attackers and the gang are the ones threatning that livelihood i

    • It's an anti-protection 'racket' though. He learned a lot from his troubles, and is now starting a business with what he learned in order to help other people who may not have the same skills or opportunities. For a fee.
      Sounds pretty much like standard capitalism to me... perhaps you're one of those people who thinks that everything should be free.
      In short, yes, you are the only one who thinks it's hypocritical.
  • by jellomizer (103300) * on Tuesday October 26, 2004 @01:40PM (#10632621)
    When ever we make someting available to the general public there is a matter of time until some jirk finds a way to cause problems. The internet has been around for about 30 years and has been popular for about 10 years. So after this short time we have turned a means of comunication ( And what a lot of people think as a step to peace ) into a complete war zone. And because no one directly (Indirectly some one may) gets hurt, and it is a lot harder to track someone down, they will attack sites and ingage in Mob beheavior much more esially then in real life. So a person who is on the outside will seem like an ordanry citizan when on the internet becomes a massive crime lord extrorting thousands of dollars from companies. They should bring back public flogging as a form of punishment, it seems a suitable punishment for a criminal who comits his crime in anonmity.
  • by MaineCoon (12585) on Tuesday October 26, 2004 @01:45PM (#10632659) Homepage
    As much as I hate to suggest it, it seems like underground vigilantism may be the only way to deal with the problem currently.

    It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).

    At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them, would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyways (can't afford anti-virus software or are running pirated versions of Windows that they can't patch.

    The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something up stream), and implement blocking at that end. But that's talking expensive hardware...
    • by Croaker (10633) on Tuesday October 26, 2004 @02:12PM (#10632985)
      Actually, there might be an easier way to take down zombie networks than creating a roaming virus... As I understand it, most zombie networks take their marching orders by watching an IRC channel on some server someplace. If you can figure out where the channel is, and can manage to compromise it, you should be able to hijack the zombie network and make it patch itself and then uninstall the viruses.

      Instead of polluting the net even more with "retrovirus" traffic, this would be a surgical strike, although timing would be critical. I assume they shift IRC servers and channels fairly frequently, and the IRC servers might be well hardened.

  • by scribblej (195445) on Tuesday October 26, 2004 @01:45PM (#10632664)
    Or at least, I like to think I'm not very good. There's so much to know, and I only know a tiny part of it.

    My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"

    I like to respond, "Nothing."

    But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?

    I would suggest the standard netowrk security tips - close off any ports that aren't needed, etc --

    I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.

    I woudl suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.

    I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.

    I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.

    Is there any way to win?

    Is there any way I can tell my boss something other than "nothing?"

    Save me Slashdot! Pleeeeease!?

  • So most of these bots use IRC to get their marching orders- so why not disrupt that method of communication?
    This can be done on the ISP level, or at a personal level by blocking ports or what have you- or even by DDoS'ng known IRC servers themselves (a taste of their own meds?).

    Just a thought
  • by Animats (122034) on Tuesday October 26, 2004 @01:57PM (#10632800) Homepage
    Extortion scams like that require a money laundering service to process the payments. e-Gold is apparently popular.

    Another is WebMoney [wmtransfer.com], mentioned on the spammer board SpamForum.biz [spamforum.biz]. It's a anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.

    There are a number of services like this. They come and go. There's Gold-Cash [gold-cash.biz], in Latvia. There's EvoCash [evocash.com], at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association [gdcaonline.org], which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.

    Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.

  • DDoS Heart Attack (Score:2, Interesting)

    by Grokko (193875)
    If one were to know the irc channel that a DDoSer uses to communicate with the zombie machines, is it possible to spam the channel with commands that will physically shut down the zombies, like a poweroff command in Linux, thus mitigating the effect?

    It could be a Denial of Denial of Service Attack, or DoDos. I confess I might be simplifying the issue too much.

    In this case, you'd have to:

    1. Identify a DDoS is in progress.
    2. Pick one of the zombie IP addresses.
    3. Identify the type of DDoS it is performing,
  • by twigles (756194) on Tuesday October 26, 2004 @02:22PM (#10633088)
    Null routes are indeed a terrible way to defend against DDoS attacks. ISPs nowadays are investing up to millions of dollars in *intelligent* defenses. These are mostly anomaly-based Network Intrusion Detection Systems (NIDS) from companies like Riverhead Networks, Top Layer and Vsecure Technologies sometimes referred to as "attack mitigators". Instead of a full-fledged NIDS like Snort, these systems focus primarily on DDoS attacks, and while I haven't used one professionally I have spoken with several people who have (old-school, cynical networking/unix guys) and they say that they are very good at not blocking innocent traffic.

    Basically they look for anomolies like the rate of traffic hitting a specific site, then they start to look for patterns in the traffic (source IP, packet size, packet interval, page requested, etc.). From there the detection boxes inform a second machine that "scrubs" the traffic, in other words drops all nefarious stuff. Some of these guys sit inline (inline=the packets must physically pass through them as light/electricity) or sit off the path, but send BGP Updates to the routers passing these packets. The BGP Update technique is interesting because it allows the normal routers to send traffic destined to the IP under attack through the scrubber because the router has a very specific route to that machine, while the rest of the subnet is routed normally. Anyone familiar with BGP knows that you advertise the biggest supernet possible (/20, /22...) so this is nice in that it leaves your other stuff alone.

    I'm sure some products use null routing at the end of this process, but it isn't some geek sitting at a keyboard typing in IPs. It's intelligent automation (at least one product actually checks to see if its remedy fixed the problem, and if it didn't it undoes the fix). I can tell you for a fact that AT&T is deploying a bunch of these attack mitigators (Riverhead - now part of Cisco) in their routing core.

    As for writing an Apache module or taking steps on the actual target web site ... the success of those will always be limited by the fact that they can only reduce the load somewhat, and a bandwidth exhaustion attack won't care if your site requires a login.
  • Solution (Score:2, Interesting)

    by Anonymous Coward
    1) Log zombie IP.
    2) Expoit zombie using the same exploit used to 'zombify' it in the first place.
    3) Patch zombie machine.
    4) Repeat.

    Is this feasible?
    • Someone who exploits a machine will often patch it against that exploit so no one else can take it over. They keep their own trojan/application running that they use to remotely control it, but seal off the original route of infection.
  • Bah! (Score:2, Funny)

    by daishin (753851)
    Theres always DDOS extortion attempts on IRC, like this case...

    <h4ckrr> gimme opz or i fl00d u!
    <Daishi> no
    *h4ckrr has quit (Ping timeout)
  • by Greyfox (87712) on Tuesday October 26, 2004 @02:38PM (#10633251) Homepage Journal
    My regime would require an "internet license" which would be a card with a magstripe. The magstripe would contain your crypto key (passphrase required to unlock yadda yadda.) All computers would be outfitted with magstripe readers and to access the net you'd have to insert your license. All traffic from you would be signed with said license. Border routers would validate licenses and reject unsigned traffic.

    First license would be free if you can pass the multiple-choice test. If it's revoked, you have to take a class and pay $50 to have it reinstated. Reasons for revocation would include, among other things, having your system compromised and used to attack other systems. That'd take care of all those zombie systems in one easy step. Having your Internet license revoked more than three times would be grounds for revoking your breeding license (Which will have somewhat more stringent entry requirements to begin with.)

    Other countries which my regime has not yet assimilated will not be left out. They can either adopt my policies or have their traffic signed by a generic key when it enters my country. Of course, if the generic key gets revoked, everyone using it will be out of luck...

    • by the_weasel (323320) on Tuesday October 26, 2004 @02:55PM (#10633457) Homepage
      My regime plans to overthrow your regime using rhetoric and innuendo, and replace it with a mildly anarchistic commune run by warlords and charismatic pop idols. Then we will declare your supporters as non-humans, and hunt you through the streets.

      I intend to make this country profitable by selling the right to watch the country on television to countries like Russia and China. This effectively combines their dislike of Americans with their youths addiction to our media.

      Just kidding. :->
  • by phorm (591458) on Tuesday October 26, 2004 @03:00PM (#10633545) Journal
    There can only be so many zombies out there. Sure, the number is growing, but one can probably pick them out of a crowd over time. Why not have an RBL for zombies... when X clients to the RBL report getting hit by the same zombie (before getting swamped, or after the DDOS finishes), add it to the RBL. Then perhaps we could start thinking about routering off IPs listed in the RBL, subnet blacklisting when a DDOS starts, or other countermeasures.

    Cutting an infected machine off from the net entirely isn't such a bad option... having an infected machine spewing out spam and DDOS is similar to an HIV patient in a bordello...
  • by adiposity (684943) on Tuesday October 26, 2004 @03:26PM (#10633833)
    Back when SCO was claiming they were being DDoSed, many experts made claims that resulted in stories like the following:

    The debate touches on more subjects than we could possibly cover here, but experts are claiming that SCO could have taken countless preventative measures to stop the attack affecting their services.

    (see here [itvibe.com])

    Groklaw had a bunch of "experts" claiming it was easily stopped, as well, and suggested it was faked by SCO.

    The truth is, as people here have pointed out, that it really doesn't matter what preventative action you take; if your pipe is full, your pipe is full, even if you drop all the packets when they hit your routers.

    You can't easily beat a bandwidth saturating attack.

    -Dan
  • by JohnnyGTO (102952) on Tuesday October 26, 2004 @03:48PM (#10634140) Homepage
    Our CC processing company is getting HAMMERED again today with a DDOS. Now how am I going to process those fraudulant Nigerian orders?

  • by tomwhore (10233) on Tuesday October 26, 2004 @05:36PM (#10635469) Homepage Journal
    The amazing Trevor Blake posted this fine news up to http://www.amsam.org/ recently..

    Rush Limbaugh Coordinates Denial of Service Attack

    Transcripts from Rush Limbaugh's own Web site from his show confirm that he coordinated a Denial of Service attack on a third party's Web site. This is a crime punishable by up to 5-10 years incarceration, according to one source[1]. The victim of this attack has elected to
    not seek legal compensation, but that does not make the attack any
    less illegal.

    Rush Limbaugh, September 28, 2004:[2] "Let's shut this website down,
    folks. Shall we? [...] I don't often suggest this kind of thing, but
    this could be fun here. [...] And, you know, we've shut down the
    server, folks. That's why you can't get through. Don't tell me the
    address is wrong, that's what happens when you ask about five million
    people to go to the same website at once, you shut it down, that was
    the objective here. We want them to get all excited and say wow, our
    website is taking off. Essentially in the computer world what we've
    created here is a DOS, a denial of service attack, so many people
    trying to get in at one time."

    Rush Limbaugh, September 30, 2004:[3] "And so when I heard about this
    I thought we'd have a little fun with it. [...] I said, 'Let's go shut
    'em down, folks,' meaning not put 'em out of business, but let's just
    flood them with activity knowing full well that that's always gonna
    happen when I give a web address here and suggest people go look at
    it. There are simply too many millions of people here, and this is
    obviously a small website. Shut it down for awhile. "

    [1] http://www.seifried.org/security/network/20020305- ddosfaq.html#3.0
    [2] http://www.rushlimbaugh.com/home/daily/site_092804 /content/cutting_edge.guest.html
    [3] http://www.rushlimbaugh.com/home/daily/site_093004 /content/cutting_edge.guest.html
  • From the article: [T]he extortion gangs control hundreds of thousands, often the personal computers of people with high-speed DSL lines or cable modems. Most of the PCs were compromised with a series of worms and viruses that began appearing last summer. They spread most easily to machines without firewalls and automated patching from security companies.

    Alas, the article doesn't give you a clue about what OS these mysterious PC are running. They are easily 0wnable, they are trojaned and zombified to deat

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...