DDoS Extortion Attempts On the Rise

John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
  • Null routes? (Score:4, Informative)

    by IversenX ( 713302 ) on Tuesday October 26, 2004 @01:21PM (#10632402) Homepage
    Sure, Null Routes are great for throwing away traffic, but they don't work against DDoS (notice the extra "D"!). The whole _point_ of DDoS is that the traffic comes from so many sources that the manual work involved in blocking it is huge.
  • by Flabasha ( 18195 ) on Tuesday October 26, 2004 @01:33PM (#10632548)
    Apparently, Prolexic Technologies [prolexic.com] is the company that's providing the DDoS Solution.
  • by Carnildo ( 712617 ) on Tuesday October 26, 2004 @01:36PM (#10632583) Homepage Journal
    You can't block incoming referrals from a particular site? I know with my website tracking software at least, it displays the referring URL. I'd figure you could set a filter based on that info... Weird.

    I know my web browser sets the referrer URL to that of the site I'm going to, and I suspect many other people do the same thing. It prevents blacklisting based on referrer, and it has the side benefit of allowing hotlinking from Geocities and other cheap hosting.
  • Clarify (Score:5, Informative)

    by Kallahar ( 227430 ) <kallahar@quickwired.com> on Tuesday October 26, 2004 @01:37PM (#10632589) Homepage
    Just to clarify for everyone, this is extortion against online *gambling* companies, not online gaming.

    You can call gambling "gaming" in the offline world, but not the online -- "online gaming" is already taken :)
  • by radish ( 98371 ) on Tuesday October 26, 2004 @01:48PM (#10632704) Homepage
    The problem is that the bad traffic still has to get to your firewall, so your inbound bandwidth is still all used up. A DDoS isn't usually about overloading the app server, it's about saturating all your connections.
  • exactly (Score:3, Informative)

    by bani ( 467531 ) on Tuesday October 26, 2004 @01:49PM (#10632709)
    for some reason people in many 2nd and 3rd world countries are raised on propaganda (often from their government) believing that every single American is a millionaire.
  • It's an anti-protection 'racket' though. He learned a lot from his troubles, and is now starting a business with what he learned in order to help other people who may not have the same skills or opportunities. For a fee.
    Sounds pretty much like standard capitalism to me... perhaps you're one of those people who thinks that everything should be free.
    In short, yes, you are the only one who thinks it's hypocritical.
  • by Autonin ( 322765 ) on Tuesday October 26, 2004 @01:52PM (#10632748)
    There's a couple of problems with handling the issue on the victim side. Generally, a DDOS attack is a flood of packets with spoofed IPs (thus my earlier comment). This makes back-tracking or attacker isolation next to impossible to do. And since most attackers aren't following RFC 3514 (http://slashdot.org/articles/03/04/01/133217.shtml) the firewall can't inherently detect which packets are 'naughty' and which packets are 'nice'.

    Firewalls sometimes deal with connection overload by proxying the TCP three-way handshake and only allowing the completed handshakes through to the end server. Under attack, however, the firewalls themselves can have these connection queues saturated and then they begin selectively dropping a percentage of the connection requests. Since it can't tell valid from hostile, real users experience connectivity issues.

    For UDP-based protocols, used by many real-time online games, there's simply no way to stem the flood other than drop packets above a certain threshold, also causing a partial DOS for valid users.

    All of these measures also cannot address the bandwidth consumption issue. This can *only* be addressed upstream.

    With IP spoof protection in place at end points where hostiles live, or at gateways to foreign networks, we can at least keep attackers to real IP's that we can then isolate and prosecute.
  • by Anonymous Coward on Tuesday October 26, 2004 @01:53PM (#10632756)
    These attacks work by consuming all your bandwidth, and possibly all your service provider's bandwidth as well. A firewall will prevent the packets from flooding your internal LAN, but won't help the internet connection one bit. If it were an attack that used a flaw in the system, such as a winnuke attack, then a firewall would help but firewalls are useless against bandwidth consumption attacks like these DDoS attacks.
  • Re:Null routes? (Score:4, Informative)

    by tomstdenis ( 446163 ) <tomstdenis AT gmail DOT com> on Tuesday October 26, 2004 @01:53PM (#10632761) Homepage
    Um, you can easily do an hour ban on excessive hits from a given IP. Write a module for Apache that counts the hits from a given IP. If it hits a certain threshold [say > 100 hits a minute or > x KB per second] then it simply adds the IP to a firewall [ipchains, netfilter, etc].

    By making the banning automated you can easily cope with a DDoS.

    Some other things to help cope:

    - Make small pages, well compressed images

    - Don't make highly detailed pages you can get to without logging in first [e.g. avoid server CPU load]

    - Load balance ;-)

    Tom
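As an added illustration of the per-IP counting Tom sketches (this is not code from the post, and it is a log-replay script rather than an Apache module): a sliding window of hits per client IP, a ban once the window exceeds the threshold, and drops while the ban lasts. The log lines and the addresses 203.0.113.5 and 198.51.100.7 are constructed; as the replies further down point out, this only reduces application load and does nothing about link saturation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache common-log line: client IP and bracketed timestamp.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
class RateLimiter:
    """Sliding-window hit counter per client IP with a timed ban, as the post sketches."""
    def __init__(self, max_hits=100, window_seconds=60, ban_seconds=3600):
        self.max_hits = max_hits
        self.window = timedelta(seconds=window_seconds)
        self.ban = timedelta(seconds=ban_seconds)
        self.hits = defaultdict(deque)   # ip -> timestamps still inside the window
        self.banned = {}                 # ip -> time the ban expires

    def observe(self, ip, ts):
        """Return 'drop' (already banned), 'ban' (threshold just crossed) or 'allow'."""
        expiry = self.banned.get(ip)
        if expiry is not None and ts < expiry:
            return "drop"
        self.banned.pop(ip, None)        # any earlier ban on this ip has expired
        q = self.hits[ip]
        q.append(ts)
        while q[0] < ts - self.window:   # forget hits older than the window
            q.popleft()
        if len(q) > self.max_hits:
            self.banned[ip] = ts + self.ban
            return "ban"                 # a real module would add a firewall rule here
        return "allow"
def scan_log(lines, max_hits=100):
    """Feed log lines to the limiter; return (ip, decision) per line and the limiter."""
    rl, decisions = RateLimiter(max_hits), []
    for line in lines:
        m = LOG_RE.match(line)
        if m:                            # lines that do not parse are skipped
            ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)
            decisions.append((ip, rl.observe(ip, ts)))
    return decisions, rl
def make_sample_log():
    """Constructed sample: 203.0.113.5 hits 3 times a second for 50 s, 198.51.100.7 browses normally."""
    base = datetime(2004, 10, 26, 13, 53, 0, tzinfo=timezone(timedelta(hours=-4)))
    fmt = '{ip} - - [{ts}] "GET /index.html HTTP/1.0" 200 1234'
    lines = []
    for i in range(150):
        ts = (base + timedelta(seconds=i // 3)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.5", ts=ts))
        if i % 30 == 0:                  # five ordinary requests spread over the same 50 s
            lines.append(fmt.format(ip="198.51.100.7", ts=ts))
    return lines
```

Running `scan_log(make_sample_log())` bans the flooding host on its 101st hit inside the minute and leaves the ordinary client untouched.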
  • by Animats ( 122034 ) on Tuesday October 26, 2004 @01:57PM (#10632800) Homepage
    Extortion scams like that require a money laundering service to process the payments. e-Gold is apparently popular.

    Another is WebMoney [wmtransfer.com], mentioned on the spammer board SpamForum.biz [spamforum.biz]. It's an anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.

    There are a number of services like this. They come and go. There's Gold-Cash [gold-cash.biz], in Latvia. There's EvoCash [evocash.com], at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association [gdcaonline.org], which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.

    Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.

  • by cliveholloway ( 132299 ) on Tuesday October 26, 2004 @02:15PM (#10633027) Homepage Journal

    Pull your head out of your ass and check before you state a wild guess as a fact:

    "The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."

    So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source [smh.com.au].

    You don't have anything to do with elections in Florida by any chance?

    cLive ;-)

  • by twigles ( 756194 ) on Tuesday October 26, 2004 @02:22PM (#10633088)
    Null routes are indeed a terrible way to defend against DDoS attacks. ISPs nowadays are investing up to millions of dollars in *intelligent* defenses. These are mostly anomaly-based Network Intrusion Detection Systems (NIDS) from companies like Riverhead Networks, Top Layer and Vsecure Technologies, sometimes referred to as "attack mitigators". Instead of a full-fledged NIDS like Snort, these systems focus primarily on DDoS attacks, and while I haven't used one professionally I have spoken with several people who have (old-school, cynical networking/unix guys) and they say that they are very good at not blocking innocent traffic.

    Basically they look for anomalies like the rate of traffic hitting a specific site, then they start to look for patterns in the traffic (source IP, packet size, packet interval, page requested, etc.). From there the detection boxes inform a second machine that "scrubs" the traffic, in other words drops all nefarious stuff. Some of these guys sit inline (inline = the packets must physically pass through them as light/electricity) or sit off the path, but send BGP Updates to the routers passing these packets. The BGP Update technique is interesting because it allows the normal routers to send traffic destined to the IP under attack through the scrubber because the router has a very specific route to that machine, while the rest of the subnet is routed normally. Anyone familiar with BGP knows that you advertise the biggest supernet possible (/20, /22...) so this is nice in that it leaves your other stuff alone.

    I'm sure some products use null routing at the end of this process, but it isn't some geek sitting at a keyboard typing in IPs. It's intelligent automation (at least one product actually checks to see if its remedy fixed the problem, and if it didn't it undoes the fix). I can tell you for a fact that AT&T is deploying a bunch of these attack mitigators (Riverhead - now part of Cisco) in their routing core.

    As for writing an Apache module or taking steps on the actual target web site ... the success of those will always be limited by the fact that they can only reduce the load somewhat, and a bandwidth exhaustion attack won't care if your site requires a login.
  • by Anonymous Coward on Tuesday October 26, 2004 @02:30PM (#10633169)
    The war games quote was (for the most part) a joke. If you're seriously worried about being DDOSed the *best* solution is to get a backup DSL line (from a different provider), and be ready to switch your outbound routing as needed. If you truly need to have your website up 24/7 then you'll also want to have the ability to switch your DNS info over to the DSL line, but honestly, 9 times out of 10, all you (the net admin) need to be able to guarantee is that productivity is not hurt, and as long as you have a backup outbound connection you should be fine. Or at least it'll get your boss off your ass.

    Generally speaking, DDOS attacks aren't random. They specifically target people, so you should know if you're at risk. However, it's always good to have a backup DSL line for outbound (and select inbound) traffic. Especially if you have the sort of luck most of us admins have ;-)

  • by jhagler ( 102984 ) on Tuesday October 26, 2004 @02:41PM (#10633283)
    Yep, it's commonly referred to as the tragedy of the commons [wikipedia.org] and the Internet is a perfect example.

  • Re:Null routes? (Score:2, Informative)

    by Cramer ( 69040 ) on Tuesday October 26, 2004 @02:59PM (#10633532) Homepage
    It doesn't work like that. BGP doesn't specify a destination for a prefix -- it's more a "give me X" type thing; the destination is the peer announcing the prefix. Likewise, you cannot easily punch a hole in the middle of your netblock with a null route. (in fact, the null route is how you ensure the netblock is always announced.) Add to that all the peering filters and the minimum prefix length (/20, btw), and "it's just not gonna happen". That traffic is going to show up at the ISP along with all the traffic you really do want. There's no way to get the entire internet to filter it for you. That's why the DDoS is such an annoying bugger.
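An added worked example, not code from either poster, of the two routing points made above: inside the provider's own tables a /32 injected by the detection box wins longest-prefix match and steers only the attacked host through the scrubber (twigles' description), while an external peer's minimum-prefix-length filter discards that /32, so from the outside the whole netblock is still routed to the ISP and the flood still arrives there (Cramer's point). Addresses are documentation space and the next-hop names are constructed.

```python
import ipaddress

def longest_prefix_match(rib, dst):
    """Return the next hop of the most specific prefix in rib that covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop

def apply_prefix_filter(routes, max_prefixlen):
    """Keep only prefixes no longer than max_prefixlen, as a peering-edge filter would."""
    return {p: nh for p, nh in routes.items()
            if ipaddress.ip_network(p).prefixlen <= max_prefixlen}

# Constructed topology: the provider's internal table carries the customer's /24 plus a
# /32 that the detection box injects for the single host under attack.
INTERNAL_RIB = {
    "192.0.2.0/24": "customer-edge-router",   # normal path for the whole netblock
    "192.0.2.10/32": "scrubber",              # present only while 192.0.2.10 is attacked
}

def internal_next_hop(dst):
    """Where a core router inside the provider forwards a packet for dst."""
    return longest_prefix_match(INTERNAL_RIB, dst)

def peer_view(max_prefixlen=24):
    """What an external peer still accepts after applying its prefix-length filter."""
    return apply_prefix_filter(INTERNAL_RIB, max_prefixlen)

def external_next_hop(dst):
    """Where the outside world forwards a packet for dst: the provider's normal announcement."""
    return longest_prefix_match(peer_view(), dst)
```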
  • by Anonymous Coward on Tuesday October 26, 2004 @03:35PM (#10633941)
    I think someone was at NANOG last week.

    http://www.nanog.org/mtg-0410/pdf/battles.pdf
  • Re:Null routes? (Score:4, Informative)

    by Kent Recal ( 714863 ) on Tuesday October 26, 2004 @03:44PM (#10634082)
    Unfortunately this doesn't really work.
    Zombie software is usually smart enough to be set on a target domain name, not IP address. Once your hostname starts resolving to a new IP the zombies will attack the new target. If you change to a completely different domain you'll have to announce it to your customers - and the attacker will likely pick it up on the same channel.
  • by tomwhore ( 10233 ) on Tuesday October 26, 2004 @05:36PM (#10635469) Homepage Journal
    The amazing Trevor Blake posted this fine news up to http://www.amsam.org/ recently.

    Rush Limbaugh Coordinates Denial of Service Attack

    Transcripts from Rush Limbaugh's own Web site from his show confirm that he coordinated a Denial of Service attack on a third party's Web site. This is a crime punishable by up to 5-10 years incarceration, according to one source[1]. The victim of this attack has elected to not seek legal compensation, but that does not make the attack any less illegal.

    Rush Limbaugh, September 28, 2004:[2] "Let's shut this website down, folks. Shall we? [...] I don't often suggest this kind of thing, but this could be fun here. [...] And, you know, we've shut down the server, folks. That's why you can't get through. Don't tell me the address is wrong, that's what happens when you ask about five million people to go to the same website at once, you shut it down, that was the objective here. We want them to get all excited and say wow, our website is taking off. Essentially in the computer world what we've created here is a DOS, a denial of service attack, so many people trying to get in at one time."

    Rush Limbaugh, September 30, 2004:[3] "And so when I heard about this I thought we'd have a little fun with it. [...] I said, 'Let's go shut 'em down, folks,' meaning not put 'em out of business, but let's just flood them with activity knowing full well that that's always gonna happen when I give a web address here and suggest people go look at it. There are simply too many millions of people here, and this is obviously a small website. Shut it down for awhile."

    [1] http://www.seifried.org/security/network/20020305-ddosfaq.html#3.0
    [2] http://www.rushlimbaugh.com/home/daily/site_092804/content/cutting_edge.guest.html
    [3] http://www.rushlimbaugh.com/home/daily/site_093004/content/cutting_edge.guest.html
