DDoS Extortion Attempts On the Rise
John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
Null routes? (Score:4, Informative)
Prolexic Technologies (Score:3, Informative)
Re:Not all attacks can be blocked. (Score:4, Informative)
I know my web browser sets the referrer URL to that of the site I'm going to, and I suspect many other people do the same thing. It prevents blacklisting based on referrer, and it has the side benefit of allowing hotlinking from Geocities and other cheap hosting.
Clarify (Score:5, Informative)
You can call gambling "gaming" in the offline world, but not online -- "online gaming" is already taken.
Re:Not knowledgable on topic but... (Score:3, Informative)
exactly (Score:3, Informative)
Re:Sounds like he learned a lot while in IRC... (Score:3, Informative)
Sounds pretty much like standard capitalism to me... perhaps you're one of those people who thinks that everything should be free.
In short, yes, you are the only one who thinks it's hypocritical.
Re:Not knowledgable on topic but... (Score:4, Informative)
Firewalls sometimes deal with connection overload by proxying the TCP three-way handshake and only allowing the completed handshakes through to the end server. Under attack, however, the firewalls themselves can have these connection queues saturated and then they begin selectively dropping a percentage of the connection requests. Since it can't tell valid from hostile, real users experience connectivity issues.
For UDP-based protocols, used by many real-time online games, there's simply no way to stem the flood other than drop packets above a certain threshold, also causing a partial DOS for valid users.
All of these measures also cannot address the bandwidth consumption issue. This can *only* be addressed upstream.
With IP spoof protection in place at end points where hostiles live, or at gateways to foreign networks, we can at least keep attackers to real IPs that we can then isolate and prosecute.
Re:Firewalls are useless against DDoS (Score:1, Informative)
Re:Null routes? (Score:4, Informative)
By making the banning automated you can easily cope with a DDoS.
Some other things to help cope
- Make small pages, well compressed images
- Don't make highly detailed pages you can get to without logging in first [e.g. avoid server CPU load]
- Load balance
Tom
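The automated banning the comment recommends, as an added example that is not code from the thread: a per-source sliding-window counter run over constructed Apache-style common log lines, returning the sources that exceed a threshold (a real deployment would feed that set to a firewall or router ACL).

```python
"""Rate-based automatic banning over web-server access log lines.
Added example; assumes Apache Common Log Format and constructed sample data."""
import re
from collections import deque, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)

def find_offenders(lines, limit, window_s):
    """Return the set of source IPs that exceed `limit` requests within any
    `window_s`-second span. Lines must be in time order, as a log is."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash under load
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > limit:
            banned.add(ip)
    return banned

# Constructed sample: one source hammering /login once a second for 20 s,
# two ordinary visitors, and one corrupt line.
SAMPLE_LOG = [
    f'198.51.100.7 - - [26/Oct/2004:10:00:{s:02d} +0000] "GET /login HTTP/1.0" 200 512'
    for s in range(20)
] + [
    '203.0.113.5 - - [26/Oct/2004:10:00:03 +0000] "GET / HTTP/1.0" 200 2048',
    '203.0.113.9 - - [26/Oct/2004:10:00:15 +0000] "GET /news HTTP/1.0" 200 1024',
    'garbage line that does not parse',
]
```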
Money laundering services (Score:5, Informative)
Another is WebMoney [wmtransfer.com], mentioned on the spammer board SpamForum.biz [spamforum.biz]. It's an anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.
There are a number of services like this. They come and go. There's Gold-Cash [gold-cash.biz], in Latvia. There's EvoCash [evocash.com], at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association [gdcaonline.org], which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.
Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.
random figures stated as fact - film at 11... (Score:5, Informative)
Pull your head out of your ass and check before you state a wild guess as a fact:
"The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."
So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source [smh.com.au].
You don't have anything to do with elections in Florida by any chance?
cLive ;-)
Null routing vs intelligent DDoS defense (Score:5, Informative)
Basically they look for anomalies like the rate of traffic hitting a specific site, then they start to look for patterns in the traffic (source IP, packet size, packet interval, page requested, etc.). From there the detection boxes inform a second machine that "scrubs" the traffic, in other words drops all nefarious stuff. Some of these guys sit inline (inline=the packets must physically pass through them as light/electricity) or sit off the path, but send BGP Updates to the routers passing these packets. The BGP Update technique is interesting because it allows the normal routers to send traffic destined to the IP under attack through the scrubber because the router has a very specific route to that machine, while the rest of the subnet is routed normally. Anyone familiar with BGP knows that you advertise the biggest supernet possible (/20,
I'm sure some products use null routing at the end of this process, but it isn't some geek sitting at a keyboard typing in IPs. It's intelligent automation (at least one product actually checks to see if its remedy fixed the problem, and if it didn't it undoes the fix). I can tell you for a fact that AT&T is deploying a bunch of these attack mitigators (Riverhead - now part of Cisco) in their routing core.
As for writing an Apache module or taking steps on the actual target web site
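The BGP Update diversion the comment describes, as an added example that is not code from the thread or from any vendor product: a longest-prefix-match routing table (prefixes and next-hop names are constructed) showing that injecting a host route for the attacked address steers only that address through the scrubber, leaves the rest of the block on its normal path, and is fully undone by withdrawing the route.

```python
"""Longest-prefix-match model of scrubber diversion via a more-specific route.
Added example with constructed prefixes and next-hop labels."""
from ipaddress import ip_address, ip_network

class RoutingTable:
    """Minimal forwarding table: the longest matching prefix wins."""
    def __init__(self):
        self.routes = {}  # ip_network -> next-hop label

    def advertise(self, prefix, next_hop):
        self.routes[ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ip_network(prefix), None)

    def lookup(self, dst):
        addr = ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

def divert_under_attack(table, victim_ip, scrubber_hop):
    """Mimic the detector's BGP update: a /32 host route toward the scrubber."""
    table.advertise(f"{victim_ip}/32", scrubber_hop)

def restore(table, victim_ip):
    """Withdraw the host route once the attack subsides."""
    table.withdraw(f"{victim_ip}/32")

def build_demo_table():
    t = RoutingTable()
    t.advertise("0.0.0.0/0", "upstream")            # default route
    t.advertise("203.0.113.0/24", "customer-edge")  # constructed customer block
    return t

def diversion_trace(victim, neighbour):
    """Next hops for the victim before/during/after diversion, plus the
    neighbour's next hop during diversion (it must stay unchanged)."""
    t = build_demo_table()
    before = t.lookup(victim)
    divert_under_attack(t, victim, "scrubber")
    during = (t.lookup(victim), t.lookup(neighbour))
    restore(t, victim)
    return before, during, t.lookup(victim)
```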
Re:I'm not a very good network admin (Score:1, Informative)
Generally speaking, DDOS attacks aren't random. They specifically target people, so you should know if you're at risk. However, it's always good to have a backup DSL line for outbound (and select inbound) traffic. Especially if you have the sort of luck most of us admins have.
Re:This is the reason why we cant get world peace. (Score:4, Informative)
Comment removed (Score:3, Informative)
Re:Null routes? (Score:2, Informative)
Re:Null routing vs intelligent DDoS defense (Score:1, Informative)
http://www.nanog.org/mtg-0410/pdf/battles.pdf
Re:Null routes? (Score:4, Informative)
Zombie software is usually smart enough to be set on a target domain name, not ip address. Once your hostname starts resolving to a new ip the zombies will attack the new target. If you change to a completely different domain you'll have to announce it to your customers - and the attacker will likely pick it up on the same channel.
Rush Limbaugh Coordinates Denial of Service Attack (Score:3, Informative)
Transcripts from Rush Limbaugh's own Web site from his show confirm that he coordinated a Denial of Service attack on a third party's Web site. This is a crime punishable by up to 5-10 years incarceration, according to one source[1]. The victim of this attack has elected to not seek legal compensation, but that does not make the attack any less illegal.
Rush Limbaugh, September 28, 2004:[2] "Let's shut this website down, folks. Shall we? [...] I don't often suggest this kind of thing, but this could be fun here. [...] And, you know, we've shut down the server, folks. That's why you can't get through. Don't tell me the address is wrong, that's what happens when you ask about five million people to go to the same website at once, you shut it down, that was the objective here. We want them to get all excited and say wow, our website is taking off. Essentially in the computer world what we've created here is a DOS, a denial of service attack, so many people trying to get in at one time."
Rush Limbaugh, September 30, 2004:[3] "And so when I heard about this I thought we'd have a little fun with it. [...] I said, 'Let's go shut 'em down, folks,' meaning not put 'em out of business, but let's just flood them with activity knowing full well that that's always gonna happen when I give a web address here and suggest people go look at it. There are simply too many millions of people here, and this is obviously a small website. Shut it down for awhile."
[1] http://www.seifried.org/security/network/20020305
[2] http://www.rushlimbaugh.com/home/daily/site_09280
[3] http://www.rushlimbaugh.com/home/daily/site_09300