DDoS Extortion Attempts On the Rise
John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
They get rather annoying... (Score:5, Interesting)
I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...
DDOS and 2nd and 3rd world countries (Score:5, Interesting)
I don't have the link anymore, but MSNBC did a writeup on my mother who some Russian jerkoffs tried to extort. They basically got her with a phish page; we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would do this and that, then when that didn't work they sent messages *BEGGING* for us to send them $150, claiming they were poor and destitute and it was nothing to us.
Re:Send money, or else. (Score:5, Interesting)
They invariably open the browser and attempt to open the site.
It's natural human instinct: they open it, say "Yup, it's still down" and either click refresh a few times, or close it.
Watching how slash/fark folks handle flooding a site is similar.
IP Spoof Filtering... (Score:5, Interesting)
It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACLs on it that block any traffic coming out of its segment that isn't assigned to its IP space. This keeps end-points honest, regardless of what IPs they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.
Apparently this is such a Herculean effort, however, that no ISPs I know of do this consistently. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.
Maybe if these sorts of extortion schemes happen enough, proper pressure can be brought to bear on the ISPs to do this.
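An added example, not from the comment above or from any ISP's configuration: a small Python model of the per-customer egress ACL the comment describes (BCP 38-style source-address validation), run over constructed sample packets. The port names, prefix assignments and packets are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str  # customer-facing port the packet arrived on
    src: str    # source address as written in the header
    dst: str

# Hypothetical per-port assignments (constructed sample data): a customer
# port may source traffic only from the prefixes delegated to it.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/26"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}

def egress_filter(pkt: Packet) -> bool:
    """True if the packet may leave the customer segment (BCP 38 style):
    its source must lie in a prefix assigned to its ingress port.
    Unknown ports and unparseable sources are denied by default."""
    allowed = CUSTOMER_PREFIXES.get(pkt.iface)
    if not allowed:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    # Sources never legitimate on the wire are refused whatever the table says.
    if src.is_loopback or src.is_link_local or src.is_unspecified:
        return False
    return any(src in net for net in allowed if net.version == src.version)

def apply_acl(packets):
    """Split packets into (forwarded, dropped) lists per the ACL."""
    forwarded = [p for p in packets if egress_filter(p)]
    dropped = [p for p in packets if not egress_filter(p)]
    return forwarded, dropped

# Constructed sample traffic: honest packets first, then forged sources.
SAMPLE = [
    Packet("ge-0/0/1", "203.0.113.77", "192.0.2.10"),
    Packet("ge-0/0/2", "198.51.100.9", "192.0.2.10"),
    Packet("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::1"),
    Packet("ge-0/0/1", "198.51.100.9", "192.0.2.10"),  # neighbour's space
    Packet("ge-0/0/1", "192.0.2.10", "192.0.2.10"),    # victim's own address
    Packet("ge-0/0/2", "127.0.0.1", "192.0.2.10"),     # loopback, never valid
    Packet("ge-0/0/9", "203.0.113.77", "192.0.2.10"),  # unassigned port
]
```

Calling `apply_acl(SAMPLE)` forwards the first three packets and drops the other four; a zombie behind such a port can still attack, but only with a source address that points back at its own segment.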
Sounds like he learned a lot while in IRC... (Score:2, Interesting)
But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.
"Pay us and we'll save you from DDoS". Where have I heard that before?
I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?
Time for a 'retrovirus' ? (Score:5, Interesting)
It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).
At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyways (can't afford anti-virus software or are running pirated versions of Windows that they can't patch).
The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something up stream), and implement blocking at that end. But that's talking expensive hardware...
I'm not a very good network admin (Score:5, Interesting)
My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"
I like to respond, "Nothing."
But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?
I would suggest the standard network security tips - close off any ports that aren't needed, etc. --
I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.
I would suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.
I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.
I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.
Is there any way to win?
Is there any way I can tell my boss something other than "nothing?"
Save me Slashdot! Pleeeeease!?
Re:I'm not a very good network admin (Score:3, Interesting)
Strange game. The only way to win is to not play.
DDoS Heart Attack (Score:2, Interesting)
It could be a Denial of Denial of Service Attack, or DoDos. I confess I might be simplifying the issue too much.
In this case, you'd have to:
1. Identify a DDoS is in progress.
2. Pick one of the zombie IP addresses.
3. Identify the type of DDoS it is performing, by trying all known ones (if it is out there in quantity, it is likely known).
4. Find its IRC channel and spam it with poweroff commands.
5. DDoS stops happening.
Re:Time for a 'retrovirus' ? (Score:5, Interesting)
Instead of polluting the net even more with "retrovirus" traffic, this would be a surgical strike, although timing would be critical. I assume they shift IRC servers and channels fairly frequently, and the IRC servers might be well hardened.
Solution (Score:2, Interesting)
2) Exploit zombie using the same exploit used to 'zombify' it in the first place.
3) Patch zombie machine.
4) Repeat.
Is this feasible?
Re:They get rather annoying... (Score:2, Interesting)
But even then CIS was stupid... Nothing's changed there!
Last I heard they were planning on getting a 10 Gbit pipe to the "regular" Internet and another 10 Gbit pipe to Internet2. Makes a DoS of one server on campus a large threat with that much incoming bandwidth.
Re:This is the reason why we can't get world peace. (Score:3, Interesting)
Yes, but instead of being held in the town square we'll set up a webcam and webcast it around the world.
Re:Null routing vs intelligent DDoS defense (Score:1, Interesting)
Ultimately TCP/IP needs to be updated to have something like ANI in the telco system. I can remember before ANI there were no concerns doing war dialing. Once it came out... everyone got a little timid.
Also, from my experience spoofed IP attacks really aren't as common. With zombies...they don't really care because they know tracing all of them will be a severe headache.
Authorize.Net is getting HAMMERED (Score:3, Interesting)
Re:Authorize.Net is getting HAMMERED (Score:4, Interesting)
Re:They get rather annoying... (Score:5, Interesting)
Filtering on your router doesn't work, because it's usually your pipe that's overloaded. (Though schools often have huge pipes.) Having your provider filter can be effective, but not all attacks are easy to filter. Buying more bandwidth and faster routers is usually effective -- I'm sure you won't mind your tuition going up to cover the costs? Turning off the campus resnet completely would probably be effective ...
You got any better ideas?
No, I don't work for your school's CIS. But I certainly understand their position.