
Taking on an Online Extortionist 784

Posted by timothy
from the and-shove-it dept.
An anonymous reader writes "When an online extortionist comes a knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
  • by isecore (132059) <isecore AT isecore DOT net> on Wednesday May 04, 2005 @12:14PM (#12432550) Homepage
    "We will fight them in the CAT5, on the routers, in the packets. We will never surrender"

    Or however he said it :)
    • Re:oblig Churchill (Score:5, Informative)

      by sqlgeek (168433) on Wednesday May 04, 2005 @12:27PM (#12432713)
      "We shall not flag nor fail. We shall go on to the end. We shall fight in France and on the seas and oceans; we shall fight with growing confidence and growing strength in the air. We shall defend our island whatever the cost may be; we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall never surrender and even if, which I do not for the moment believe, this island or a large part of it were subjugated and starving, then our empire beyond the seas, armed and guarded by the British Fleet, will carry on the struggle until in God's good time the New World with all its power and might, sets forth to the liberation and rescue of the Old."
      • by ShaniaTwain (197446) on Wednesday May 04, 2005 @12:35PM (#12432806) Homepage
        "I may be drunk, Miss, but in the morning I will be sober and you will still be ugly."

        • by Anonymous Coward on Wednesday May 04, 2005 @12:52PM (#12432985)
          Online Extortion: How a Bookmaker and a Whiz Kid Took On an Extortionist and Won

          Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.

          Saturday, Nov. 22, 2003, 7:57 a.m.
          Origins of an Onslaught

          The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."

          Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.

          If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.

          Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said (God, in hindsight, what an idiot), I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.

          As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.

          That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's office (he had no interest in baby-sitting infrastructure in Costa Rica), but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.

          When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.

          At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.

          The Extortion Problem

          We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatene

        • by Pig Hogger (10379) <pig,hogger&gmail,com> on Wednesday May 04, 2005 @01:42PM (#12433434) Journal

          Lady Astor, first woman elected to the House of Commons, to Winston Churchill:

          -- If you were my husband, I would poison your coffee.

          -- If you were my wife, I would drink it.

      • by Knara (9377) on Wednesday May 04, 2005 @12:44PM (#12432910)
        The sad thing is that I remember that speech entirely because it's used as an intro to the Iron Maiden song "Aces High"
      • by donutello (88309) on Wednesday May 04, 2005 @02:15PM (#12433733) Homepage
        We shall fight in France and on the seas and oceans; we shall fight on beaches, landing grounds, in fields, in streets and on the hills.

        Hey, sounds like our last family vacation!
  • by dtfinch (661405) * on Wednesday May 04, 2005 @12:14PM (#12432556) Journal
    Don't respond. They'll think you didn't see their email.
    • Re:Here's a tip (Score:5, Insightful)

      by frikazoyd (845667) on Wednesday May 04, 2005 @12:22PM (#12432653)
      I would think in the situation that the e-mail was ignored, it would enrage the extortionist into firing a warning shot, one that would for SURE get the guy's attention. In fact, from the article, it looks like that is sort of what happened. He didn't respond, just first sought consultation and alerted his ISP. Then the extortionist sent a second threat, but not until he had crashed a few ISP servers to get some attention.
      • Re:Here's a tip (Score:3, Interesting)

        by ReverendLoki (663861)
        I can't help but wonder how the extortionist might have reacted to an error reply:

        MAILSERVER: Error, mailbox does not exist

        Not saying it would necessarily work, and as it was probably sent to a published address, would at best delay the threat while lowering the extortionist's expectation of your ability to defend your network.

      • Re:Here's a tip (Score:5, Interesting)

        by bigberk (547360) <bigberk@users.pc9.org> on Wednesday May 04, 2005 @01:26PM (#12433324)
        When they fire that warning shot, you dump all the attacking IPs to a log and circulate the list to AHBL, Spamhaus, CBL etc so that the extortionist's zombie network is now worth half of what it was before. Zombies are only worth anything if they are novel. And you tell the extortionist that for each additional shot, their botnet monetary value will decrease by 10% or whatever.
    • Re:Here's a tip (Score:5, Interesting)

      by suso (153703) * on Wednesday May 04, 2005 @12:27PM (#12432701) Homepage Journal
      Actually, in relation to that, what happens when your spam filter marks such an email as spam? I guess you can say that's a major false positive.
  • Interesting article (Score:3, Interesting)

    by Nova1313 (630547) * on Wednesday May 04, 2005 @12:14PM (#12432557)
    Very long but very interesting. Glad to see they caught some of them. They mentioned a hacked icq account.. That just seemed odd to me since ICQ accounts are free.. Anyone know what they were talking about?
    • by snorklewacker (836663) on Wednesday May 04, 2005 @12:24PM (#12432670)
      They prefer to use cracked ICQ accounts because it adds some misdirection to point to an existing entity, an older account may be less likely to be instantly shut off by automatic processes, and well, they're L33T H4X0RZ and cracking is what they like to do (at least the kids working for the extortionists -- the folks running the show are probably pretty rational organized crime types).
      • by golgotha007 (62687) on Wednesday May 04, 2005 @03:51PM (#12434656)
        No no no, Russians sell stolen hacked ICQ accounts because everyone wants either an easy to remember ICQ# or a really low ICQ#.

        I frequent these Russian forums frequently where they are giving away 5 digit ICQ# to the first person to read the post.

        However, the most amazing thing is, if I had the ability to direct 10,000 zombie systems to attack websites for extortion money, you could bet that every type of online communication I engaged in would be done thru no less than 5 different proxies, for every type of service, with an encrypted tunnel between me and the first proxy, and with complete control of that first proxy to erase full logs afterward.

        You think that these guys are brilliant, but they're really just a bunch of stupid script using kidhacks.

        It would be interesting to know what percentage of the zombie machines were Windows...
    • by Roofus (15591) on Wednesday May 04, 2005 @01:01PM (#12433069) Homepage
      Wow, 4 replies and not one of them understands why.

      ICQ accounts aren't named, they're numbered (you can assign names, but they were always changeable). Low ICQ account numbers are like 2 or 3 digit Slashdot ids....a source of pride.

      The hacker probably gave Lyon a low ID account, and to those fuckers it's a nice gift for status.
    • Hacked ICQ? (Score:3, Interesting)

      by SimonShine (795915)
      The only thing I'm reminded of is the telling of a guy who sought palindrome ICQ account numbers with email addresses from XS4ALL assigned to them, of which the email accounts had expired. Apparently he found a few, and through XS4ALL, he would re-create these expired email accounts, then have the old password sent to him. A weird collectible, and probably not the story you were looking for. :-)
  • by troc (3606) <troc AT mac DOT com> on Wednesday May 04, 2005 @12:14PM (#12432561) Homepage Journal
    "They threw everything they had at us. I was just in shock."

    I guess that includes getting a mention on Slashdot?

    Troc
    • Re:Even Slashdot? (Score:4, Informative)

      by kpwoodr (306527) <{moc.liamg} {ta} {ffurdoow.p.htennek}> on Wednesday May 04, 2005 @12:20PM (#12432631) Homepage Journal
      Very true, this post could have much worse consequences than they could ever throw at you.

      I have determined that my personal website would stand for less than 4 seconds if it were to receive a proper slashdotting.

      Needless to say I don't take threats like this very seriously. Here are the options I see:

      1. Give in and pay up like a good pansy
      2. Form a team of cyber attack monkeys to do your bidding
      3. Launch a counter offensive with a team of script kiddies and their IRC Bots
      4. Contact the authorities and report the threat, block the IPs delivering said packets, carefully monitor your servers like a good admin, and prevent the traffic that you deem as harmful.

      If they really threw all that much at you, it would take a very sophisticated attack to not leave a large enough trail to figure out where it came from and actually do something about it.
      • Re:Even Slashdot? (Score:5, Informative)

        by alienw (585907) <alienw...slashdot@@@gmail...com> on Wednesday May 04, 2005 @12:37PM (#12432832)
        Looks like you don't understand how DDOSs work. They get a whole lot of hijacked computers with DDOS trojans installed on them. MSIE makes this quite easy. Then they launch a DDOS at a website. You can't "block" the packets on the server because by the time your server gets them it's too late -- they have already clogged up your pipe. In fact, the traffic will probably overwhelm your ISP unless they are very large. The only place to block them would be on the ISPs main router, and that's pretty hard to do given that there could be thousands of different bots and they aren't that terribly different from ordinary users (other than the amount of traffic they generate).
        • Re:Even Slashdot? (Score:5, Informative)

          by Martin Blank (154261) on Wednesday May 04, 2005 @12:48PM (#12432955) Journal
          I've had some experience with this, having worked at an ISP, and we got assistance from our own upstream provider (telco with terabits of connectivity) to start putting blocks in place. This filtered out a several-hundred-megabit flood on one occasion, and was demonstrated later again when Slammer hit (done on their own starting about an hour or so after the ISP world was so harshly awakened by it).
  • by LordByronStyrofoam (587954) on Wednesday May 04, 2005 @12:14PM (#12432564)
    Seems kinda brutal to hit them with another DDOS.
  • by Anonymous Coward on Wednesday May 04, 2005 @12:16PM (#12432582)
    Or maybe it was planned this way. Nothing says offline like a link from slashdot.
  • That's frightening (Score:5, Interesting)

    by plover (150551) * on Wednesday May 04, 2005 @12:16PM (#12432584) Homepage Journal
    It's a brilliant story, and you've got to applaud the guys at the victim site for sticking up for themselves.

    It makes me wonder if this new anti-DDoS company can somehow establish relationships with ISPs to track back the zombies and get them shut down more quickly? Seems that would be the sanest and most effective tool -- take away the bots. No bots -- no botnet -- no attacks.

    • by KiloByte (825081) on Wednesday May 04, 2005 @12:18PM (#12432606)
      Uhm, to take away the bots, you would have to cut them at the root. And the root is a certain mega-corporation that's a bit difficult to be rooted out.
    • by Talking Goat (645295) on Wednesday May 04, 2005 @12:40PM (#12432867)
      Or, the ISPs can do as the smart ones have done and deploy Tipping Point [tippingpoint.com] and begin to mitigate these attacks the moment they are detected on the border routers. It's smart, fast, and really good at shutting down the traffic generated by these botnets by giving the admin the ability to apply vendor-supplied templates, or to create your own. However, you'd need additional deployments inside the network to avoid fratricide, but you can't beat the intelligence behind this approach.
      • by halfelven (207781) on Wednesday May 04, 2005 @01:43PM (#12433446)
        I actually tested those appliances fairly thoroughly, and yes, they're good at killing SYN floods and stuff.
        But what they don't solve and, indeed, what they cannot solve, no matter how smart, is the problem of sheer volume - the problem of bandwidth. If the attacker overwhelms your pipe, or your ISP's pipe, or your ISP's ISP's pipe, then mission accomplished.
        You also have to have enough bandwidth to fight the attack, even if your servers can handle all those SYN packets per se.
      • by blyon_prolexic (881382) on Wednesday May 04, 2005 @04:07PM (#12434840)
        A "box" to fight multi-gig DDoS attacks is just a bad way to go about it. Ask Tipping Point what their box can do when there are 50,000 SSL TCP sessions (real TCP sessions) with real HTTP headers in there. If their hardware performed as well as the marketing engines that TopLayer, Tipping Point, and Cisco have, then everyone in the security industry would all have to go find a new job.

        Along with IPS in general, I think a lot of the devices out there have some pretty good rate-limiting and SYN flood mitigation; however, they all seemed to miscalculate the sheer amount of processing power it takes to do deep packet inspection and protocol verification. Prolexic's network is currently representing about 10 Terahertz of processing ability just for the DPI, so hoping a single FPGA based hardware device will do the trick may be a bad idea. Also, most devices cannot handle out-of-state TCP based attacks (see: Riverhead), so keep your eyes out on that too.

        Prolexic often gets new customers when the TopLayer, Tipping Point, and Riverhead gear fails, so I don't see how anyone could be comfortable with just a single unit to save the day when there are people out there that will take down DNS servers, router serial interfaces, carriers, do long lived TCP sessions to slow down web servers, HTTP connection floods, and anything else they can think of to just hurt the network (75k machines all doing random search queries on a cgi, etc.)

        Further, a box does not have much of a turn-around time, so just call Tipping Point at 2 AM on Sunday when the network failed and nobody has any clue what is going on. Then wait for their one good programmer to fix the FPGA issue and a week later cross their fingers that whatever they did can stop the botnet that is causing someone's business to fail.

        I may just be a little beat up from all the traffic we deal with, but it's a little insane to say things like, "we have box X, its magic will fix everything."

        -Barrett

    • by blyon_prolexic (881382) on Wednesday May 04, 2005 @02:24PM (#12433813)
      The story is kinda odd to read when you lived it. Glad you enjoyed it, we have had a lot more attacks since the one in the story.

      I don't think we can ever take away the bots (it would be nice), because we are seeing P2P bots that run encrypted communications between each other. The attacker guy just tosses his instructions into the P2P stream and they distribute over the entire network, creating a nearly headless, command-less network that can (once started) operate decentralized. These easy IRC bots are almost a thing of the past now. The point being, as the code base for bot networks grows they will get more complicated and more difficult to shut down.

      If a blackhat geek can download source code and knows how to hack it up, he/she can do anything they want. Then it's down to just finding open machines to install their goods on. Policing the Terabits-per-second of backbone traffic for odd-ball P2P traffic like that is a bad idea.

      Prolexic also gets attacks now that may not have any botnet; some Ixia (packet generator) connected in Asia-Pac blasting 600 Mbps of generated packets does the same as a 10-20k botnet. We believe we have been attacked by something similar to that at least twice.

      The main problem is, there are just bad people out there and you need to create security policy that protects your business. If your revenue stream comes from your online business, then you should protect your online business and not hope your ISP will do that for you.

      -Barrett

  • Mirror of article (Score:4, Informative)

    by apparently (756613) on Wednesday May 04, 2005 @12:19PM (#12432619)
    Mirror here. [mirrordot.org]
  • by superwiz (655733) on Wednesday May 04, 2005 @12:19PM (#12432621) Journal
    First time those 2 go hand in hand....
  • Never pay (Score:5, Insightful)

    by nuggz (69912) on Wednesday May 04, 2005 @12:22PM (#12432647) Homepage
    If they actually get money, they'll do it again and again.
    Any measure of success will encourage more of the same behaviour.
    • Re:Never pay (Score:5, Interesting)

      by Council (514577) <rmunroe@gmai[ ]om ['l.c' in gap]> on Wednesday May 04, 2005 @12:57PM (#12433031) Homepage
      From TFI:
      To ensure a quick, quiet transaction, the extortionists did what all extortionists (in the physical or online world) do: They exploited the problem of the commons. An ecological principle, the problem of the commons states that people will act in self-interest if it profits them in the short term, even if that act will hurt everyone, including themselves, in the long term. Every act, every threat, every negotiation tactic, every single move extortionists make is designed to make paying the protection fee not only appealing, but in fact, the smartest business decision you can make in the short term, even if you know in the long run that you haven't stopped the problem at all.
    • Re:Never pay (Score:3, Insightful)

      by say (191220)

      Uhm. And when you're robbed on the street, never give them your wallet. Get beaten, raped, killed. Just don't give them your wallet - they might just get tempted to do it again.

      Moral is nice. Getting phucked is not. We can't expect every single person or company to act in public interest if that means they might get killed doing so.

      What is really needed, is serious money being pushed into Interpol, and hiring whitehats there. Online criminals aren't going to spend much time in countries with strong fede

  • Good, some balls. (Score:5, Interesting)

    by vbrookslv (634009) on Wednesday May 04, 2005 @12:22PM (#12432649)
    Glad to see someone standing up to these thugs. I remember a few years ago, the ISP that I admin'd hosted the connection for http://www.defcon.org/ [defcon.org]. We had someone start a Smurf attack from the Con, targeting our inbound T3's. We were able to track it down, and actually snatch him out of his seat right there at the con. He promptly apologized (I think, he only spoke German, IIRC). The look on his face was priceless. Oh, did I mention that me, and everyone else at the company carry Glock 19's? Yeah, we didn't have any more problems for the rest of the con. Everyone was on their best behaviour. A bunch of fine, upstanding individuals. :)
    • by Anonymous Coward
      Oh, did I mention that me, and everyone else at the company carry Glock 19's?

      What about the interns?
    • by Anonymous Luddite (808273) on Wednesday May 04, 2005 @12:38PM (#12432846)
      >> and everyone else at the company carry Glock 19's?

      Please excuse my asking, oh well-armed-one, but WTF for?

      The glock is a fine weapon, and being an admin for an ISP is a fine job, but I can't quite see the relationship between the two things...
      • Re:Good, some balls. (Score:5, Interesting)

        by vbrookslv (634009) on Wednesday May 04, 2005 @01:02PM (#12433083)
        The reason we carried, aside from the stock "Because we can" answer, is simple. We were in a building with a few hundred thousand dollars in routers, and customers such as banks and medical facilities. We were downtown on Fremont and 7th St in Las Vegas. For those who aren't familiar with the area, it's the hood. I regularly had to chase crackheads, as well as hookers with their Johns off of our back steps. We would regularly find people sleeping in our dumpster in the morning.

        And to answer the obvious question, our office WAS there for a reason, we were a block from the ILEC's main CO. This made quite a difference in the cost and time to install of new circuits.
        • Re:Good, some balls. (Score:4, Interesting)

          by d474 (695126) on Wednesday May 04, 2005 @02:27PM (#12433848)
          So I'm pointing my Taser at your main Switch, you've got your Glock-19 drawn...

          "I SWEAR I'll do it man! I'll fry this bitch right now if you don't put your gun down! I crazzzzzy - don't you know I'm loco!?!"

          What are you going to do then, mister rent-an-adminCop?
      • Chicks dig it... (Score:3, Insightful)

        Makes you look less geeky.

      • by ReverendLoki (663861) on Wednesday May 04, 2005 @01:03PM (#12433097)
        I can't quite see the relationship between the two things...

        Because, sometimes that Windows box crashes one time too many...

  • by Anonymous Coward on Wednesday May 04, 2005 @12:24PM (#12432674)
    Find out where they live and call their mom.
  • Curious (Score:3, Interesting)

    by Dante Shamest (813622) on Wednesday May 04, 2005 @12:25PM (#12432680)

    I've always wondered...when a site is slashdotted, it implies that the site has been hit by high referrals from slashdot, causing it to become slow or go down totally.

    But how does slashdot itself cope with the high traffic?

    • Re:Curious (Score:5, Funny)

      by Secrity (742221) on Wednesday May 04, 2005 @12:31PM (#12432757)
      Wormholes.
    • Re:Curious (Score:5, Funny)

      by Gzip Christ (683175) on Wednesday May 04, 2005 @12:34PM (#12432801) Homepage
      I've always wondered...when a site is slashdotted, it implies that the site has been hit by high referrals from slashdot, causing it to become slow or go down totally. But how does slashdot itself cope with the high traffic?
      It's quite simple, really - Slashdot just doesn't link to itself.
    • Re:Curious (Score:5, Informative)

      by dougmc (70836) <dougmc+slashdot@frenzied.us> on Wednesday May 04, 2005 @12:37PM (#12432831) Homepage
      But how does slashdot itself cope with the high traffic?
      Lots of bandwidth, lots of hardware. Since it gets `slashdotted' every single day, it'll be pretty easy to predict how much traffic you'll get tomorrow -- approximately the same as you got yesterday, perhaps a bit more.

      But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.

      Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000-fold increase.

    • Re:Curious (Score:5, Funny)

      by MyLongNickName (822545) on Wednesday May 04, 2005 @12:39PM (#12432852) Journal
      That's the trick. Most people would say "bigger servers" and "bigger bandwidth". But I know the real reason. Notice how you get 'Service Unavailable'? Every so often? I found that if more than 50 people are accessing Slashdot at the same time, that their database cannot handle it. In reality, this site is hosted on an Amiga. Only 50 users you say? That can't be.... just look at my User ID!

      All the 813,621 users before you don't really exist. These messages are randomly generated geek buzzwords. "Users" are given personalities, ranging from "Linux lover" to "Windows loser", from "I'm just a troll" to "IAARS", from "Funny" to "I take myself serious, but no one else does".

      Those "personalities" alter the pre-populated phrase list according to topic (actually, I am not even sure the topic matters). Think of it as an advanced Turing simulation.

      I was fooled for my first three months. Then, I saw the predictable responses, and realized that there was no actual intellegence here. Just the occassional real life person who wanders in and is fooled for a while. The auto-misspell feature was a nice addition, I have to admit.

      Want proof? Pick a user id. Peruse messge list. Notice the lack of variety? Notice the lack of real meaning behind each message? And when there is real content, try browsing earlier messages. You will find phrases ripped verbatim from an earlier post.

      Of course, you may also be a bot. CommanderTaco is always making tweaks to the message generation algorithm (though his posts, too, are mostly generated by code). I will have to peruse your message history when I am done posting here.
    • Re:Curious (Score:3, Informative)

      by gbulmash (688770) *
      I've always wondered...when a site is slashdotted, it implies that the site has been hit by high referrals from slashdot, causing it to become slow or go down totally. But how does slashdot itself cope with the high traffic?

      Remember that the site in this article was getting hit with over 3 gigabits of traffic a second under the pressure of a DDoS composed of an estimated 35k bots. Now imagine that your average dedicated server account comes with a 10 megabit pipe. It would take a lot fewer consistent

  • by wowbagger (69688) on Wednesday May 04, 2005 @12:26PM (#12432699) Homepage Journal
    Extorting a gambling site? That strikes me as a LLM (life limiting move, cf. career limiting move).

    Many gambling sites still have connections to, shall we say, respectable businessmen of the Italian or Asian persuasion, who are used to handling such matters extra-legally.

    You might just wake up one day with your computer's monitor (cables severed with an ax) in bed with you.

    Or Guido and Nunzio standing over you, giving you tips on the finer points of extortion while they wait for the concrete to set.
    • by daniel_mcl (77919) on Wednesday May 04, 2005 @03:11PM (#12434252) Homepage
      I was just suggesting this as a solution to spamming awhile back; if it's really that expensive to businesses, wouldn't it be more economical for them to arrange to have spammers assassinated? I'm serious about this -- if people are cool with paying Mafia kickbacks to their sanitation company, wouldn't they be willing to pay for something which will save them quite a lot more money?

      If such a job were available I'd personally be going through sharpshooter training right now.
  • I for one... (Score:3, Insightful)

    by Spy der Mann (805235) <spydermann.slashdot@gmai l . c om> on Wednesday May 04, 2005 @12:27PM (#12432707) Homepage Journal
    welcome our Windows zombie machines overlords. (food for thought).
  • by Ankh (19084) * on Wednesday May 04, 2005 @12:28PM (#12432727) Homepage
    Some ISPs are doing customer-level ingress filtering -- e.g. if the "other end" of the cable modem gets a packet whose src address is not that of the cable modem, drop it on the floor, it's forged.

    The ease of infecting home XP systems remotely means you sometimes find teenagers with tens of thousands of zombie computers at their control. They can sell them to spammers, too.

    The ease of doing massive DDoS attacks is why I stopped running an IRC server, and also stopped a research project I was doing related to inter-protocol messaging. It wasn't worth the hassle.

    Fighting back is hard if you don't know who to fight, but in the case of extortion, (1) document everything on paper, (2) keep timestamped printed IRC logs of all conversations, and full email printouts; (3) ask some other people to print copies of their IRC logs when appropriate. Then contact the RCMP (or if you are in the USA, the FBI, but in the USA you need to show financial damage of $5,000 or more). Don't wait until it's all over before contacting them.

    Good luck!

    Liam
    • Just a little more info for all you Canadians.

      If you're not sure who you should report this kind of stuff to (local or RCMP), you can make use of RECOL.ca [recol.ca] (Reporting Economic Crimes On-line). They can direct your complaint to the proper force/department.

      In terms of the RCMP, it's usually the Commercial Crimes Division (they'll then bring the Tech. Crime guys in as needed).

  • by kniLnamiJ-neB (754894) on Wednesday May 04, 2005 @12:33PM (#12432784)
    "How CSO Online took on Slashdot... and LOST."

    I'm glad that somebody's standing up to the jerk though... people who do stuff like that are wasting perfectly good matter.
  • No protection (Score:5, Interesting)

    by McGiraf (196030) on Wednesday May 04, 2005 @12:34PM (#12432794) Homepage
    The thing with these DoS extortionists is that unlike the mafia or other groups they do not protect you from other extortionists. If you pay them they can stop their attack, but if someone else tries to attack you they cannot do anything.
    • Re:No protection (Score:3, Interesting)

      by Just Some Guy (3352)
      So, how does that actually work out in real life? If Syndicate Foo is "protecting" my business, and Syndicate Bar sends a couple of "salesmen" to offer me competing rates, how do I pick which policy to use? Do we all sit down with lasagna and compare market capitalization, research projects, and offensive/defensive capabilities? Do I have to weigh the relative likelihood of widowerhood if I switch from Foo to Bar, or reject Bar to stick with Foo?

      Sorry, but I grew up in a decidedly non-ethnic area and a

      • Re:No protection (Score:3, Informative)

        Protection rackets have territories. You pay whoever currently controls your territory. If a competing salesman comes by, you let your current "protector" know, and they duke it out. You keep paying the winner.
  • by bigberk (547360) <bigberk@users.pc9.org> on Wednesday May 04, 2005 @12:38PM (#12432843)
    This is an appeal to network admins working at ISPs, whether large or small. You have a responsibility to make sure that spam/attack zombies don't exist on your networks. These days it's a trivial task to check to make sure you're not part of the problem. This can be scripted so that you receive periodic reports of problem hosts on your system, which you can then firewall, disconnect, or restrict access to.

    There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr [pc-tools.net] to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies.
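    The two network-side hygiene checks raised in this thread, customer-level ingress filtering (Ankh's comment above) and a grepcidr-style sweep of public blacklists for hosts on your own prefixes (bigberk's comment), as one added example in Python; this is not code from either poster, and the ISP prefixes and the blacklist dump are constructed sample data.

```python
# Added example (not from the thread): ingress filtering and a
# grepcidr-style blacklist sweep, both built on the stdlib ipaddress module.
import ipaddress

# Constructed sample data: the prefixes an imaginary ISP announces.
OUR_PREFIXES = [ipaddress.ip_network(p)
                for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample data: a few lines in the style of a DNSBL dump
# (bare addresses, CIDR ranges, a comment, a v6 entry and a garbage line).
SAMPLE_BLACKLIST = """
# constructed CBL-style dump, not a real list
198.51.100.23
192.0.2.77
203.0.113.0/26
2001:db8::1
not-an-ip
""".splitlines()


def ingress_ok(customer_prefix: str, src_addr: str) -> bool:
    """Customer-level ingress filtering: a packet arriving on a subscriber
    port is forwarded only if its source address lies inside the prefix
    assigned to that subscriber; anything else is treated as forged."""
    net = ipaddress.ip_network(customer_prefix, strict=False)
    return ipaddress.ip_address(src_addr) in net


def our_listed_hosts(blacklist_lines, prefixes=OUR_PREFIXES):
    """grepcidr-style check: return (listed entry, our prefix) pairs for
    every blacklist entry that overlaps one of our own prefixes, i.e.
    hosts on our network that the rest of the world already sees as zombies."""
    hits = []
    for line in blacklist_lines:
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        try:
            entry = ipaddress.ip_network(line, strict=False)  # "a.b.c.d" or CIDR
        except ValueError:
            continue                              # skip malformed lines, don't crash
        for p in prefixes:
            if entry.version != p.version:        # subnet_of() refuses mixed v4/v6
                continue
            # A listed host inside our prefix, or a listed range that swallows it.
            if entry.subnet_of(p) or p.subnet_of(entry):
                hits.append((str(entry), str(p)))
    return hits


if __name__ == "__main__":
    for entry, prefix in our_listed_hosts(SAMPLE_BLACKLIST):
        print(f"listed {entry} is inside our prefix {prefix}")
```

The same `our_listed_hosts` loop runs unchanged over a real rsynced DNSBL file read line by line, which is the periodic report bigberk describes.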
  • EVIL! (Score:5, Funny)

    by jav1231 (539129) on Wednesday May 04, 2005 @12:39PM (#12432853)
    Okay, I first read that as "Online Exorcist." I'm thinking, how does THAT work? TO: Satan@littlegirlshead.com
    From: Father Mayai (Yes, you may!)
    Subject: Notice of Eviction
  • by davidwr (791652) on Wednesday May 04, 2005 @12:50PM (#12432972) Homepage Journal
    Dane-geld [newcastle.edu.au]
    (A.D. 980-1016)

    IT IS always a temptation to an armed and agile nation,
    To call upon a neighbour and to say:--
    "We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation to a rich and lazy nation,
    To puff and look important and to say:--
    "Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
    But we've proved it again and again,
    That if once you have paid him the Dane-geld
    You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray,
    So when you are requested to pay up or be molested,
    You will find it better policy to say:--

    "We never pay any one Dane-geld,
    No matter how trifling the cost,
    For the end of that game is oppression and shame,
    And the nation that plays it is lost!"

    - Rudyard Kipling

    Anyone willing to try their hand at "updating" this to fit online extortion? This could be lots of fun :)
    • by howlinmonkey (548055) on Wednesday May 04, 2005 @02:54PM (#12434113)

      It seems a good idea to sit in Eastern Europea
      And mail out missives with a threat
      "We know that you have gold, and if I may be so bold
      If you send me some I will not be a threat"

      And that is called running protection
      And the scum who demand it defend
      That you only have to pay them protection
      And your enterprise won't have to end.

      It is a real temptation to avoid a confrontation
      And pay off the bottom sucking filth
      Then the business you created won't be immolated
      By the bandwidth sucking zombies and their ilk

      And that is called paying protection
      But after you've paid up today
      They'll come calling for more protection
      There will never be an end to what you pay

      It's a shame to whimper quietly and meet with their demand
      To keep the money flowing fast and free
      So when they do demand the little money in your hand
      I would suggest that you repeat slowly after me.

      "We never pay any scum protection
      No matter how hard they may lean
      For tomorrow you'll be back threatening to hack
      Using any zombies you can glean "

      I am no Rudyard Kipling, but I think this captures the essence of it :)
  • Article (Score:3, Informative)

    by Peter_Pork (627313) on Wednesday May 04, 2005 @12:55PM (#12433013)
    How a Bookmaker and a Whiz Kid Took On an Extortionist -- and Won

    Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.

    CSO Magazine
    May 2005
    By Scott Berinato

    Saturday, Nov. 22, 2003, 7:57 a.m.
    Origins of an Onslaught
    The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."

    Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.

    If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.

    Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said--God, in hindsight, what an idiot--I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.

    As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.

    That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's offices--he had no interest in baby-sitting infrastructure in Costa Rica--but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.

    When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.

    At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.

    The Extortion Problem
    We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 1
  • Good story (Score:3, Insightful)

    by KZigurs (638781) on Wednesday May 04, 2005 @01:05PM (#12433111)
    I especially liked the ending. Finally a legal criminal that really delivers :P
  • by mikeswi (658619) * on Wednesday May 04, 2005 @01:09PM (#12433167) Homepage Journal
    Starting Feb 2004, my site was hit by a powerful DDoS attack. It knocked out my web server and it nearly took out my web host's switch in the data center. I never got any demands or letters or figured out who caused it.

    Anonymizer.net tried to help me by putting my domain behind a series of rotating proxy servers. Their whole network crashed after 6 hours and they had to stop helping me.

    Finally my web host hit on the right idea. I set up a half dozen virtual private servers (VPS) at Globalservers.com (same company that hosts about.com and freeservers) and my host installed a proxy server on each one called twhttpd and set them all to route traffic to and from my web server at his data center.

    Then I set up an account at ZoneEdit and added all the IPs for the proxy servers with a failover system. Every time the bastards knocked out one of the proxy servers, ZoneEdit would detect that the server was borked and switch to another one. With the load reduced, the dead proxy came back on its own a few minutes later.

    After about 6 months of this, they finally gave up and I won.
  • So... (Score:5, Funny)

    by Theatetus (521747) on Wednesday May 04, 2005 @01:45PM (#12433452) Journal

    ...is submitting a story to /. the last revenge of the DDOS extortioner?

  • by dmccarty (152630) on Wednesday May 04, 2005 @03:19PM (#12434335)
    That's right. Lyon is one of the good guys. Still, Lyon's heroics weren't possible without Mickey Richardson's resolve. It's easy to forget that as Lyon worked to save him, Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionist's protection fees.

    From a purely economic standpoint, it makes me wonder who's the real "extortionist"...
