Taking on an Online Extortionist
An anonymous reader writes "When an online extortionist comes a-knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
Re:Even Slashdot? (Score:4, Informative)
I have determined that my personal website would stand for less than 4 seconds if it were to receive a proper slashdotting.
Needless to say I don't take threats like this very seriously. Here are the options I see:
1. Give in and pay up like a good pansy
2. Form a team of cyber attack monkeys to do your bidding
3. Launch a counter offensive with a team of script kiddies and their IRC Bots
4. Contact the authorities and report the threat, block the IPs delivering said packets, carefully monitor your servers like a good admin, and prevent the traffic that you deem as harmful.
If they really threw all that much at you, it would take a very sophisticated attack to not leave a large enough trail to figure out where it came from and actually do something about it.
Re:Curious (Score:5, Informative)
But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.
Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000-fold increase.
Network admins! Prevent this from happening (Score:5, Informative)
There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr [pc-tools.net] to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies.
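The check the post describes (pull the blacklist feeds, then see whether any of your own address space is on them) is easy to get subtly wrong: feeds mix single addresses, CIDR blocks, IPv6 and comment lines, and a listed block can contain your prefix as well as sit inside it. The following Python is an added example, not code from the thread or from any of the named blacklists; the feed contents are constructed to look like a rsync'd export, the feed names are only labels, and the prefixes in OUR_NETWORKS are an assumed example allocation drawn from the documentation ranges. It does the same job as the grepcidr one-liner but with both overlap directions and junk-line handling.

```python
import ipaddress

# Constructed sample feeds in the shapes blacklist exports usually take:
# comment lines ("#" or ";"), single IPs, CIDR entries, a malformed line.
# These are not real feed contents; the names are labels only.
SAMPLE_FEEDS = {
    "cbl": """# CBL-style list, one IP per line
198.51.100.17
garbage-line
203.0.113.5
""",
    "sorbs": """; SORBS-style export, CIDR entries allowed
198.51.100.0/26
192.0.2.77 ; listed 2005-05-01
2001:db8:1::/48
""",
}

# Assumption: the address space you are responsible for.
OUR_NETWORKS = ["198.51.100.0/24", "192.0.2.64/28", "2001:db8::/32"]


def parse_entries(text):
    """Yield ip_network objects from a feed, skipping comments and junk.

    A bare address becomes a /32 (or /128); strict=False tolerates host
    bits set in a CIDR entry, which sloppy exports do produce.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            # malformed line: skip it rather than abort the whole run
            continue


def find_listed(feeds, our_networks):
    """Return (feed, listed_entry, our_prefix) for every overlap.

    overlaps() is symmetric, so this catches a single zombie inside our
    prefix as well as a listed block that swallows our whole prefix.
    """
    ours = [ipaddress.ip_network(n) for n in our_networks]
    hits = []
    for name, text in feeds.items():
        for entry in parse_entries(text):
            for prefix in ours:
                if entry.version != prefix.version:
                    continue  # never compare v4 against v6
                if entry.overlaps(prefix):
                    hits.append((name, str(entry), str(prefix)))
    return hits


if __name__ == "__main__":
    for feed, entry, prefix in find_listed(SAMPLE_FEEDS, OUR_NETWORKS):
        print(f"{feed}: {entry} falls within {prefix}")
```

In practice you would replace SAMPLE_FEEDS with the files rsync dropped on disk and run this from cron; a hit means a box on your network is emitting spam or attack traffic and needs to be found before someone else finds it for you.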
Re:Even Slashdot? (Score:1, Informative)
Not really.
a) 0wn a bunch of zombie machines. This is what they do in their free time while chatting on irc.
b) Go to college computer lab.
c) Initiate attack.
From a victim's standpoint, you're not going to be able to track much more than the zombies. The zombies aren't going to be keeping logs of who spurs them into action (which is often via a non-standard method... you're not going to find someone making a TCP connection to those machines). Even if, somehow, you were able to actually figure out the initiating machine, the individual doing it could go through any number of proxies (these people generally 0wn several shell accounts also). And on top of that, like I said, they can log in from a lab or whatever with little to no accountability or identification whatsoever.
Re:Curious (Score:3, Informative)
Remember that the site in this article was getting hit with over 3 gigabits of traffic a second under the pressure of a DDoS composed of an estimated 35k bots. Now imagine that your average dedicated server account comes with a 10 megabit pipe. It would take a lot fewer consistent requests to slow everything to a crawl. And often these sites are on shared servers, competing with anywhere from 5-200 other sites for the pipe and the processing power.
And in most cases they don't need it. Why would a site used to getting 20,000 hits a day put out the money for the capacity to handle 200,000 hits in a few minutes? They try to keep enough capacity to handle 20-50% daily usage spikes, sometimes maybe even 100%, but not a gazillion percent.
Slashdot has big pipes, multiple servers, load balancing and various optimizations that your average site doesn't. They even shut down certain functions under really heavy load (ever notice that sometimes the site search is theirs and sometimes it routes you to Google?). But except when being slashdotted, the average site doesn't need those.
- Greg
Re:fighting back with infrastructure (Score:3, Informative)
If you're not sure who you should report this kind of stuff to (local police or RCMP), you can make use of RECOL.ca [recol.ca] (Reporting Economic Crimes On-line). They can direct your complaint to the proper force/department.
In terms of the RCMP, it's usually the Commercial Crimes Division (they'll then bring the Tech. Crime guys in as needed).
Article (Score:3, Informative)
and a Whiz Kid
Took On an Extortionist --
and Won
Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.
CSO Magazine
May 2005
By Scott Berinato
Saturday, Nov. 22, 2003, 7:57 a.m.
Origins of an Onslaught
The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.
If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.
Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said--God, in hindsight, what an idiot--I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.
That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's offices--he had no interest in baby-sitting infrastructure in Costa Rica--but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.
When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.
At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.
The Extortion Problem
We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 1
Re:Here's a tip (Score:4, Informative)
Granted: a raw bandwidth attack can use UDP, ICMP, or a TCP SYN, ACK, SYN-ACK or RST packet, and could be usefully forged.
There's a fairly riveting thread on the Intrusions list about a DDoS attack in Jan-Feb (may still be going on) that eventually involved some 80,000+ bots. It was defeated with Squid (on OBSD), as well as active upstream providers. The bots repeatedly went to load a file via HTTP, which tied up the web server. Since the TCP connection was actually made, the source IP was known. The bots were apparently installed via drive-by download, rather than worm or email.
these guys are hardcore (Score:3, Informative)
2 years ago one of our customers received a DDoS email and he called me and asked me what he should do.
I told him to ignore it and honestly I found it quite amusing, thinking it was script kiddies.
I wasn't laughing 24 hours later as they completely saturated our pipes and our border routers (7206 VXRs at the time) were locked at 100% CPU.
I've taken serious steps since then to be ready. It wasn't a pleasant experience though, and it happened right in the middle of a business day.
Re:That's frightening (Score:4, Informative)
I don't think we can ever take away the bots (it would be nice), because we are seeing P2P bots that run encrypted communications between each other. The attacker guy just tosses his instructions into the P2P stream and they distribute over the entire network, creating a nearly headless, commandless network that can (once started) operate decentralized. These easy IRC bots are almost a thing of the past now. The point being, as the code base for bot networks grows they will get more complicated and more difficult to shut down.
If a blackhat geek can download source code and knows how to hack it up, he/she can do anything they want. Then it's down to just finding open machines to install their goods on. Policing the terabits-per-second of backbone traffic for odd-ball P2P traffic like that is a bad idea.
Prolexic also gets attacks now that may not have any botnet: some Ixia (packet generator) connected in Asia-Pac blasting 600 Mbps of generated packets does the same as a 10-20k botnet. We believe we have been attacked by something similar to that at least twice.
The main problem is, there are just bad people out there and you need to create security policy that protects your business. If your revenue stream comes from your online business, then you should protect your online business and not hope your ISP will do that for you.
-Barrett
Re:Network admins! Prevent this from happening (Score:5, Informative)
It depends on the type of the attack. "Traffic" is quite unspecific, but it's not necessarily ICMP echo-request (a.k.a. "ping"). For DoS, ping is rather uninteresting, because there are enough sites that don't allow ping to their servers and filter it out some hops before the servers anyway. At least, I used to recommend to customers that they allow ping only from monitoring and maintenance sites. (As a side note: a lot of IPs for servers are not coupled with a specific hardware address anyway, but handled and distributed by load balancers and server farms, so there is no point in having those virtual servers respond to anything other than the service they are supposed to provide.)
So if you have a site that only allows a very limited number of packet types through, attacking it with something outside the scope of the firewall is somewhat pointless, unless you manage to muster such a high bandwidth that it clogs up the pipe at some hop well before the original site. And traffic that is easy to distinguish from legitimate traffic is also easily filtered directly at the backbone routers of the really big ISPs or exchange points ("drop anything not TCP to the site in question").
To make your attack more effective you have to at least mimic the legitimate traffic a little. Your DoS requests thus should be at least formally correct (or be incorrect in a quite sophisticated manner, to trigger complex fault and exception handling). If you manage to cause the service to calculate a long or data-intensive response, it's even better, because then you are using up CPU time that is no longer available to handle the requests that generate business for the site. ("Give me all betting quotes which are either between 1:1 and 1:5 or between 1:4 and 1:10 or between 1:8 and 1:100 or are better than 1:75" forces the site to answer with a large sheet containing all quotes, but the answer set consists of several subsets to be calculated separately. Not every site has middleware in place to change this to "give me all quotes".) If you manage to make your request variable, so that filtering out the DoS request with a single pattern doesn't work, it's much better. If you change your attacking pattern during the attack, so that the filters in place have to be changed the whole time by the defending site, your DoS will be even more effective.
In the end, for an effective DoS you should a) fill all available bandwidth with traffic indistinguishable from legitimate traffic, b) use up as much CPU time on the servers as possible to handle your requests, c) try to generate an asymmetric pattern (your request should use up much less bandwidth for you than the site's answer is using), and d) make it as variable as possible to avoid static filtering.
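The Squid defence in the "Here's a tip" reply above (the bots complete the TCP handshake and fetch a file, so their source addresses land in the access log) and the evasion points just listed (vary the request so no single pattern matches; make the answer much bigger than the question) meet in the web server log, which is where a defender has to work from. The Python below is an added example, not code from the thread, from Prolexic or from the Intrusions list; the log lines are constructed, 192.0.2.x and 203.0.113.x are documentation addresses, and the window and byte thresholds are assumptions you would tune to your own traffic. It shows a fixed-pattern filter catching the bot that hammers one URL but missing the bot that varies its query, while a per-source rate filter and a response-asymmetry check catch both and leave the ordinary customer alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Squid "combined"-style access log line; the last field is the
# response size in bytes ("-" when no body was sent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a record for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def parse_log(text):
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r is not None]


def static_filter(records, pattern):
    """Sources that ever requested a path matching one fixed pattern.
    This is the filter an attacker who varies the request sidesteps."""
    rx = re.compile(pattern)
    return {r["ip"] for r in records if rx.search(r["path"])}


def rate_filter(records, window_s, threshold):
    """Sources with >= threshold requests inside any sliding window of
    window_s seconds, regardless of what was requested."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    window = timedelta(seconds=window_s)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def asymmetric_sources(records, min_avg_bytes, min_requests):
    """Sources whose requests pull disproportionately large responses:
    the small-question, big-answer pattern from point c) above."""
    total, count = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["ip"]] += r["bytes"]
        count[r["ip"]] += 1
    return {ip for ip in total
            if count[ip] >= min_requests and total[ip] / count[ip] >= min_avg_bytes}


# ---- constructed sample log (not real traffic). Assumed timestamp: the
# Saturday morning of the article; sizes and paths are made up.
def _line(ip, t, path, size):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 {size}'

_T0 = datetime.strptime("22/Nov/2003:11:20:00 -0600", TS_FMT)
_lines = []
# a real customer: three page views spread over twenty seconds
for i, p in enumerate(["/", "/odds.cgi?sport=nfl", "/account"]):
    _lines.append(_line("192.0.2.5", _T0 + timedelta(seconds=10 * i), p, 8000))
# bot A: hammers one fixed heavy URL; a static pattern catches this one
for i in range(10):
    _lines.append(_line("203.0.113.8", _T0 + timedelta(milliseconds=300 * i),
                        "/bigsheet.html", 120000))
# bot B: same rate and same response size, but every query differs
for i in range(10):
    _lines.append(_line("203.0.113.7", _T0 + timedelta(milliseconds=300 * i),
                        f"/odds.cgi?range={i}:1-{i + 5}:1", 120000))
SAMPLE_LOG = "\n".join(_lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("static pattern blocks:", static_filter(recs, r"/bigsheet\.html"))
    print("rate filter blocks:   ", rate_filter(recs, window_s=5, threshold=8))
    print("asymmetric sources:   ", asymmetric_sources(recs, 50000, 5))
```

The rate and asymmetry checks only work because the bots here complete the handshake, exactly the property the Squid defence relied on; against spoofed UDP or SYN floods the source column is worthless and the fight moves upstream to the ISP, as the attack in the article did.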
Re:oblig Churchill (Score:3, Informative)
Hitler wasted time putting down a silly uprising in the Balkans when he should have been invading, thereby delaying operations for a crucial six weeks and ensuring the Russian winter played a decisive role.
Re:Even Slashdot? (Score:3, Informative)
In this case, boneheaded admins should've received the mother of all wakeup calls.
Re:Curious (Score:3, Informative)
1) If /. has linked to your site, that means your site still needs to serve up the main page. You could coralize your images and such and save some bandwidth that way, but if your web server can't even serve that first page under the load, you're screwed. And if you do find yourself /.ed, and go and coralize your site real quick, then it'll be a while before the traffic slacks off enough for the coral servers to even reach your site to get the images that you've coralized.
Many sites do replace their fancy dynamic pages with a `hi slashdotters!' page after getting /.ed ... saves a lot of cpu on the box. But if what's special about your site is the dynamic aspect of it, well, that won't work.
2) Coral won't do files over 50 or 100 MB. So if you've got some large download, you'd better set up a BitTorrent instead ... and fast.
3) Currently, Coral uses some non-standard ports that some places may not be able to access due to restrictive firewalls. I understand that this is to change.
4) Coral uses some DNS tricks that don't work with the entire world. Specifically, Windows DNS servers tend to have problems with it.
But still, mentioning coral as a way of reducing the /. effect is an excellent idea. It's not the perfect solution, but it's pretty good.
Lebumfacil (Score:3, Informative)
He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said--God, in hindsight, what an idiot--I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
Is this guy's last name really 'The Easy Bum'? Wow, lol.
Re:oblig Churchill (Score:4, Informative)
"we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall throw bottles on them if that is what we have"
The sentence about bottles was actually cut out by the BBC censor because the humor was too black. (The UK had very few heavy arms left after the fiasco in France.)
Re:Here's a tip (Score:1, Informative)
Free and it does stateful inspection.
Re:oblig Churchill (Score:3, Informative)
Certainly, he was no saint...not even close. Nor was he trying to be. He was simply trying to save his country and he was the perfect man for the job at the time.
Re:Good, some balls. (Score:2, Informative)
A majority of the time spent in CCW classes is for studying the laws that apply in these situations.
Re:wrong (Score:3, Informative)
Texas Penal Code 9.42 B (when deadly force is allowed)
to prevent the other who is fleeing immediately after committing burglary, robbery, aggravated robbery, or theft during the nighttime from escaping with the property;
Try reading the law sometime. I won't quote the whole law, but it really means what it looks like. Shooting them in the back is ok based on the way the law is written.
Despite what the press would have you believe, most of us in TX are just like you and me.
I was born and raised in TX and lived 26 years there. What the people are like there is irrelevant to what the law says.
Running away is a capital offense? (Score:2, Informative)
Aside from that, your philosophy leaves a huge gaping hole in the murder laws. Suppose you want someone dead. You give them a nice gift. As they are walking away, you shoot them in the back of the head and kill them. You are arrested and claim they were running away with your property.
That is why the law doesn't work the way you claim. When someone claims self-defense, they are generally prosecuted anyway. In most states, if you claim self-defense the burden of proof is on you to prove that your life was in immediate danger (the prosecution only has to prove that you killed the person, which you will confess to in order to claim self-defense). If you fail to prove that your life was in danger, you will be convicted of murder.