Taking on an Online Extortionist
An anonymous reader writes "When an online extortionist comes a knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
Fight! (Score:2, Insightful)
Presumably, they will give you some way to pay them (else what is the point?). Point the cops and or feds at that contact, and see what happens.
Extortion is extortion, be it physical or bandwidth.
If no joy from the authorities, I'm sure your local newsrag would be glad to shame the cops into doing something. Of course, if the extortionist is overseas, things might be a little difficult.
Never pay (Score:5, Insightful)
Any measure of success will encourage more of the same behaviour.
Re:Question (Score:2, Insightful)
How is that different from the entire rest of the internet? An awful lot of blogs link news stories with a bit of commentary and want people to read them. Slashdot submitters are free to submit their own sites. The problem is with slashdot editors accepting fairly dumb submissions. That seems to be the problem. Not that Roland Piquepaille is acting scandalously.
Re:Here's a tip (Score:5, Insightful)
Re:Fight! (Score:2, Insightful)
That of course, is predicated on your business being 100% legitimate. I'm not sure about this individual case, but I'm sure not all the online gambling sites are uh, trustworthy. That would be a major roadblock to involving the authorities.
Re:Fight! (Score:5, Insightful)
This is where R'ingTFA comes in...
If no joy from the authorities, I'm sure your local newsrag would be glad to shame the cops into doing something. Of course, if the extortionist is overseas, things might be a little difficult.
Again, this is where R'ingTFA comes in. I'd also add that one downside of moving your business to an unregulated third world country is that neither the local journalists nor the local cops are especially interested in your gringo problems. I don't understand why Scotland Yard bothered with him.
I for one... (Score:3, Insightful)
Re:Question (Score:1, Insightful)
When the slashdotting began, he made a lot off all the ads on his site.
People were cross that they were pointed to a 'version' of the story when they could have been pointed to the actual story itself, and that someone was profiting off that style of journalism (rightly or wrongly).
Re:Good, some balls. (Score:5, Insightful)
Please excuse my asking, oh well-armed-one, but WTF for?
The glock is a fine weapon, and being an admin for an ISP is a fine job, but I can't quite see the relationship between the two things...
Re:oblig Churchill (Score:1, Insightful)
Heck... I used lines from Maiden and Judas Priest in my Junior Presentation in Arts and Lit... the teacher missed them but some of the kids in class picked up on them...
Re:Catching them (Score:2, Insightful)
Chicks dig it... (Score:3, Insightful)
Makes you look less geeky.
Good story (Score:3, Insightful)
Terrible Article (Score:1, Insightful)
Re:And the lesson is... (Score:3, Insightful)
There's a point where they keep coming back with higher numbers. If you look, they only guaranteed the protection for a year.
Re:Question (Score:2, Insightful)
stoopid question but:
what law did they break?
if they used their own bandwidth, then they just sent packets to your public website, right?
This is kind of like some spammer emailing me saying "i currently spam you lots and lots and lots, if you give me *money* i'll stop spamming". Ironically, this is just one more piece of spam in my inbox. Why would this spam be criminal, and the thousands of XXX VIAGRA CIALIS XXX be fine?
Re:Never pay (Score:3, Insightful)
Uhm. And when you're robbed on the street, never give them your wallet. Get beaten, raped, killed. Just don't give them your wallet - they might just get tempted to do it again.
Moral is nice. Getting phucked is not. We can't expect every single person or company to act in public interest if that means they might get killed doing so.
What is really needed, is serious money being pushed into Interpol, and hiring whitehats there. Online criminals aren't going to spend much time in countries with strong federal police, like the US.
Who's at fault? The software vendors... (Score:1, Insightful)
When are governments going to step in and start placing reasonable requirements for software security? When are they going to start punishing the companies that ship the buggy software that is entirely responsible for the existence of the online extortionist industry?
Fix bugs, no zombies.
No zombies, no botnet.
No botnet, no DDoS.
No DDoS, no extortion.
Re:Even Slashdot? (Score:5, Insightful)
I don't know... I found the last paragraph grated against his super-hero image:
That's right. Lyon is one of the good guys. Still, Lyon's heroics weren't possible without Mickey Richardson's resolve. It's easy to forget that as Lyon worked to save him, Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionist's protection fees.
I've always found there to be a rather fine line between insurance and extortion. If the story is true, he probably is one of the good guys, but he's merely tapped into the revenue stream the extortionists created.
Re:Never pay (Score:3, Insightful)
Re:oblig Churchill (Score:4, Insightful)
Re:Good, some balls. (Score:3, Insightful)
I guess I could have been more clear. By having that equipment, and those type of customers, and that location, we had multiple reasons to be concerned for our lives. Just like any other time, being armed serves two purposes:
Re:That's frightening (Score:3, Insightful)
The sad thing is you could prevent 99% of the hijacking attempts against your (windows) machine by doing just two things:
- don't use IE; and
- install ZoneAlarm
This isn't exactly rocket science. And it doesn't require draconian legislation requiring that all communication from every machine be traced and logged.
Max
Re:I fought a DDoS and won - not! (Score:1, Insightful)
Good guys vs. bad guys (Score:5, Insightful)
From a purely economic standpoint, it makes me wonder who's the real "extortionist"...
Re:Interesting article (Score:4, Insightful)
I frequent these Russian forums frequently where they are giving away 5 digit ICQ# to the first person to read the post.
However, the most amazing thing is, if I had the ability to direct 10,000 zombie systems to attack websites for extortion money, you could bet that every type of online communication I engaged in would be done thru no less than 5 different proxies, for every type of service, with an encrypted tunnel between me and the first proxy, and with complete control of that first proxy to erase full logs afterward.
You think that these guys are brilliant, but they're really just a bunch of stupid script using kidhacks.
It would be interesting to know what percentage of the zombie machines were windows...
Re:Good, some balls. (Score:5, Insightful)
In Texas there is no lower limit. You can shoot someone in the back who is running away from you and is no longer on your property, as long as they stole from you and you can expect that you won't see it again if they make off with it and you would be at risk if you caught them. That's pretty much a blank check to shoot a robber in the back.
The very idea of killing someone over something so trivial as a router makes me sick.
I'm a raving liberal when it comes to most things, but I seem to be on the rabid conservative side for this one issue. Why is their right to steal from me greater than my right to stop them? I have the right to be secure in my person and property. They do not have the right to be secure in my property, only their own.
Using deadly force to stop a felony seems quite reasonable. Using deadly force to stop a car chase seems quite reasonable. Deadly force should be used to stop crimes in progress and to stop those after crimes are committed if failure to do so would result in them getting away. If you don't like it, quit committing felonies.
Re:That's frightening (Score:4, Insightful)
Along with IPS in general, I think a lot of the devices out there have some pretty good rate-limiting and SYN flood mitigation, however, they all seemed to miscalculate the sheer amount of processing power it takes to do deep packet inspections and protocol verification. Prolexic's network is currently representing about 10 Terahertz of processing ability just for the DPI, so hoping a single FPGA based hardware device will do the trick may be a bad idea. Also, most devices can not handle out-of-state TCP based attacks (see: Riverhead), so keep your eyes out on that too.
Prolexic often gets new customers when the TopLayer, Tipping Point, and Riverhead gear fails, so I don't see how anyone could be comfortable with just a single unit to save the day when there are people out there that will take down DNS servers, router serial interfaces, carriers, do long lived TCP sessions to slow down web servers, HTTP connection floods, and anything else they can think of to just hurt the network (75k machines all doing random search queries on a cgi, etc.)
Further, a box does not have much of a turn-around time, so just call Tipping Point at 2 AM on Sunday when the network failed and nobody has any clue with what is going on. Then wait for their one good programmer to fix the FPGA issue and a week later cross their fingers that whatever they did can stop the botnet that is causing someone's business to fail.
I may just be a little beat up from all the traffic we deal with, but it's a little insane to say things like, "we have box X, its magic will fix everything."
-Barrett
Re:Never pay (Score:3, Insightful)
So let's try the inverse of your suggestion and see what we get:
Always give them your wallet, without question, without a fight. Therefore they know all they have to do is mildly threaten you and they get free cash. Not much of a solution you're proposing there. Sounds more like a welfare system for hoodlums.
Here's a funny solution you seem to have ignored: arm yourself, take defensive shooting classes, and blow the fucker away when he tries to threaten you. True, dealing with the police paperwork after the fact is a bit tedious, but you can rest easy knowing you've rid the world of a lowlife scumbag who wasn't worth the oxygen he was consuming. Bernard Goetz [heroism.org] had it right.
The only way to answer threats is with the threat of something worse. Anything less is either impotent or encouraging more threats.
Re:Good, some balls. (Score:2, Insightful)
Re:That's frightening (Score:3, Insightful)
While that's a nice idea in concept, I don't think it would work in The Real World, for a couple of reasons:
1. A license is only required for driving on public property (ie roads). Most of (US) internet access traverses private utility lines (phone/cable), so there's a question of jurisdiction.
2. Risk to free speech - who defines what constitutes an "offense"? Ok, a zombie/spam-relay is against the rules, right? What about a mass-distributed opt-in mail list? What about a targeted marketing email sent to people a user has a "previous business relationship" with? What about P2P? Some P2P use is legal, some is not. Does Big Brother have to watch what we're downloading? Or what about political activity? How do you prevent Big Brother from deciding that "questioning the President's decisions constitutes terrorism, hereby revoking your Internet License"?
3. The internet is a global network, so you have the same old issue of making such an institution as "internet licensing" work across a multitude of laws & cultures. How do you ensure that the Russians, British, or Italians enforce the same sort of internet-license policy that we'd create here in the states?
4. Finally, there's the question of efficiency. Plenty of things are already illegal (spam, hacking computers, etc.). That doesn't stop people from doing it, just like people don't stop speeding or driving drunk just because it's illegal. It's a question of making policies, and having the resources to enforce them. Since we're talking about computers, there's a lot that can be automated which reduces the manual resource need, but it doesn't eliminate it. There's already a lot of issues regarding RBL's and trying to get legit mail lists off an RBL - scaling that up to accidentally (aka based on a false positive) denying internet access to people randomly doesn't seem like a great idea, unless you have the resources in place to resolve those, and that costs $$.
Re:Good, some balls. (Score:4, Insightful)
I am myself a gun owner and a vocal proponent of the Second Amendment, and I have to say I could not disagree more with what you are saying. It's this kind of testosterone-driven false bravado and thoughtless remarks that give real firearm enthusiasts a bad name.
Deadly force is a last-resort measure that should be employed only when there is direct risk to your life or the lives of others. If someone else is threatening or attacking you with a gun, or if someone comes at you with a knife or something, or someone is subjecting another person to such a threat, you are justified in shooting them. But how can you justify taking someone's life because they're about to make off with your hubcaps or your computer?
The power to take a life carries a tremendous responsibility to use that power only when it is necessary in order to protect the lives of others. Anyone who says otherwise clearly does not understand the responsibility that comes with wielding deadly force, and the sooner the crackpots who kill some poor kid to save their property are hauled off to prison, the better.
Your post smacks of the attitude of a kid who's never actually held a gun, much less been in a situation where it was necessary to use it. I haven't had to fire upon another human being either, but I know people who have; my father's gun saved his life on several occasions, and a friend of mine is a police officer. Think before you speak, maybe.
P.S: I have to say I do agree that sometimes deadly force should be used to stop a car chase. If the suspect represents a direct threat to innocent life, or the moment they make an assault with their vehicle, any measure required to stop them should be employed. However, in a pursuit situation, the best option is to simply let the suspect get away - unless you know that they do in fact pose an immediate threat (say, they're an escaping murderer, or they have a hostage, or something of that magnitude), it's simply not worth the risk to public safety that is involved in a high-speed pursuit. It's sad the number of times innocent people have been injured or killed because the cops didn't want to let a drug dealer or two-bit robber get away.
Re:Here's a tip (Score:4, Insightful)
Unless ISPs got off their asses and implemented egress filtering for packets leaving their networks. Cable modem in Florida spewing packets addressed from China? Holy shit, I think they're bogus! The closer you filter these bogus packets to the source, the less traffic any given filter has to deal with, PLUS the smaller network size it has to accept packets from, leading to a reduced chance of dropping or allowing the wrong packets.
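An added illustration of the egress filtering described in the comment above (not part of the original thread): source-address validation applied per access port, compared with a single filter at the ISP border. The port names, prefixes and packet records are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed topology: prefixes assigned to each access port (RFC 5737 ranges).
PORT_PREFIXES = {
    "cable-port-1": ["198.51.100.0/28"],
    "cable-port-2": ["198.51.100.16/28"],
}

# Constructed packet records: (port the packet arrived on, claimed source address).
PACKETS = [
    ("cable-port-1", "198.51.100.5"),   # genuine
    ("cable-port-1", "203.0.113.77"),   # spoofed: address from a foreign network
    ("cable-port-1", "198.51.100.20"),  # spoofed: a neighbour's address
    ("cable-port-2", "198.51.100.20"),  # genuine
    ("cable-port-2", "192.0.2.9"),      # spoofed
]

def compile_acl(prefixes):
    """Collapse assigned prefixes into the shortest equivalent allow-list."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))

def permitted(src, acl):
    """True when the claimed source address falls inside the allow-list."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)

def filter_at_access(packets, port_prefixes):
    """Filter next to the source: a port may only emit its own prefixes."""
    acls = {port: compile_acl(p) for port, p in port_prefixes.items()}
    return [(port, src) for port, src in packets if permitted(src, acls.get(port, []))]

def filter_at_border(packets, port_prefixes):
    """Filter once at the ISP border: any address the ISP owns is accepted."""
    acl = compile_acl(p for plist in port_prefixes.values() for p in plist)
    return [(port, src) for port, src in packets if permitted(src, acl)]

if __name__ == "__main__":
    print("passed at access ports:", filter_at_access(PACKETS, PORT_PREFIXES))
    print("passed at ISP border:  ", filter_at_border(PACKETS, PORT_PREFIXES))
```

The border filter still drops the foreign-source packets, but it lets through the packet that borrows a neighbouring customer's address; the per-port filter drops it as well.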
Re:Good, some balls. (Score:3, Insightful)
So you trust the person who shoots you to determine your innocence or guilt? Last I checked that was for a judge and/or jury.
What if what they're "making off with" turns out to be theirs and only looks like something you own?
No, I think the use of deadly force should be restricted to when yourself or your family/friends come under attack directly. I do however think it's ridiculous that you can be charged and then sued for a burglar tripping over your rug in some places. Frankly I think if a burglar gets held by force (and suffers minor injuries) that's fair enough. If a burglar gets to go home in a coffin that's a bit too much.