Taking on an Online Extortionist

An anonymous reader writes "When an online extortionist comes a knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
  • Interesting article (Score:3, Interesting)

    by Nova1313 ( 630547 ) * on Wednesday May 04, 2005 @12:14PM (#12432557)
    Very long but very interesting. Glad to see they caught some of them. They mentioned a hacked ICQ account. That just seemed odd to me since ICQ accounts are free. Anyone know what they were talking about?
  • That's frightening (Score:5, Interesting)

    by plover ( 150551 ) * on Wednesday May 04, 2005 @12:16PM (#12432584) Homepage Journal
    It's a brilliant story, and you've got to applaud the guys at the victim site for sticking up for themselves.

    It makes me wonder if this new anti-DDoS company can somehow establish relationships with ISPs to track back the zombies and get them shut down more quickly? Seems that would be the sanest and most effective tool -- take away the bots. No bots -- no botnet -- no attacks.

  • Good, some balls. (Score:5, Interesting)

    by vbrookslv ( 634009 ) on Wednesday May 04, 2005 @12:22PM (#12432649)
    Glad to see someone standing up to these thugs. I remember a few years ago, the ISP that I admin'd hosted the connection for http://www.defcon.org/ [defcon.org]. We had someone start a Smurf attack from the Con, targeting our inbound T3's. We were able to track it down, and actually snatch him out of his seat right there at the con. He promptly apologized (I think, he only spoke German, IIRC). The look on his face was priceless. Oh, did I mention that me, and everyone else at the company carry Glock 19's? Yeah, we didn't have any more problems for the rest of the con. Everyone was on their best behaviour. A bunch of fine, upstanding individuals. :)
  • Curious (Score:3, Interesting)

    by Dante Shamest ( 813622 ) on Wednesday May 04, 2005 @12:25PM (#12432680)

    I've always wondered...when a site is slashdotted, it implies that the site has been hit by high referrals from slashdot, causing it to become slow or go down totally.

    But how does slashdot itself cope with the high traffic?

  • Re:Here's a tip (Score:5, Interesting)

    by suso ( 153703 ) * on Wednesday May 04, 2005 @12:27PM (#12432701) Journal
    Actually, in relation to that, what happens when your spamfilter marks such an email as spam. I guess you can say that's a major false positive.
  • by Ankh ( 19084 ) * on Wednesday May 04, 2005 @12:28PM (#12432727) Homepage
    Some ISPs are doing customer-level ingress filtering -- e.g. if the "other end" of the cable modem gets a packet whose src address is not that of the cable modem, drop it on the floor, it's forged.

    The ease of infecting home XP systems remotely means you sometimes find teenagers with tens of thousands of zombie computers at their control. They can sell them to spammers, too.

    The ease of doing massive DDoS attacks is why I stopped running an IRC server, and also stopped a research project I was doing related to inter-protocol messaging. It wasn't worth the hassle.

    Fighting back is hard if you don't know who to fight, but in the case of extortion, (1) document everything on paper, (2) keep timestamped printed IRC logs of all conversations, and full email printouts; (3) ask some other people to print copies of their IRC logs when appropriate. Then contact the RCMP (or if you are in the USA, the FBI, but in the USA you need to show financial damage of $5,000 or more). Don't wait until it's all over before contacting them.

    Good luck!

    Liam
  • Re:Even Slashdot? (Score:2, Interesting)

    by MrAnnoyanceToYou ( 654053 ) <dylan AT dylanbrams DOT com> on Wednesday May 04, 2005 @12:31PM (#12432762) Homepage Journal
    Speaking of mentions on Slashdot, has anyone else ever seen an article wherein someone was portrayed as such a complete shining genius? Anybody else find this even slightly suspicious?
  • No protection (Score:5, Interesting)

    by McGiraf ( 196030 ) on Wednesday May 04, 2005 @12:34PM (#12432794)
    The thing with these DoS extortionists is that unlike the mafia or other groups they do not protect you from other extortionists. If you pay them they can stop their attack, but if someone else tries to attack you they cannot do anything.
  • by Talking Goat ( 645295 ) on Wednesday May 04, 2005 @12:40PM (#12432867)
    Or, the ISPs can do as the smart ones have done and deploy Tipping Point [tippingpoint.com] and begin to mitigate these attacks the moment they are detected on the border routers. It's smart, fast, and really good at shutting down the traffic generated by these botnets by giving the admin the ability to apply vendor-supplied templates, or to create your own. However, you'd need additional deployments inside the network to avoid fratricide, but you can't beat the intelligence behind this approach.
  • Re:Question (Score:5, Interesting)

    by American AC in Paris ( 230456 ) * on Wednesday May 04, 2005 @12:42PM (#12432886) Homepage
    I don't have a beef with Mr. Piquepalle anymore, but I'd suggest you dig through some of his early submissions for an answer. As of late, Mr. Piquepalle has been going the full-disclosure route--that is, he makes no secret of the fact that he's affiliated with the sites he submits to Slashdot. Early on, though, Mr. Piquepalle regularly pretended to be "just some guy" who found sites like Engadget interesting. That's not good; if you're affiliated with what you're plugging, you should be candid and open about that fact. Failure to provide full disclosure puts you in the same boat as the likes of Armstrong Williams, who conveniently forgot to mention that he was being paid off by the administration to plug No Child Left Behind in what were ostensibly opinion pieces. It's a dishonest and unethical practice, to say the least.

    But like I said, he's cleaned up his act in recent months, so I no longer have a beef with him. Some folks, on the other hand, still hold this against him--which isn't an entirely unreasonable position to take.

  • Re:Here's a tip (Score:3, Interesting)

    by ReverendLoki ( 663861 ) on Wednesday May 04, 2005 @12:45PM (#12432926)
    I can't help but wonder how the extortionist might have reacted to an error reply:

    MAILSERVER: Error, mailbox does not exist

    Not saying it would necessarily work, and as it was probably sent to a published address, would at best delay the threat while lowering the extortionist's expectation of your ability to defend your network.

  • Re:Good, some balls. (Score:2, Interesting)

    by vbrookslv ( 634009 ) on Wednesday May 04, 2005 @12:49PM (#12432959)
    Of course I have my CCW, as any upstanding, responsible, and capable citizen should. It's one of the things I love about Nevada, we still respect the 2nd Amendment.

    In any case, Nevada is actually an Open Carry state. Meaning, even without a CCW, as long as you carry openly in a holster (IOW, do not meet the criteria to be considered concealed), you are legal. No CCW needed. That doesn't mean someone can't ask you to leave their premises, but that's a different story entirely. That's what your CCW is for. :)

    It's so exhilarating being so close to the PR of Commufornia, and still having my Civil Liberties intact. They may have the literal 'greener grass', but we have the more important metaphorical kind.
  • by davidwr ( 791652 ) on Wednesday May 04, 2005 @12:50PM (#12432972) Homepage Journal
    Dane-geld [newcastle.edu.au]
    (A.D. 980-1016)

    IT IS always a temptation to an armed and agile nation,
    To call upon a neighbour and to say:--
    "We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation to a rich and lazy nation,
    To puff and look important and to say:--
    "Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
    But we've proved it again and again,
    That if once you have paid him the Dane-geld
    You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray,
    So when you are requested to pay up or be molested,
    You will find it better policy to say:--

    "We never pay any one Dane-geld,
    No matter how trifling the cost,
    For the end of that game is oppression and shame,
    And the nation that plays it is lost!"

    - Rudyard Kipling

    Anyone willing to try their hand at "updating" this to fit online extortion? This could be lots of fun :)
  • Re:Never pay (Score:5, Interesting)

    by Council ( 514577 ) <rmunroe@gmaPARISil.com minus city> on Wednesday May 04, 2005 @12:57PM (#12433031) Homepage
    From TFI:
    To ensure a quick, quiet transaction, the extortionists did what all extortionists (in the physical or online world) do: They exploited the problem of the commons. An ecological principle, the problem of the commons states that people will act in self-interest if it profits them in the short term, even if that act will hurt everyone, including themselves, in the long term. Every act, every threat, every negotiation tactic, every single move extortionists make is designed to make paying the protection fee not only appealing, but in fact, the smartest business decision you can make in the short term, even if you know in the long run that you haven't stopped the problem at all.
  • Re:No protection (Score:3, Interesting)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Wednesday May 04, 2005 @12:59PM (#12433046) Homepage Journal
    So, how does that actually work out in real life? If Syndicate Foo is "protecting" my business, and Syndicate Bar sends a couple of "salesmen" to offer me competing rates, how do I pick which policy to use? Do we all sit down with lasagna and compare market capitalization, research projects, and offensive/defensive capabilities? Do I have to weigh the relative likelihood of widowerhood if I switch from Foo to Bar, or reject Bar to stick with Foo?

    Sorry, but I grew up in a decidedly non-ethnic area and am somewhat ignorant in the finer points of coercee etiquette.

  • by Roofus ( 15591 ) on Wednesday May 04, 2005 @01:01PM (#12433069) Homepage
    Wow, 4 replies and not one of them understands why.

    ICQ accounts aren't named, they're numbered (you can assign names, but they were always changeable). Low ICQ account numbers are like 2 or 3 digit Slashdot ids....a source of pride.

    The hacker probably gave Lyon a low ID account, and to those fuckers it's a nice gift for status.
  • Re:Good, some balls. (Score:5, Interesting)

    by vbrookslv ( 634009 ) on Wednesday May 04, 2005 @01:02PM (#12433083)
    The reason we carried, aside from the stock "Because we can" answer, is simple. We were in a building with a few hundred thousand dollars in routers, and customers such as banks and medical facilities. We were downtown on Fremont and 7th St in Las Vegas. For those who aren't familiar with the area, it's the hood. I regularly had to chase crackheads, as well as hookers with their Johns off of our back steps. We would regularly find people sleeping in our dumpster in the morning.

    And to answer the obvious question, our office WAS there for a reason, we were a block from the ILEC's main CO. This made quite a difference in the cost and time to install of new circuits.
  • Insult? (Score:2, Interesting)

    by JadeNB ( 784349 ) on Wednesday May 04, 2005 @01:03PM (#12433091) Homepage
    Is it just me, or is the author none-too-subtly suggesting at the end of what seems a pretty flattering article that the one who engineered the defence is in collusion with the extortionists, and that paying him for help is essentially paying a protection fee? The turnabout in tone is so abrupt it seems like the last few paragraphs were written by a different person.
  • Hacked ICQ? (Score:3, Interesting)

    by SimonShine ( 795915 ) on Wednesday May 04, 2005 @01:03PM (#12433103) Homepage
    The only thing I'm reminded of is the telling of a guy who sought palindrome ICQ account numbers with email addresses from XS4ALL assigned to them, of which the email accounts had expired. Apparently he found a few, and through XS4ALL, he would re-create these expired email accounts, then have the old password sent to him. A weird collectible, and probably not the story you were looking for. :-)
  • a little outdated.. (Score:1, Interesting)

    by Anonymous Coward on Wednesday May 04, 2005 @01:06PM (#12433129)
    did anyone else notice that this is a november 2003 article?
  • by mikeswi ( 658619 ) * on Wednesday May 04, 2005 @01:09PM (#12433167) Homepage Journal
    Starting Feb 2004, my site was hit by a powerful DDoS attack. It knocked out my web server and it nearly took out my web host's switch in the data center. I never got any demands or letters or figured out who caused it.

    Anonymizer.net tried to help me by putting my domain behind a series of rotating proxy servers. Their whole network crashed after 6 hours and they had to stop helping me.

    Finally my web host hit on the right idea. I set up a half dozen virtual private servers (VPS) at Globalservers.com (same company that hosts about.com and freeservers) and my host installed a proxy server on each one called twhttpd and set them all to route traffic to and from my web server at his data center.

    Then I set up an account at ZoneEdit and added all the IPs for the proxy servers with a failover system. Every time the bastards knocked out one of the proxy servers, ZoneEdit would detect that the server was borked and switch to another one. With the load reduced, the dead proxy came back on its own a few minutes later.

    After about 6 months of this, they finally gave up and I won.
  • by Anonymous Brave Guy ( 457657 ) on Wednesday May 04, 2005 @01:15PM (#12433226)
    "Sorry sir, no email for you until you reformat"...uhh huh. That'll happen.

    Doubtful, but perhaps it should.

    Consider another everyday activity, with a lot of benefits but some inherent risks, which works fine when people take care but goes wrong when they don't: driving. In most places, you don't get to drive without taking a simple test to prove you're reasonably safe and competent. Then if you're caught driving in a way that's hazardous or inconsiderate to others, a nice policeman pulls you over. Depending on the significance of the violation, you get a verbal warning, a formal sanction, or read your rights and your vehicle confiscated.

    If a similar principle applied to the Internet, with minor offences attracting a polite warning up to running a grossly insecure system that causes widespread inconvenience to other netizens getting you completely blocked, people would soon learn to respect the technology and others using it. But first we have to get over this strange idea that because it's The Internet, everyone should be allowed to use it, without any traceability or responsibility for their actions whatsoever, regardless of the harm it may cause others. I doubt that'll be a popular viewpoint around these parts.

  • Re:Here's a tip (Score:5, Interesting)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday May 04, 2005 @01:26PM (#12433324)
    When they fire that warning shot, you dump all the attacking IPs to a log and circulate the list to AHBL, Spamhaus, CBL etc so that the extortionist's zombie network is now worth half of what it was before. Zombies are only worth anything if they are novel. And you tell the extortionist that for each additional shot, their botnet monetary value will decrease by 10% or whatever.
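    The first step bigberk describes, as an added example that is not from this thread or the CSO article: parse a burst of firewall log lines, work out which sources are flooding, drop spoofed bogon sources that no blocklist can use, and emit the per-source list you would hand to a blocklist operator. The log format, the sliding-window thresholds and every address below are constructed for the demo.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in a pf-style "block in" format (assumed for the demo; real
# pflog output differs). 203.0.113.7 and 198.51.100.23 flood port 80, 10.9.8.7
# is a spoofed private source, 192.0.2.55 is an ordinary visitor.
SAMPLE_LOG = """\
2005-05-04 12:14:00 block in on em0: 203.0.113.7 -> 192.0.2.10:80 S
2005-05-04 12:14:00 block in on em0: 198.51.100.23 -> 192.0.2.10:80 S
2005-05-04 12:14:00 block in on em0: 10.9.8.7 -> 192.0.2.10:80 S
2005-05-04 12:14:01 block in on em0: 203.0.113.7 -> 192.0.2.10:80 S
2005-05-04 12:14:01 block in on em0: 198.51.100.23 -> 192.0.2.10:80 S
2005-05-04 12:14:01 block in on em0: 10.9.8.7 -> 192.0.2.10:80 S
2005-05-04 12:14:02 block in on em0: 203.0.113.7 -> 192.0.2.10:80 S
2005-05-04 12:14:02 block in on em0: 10.9.8.7 -> 192.0.2.10:80 S
2005-05-04 12:14:02 block in on em0: 198.51.100.23 -> 192.0.2.10:80 S
2005-05-04 12:14:03 block in on em0: 203.0.113.7 -> 192.0.2.10:80 S
2005-05-04 12:14:03 block in on em0: 10.9.8.7 -> 192.0.2.10:80 S
2005-05-04 12:14:03 block in on em0: 198.51.100.23 -> 192.0.2.10:80 S
2005-05-04 12:14:04 block in on em0: 203.0.113.7 -> 192.0.2.10:80 S
2005-05-04 12:14:05 block in on em0: 192.0.2.55 -> 192.0.2.10:80 S
this line is deliberately malformed and must be skipped
2005-05-04 12:14:09 block in on em0: 192.0.2.55 -> 192.0.2.10:80 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) block in on \S+: "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) \S+$")
BOGON_NETS = [ipaddress.ip_network(n) for n in (  # simplified bogon list (assumed)
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_log(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], int(m["port"])))
    return events

def is_reportable(src):
    """A private/bogon source on inbound traffic is spoofed: nothing to report."""
    return not any(ipaddress.ip_address(src) in net for net in BOGON_NETS)

def rate_offenders(events, window_seconds=5, threshold=4):
    """Map src -> total packets for each reportable source that sent at least
    `threshold` packets inside some `window_seconds` span (sliding window)."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port in events:
        by_src[src].append(ts)
    offenders = {}
    for src, stamps in by_src.items():
        if not is_reportable(src):
            continue
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                offenders[src] = len(stamps)
                break
    return offenders

def blocklist_report(text, window_seconds=5, threshold=4):
    """Tab-separated 'src packets first_seen last_seen' lines, busiest first."""
    events = parse_log(text)
    offenders = rate_offenders(events, window_seconds, threshold)
    seen = defaultdict(list)
    for ts, src, _dst, _port in events:
        if src in offenders:
            seen[src].append(ts)
    rows = sorted(offenders.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%s\t%d\t%s\t%s" % (src, n, min(seen[src]).isoformat(),
                                max(seen[src]).isoformat()) for src, n in rows]

if __name__ == "__main__":
    print("\n".join(blocklist_report(SAMPLE_LOG)))
```

    Tune the window and threshold to the legitimate request rate of the service; a two-packet visitor such as 192.0.2.55 above is only flagged when the threshold is lowered to 2.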
  • by halfelven ( 207781 ) on Wednesday May 04, 2005 @01:43PM (#12433446)
    I actually tested those appliances fairly thoroughly, and yes, they're good at killing SYN floods and stuff.
    But what they don't solve and, indeed, what they cannot solve, no matter how smart, is the problem of sheer volume - the problem of bandwidth. If the attacker overwhelms your pipe, or your ISP's pipe, or your ISP's ISP's pipe, then mission accomplished.
    You also have to have enough bandwidth to fight the attack, even if your servers can handle all those SYN packets per se.
  • Re:oblig Churchill (Score:4, Interesting)

    by flink ( 18449 ) on Wednesday May 04, 2005 @01:59PM (#12433588)
    And some pretty questionable ones:

    "I do not agree that the dog in a manger has the final right to the manger even though he may have lain there for a very long time. I do not admit that right. I do not admit for instance, that a great wrong has been done to the Red Indians of America or the black people of Australia. I do not admit that a wrong has been done to these people by the fact that a stronger race, a higher-grade race, a more worldly wise race to put it that way, has come in and taken their place."

    He also had no problem with using gas to put down uprisings by colonized indigenous peoples. I'm not saying he's a saint, just pointing out that popular leaders tend to get viewed through a rose colored filter.
  • by mikeswi ( 658619 ) * on Wednesday May 04, 2005 @02:04PM (#12433634) Homepage Journal
    Most of the filtering was done by globalservers. They have a bunch of very serious routers specifically designed to block DDoS attacks and they have more bandwidth than God.

    Once the traffic passed through their routers, it went through the proxy and the proxy would pull the data from my webserver.

    My host wrote a script that he installed somewhere (on his switch I think) that filtered out a specific type of HTTP GET. Whoever wrote the attack bot made a mistake because it generated some weird error (408 or 508 or something). His script filtered that out and then the webserver would return data to the proxy servers and from there to the end client.

    It was a little glitchy and it nearly ruined my message board (all the users had the same 6 IP addresses and that played hell with session IDs), but it kept the site going despite the attacker's best efforts. He/they eventually moved on to attack other antispyware web sites with fewer resources.
  • Re:oblig Churchill (Score:4, Interesting)

    by shreevatsa ( 845645 ) <shreevatsa.slash ... m minus caffeine> on Wednesday May 04, 2005 @02:11PM (#12433696)
    "History will be kind to me, for I intend to write it"
    --Winston Churchill
  • by Cheeze ( 12756 ) on Wednesday May 04, 2005 @02:21PM (#12433792) Homepage
    What would happen if he had changed the DNS of his website, to, I dunno, say the IP address of fbi.gov? The criminals would then be DoSing fbi.gov and the FBI would immediately notice. If it wasn't a DNS-based attack, it should be relatively easy to route all incoming traffic to another IP address.

    I wonder if the guy that was originally being dossed would get in trouble for it.
  • Re:oblig Churchill (Score:5, Interesting)

    by mikeswi ( 658619 ) * on Wednesday May 04, 2005 @02:22PM (#12433793) Homepage Journal
    _Selling_ material was how we justified it to an isolationist Congress and population. Actually, we _lent_ most of what went over because England was running out of money. And we didn't want it back once the war was over.

    Plus several squadrons' worth of American fighter pilots went over to help before we declared war.

    Plus our navy was fighting an unofficial war with the German U-boats for about a year before we went to war while we escorted the convoys heading from Canada to England.

    FYI, we're just as grateful to England for remaining a friend ever since. Although personally I wish your government would try to hold mine in check rather than just going along with everything Bush does. Your government may be our friend but I don't think your people like us very much at this point.
  • Re:oblig Churchill (Score:2, Interesting)

    by kalamazoo904 ( 312444 ) <allen_bryan AT s ... harvard DOT edu> on Wednesday May 04, 2005 @02:22PM (#12433794)
    Because he knew England didn't have the manpower for an amphibious landing in France or Germany. They'd sent troops to France, but the incompetency of the French High Command in the face of Blitzkrieg forced the Dunkirk evacuation.

    That's where the line about "the New World coming to rescue the Old" comes in -- Churchill knew he couldn't invade France until the US entered the war. He knew that was likely by early '42, i.e., about two years after that speech. If Pearl Harbor hadn't happened, Roosevelt was prepared to make German attacks on American shipping a casus belli.

    Did they teach you the history of WW II, or are you just being obnoxious?
  • by Anonymous Coward on Wednesday May 04, 2005 @02:25PM (#12433825)
    This is the FBI. They'd go after the guy who changed his DNS first and foremost. That's how they operate. They don't go after the actual criminals. They shake down the most-easily-accessible person involved in the issue and try to follow the tree up to its source, which usually doesn't get them very far.
  • Re:Good, some balls. (Score:4, Interesting)

    by d474 ( 695126 ) on Wednesday May 04, 2005 @02:27PM (#12433848)
    So I'm pointing my Taser at your main Switch, you've got your Glock-19 drawn...

    "I SWEAR I'll do it man! I'll fry this bitch right now if you don't put your gun down! I crazzzzzy - don't you know I'm loco!?!"

    What are you going to do then, mister rent-an-adminCop?
  • Re:Good, some balls. (Score:3, Interesting)

    by vbrookslv ( 634009 ) on Wednesday May 04, 2005 @02:43PM (#12433990)
    Exercising lethal force, and being capable of exercising lethal force are two entirely different things.

    If I had to chase crackheads off of our steps every day, what's the chance that one of them might take offense to that, and decide to stick me with something, or worse? At first, when I was carrying concealed all the time, about once a week I would get some uppity (sp?) dealer that would decide that I was infringing on his urban pharmaceutical business, and give me some lip, get up in my face, as if he was going to start shit. So we put in some video cameras, and started open carrying. Very rarely did anyone give us a hard time after that. I did have one guy who tried to break into one of our cars, and I caught him and arrested him on the spot. Turned out he was a 3-time loser from CA. I actually performed a public service!

    Nothing wrong with being prepared, right? It's the same reason I carry a rollover cable in my laptop bag, you just never know when you will need to reconfigure a Cisco router. :)
  • by Mr Pippin ( 659094 ) on Wednesday May 04, 2005 @03:20PM (#12434343)
    How ironic that a story about fighting DDoS attacks can't be read due to the Slashdot effect.
  • Re:oblig Churchill (Score:3, Interesting)

    by king-manic ( 409855 ) on Wednesday May 04, 2005 @03:31PM (#12434441)
    The Russians were actually allied with Germany, and would have taken no significant part in the war if Hitler had not decided that he wanted Russia as part of his empire, and decided to attack them.

    Just a little historical note, both sides were going to renege on that alliance/truce. Except the Germans thought they could gain the upper hand by a decisive pre-emptive attack. Their intelligence reported Russia was marshalling its forces to attack Germany.

    They got bogged down in Russia in winter and they got crushed by the combined might of the cold and the Ruskies.
  • by KD5YPT ( 714783 ) on Wednesday May 04, 2005 @05:43PM (#12435883) Journal
    That's because ALL traffic from the Slashdot effect is real and legitimate traffic. In other words, we're not attacking them so they don't filter us out.
  • Re:Good, some balls. (Score:2, Interesting)

    by radish ( 98371 ) on Wednesday May 04, 2005 @06:03PM (#12436045) Homepage
    Why is their right to steal from me greater than my right to stop them?

    It's not. But their right to live is greater than your right to kill them. Stop != kill. It may well be perfectly possible to stop someone stealing your router without shooting them in the back, if so great. If not, well, call the police. That's their job. If they're not able to catch the thief, look to your democratic process to get them better funded or whatever.

    IMHO the right to life trumps pretty much every other right there is.
  • I use OpenBSD's pf (Score:3, Interesting)

    by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Wednesday May 04, 2005 @06:42PM (#12436351) Journal
    It's AMAZING, but you have to supply the electricity which will add up to a fair amount for a real pc vs. a little appliance thingy. Got a spare laptop with a borked screen or something? You could probably pick one up for a song at RePC or a similar outfit.
