Ask Slashdot: How To Deal With a DDoS Attack?

First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"
  • by Anonymous Coward on Saturday November 03, 2012 @02:21PM (#41866615)

    You just gave him $400 more than he had before, and he knows you're good for it.

    What were you thinking?

    • by Anonymous Coward on Saturday November 03, 2012 @03:35PM (#41867235)
      Pay someone in Lebanon to DDoS his face :)
    • by v1 ( 525388 ) on Saturday November 03, 2012 @04:05PM (#41867447) Homepage Journal

      What were you thinking?

      Apparently something along the lines of "I wonder how much more they'll demand next month?"

      NEVER negotiate with criminals. If you do, they'll always come back for more.

      • by Existential Wombat ( 1701124 ) on Saturday November 03, 2012 @07:06PM (#41868667)

        It is always a temptation to an armed and agile nation
            To call upon a neighbour and to say: --
        "We invaded you last night--we are quite prepared to fight,
            Unless you pay us cash to go away."

        And that is called asking for Dane-geld,
            And the people who ask it explain
        That you've only to pay 'em the Dane-geld
            And then you'll get rid of the Dane!

        It is always a temptation for a rich and lazy nation,
            To puff and look important and to say: --
        "Though we know we should defeat you, we have not the time to meet you.
            We will therefore pay you cash to go away."

        And that is called paying the Dane-geld;
            But we've proved it again and again,
        That if once you have paid him the Dane-geld
            You never get rid of the Dane.

        It is wrong to put temptation in the path of any nation,
            For fear they should succumb and go astray;
        So when you are requested to pay up or be molested,
            You will find it better policy to say: --

        "We never pay any-one Dane-geld,
            No matter how trifling the cost;
        For the end of that game is oppression and shame,
            And the nation that pays it is lost!"

    • by khallow ( 566160 )
      The danegeld doesn't get rid of the Dane? Who knew?
    • by Patch86 ( 1465427 ) on Sunday November 04, 2012 @06:14AM (#41871457)

      I suspect they were thinking "we need to get our website back up or we'll lose business, and $400 is cheaper than the $6000 that Rackspace are asking for". They know they did wrong, hence why they're asking us here for better ways to deal with it next time. But unfortunately, it's a "you can't start from here" situation: if your site is down and you're under sustained attack and you don't already have something in place to deal with it, you don't really have many options.

      So do you have a suggestion as to what they could have done differently / can do differently next time, or are you just here to make easy quips?

      • by jeandebogue ( 2767661 ) <jean@wedebugyou.com> on Monday November 05, 2012 @07:35AM (#41879223) Homepage
        The best way to mitigate a DDoS is to first understand it. Do they want to bring down one of your websites, networks, applications or services, or do they want to just DDoS the whole thing?

        The most important thing is to become invisible.
        In short, don't allow ICMP in or out.

        The second most important thing is to make sure you still have enough bandwidth.
        If all of your internet connections are full then you need to find a way to have bandwidth in and out again. For this step you have to deal with your ISP if you don't have BGP routers. If you have BGP routers then you can tell your router to tell the ISP to stop sending traffic from those few IP addresses. Usually not many IPs are sending huge amounts of UDP or crap.

        The third thing is to temporarily apply some aggressive firewall filtering at the border.
        Blacklist all suspicious IPs. This means you should have some list of countries to block. If all your internet partners are in the US, you can safely block the rest of the world. Then you should start to grey-list some abusive IPs for 1 hour. An efficient grey-list that fits your business model is very important. It will probably not be perfect the first time, but after 2 or 3 DDoS attacks, it will catch a lot of crappy traffic.

        It will let your clients and coworkers use your online services.
        There are so many things that can be done that you should hire some experts if this becomes a concern for your business. But with the steps above you can survive many DDoS attacks.
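An added example, not from the commenter above: the country allowlist and one-hour grey-list those steps describe, as a small stand-alone Python filter run over a constructed packet stream. The prefix-to-country table is a made-up stand-in for a real GeoIP database, and the thresholds, window and expiry are assumptions chosen for the demonstration.

```python
import ipaddress
from collections import deque

# Constructed stand-in for a GeoIP lookup (assumption: a real deployment
# would consult a GeoIP database instead of this three-entry table).
PREFIX_TO_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
}


def country_of(ip):
    """Country code for an address, or None when the table does not know it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in PREFIX_TO_COUNTRY.items():
        if addr in net:
            return cc
    return None


class BorderFilter:
    """Country allowlist plus a sliding-window rate limit that grey-lists a
    source for a fixed period once it exceeds the threshold.

    allowed_countries: set of country codes allowed in, or None for all.
    threshold/window:  more than `threshold` packets within `window` seconds
                       from one source puts it on the grey-list.
    greylist_seconds:  how long a grey-listed source stays blocked (3600 = 1 h).
    """

    def __init__(self, allowed_countries=None, threshold=100, window=10,
                 greylist_seconds=3600):
        self.allowed = allowed_countries
        self.threshold = threshold
        self.window = window
        self.greylist_seconds = greylist_seconds
        self.recent = {}    # src_ip -> deque of timestamps inside the window
        self.greylist = {}  # src_ip -> expiry timestamp

    def decide(self, src_ip, ts):
        """Return 'pass' or 'drop' for one packet from src_ip seen at time ts."""
        # 1. Country allowlist: coarse and cheap, so it runs first. Unknown
        #    addresses are treated as not allowlisted.
        if self.allowed is not None and country_of(src_ip) not in self.allowed:
            return "drop"
        # 2. Grey-list: drop until the entry expires, then forget it.
        expiry = self.greylist.get(src_ip)
        if expiry is not None:
            if ts < expiry:
                return "drop"
            del self.greylist[src_ip]
        # 3. Sliding-window count; crossing the threshold grey-lists the source.
        q = self.recent.setdefault(src_ip, deque())
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.greylist[src_ip] = ts + self.greylist_seconds
            q.clear()
            return "drop"
        return "pass"


def replay(filter_, packets):
    """Run (timestamp, src_ip) pairs through the filter; return counts per verdict."""
    counts = {"pass": 0, "drop": 0}
    for ts, ip in packets:
        counts[filter_.decide(ip, ts)] += 1
    return counts


if __name__ == "__main__":
    f = BorderFilter(allowed_countries={"US"}, threshold=5, window=10)
    # Constructed sample: a burst from one US host plus two packets from Brazil.
    flood = [(t * 0.1, "192.0.2.7") for t in range(20)]
    foreign = [(1.0, "203.0.113.9"), (2.0, "203.0.113.9")]
    print(replay(f, flood + foreign))
```

This runs on the host or border box, so it only helps while the uplink still has headroom; once the link itself is saturated, dropping packets after they arrive changes nothing, which is the point of the bandwidth step above.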
  • Cloudflare (Score:3, Informative)

    by Anonymous Coward on Saturday November 03, 2012 @02:25PM (#41866647)

    Cloudflare are great, I use them on my sites and they can handle the traffic w/o issue.

  • Next time (Score:5, Interesting)

    by Progman3K ( 515744 ) on Saturday November 03, 2012 @02:27PM (#41866669)

    Spend the $400 on a computer-forensics investigator, find out who is doing this, then contact law enforcement.

    • Re:Next time (Score:5, Interesting)

      by Nyder ( 754090 ) on Saturday November 03, 2012 @02:32PM (#41866719) Journal

      Spend the $400 on a computer-forensics investigator, find out who is doing this, then contact law enforcement.

      Dude was in Lebanon, I'm sure the local police would be happy to pick him up.

      Honestly, this person is smart. Keep it small and low, and you probably will get away with it a lot. Ramp it up, go after a big fish, and our government might start getting pissed, but they won't care about a bunch of small businesses.

    • Re:Next time (Score:5, Insightful)

      by nurb432 ( 527695 ) on Saturday November 03, 2012 @03:57PM (#41867405) Homepage Journal

      There are a few problems with this:

      1 - Often times they are out of the country (it's safer), so no jurisdiction even if they are found. You want to deal with having to do this across country borders?
      2 - The cost of your business being down may far exceed the 'ransom' while this 'service' does its 'investigation'
      3 - $400 wont go far for an investigation.

      Not saying to pay ransom to every script kiddie that comes calling, as that is an open invite to disaster, but I don't think what you suggest is a viable alternative either. At least not while the DoS is taking place.

  • by arthurpaliden ( 939626 ) on Saturday November 03, 2012 @02:28PM (#41866683)
    I don't know who you are. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my computer go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.
  • this may help you (Score:5, Informative)

    by Anonymous Coward on Saturday November 03, 2012 @02:30PM (#41866697)

    Hi first time accepted submitter!

    You may want to check this [slashdot.org] Ask Slashdot.

  • by AK Marc ( 707885 ) on Saturday November 03, 2012 @02:31PM (#41866715)
    There was a gambling site in Australia that got on the wrong side of a gambling gang (stealing customers, nothing they did specifically to attract ire). The DDoS took down Australia. Keeping your servers up when your link is flooded isn't too hard. Keeping your site up when the DDoS takes down your ISP and their ISP is a little harder. The "best" solution is to log all IPs and sue all local IPs for hacking. Get some old lady fined $1,000,000 for hacking and maybe people will figure out that they should secure it or turn it off. If there were no botnets, there would be fewer, if any, DDoS attacks.
    • Get some old lady fined $1,000,000 for hacking and maybe people will figure out that they should secure it or turn it off.

      Yeah, that's real workable. Courts love to hammer those old ladies.

    • by Bert64 ( 520050 )

      And if the source addresses are spoofed, then what?

      • by AK Marc ( 707885 )
        Then you do more forensics and take the ISPs to court for gross negligence and hacking. No ISP should allow from addresses that it does not own. I've worked for 4 ISPs and all have filters that block ranges they are not directly aware of to prevent spoofs from being sent. Not doing so is negligent.

        Though you are right, most are spoofed. Find two services you want to down. Do a SYN spoof on the first with the "from" address of the second. Your first target will be a participant in the attack against the
        • Depending on the design of the ISP network, the packet can be spoofed and pass egress filtering, as long as the source is spoofing another host in the ISP network.
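An added example, mine rather than any commenter's, of the egress source-address check this sub-thread is arguing about. The ISP prefixes, port names and packets are constructed. The first check is the BCP38 minimum (source must belong to the ISP at all); the second ties the check to the port the packet arrived on, which is what strict-mode uRPF or per-customer ingress ACLs give you, and it is the one that also catches the intra-ISP spoof the reply above points out.

```python
import ipaddress

# Constructed ISP topology (assumption): each customer port carries one prefix.
PORT_PREFIXES = {
    "port-A": [ipaddress.ip_network("192.0.2.0/24")],
    "port-B": [ipaddress.ip_network("198.51.100.0/24")],
}
ISP_PREFIXES = [net for nets in PORT_PREFIXES.values() for net in nets]


def in_any(src_ip, networks):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def aggregate_acl_allows(ingress_port, src_ip):
    """One ACL at the ISP's upstream edge: the source must lie inside some
    prefix the ISP owns. Stops packets claiming an outside address, but lets
    customer A forge customer B's address because both are 'ours'."""
    return in_any(src_ip, ISP_PREFIXES)


def per_port_acl_allows(ingress_port, src_ip):
    """ACL bound to the ingress port: the source must lie inside the prefix
    assigned to that port. Forging another customer's address now fails too."""
    return in_any(src_ip, PORT_PREFIXES.get(ingress_port, []))


CHECKS = {"aggregate": aggregate_acl_allows, "per_port": per_port_acl_allows}


def filter_egress(packets, mode):
    """packets: iterable of (ingress_port, src_ip, dst_ip) tuples.
    Returns (forwarded, dropped) lists under the chosen check."""
    allows = CHECKS[mode]
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if allows(port, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic leaving customer port A toward a victim at 203.0.113.5.
SAMPLE = [
    ("port-A", "192.0.2.10",    "203.0.113.5"),  # genuine: customer A's own address
    ("port-A", "203.0.113.77",  "203.0.113.5"),  # forged outside address
    ("port-A", "198.51.100.20", "203.0.113.5"),  # forged address of customer B (same ISP)
]

if __name__ == "__main__":
    for mode in CHECKS:
        fwd, drop = filter_egress(SAMPLE, mode)
        print(mode, "forwarded:", [p[1] for p in fwd], "dropped:", [p[1] for p in drop])
```

The third sample packet is the SYN-reflection case described above: with only the aggregate check, customer A can make customer B's address the apparent source and B ends up answering the victim's SYN-ACKs.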

    • Re:You can't win. (Score:4, Informative)

      by steveb3210 ( 962811 ) on Saturday November 03, 2012 @09:28PM (#41869551)
      I've dealt with similar situations in my professional career. Rackspace's DDoS protection isn't worth it; after 3Mbps, they null routed our box because the size of the attack was so large that it was saturating their uplink capacity...

      Prolexic has a cool approach: you proxy your site through them (either web proxy or they can announce BGP routes for you) and they have massive datacenters that do nothing but scrub packets for you.

      The downside is their service is very very expensive ($60k+ a year)
      • by AK Marc ( 707885 )
        And they are likely using an off-the-shelf solution. F5 got tired of being called a "really expensive load balancer" (especially since you can get good load balancers now for less than 1/10th the price) and is doing good things with security. I would guess that they are what a professional scrubber would use. So go buy some Big-IP and as much bandwidth as you can afford and you'll likely stay online as long as your upstream provider can stay up (so long as you hire an expert to configure/install them, th
  • Gouging Schmouging (Score:4, Insightful)

    by Anonymous Coward on Saturday November 03, 2012 @02:33PM (#41866725)

    Try buying fire insurance when your house is on fire. It's a risk pool. Duh.

    • by czth ( 454384 ) on Saturday November 03, 2012 @03:39PM (#41867267) Homepage

      Came here to say that; thank you, would have modded up if I had points.

      Absent threat of force to the contrary (*cough*), pre-existing conditions cost more to insure against than lower-risk customers, because your risk of having the thing happen is 100%—it's already happening! At that point you're asking the person to foot the bill for a cure, not insurance; why shouldn't they pass on their costs to you rather than everyone else?

      If, instead, you were to join a pool of 100k individuals that (making up some numbers for an example) had a 1% fairly evenly distributed chance of a $10k loss every year, then, ignoring insurer overhead, the yearly expected cost would be $10M, meaning break-even by charging each person $100/year. That cost increases very quickly as you add people to the pool with a 100% chance of loss; and at that point, it's not insurance but subsidy and most people with a choice about it move to an actual insurer (increasing the individual cost even faster until it is same as the actual loss).

    • by Anonymous Coward on Saturday November 03, 2012 @04:02PM (#41867433)

      This isn't really insurance though. It's just a service rackspace provides.

  • by Anonymous Coward on Saturday November 03, 2012 @02:33PM (#41866731)

    With due respect, in my view, this is like trying to buy homeowner's insurance while your house is on fire, and complaining that they won't sell it to you.

    Why is it unreasonable for you to pay more for "OMG I NEED IT RIGHT NOW!" service?

    It's easier to do some prevention than to try to and figure out and control the problem WHILE it's happening. Also, why is it unreasonable for them to give someone who sees the need for some complicated traffic monitoring and filtering a discount for letting them set it up, y'know, during normal business hours with forethought and preparation and not as part of a crazy firedrill?

    (no, I don't work for Rackspace)

    • by NemosomeN ( 670035 ) on Saturday November 03, 2012 @02:59PM (#41866951) Journal

      I read it as "It is price x no matter what, while a DDoS is in progress, the price increases to y, even if you bought it ahead of time" which would be gouging. If it is, indeed, "Price x if you buy it ahead of time, and price y if you buy it during an attack" then that's just common sense. Ongoing protection that might not be needed is going to be cheaper than ongoing protection that is needed immediately.

      That said, it sounds like the guy had warning before the attack started, so this is more like buying homeowner's insurance after someone threatens to burn down your house.

      • So, if you pay $10 for line rental, yet the phone company charges you more when you actually use it to make a call, is that gouging too?

        These sorts of services are really expensive to run while a site's under attack. You basically need to have a whole TON of extra capacity to divert all the requests to. So they charge a basic fee for monitoring/setup/syncing/whatever - just keeping the service up and ready - and when you start getting millions of requests per second being thrown at it, the price bumps up.

  • Null route the IP being attacked, not the IP attacking. Of course this assumes you have a network consisting of more than a single IP. Anyway this is basically the best way to handle a DoS. Otherwise you basically need to have the bandwidth/resources to endure the attack. Many providers will allow either a remote-triggered black hole session to their BGP router or allow a burst rate above your committed bandwidth if the interface allows for it.
    • Null route the IP being attacked, not the IP attacking. Of course this assumes you have a network consisting of more than a single IP.
      Anyway this is basically the best way to handle a DoS. Otherwise you basically need to have the bandwidth/resources to endure the attack. Many providers will allow either a remote-triggered black hole session to their BGP router or allow a burst rate above your committed bandwidth if the interface allows for it.

      This is the simplest way to handle a DDoS, not the best. Well, might be best from the provider's point of view. The best solution is to scrub the attack and let legitimate traffic pass through, but they decided to pay $400 instead of $6000.

      @OP: a simple Google search gives you quite a few options on solving this problem. Just input "ddos protection" and hit Enter. You'll find that there are a lot of companies providing the exact service that you need, for less or more money than Rackspace, with "instant" se

      • We pay the $6000 (ok, less with a bulk discount), but a lot of the time have to null route anyway as attacks just get bigger and bigger (up to 10 Gbps) and end up saturating the provider's links.

        There's no winning in my opinion. The DDoS shields do work, but they are priced for companies who really lose a lot of money with downtime. Your best chance would be trying to figure out who ordered it and get evidence if it happens multiple times.

    • Null route the IP being attacked

      So to protect against someone taking your website down, you effectively take your website down? I think I've missed some detail in your suggestion.

      • Null route the IP being attacked

        So to protect against someone taking your website down, you effectively take your website down? I think I've missed some detail in your suggestion.

        That way you disturb other services behind the link less.

  • Best solution... (Score:5, Insightful)

    by Dahamma ( 304068 ) on Saturday November 03, 2012 @02:36PM (#41866773)

    ...would have been to ask him how much to get the name of the competitor. Would probably cost a bit, but documenting that exchange and turning it over to the FBI instead of just the DDoS info might have meant one fewer competitor...

    • by Professr3 ( 670356 ) on Saturday November 03, 2012 @02:40PM (#41866811)
      I'm pretty sure the "competitor" bit was completely made up.
      • Yep, I see this as a variation of the hitman scam.

        Guy contacts you saying he's a hitman and has been hired to kill you.
        Offers to NOT kill you in exchange for beating the amount the person who hired him is paying.
        Generally speaking there is no actual hit involved, it's just a scam. That this guy backed up his threat actually makes him unusual.

        On the hitman scam - A lot of the time they're quite easy to 'negotiate' down - could justify it in that not doing a hit is easier than doing one, on the other hand, i

    • by DarkOx ( 621550 )

      It's never bad to gather all the information you possibly can, but most likely the caller was just lying. Chances are pretty good he just got off the phone with your competitor giving him the same business. Even if he did name names it would not mean much.

      Sadly it's most likely the caller did not even have the capability to execute the attack he claimed to have.

    • by deroby ( 568773 )

      You (naively) assume he spoke the truth about there being a competitor who ordered this ?! More likely it's just a way to give the initial price more credibility.

    • by nurb432 ( 527695 )

      You assume that he was telling the truth in the first place. Even if he did give you a name, it doesn't mean boo. I could make something up too for a few extra bucks.

  • Not many choices (Score:5, Interesting)

    by DarkOx ( 621550 ) on Saturday November 03, 2012 @02:49PM (#41866875) Journal

    Option a) Your best bet is to go straight to law enforcement. The FBI is actually very interested in these sorts of things even if you are small fry. This might not be such a hot idea though if the group extorting you actually has some capability. Usually they will set up a sting, and track the money when you pay.

    Option b) Just shut up and pay up. Never taken this approach myself. I assume it makes the problem go away for a while anyway. I imagine said problems come back for another fix later, and I'd wonder if the attacker ever really had the capability.

    Option c) Pay the backbone provider, i.e. AT&T or whoever is your ISP's ISP, for their DDoS protection services. They actually DO have the resources to protect you from a DDoS. Everything else anyone else is selling is just snake oil because a large enough botnet can simply use all the bandwidth whether you attempt to ack tarpit or not; the unanswered SYNs alone will consume your entire pipe. This option is terribly expensive; it might be worthwhile if you are running a large and inadequately distributed eCommerce site or similar.

    Option d) Distribute the hell out of your site. This leads to all sorts of complexity around replication; have the big CDN providers host all your static content and resources. This may help depending on the type of attack. You will want to make sure your DNS resources are also well distributed; you will basically use fast-flux DNS yourself to stay ahead of your attackers. Essentially you keep changing IPs every 300 seconds or so. You will have challenges preserving sessions, and for lots of services it's not viable, but for WWW it can be made to work. Again this is serious money and time. It might be cheaper than Option c if what you are trying to keep available is a small number of high-dollar transactions, as opposed to a higher-volume, smaller-dollar situation.

    • by AmiMoJo ( 196126 ) *

      Option c) Pay the backbone provider, i.e. AT&T or whoever is your ISP's ISP, for their DDoS protection services. They actually DO have the resources to protect you from a DDoS. Everything else anyone else is selling is just snake oil because a large enough botnet can simply use all the bandwidth whether you attempt to ack tarpit or not; the unanswered SYNs alone will consume your entire pipe. This option is terribly expensive; it might be worthwhile if you are running a large and inadequately distributed eCommerce site or similar.

      It is in the interest of the people hosting your site/server to deal with DDOS attacks. After all, those packets are hitting their infrastructure. If you ignore it all the other sites on the same pipe will be DDOS'ed as well, and simply terminating your account is unlikely to stop the barrage.

    • by Teppy ( 105859 )
      I don't know if the FBI is interested in scams, but banks are not. This summer I noticed a "too good to be true" Craigslist ad (a pair of brand new jet skis for $3000) and decided to see how the scam worked. I baited the scammer, who wrote back with a story about being shipped off to Afghanistan and needing to sell the jet skis right away. He suggested using an "escrow agent" and sent me details for a wire transfer.

      The bank for the "escrow agent" was a JP Morgan Chase branch in Petaluma (?) California. I

  • Your mistake (Score:5, Insightful)

    by Anonymous Coward on Saturday November 03, 2012 @02:50PM (#41866885)

    was RESPONDING to the guy. Even to say "no." It's like responding "unsubscribe" to a spammer.

    What you've done by replying is telling him a.) you GOT his e-mail (not by any means a sure bet with spam filters), b.) you ARE IN FACT the people who own the site in question, and c.) the REASON you're not paying is that you believe he can't carry out his threat.

    Let's say I'm this guy. I'm probably a script kiddie with a small botnet under control. I troll for small ecommerce sites (ones that are probably not profitable enough to have good defenses, but would be seriously impacted by a DDoS attack). I try to find some contact information. Again, I'm running some kind of script to troll for these, which means my sample isn't amazing and my data quality is probably questionable.

    Then I send out hundreds of e-mails. Like a spammer, I'm going for quantity. Most of these probably disappear into the ether. Whatever - I only need a few to hit a target to get paid. A few people will actually pay up from the e-mail (probably not many, but hey). Some will ignore me (and be impossible to tell from the "disappeared" group). Then there are the lunkheads like you who confirm I sent the threat to the right person, that you do feel vulnerable, but that you doubt my ability to follow through.

    Perfect! I train my botnet on that guy. I'm pretty much guaranteed money. The "someone offered me $600" is a bluff, of course - no one offered him anything, and it's all profit to him. But it sets a nice mental scale for you, so that you'll foolishly think you "got off easy" giving him $400 (when you could have given him $0).

    Again, this is a VOLUME play. He has enough bots to DDoS SOMEONE, but not to DDoS EVERYONE. You were attacked for one reason - because you responded.

    Sure, there was network engineering involved, but make no mistake - you got SOCIAL engineered here, first and foremost. Fix THAT, not your network.

  • by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Saturday November 03, 2012 @02:53PM (#41866897)

    ...but to be honest, Kuro5hin is paying us $1000 not to tell you. Perhaps if you would be willing to pony up $1500 we could do business.

  • by rabtech ( 223758 ) on Saturday November 03, 2012 @02:54PM (#41866905) Homepage

    There isn't much you can really do against a determined foe. There are just too many bot computers out there ready and willing to flood your servers with traffic. Huge companies with lots of staff, racks upon racks of servers, and really fat pipes have been hit with these attacks and failed to stop them.

    Now there are a few things you can do to help... You'll note that these things are all extremely important for high-volume sites or major legit traffic spikes:

    Have a switch in your website app that turns off all dynamic access, logins, session state, content generation, Ajax loading, etc. and just serves static pages. This should also disable any kind of downloads unless you are already serving them from a CDN. If you are under attack (or just get featured on Slashdot) throw the switch. Your website won't be terribly functional, but it will still be up. If you want to get fancy, have several levels of degradation where you can progressively turn features off to lighten database loads, etc., but without throwing up error pages or just having the site completely fall down. (e.g. if your sidebar typically shows recent comments via a database query, then just show a cached set of comments only updated once per day. Now every page access is using one less database query.) This is super critical because the first resource to be exhausted will be your database's ability to answer queries. The second will be your web server's ability to track session state and process requests. Especially if your site does anything even mildly complicated.

    If your OS/Webserver/app support it, turn on kernel caching, install a cache plugin, etc. Especially make sure the parts of your pages, images, etc that can be cached are cached. If the under attack flag is set, vastly increase the cache timeouts. Make sure proxy caching is enabled too so any clients behind ISP proxies, etc don't hit your systems. Serve jQuery, fonts, etc from Google's CDN. That's just good practice anyway and free.

    If possible, use a CDN for images and other content. CloudFlare is a good one. Companies like Dediserve offer cheap CDN. There are thousands of others. If the panic switch is set, you can even serve the static pages off the CDN if you structure things correctly. These help offset bandwidth saturation.

    Take the time to setup a VM of at least your basic site and keep it on standby at Amazon/Azure. If you are under attack or heavy load, spin up a bunch of nodes using that VM image. If you leave your load balancing running on their systems 24/7 then it is trivial to add nodes to the pool. Running a bunch of extra servers for just a few minutes or hours shouldn't cost a ton and will encourage all but the most determined script kiddies to find an easier target once they see your site is still up.

    The most common resources exhausted during an attack (in order):

    1. Database servers
    2. Web server CPU load or memory
    3. Bandwidth
    4. Load balancers

    Again, like I said, none of this will stop a determined attacker with a million node DDoS botnet... But it will make you a less vulnerable target.
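The degradation switch the post above describes, as an added example that is mine and not rabtech's code: a stand-alone Python module in which one level setting controls cache lifetimes, whether personalisation and session work happen at all, and whether an uncached page may touch the database. The database, the cache and the three levels are constructed stand-ins and assumptions for the demonstration; a real site would hang the same logic off its web framework and a shared cache.

```python
import time


class FakeDB:
    """Constructed stand-in for the database. Counts queries so the effect
    of each degradation level can be measured."""

    def __init__(self):
        self.queries = 0

    def recent_comments(self):
        self.queries += 1
        return ["comment-1", "comment-2", "comment-3"]

    def article(self, slug):
        self.queries += 1
        return f"<article>{slug}</article>"


class TTLCache:
    """Minimal time-to-live cache; the clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.store = {}  # key -> (expires_at, value)

    def get(self, key):
        hit = self.store.get(key)
        if hit is None or hit[0] <= self.clock():
            return None
        return hit[1]

    def put(self, key, value, ttl):
        self.store[key] = (self.clock() + ttl, value)


# Degradation levels (assumed for the example):
#   0  normal: short TTLs, per-user personalisation
#   1  under load: long TTLs, no personalisation or session work
#   2  static only: cached pages are served, anything uncached gets a stub
LEVEL_TTL = {0: 30, 1: 3600, 2: 86400}
STATIC_STUB = "<html>Temporarily read-only; cached pages are still served.</html>"


class Site:
    def __init__(self, db, cache):
        self.db = db
        self.cache = cache
        self.level = 0  # the switch; flip it from an admin endpoint or config

    def set_level(self, level):
        if level not in LEVEL_TTL:
            raise ValueError(f"unknown degradation level {level}")
        self.level = level

    def sidebar(self):
        """Recent comments, cached for the current level's TTL."""
        html = self.cache.get("sidebar")
        if html is None:
            html = "<aside>" + ", ".join(self.db.recent_comments()) + "</aside>"
            self.cache.put("sidebar", html, LEVEL_TTL[self.level])
        return html

    def page(self, slug, session=None):
        """Return (status, html). Only level 0 does any per-session work."""
        key = f"page:{slug}"
        html = self.cache.get(key)
        if html is None:
            if self.level >= 2:
                # Static-only mode: refuse to generate, so the DB sees no load at all.
                return 503, STATIC_STUB
            html = "<html>" + self.db.article(slug) + self.sidebar() + "</html>"
            self.cache.put(key, html, LEVEL_TTL[self.level])
        if self.level == 0 and session is not None:
            # Personalisation is layered on the cached body and never cached itself.
            html = html.replace("<html>", f"<html><!-- user {session} -->", 1)
        return 200, html


if __name__ == "__main__":
    site = Site(FakeDB(), TTLCache())
    print(site.page("hello"))
    site.set_level(2)
    print(site.page("hello"))   # still served from cache
    print(site.page("other"))   # (503, stub): not cached, not generated
    print("queries:", site.db.queries)
```

Serving the stub with a 503 rather than a 200 keeps intermediate caches and search engines from storing the degraded page as the real one; a `Retry-After` header would be the natural addition in a real handler.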

    • That's actually the best advice I've read on this topic. Nice.

    • by Mullen ( 14656 )

      I will also agree, Rabtech pretty much nailed it.

      When you have a really determined foe against you and they have a shit ton of computers in a Botnet and you are not a company willing to invest in it, forget it, you are screwed. However, if you have guy renting a part of a botnet from a criminal gang, then you can survive a small or medium sized DDoS and they will go away once their cost exceeds the amount of money they will get from you.

  • You were blackmailed by someone claiming to represent your competition and then by your service provider. Correct? There are two things you should consider, and do so quickly before you've completely hosed your server logs: Contact your local FBI field office and then contact US-CERT. Yes, I know - it's DHS, but they track this stuff and have access to tools/training they can provide.
  • by LoadWB ( 592248 ) on Saturday November 03, 2012 @02:55PM (#41866919) Journal

    So you never bothered with DDoS prevention services for what is apparently a critical company web site, which would allow the provider to work pro-actively on protecting your assets. Then when your assets come under attack you expect your provider will just drop everything and tend to your immediate emergency without additional costs? Sounds like car insurance after the accident, or health insurance after you develop cancer.

    It's 2012. DDoS attacks are a real and credible threat today. 10 years ago, perhaps a passing thing, but today... do you not read the news?

    Stipulating that your lack of preparedness is not your fault and oversight, I want to address RackSpace's mitigation fees and perhaps defend your position at least a little. Being that it is 2012 and DDoS attacks are a real and credible threat, depending on the costs of such protection, perhaps RackSpace (or another provider, free market thingie and all) could provide these mitigation services as standard for a bumped-up cost. Perhaps a 400% mark-up is a little steep for immediate service when 200-300% might cover the costs of getting someone involved.

    Nonetheless, my inclination is to side with RackSpace. When you work proactively, your provider can have technology in place and ready to go so that a DDoS doesn't affect you. But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence effects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.

    No, you need to bite the bullet on this one and count it as a learning experience. And call your local and/or state authorities and start an investigation, since your costs will most likely be well over the threshold of damages necessary to start such an investigation.

    • But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence affects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.

      Yes, but they're going to have to do this anyway. The DDoS won't affect just one customer, it'll affect lots of people at Rackspace, and will cost Rackspace money. Whether this one customer pays Rackspace or not won't make any difference to Rackspace's costs.

      That's what makes Rackspace's behaviour here so dubious. Your example of it being like car insurance after the accident is invalid. It's more like a car accident that blocks the road. (Yes, yes, a car analogy on Slashdot, just deal with it, okay?) Whe

      • by LoadWB ( 592248 )

        I posit that the car analogy is valid for the part of his question in which he denigrates RackSpace for charging for immediate service. In the sense that returning his web site (car) to a usable state (repair service) which would have normally incurred a nominal cost (insurance) but instead he addressed it after the DDoS (wreck) and wanted the mitigation to happen at a lower rate (paying the body shop for next-day service out-of-pocket versus letting the insurance cover it and pay for a rental.)

        I like your

    • by c ( 8461 )

      Nonetheless, my inclination is to side with RackSpace. When you work proactively, your provider can have technology in place and ready to go so that a DDoS doesn't affect you.

      I imagine it's a bit like fire-suppression systems. They're way, way cheaper to have installed before your building catches on fire.

  • Depending on the severity of the attack, CloudFlare may be your cheapest option, but be aware that they are not interested in mitigating severe attacks.

    A client of mine was DDOSed last year, and my ISP's (shall stay nameless) DDOS Mitigation service could not cope with the size of the attack.
    I have briefly tried CloudFlare, but they turned us off within 20 minutes without any notice, and promptly refunded all the money.
    Luckily, I had an old contact with DOS Arrest. It was a bit expensive to setup, but the
  • by david.given ( 6740 ) <dg@cowlark.com> on Saturday November 03, 2012 @03:04PM (#41866985) Homepage Journal

    What makes you think they're going to keep their word? You're not signing a contract here, these are criminals! All you're doing is showing you're a soft touch. They'll be back, and they'll demand more money. They'll probably tell their friends, too. Not to mention the moral aspect that by giving in to these people you are directly funding crime.

    No, you ignore them entirely. Don't even reply to the emails (but keep them safe). If they DDoS you, live with it. Remember that these guys rent their botnet from other criminals, so every second they're DDoSing you is costing them money. As soon as they realise that they're not going to get anything out of you they'll give up and move on to the next target. Yes, you'll probably be knocked offline for a while but (a) with a bit of marketing nous you can make this work for you, by issuing thundering press releases going on about not giving in to the terrorist demands, issuing 'apologies' to your customers and giving them discounts to make up for it so driving sales, etc --- basically, free PR, make the most of it; and (b) your internet-facing servers should be coping anyway. Of course, given that they aren't, that last doesn't help right now. But beef them up because it'll help next time.

    Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.

    • I'm with you, I didn't like the idea of paying them either. The problem is, it's much cheaper for the business to pay it and have him go away than let the site sit DDoS'd for ages...it's a hard decision. Feels like negotiating with terrorists though.
    • by rogueippacket ( 1977626 ) on Saturday November 03, 2012 @03:32PM (#41867209)

      Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.

      I'm not convinced - putting an order in for a service which you don't immediately need means that the provider (Rackspace) has time to plan and implement the change at their leisure. It may only take one or two people a couple of minutes, but it is undoubtedly a change on an appliance somewhere, or maybe even a physical network change if you're just "wired in" to their Internet feed. There may be an outage for you as well, meaning it has to be coordinated amongst yourself and someone doing the work. Then the whole thing needs to be tested as functional, which is very easy to do when you aren't being attacked. So the base price of $1500 seems justified.
      In contrast, when you're under attack, you're basically asking your provider to "assemble the troops" on your behalf - it's an emergency change, which needs to be performed the moment you request it regardless of which other customers are being worked on. Not to mention it is significantly more complex to do this while you are being attacked.
      So I think Rackspace is perfectly justified. If you want your provider to be at your beck and call 24/7 for complex changes, you're going to pay a premium. At least they have this as an option - most other hosting providers would just terminate your contract because you are now a "high risk" (expensive) customer.

  • In turn, never negotiate with terrorists. You'll only encourage more acts against you.

  • by Animats ( 122034 ) on Saturday November 03, 2012 @03:40PM (#41867277) Homepage

    If they actually contacted you, report that to the FBI. They're probably contacting other people, too. A pattern will emerge.

    A useful technical solution that seems not to be used much is to make web site services "fair", rather than first-in, first-out. If something has a queue, and you're handling a request from source X, take the next work item from a source other than X. The result is the volume of attacks coming from an individual IP address doesn't matter. Only the number of attacking IP addresses matters. Your real users will still get through, although there will be degradation in proportion to the number of hostile IP addresses. That really should be a feature in Apache.

    We use this for a free API service we offer. If you make a request, it may either be satisfied immediately if we have the data available, or the request is queued for processing (this involves examining and rating a web site) and the caller gets a "try again later" status. The processing queue is "fair", so no single source can overwhelm it. (Once we rate a domain, we won't look at it again for 30 days, so our system can't be used to DDOS other web sites.)

    We once had a user from an Italian university who was trying to request info on a huge number of web sites. He put over 100,000 requests into the queue, and it didn't hurt performance for other users. After a few days, though, we looked at the logs, and noticed that the requests that returned "try again later" were never being followed up with requests for the actual info. So it was all wasted work. I sent a note to the department chair of the university involved, indicating that we had no objection to their using our service, but that their client program was poorly written and wasn't doing anything useful. The traffic stopped.
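    The "fair" queue Animats describes, as an added example rather than the service's own code: a per-source round-robin queue in Python, run against constructed traffic in which one address floods 1000 requests ahead of three ordinary users (all addresses are made-up documentation ranges), compared with a plain first-in, first-out queue.

    ```python
    from collections import OrderedDict, deque

    class FairQueue:
        """Round-robin across request sources (added example, not the service's own code).
        Each source (here a client IP) gets its own FIFO lane; get() serves the lane
        at the head of the rotation, then moves it to the back if work remains."""

        def __init__(self):
            self._lanes = OrderedDict()          # source -> deque of pending items

        def put(self, source, item):
            self._lanes.setdefault(source, deque()).append(item)

        def get(self):
            source, lane = self._lanes.popitem(last=False)   # head of the rotation
            item = lane.popleft()
            if lane:                               # more from this source: back of the line
                self._lanes[source] = lane
            return source, item

        def __len__(self):
            return sum(len(lane) for lane in self._lanes.values())


    def serve(requests, budget, fair=True):
        """Enqueue (source, request_id) pairs in arrival order, then serve up to
        `budget` of them; returns the served pairs in service order."""
        if fair:
            q = FairQueue()
            for src, rid in requests:
                q.put(src, rid)
            return [q.get() for _ in range(min(budget, len(q)))]
        plain = deque(requests)                    # first-in, first-out for comparison
        return [plain.popleft() for _ in range(min(budget, len(plain)))]


    def wait_for(served, source):
        """1-based position at which `source`'s last request was served, or None."""
        positions = [i + 1 for i, (src, _) in enumerate(served) if src == source]
        return positions[-1] if positions else None


    # Constructed traffic: one flooding source arrives first with 1000 requests,
    # then three ordinary users with two requests each.
    FLOOD = [("203.0.113.9", f"f{i}") for i in range(1000)]
    USERS = [(ip, f"{ip}-{n}") for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3") for n in (1, 2)]
    TRAFFIC = FLOOD + USERS

    if __name__ == "__main__":
        fair, fifo = serve(TRAFFIC, 1006), serve(TRAFFIC, 1006, fair=False)
        for ip, _ in USERS[::2]:
            print(ip, "fair:", wait_for(fair, ip), "fifo:", wait_for(fifo, ip))
    ```

    With the fair queue every ordinary user is fully served within the first eight work items; under FIFO the same users wait behind all 1000 flood requests.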

    • If they actually contacted you, report that to the FBI. They're probably contacting other people, too. A pattern will emerge.

      In addition, they have more evidence if/when the authorities do catch up with these criminals.

      Another idea could be to offer a bounty to the hacker community to whoever turns in or exposes the hacker (with evidence). Might be competing hacking groups who have an idea who these guys are. If some companies clubbed together and paid toward bounties instead of 'DDoS protection', the bou

    • by Bert64 ( 520050 )

      If this guy truly was located in Lebanon, then the FBI have no jurisdiction over him.
      And while the Lebanese authorities have jurisdiction, it's unlikely they have the expertise to track down such a criminal, nor are they likely to care.

    • I would have some small concern that, having paid off the extortionist in Lebanon, someone at the FBI might decide it's a good idea to investigate and charge this victim for transferring money to a presumed terrorist. Stranger things have happened. Granted there's no way that the FBI can actually help his business now, so I'm dubious as to where the upside is for that contact with law enforcement.

  • Dig out the older thread for some useful insight.
  • Never reward criminals by paying ransom. Your site is not worth whatever your money could potentially be used for.

    If it were me I would be polite but dumb, gullible and slow. Social engineer as much information as you can out of your adversary, then contact the authorities.

    Separately, use technical means to analyze the nature of the DDOS and implement countermeasures. It could be as simple as changing IP/DNS records or adding http redirect servers. If your link is being saturated with unacknowledged traffic c

  • 1) characterise the traffic. could be from a range of ip, targeting specific ip, targeting protocol x or y or having some id characteristic you can 'lock' onto.

    2) install a filter for such traffic UPSTREAM of you, at the isp. blocking once it's crossed the wan to your site is obviously useless

    that's it. block at the isp. get an isp that lets you install filters 'up there'.

    can't help more than that. the devil is in the details.

  • I just looked this up, but Amazon EC2 does not charge for INCOMING traffic. With a properly configured Webserver with security modules, the traffic comes in, but never goes out.

    And no one is going to flood Amazon.com off the 'net.

  • by EmperorOfCanada ( 1332175 ) on Saturday November 03, 2012 @06:28PM (#41868419)
    I have been happy with cloudflare but I am pretty unhappy with slashdot today. Other than cloudflare (which is free and pretty good but not the best) I have seen not one easily implementable solution. I am shocked that nobody here has much of a suggestion.
  • Did they use a botnet that was scattered all over the world, or just a specific set of systems? I would recommend going through your logs to see what you can find out about the attack, there may be some patterns there that you can learn from.

    That said, a lot of people suggest you contact the authorities. I would suggest that those people have probably never tried that themselves. The authorities - local or federal - generally don't give a shit about cyber crime. They give it some (virtual) lip service on their websites but when presented with actual cyber crime they always find something more interesting to do with their time. After all, you said the criminal was in Lebanon, and the FBI has no jurisdiction there. Even if you found an FBI agent who cared, he wouldn't be able to get interpol working on it before the (electronic) check is cashed and the culprit has cleaned up his tracks.

    In other words, you have to do the work yourself. Maybe you can learn something from the logs, or maybe you'll need to look at distributed hosting to better prepare yourself for a potential future attack.
  • by pushf popf ( 741049 ) on Saturday November 03, 2012 @09:11PM (#41869485)

    Before I found that there was a lot more money and a lot fewer hours and less stress doing consulting than being a cubicle drone, I worked for a large hosting company.

    Handling a DDOS attack is a piece of cake. We handled a few a week and this was in the early 2000s. We would watch the router traffic graphs and see a spike that might be eating 5% or 10% of our capacity and just grin. All you need is money. Your ISP needs giant pipes, spare server capacity distributed around the world and sharp network guys, and for the right price, they'll simply make the problem go away for you.

    However the cost of doing this means that if $1500 to Rackspace sounds like a lot of money, you're not in this league.

    If you're at the "less than $200/month" level for hosting, your best course of action is to not piss people off, and if you're attacked just hope you can wait it out.

    The "up side" of having a small site with cheap hosting is that it probably won't actually do much damage to your business if it's down for a few days.

  • by drolli ( 522659 ) on Sunday November 04, 2012 @06:59AM (#41871547) Journal

    >They proceeded to tell me that they have 'DDoS mitigation services,'
    >but they cost $6,000 if your site is under attack at the time you use the
    >service. Once the attack was over, the price dropped to $1500. (Nice
    >touch there Rackspace, so much for Fanatical support; price gouging
    >at its worst).

    a) Ok. so now you could get it for $1500. Then buy it. $1500 is roughly 18h of my time (as a consultant), so even the smallest action you could do exceeds this. IFF you believe that this solves the problem then just do it and don't touch the rest. The advertisement on their web site sounds promising, but I did not test it.

    b) Price gouging? No, it is reasonable, for several reasons. Doing the DDoS protection uses resources, which are allocated, but (according to your definition) unused. Why on earth should customers wise enough to see the necessity of an immediate reaction, which pay for this service, provide the support, upkeep and unallocated resources for the others? Such a service is like an insurance. On average you can offer it for a certain price, but if you know the risk hits, it's not an insurance any more. Moreover: The service seems to be based on detecting deviations in the traffic patterns. If the attack is ongoing there is no way to detect the "ground truth" = the normal operation automatically. Which in turn will require *much* more human attention.
