
Ask Slashdot: How To Deal With a DDoS Attack?

Posted by timothy
from the boot-human-face-forever dept.
First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"
  • by Anonymous Coward on Saturday November 03, 2012 @03:21PM (#41866615)

    You just gave him $400 more than he had before, and he knows you're good for it.

    What were you thinking?

  • Gouging Schmouging (Score:4, Insightful)

    by Anonymous Coward on Saturday November 03, 2012 @03:33PM (#41866725)

    Try buying fire insurance when your house is on fire. It's a risk pool. Duh.

  • by Anonymous Coward on Saturday November 03, 2012 @03:33PM (#41866731)

    With due respect, in my view, this is like trying to buy homeowner's insurance while your house is on fire, and complaining that they won't sell it to you.

    Why is it unreasonable for you to pay more for "OMG I NEED IT RIGHT NOW!" service?

    It's easier to do some prevention than to try and figure out and control the problem WHILE it's happening. Also, why is it unreasonable for them to give someone who sees the need for some complicated traffic monitoring and filtering a discount for letting them set it up, y'know, during normal business hours with forethought and preparation and not as part of a crazy firedrill?

    (no, I don't work for Rackspace)

  • Best solution... (Score:5, Insightful)

    by Dahamma (304068) on Saturday November 03, 2012 @03:36PM (#41866773)

    ...would have been to ask him how much to get the name of the competitor. Would probably cost a bit, but documenting that exchange and turning it over to the FBI instead of just the DDoS info might have meant one fewer competitor...

  • by Professr3 (670356) on Saturday November 03, 2012 @03:40PM (#41866811)

    I'm pretty sure the "competitor" bit was completely made up.

  • Re:Rackspace IDS (Score:5, Insightful)

    by BitZtream (692029) on Saturday November 03, 2012 @03:45PM (#41866839)

    Judging from your post, you've never been the target of a DDoS, as none of what you said would have any effect on a real attack.

    If I wasn't even really trying, I'd just use your IDS against you and have you end up effectively firewalling yourself off the Internet.

    Save my bandwidth for someone with skills while you try to figure out what's going on.

  • Your mistake (Score:5, Insightful)

    by Anonymous Coward on Saturday November 03, 2012 @03:50PM (#41866885)

    was RESPONDING to the guy. Even to say "no." It's like responding "unsubscribe" to a spammer.

    What you've done by replying is telling him a.) you GOT his e-mail (not by any means a sure bet with spam filters), b.) you ARE IN FACT the people who own the site in question, and c.) the REASON you're not paying is that you believe he can't carry out his threat.

    Let's say I'm this guy. I'm probably a script kiddie with a small botnet under control. I troll for small ecommerce sites (ones that are probably not profitable enough to have good defenses, but would be seriously impacted by a DDoS attack). I try to find some contact information. Again, I'm running some kind of script to troll for these, which means my sample isn't amazing and my data quality is probably questionable.

    Then I send out hundreds of e-mails. Like a spammer, I'm going for quantity. Most of these probably disappear into the ether. Whatever - I only need a few to hit a target to get paid. A few people will actually pay up from the e-mail (probably not many, but hey). Some will ignore me (and be impossible to tell from the "disappeared" group). Then there's the lunkheads like you who confirm I sent the threat to the right person and I do feel vulnerable, but I doubt your ability to follow through.

    Perfect! I train my botnet on that guy. I'm pretty much guaranteed money. The "someone offered me $600" is a bluff, of course - no one offered him anything, and it's all profit to him. But it sets a nice mental scale for you, so that you'll foolishly think you "got off easy" giving him $400 (when you could have given him $0).

    Again, this is a VOLUME play. He has enough bots to DDoS SOMEONE, but not to DDoS EVERYONE. You were attacked for one reason - because you responded.

    Sure, there was network engineering involved, but make no mistake - you got SOCIAL engineered here, first and foremost. Fix THAT, not your network.

  • by david.given (6740) <dg AT cowlark DOT com> on Saturday November 03, 2012 @04:04PM (#41866985) Homepage Journal

    What makes you think they're going to keep their word? You're not signing a contract here, these are criminals! All you're doing is showing you're a soft touch. They'll be back, and they'll demand more money. They'll probably tell their friends, too. Not to mention the moral aspect that by giving in to these people you are directly funding crime.

    No, you ignore them entirely. Don't even reply to the emails (but keep them safe). If they DDoS you, live with it. Remember that these guys rent their botnet from other criminals, so every second they're DDoSing you is costing them money. As soon as they realise that they're not going to get anything out of you they'll give up and move on to the next target. Yes, you'll probably be knocked offline for a while but (a) with a bit of marketing nous you can make this work for you, by issuing thundering press releases going on about not giving in to the terrorist demands, issuing 'apologies' to your customers and giving them discounts to make up for it so driving sales, etc --- basically, free PR, make the most of it; and (b) your internet-facing servers should be coping anyway. Of course, given that they aren't, that last doesn't help right now. But beef them up because it'll help next time.

    Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.

  • by Chris Mattern (191822) on Saturday November 03, 2012 @04:35PM (#41867237)

    "Go away"? Who said he'd ever go away? Well, maybe he did, but, you know, people who extort often also lie. Shocking, I know. Next time he feels the need for a few hundred dollars (or maybe a little more...), he knows where to go.

  • by czth (454384) on Saturday November 03, 2012 @04:39PM (#41867267) Homepage

    Came here to say that; thank you, would have modded up if I had points.

    Absent threat of force to the contrary (*cough*), pre-existing conditions cost more to insure against than lower-risk customers, because your risk of having the thing happen is 100%—it's already happening! At that point you're asking the person to foot the bill for a cure, not insurance; why shouldn't they pass on their costs to you rather than everyone else?

    If, instead, you were to join a pool of 100k individuals that (making up some numbers for an example) had a 1% fairly evenly distributed chance of a $10k loss every year, then, ignoring insurer overhead, the yearly expected cost would be $10M, meaning break-even by charging each person $100/year. That cost increases very quickly as you add people to the pool with a 100% chance of loss; and at that point, it's not insurance but subsidy, and most people with a choice about it move to an actual insurer (increasing the individual cost even faster until it is the same as the actual loss).

  • by Animats (122034) on Saturday November 03, 2012 @04:40PM (#41867277) Homepage

    If they actually contacted you, report that to the FBI. They're probably contacting other people, too. A pattern will emerge.

    A useful technical solution that seems not to be used much is to make web site services "fair", rather than first-in, first-out. If something has a queue, and you're handling a request from source X, take the next work item from a source other than X. The result is the volume of attacks coming from an individual IP address doesn't matter. Only the number of attacking IP addresses matters. Your real users will still get through, although there will be degradation in proportion to the number of hostile IP addresses. That really should be a feature in Apache.

    We use this for a free API service we offer. If you make a request, it may either be satisfied immediately if we have the data available, or the request is queued for processing (this involves examining and rating a web site) and the caller gets a "try again later" status. The processing queue is "fair", so no single source can overwhelm it. (Once we rate a domain, we won't look at it again for 30 days, so our system can't be used to DDOS other web sites.)

    We once had a user from an Italian university who was trying to request info on a huge number of web sites. He put over 100,000 requests into the queue, and it didn't hurt performance for other users. After a few days, though, we looked at the logs, and noticed that the requests that returned "try again later" were never being followed up with requests for the actual info. So it was all wasted work. I sent a note to the department chair of the university involved, indicating that we had no objection to their using our service, but that their client program was poorly written and wasn't doing anything useful. The traffic stopped.
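One way to implement the per-source "fair" queue described in the comment above, as an added example that is not part of the original thread or the poster's service: each source gets its own FIFO lane and dequeue() round-robins across lanes, so one flooding source only ever takes one slot per round. The IP addresses and request counts are constructed sample data for the demonstration.

```python
from collections import OrderedDict, deque


class FairQueue:
    """Per-source round-robin work queue: one FIFO lane per source."""

    def __init__(self):
        self._lanes = OrderedDict()  # source -> deque of work items
        self._total = 0

    def enqueue(self, source, item):
        self._lanes.setdefault(source, deque()).append(item)
        self._total += 1

    def dequeue(self):
        """Serve the head of the least-recently-served lane, then rotate it."""
        if not self._lanes:
            return None
        source, lane = next(iter(self._lanes.items()))
        item = lane.popleft()
        self._lanes.move_to_end(source)  # next call serves another source
        if not lane:
            del self._lanes[source]  # drop empty lanes so they are not polled
        self._total -= 1
        return source, item

    def __len__(self):
        return self._total


def simulate(arrivals, fair=True):
    """Return the order in which sources get served for a list of (source, item)."""
    if not fair:
        return [src for src, _ in arrivals]  # plain first-in, first-out
    q = FairQueue()
    for src, item in arrivals:
        q.enqueue(src, item)
    return [q.dequeue()[0] for _ in range(len(q))]


def last_service_position(order, source):
    """1-based position at which the last item from `source` is served."""
    return len(order) - order[::-1].index(source)


# Constructed sample: one flooding address queues 1000 requests before three
# legitimate clients (documentation-range addresses) submit two requests each.
FLOOD = [("203.0.113.7", f"flood-{i}") for i in range(1000)]
LEGIT = [(ip, f"real-{n}") for n in range(2)
         for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3")]
ARRIVALS = FLOOD + LEGIT
```

With plain FIFO the last legitimate request is served 1006th; with the fair queue it is served 8th, regardless of how many requests the flooding source queued.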

  • Re:Next time (Score:5, Insightful)

    by nurb432 (527695) on Saturday November 03, 2012 @04:57PM (#41867405) Homepage Journal

    There are a few problems with this:

    1 - Often times they are out of the country (it's safer...), so no jurisdiction even if they are found. You want to deal with having to do this across country borders?
    2 - The cost of your business being down may far exceed the 'ransom' while this 'service' does its 'investigation'.
    3 - $400 won't go far for an investigation.

    Not saying to pay ransom to every script kiddy that comes calling, as that is an open invite to disaster, but I don't think what you suggest is a viable alternative either. At least not while the DoS is taking place.

  • by v1 (525388) on Saturday November 03, 2012 @05:05PM (#41867447) Homepage Journal

    What were you thinking?

    Apparently something along the lines of "I wonder how much more they'll demand next month?"

    NEVER negotiate with criminals. If you do, they'll always come back for more.

  • by Patch86 (1465427) on Sunday November 04, 2012 @07:14AM (#41871457)

    I suspect they were thinking "we need to get our website back up or we'll lose business, and $400 is cheaper than the $6000 that Rackspace are asking for". They know they did wrong; hence why they're asking us here for better ways to deal with it next time. But unfortunately, it's a "you can't start from here" situation: if your site is down and you're under sustained attack and you don't already have something in place to deal with it, you don't really have many options.

    So do you have a suggestion as to what they could have done differently / can do differently next time, or are you just here to make easy quips?
