Ask Slashdot: How To Deal With a DDoS Attack?

First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"

Next time

[Progman3K]

Spend the 400$ on a computer-forensics investigator, find out who is doing this then contact law-enforcement.

Re:Next time

[Nyder]

Spend the 400$ on a computer-forensics investigator, find out who is doing this then contact law-enforcement.

Dude was in Lebannon, I'm sure the local police would be happy to pick him up.

Honestly, this person is smart. Keep it small and low, and you probably will get away with it lot. Ramp it up, go after a big fish, and our government might start getting pissed, but they won't care about a bunch of small businesses.

Rackspace IDS

[Karem Lore]

We employ a Rackspace IDS (Intrusion Detection System) which all our servers sit behind. We also have a firewall at Rackspace. The IDS detects sql injection attempts, brute forces, DDoS etc and stops them, alerts us and, in our case, we have a pre-arranged agreement for Rackspace to immediately block said IP in our firewall.

We can then determine whether or not that IP is malicious and remove it if necessary. I can't give you any prices, but for a stable and protected environment, it is a requirement these days.

If in the middle of an attack, check if you can still get an ssh onto the box. If so, netstat to find out what is hitting it (or look at the apache logs etc) and stick a block in the iptables to reject the request from said IP.

There is a number of other techniques that you can employ also if you are being attacked by bots (multiple IPs), but the IDS does a good job.

Not many choices

[DarkOx]

Option a) Your best bet is go strait to law enforcement. The FBI is actually very interested in these sorts of things even if you are small fry. This might not be a such a hot idea though if the group extorting you actually has some capability. Usually they will set up a string, and track the money when you pay.

Option b) Just shut up and pay up. Never taken this approach myself. I assume it makes the problem go away for a while anyway. I imagine said problems come back for another fix later, and I'd wonder if the attacker ever really had the capability.

Option c) pay the back bone provider, ie ATT&T or whoever is your ISPs, ISP for their DDOS protection services. They actually DO have the resources to protect you from a DDOS. Everything else anyone else is selling is just snake oil because a large enough botnet can simply use all the bandwidth weather you attempt to ack tarpit, or not; They unanswered SYNs alone will consume your entire pipe. This option is terribly expensive, might be worthwhile if you are running a large and inadequately distributed eCommerce site or similar.

Option d) Distribute the hell out of your site. This leads to all sorts of complexity around replication and have the big CDN providers host all your static content and resources. This may help depending on the type of attack. You will want make sure your DNS resources are also well distributed you will basically use fast-flux DNS yourself to stay ahead of your attackers. Essentially you keep changing IPs every 300 seconds or so. You will have challenges preserving sessions and for lots of services its not viable, for WWW it can be made to work. Again this is serious money and time. It might be cheaper than Option c, if you want you are trying to be available for is a small amount if high dollar transactions, as opposed to a higher volume smaller dollar situation.

Price gouging? YOU should have been prepared.

[LoadWB]

So you never bothered with DDoS prevention services for what is apparently a critical company web site, which would allow the provider to work pro-actively on protecting your assets. Then when your assets come under attack you expect your provider will just drop everything and tend to your immediate emergency without additional costs? Sounds like car insurance after the accident, or health insurance after you develop cancer.

It's 2012. DDoS are a real and credible threat today. 10 years ago, perhaps a passing thing, but today... do you not read the news?

Stipulating that your lack of preparedness is not your fault and over-sight, I want to address RackSpace's mitigation fees and perhaps defend your position at least a little. Being that it is 2012 and DDoS are a real and credible threat, depending on the costs of such protection, perhaps RackSpace (or another provider, free market thingie and all) could provide these mitigation services as standard for a bumped-up cost. Perhaps 400% mark-up is a little steep for immediate service when 200-300% might cover the costs of getting someone involved.

Nonetheless, my inclination is to side with RackSpace. When you work proactively, your provider can have technology in place and ready to go so that a DDoS doesn't affect you. But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence affects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.

No, you need to bite the bullet on this one and count it as a learning experience. And call your local and/or state authorities and start an investigation, since your costs will most likely be well over the threshold of damages necessary to start such an investigation.

Re:Best solution...

[Andy Prough]

Offer the Lebanese hacker an extra $1,000 or so for documented evidence of the competitor hiring him for the DDoS. Let the attack carry on unabated. Sue the competitor for tortious interference, and ask the judge for a massive amount of punitive damages. Get paid about 1000X the amount you lost due to the DDoS attack.

Re:Don't negotiate with cyber criminals?

[Existential Wombat]

It is always a temptation to an armed and agile nation
    To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."

And that is called asking for Dane-geld,
    And the people who ask it explain
That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

It is always a temptation for a rich and lazy nation,
    To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

And that is called paying the Dane-geld;
    But we've proved it again and again,
That if once you have paid him the Dane-geld
    You never get rid of the Dane.

It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
    You will find it better policy to say: --

"We never pay any-one Dane-geld,
    No matter how trifling the cost;
For the end of that game is oppression and shame,
    And the nation that pays it is lost!"

There's still no free lunch.

[pushf popf]

Before I found that there was a lot more money and a lost less hours and stress doing consulting than being a cubicle drone, I worked for a large hosting company.

Handling a DDOS attack is a piece of cake. We handled a few a week and this was in the early 2000s. We would watch the router traffic graphs and see a spike that might be eating 5% or 10% of our capacity and just grin. All you need is money. Your ISP needs giant pipes, spare server capacity distributed around the world and sharp network guys, and for the right price, they'll simply make the problem go away for you.

However the cost of doing this means that if $1500 to Rackspace sounds like a lot of money, you're not in this league.

If you're at the "less than $200/month" level for hosting, your best course of action is to not piss people off, and if you're attacked just hope you can wait it out.

The "up side" of having a small site with cheap hosting is that it probably won't actually do much damage to your business if it's down for a few days.

Re:Not many choices

[Anonymous Coward]

There are two reasons you may not have heard back. First, bank fraud divisions tend to be for people defrauding the bank or it's customers. From your description, a completely legal transaction was occurring. It is irrelevant that it is part of an illegal scam. They are not the cops. They are not charged with having to do all the leg work to corroborate your story. They typically have their hands full doing their actual job. They may report it to the cops, they may not. In fact, you should have reported it to the authorities instead of playing TV detective.

Second, why on Earth should they use you in an investigation? Do you think your Sherlock Holmes impression somehow entitles you to being part of an actual investigation? If this is a repeat scammer, they don't need to involve you at all.