Taking on an Online Extortionist
An anonymous reader writes "When an online extortionist comes a knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
oblig Churchill (Score:5, Funny)
Or however he said it
HALF of the article -- anyone get more (Score:5, Informative)
and a Whiz Kid Took On an Extortionist and Won
Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.
Saturday, Nov. 22, 2003, 7:57 a.m.
Origins of an Onslaught
The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.
If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.
Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said -- God, in hindsight, what an idiot -- I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.
That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's office -- he had no interest in baby-sitting infrastructure in Costa Rica -- but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.
When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.
At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.
The Extortion Problem
We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatene
Re:oblig Churchill (Score:4, Funny)
Lady Astor, first woman elected to the House of Commons, to Winston Churchill:
-- If you were my husband, I would poison your coffee.
-- If you were my wife, I would drink it.
Re:oblig Churchill (Score:4, Interesting)
"I do not agree that the dog in a manger has the final right to the manger even though he may have lain there for a very long time. I do not admit that right. I do not admit for instance, that a great wrong has been done to the Red Indians of America or the black people of Australia. I do not admit that a wrong has been done to these people by the fact that a stronger race, a higher-grade race, a more worldly wise race to put it that way, has come in and taken their place."
He also had no problem with using gas to put down uprisings by colonized indigenous peoples. I'm not saying he's a saint, just pointing out that popular leaders tend to get viewed through a rose colored filter.
Re:oblig Churchill (Score:4, Informative)
"we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall throw bottles on them if that is what we have"
The sentence about bottles was actually cut out by the BBC censor because the humor was too black. (UK had very few heavy arms left after fiasco in France.)
Re:oblig Churchill (Score:5, Funny)
Would you have been happier if you remembered it because you were there in person?
God knows your
age discrimination! (Score:5, Funny)
Watch it with the age slurs there, sonny. That could get
Re:age discrimination! (Score:5, Funny)
*grumble* . . . get off my web site, you damn kids!
Re:oblig Churchill (Score:5, Funny)
Hey, sounds like our last family vacation!
Re:oblig Churchill (Score:5, Interesting)
Plus several squadrons worth of American fighter pilots went over to help before we declared war.
Plus our navy was fighting an unofficial war with the German U-boats for about a year before we went to war while we escorted the convoys heading from Canada to England.
FYI, we're just as grateful to England for remaining a friend ever since. Although personally I wish your government would try to hold mine in check rather than just going along with everything Bush does. Your government may be our friend but I don't think your people like us very much at this point.
Re:Here's a tip (Score:3, Interesting)
MAILSERVER: Error, mailbox does not exist
Not saying it would necessarily work, and as it was probably sent to a published address, would at best delay the threat while lowering the extortionist's expectation of your ability to defend your network.
Re:Here's a tip (Score:4, Informative)
Granted: a raw bandwidth attack can use UDP, ICMP, or a TCP SYN, ACK, SYN-ACK or RST packet, and could be usefully forged.
There's a fairly riveting thread on the Intrusions list about a DDoS attack in Jan-Feb (may still be going on) that eventually involved some 80,000+ bots. It was defeated with Squid (on OBSD), as well as active upstream providers. The bots repeatedly went to load a file via http, which tied up the web server. Since the tcp connection was actually made, the src ip was known. The bots were apparently installed via drive-by download, rather than worm or email.
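The point made above, that a completed TCP handshake leaves a genuine source address in the web server log, is what makes HTTP-level floods of this kind identifiable from the log alone. The following is an added example (not code from the thread or from the Intrusions list) that picks out sources repeatedly fetching the same URL from constructed Common Log Format lines and renders drop rules for them; the log lines, addresses, thresholds and the `find_repeat_fetchers`/`block_rules` names are all assumptions of the example.

```python
"""Pick out bot sources from an HTTP access log by repeated fetches of one URL.

Added example, not from the thread. Because each request here completed a
TCP handshake, the client address in the log is the real source, unlike the
forged sources in a raw UDP or SYN flood.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in Common Log Format: one ordinary visitor and one
# bot hammering the same file over and over. One garbage line is included to
# show that unparseable input is skipped rather than aborting the run.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2005:13:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Feb/2005:13:00:01 +0000] "GET /big.iso HTTP/1.0" 200 734003200
198.51.100.7 - - [10/Feb/2005:13:00:02 +0000] "GET /big.iso HTTP/1.0" 200 734003200
10.0.0.5 - - [10/Feb/2005:13:00:03 +0000] "GET /style.css HTTP/1.1" 200 800
198.51.100.7 - - [10/Feb/2005:13:00:04 +0000] "GET /big.iso HTTP/1.0" 200 734003200
198.51.100.7 - - [10/Feb/2005:13:00:05 +0000] "GET /big.iso HTTP/1.0" 200 734003200
198.51.100.7 - - [10/Feb/2005:13:00:07 +0000] "GET /big.iso HTTP/1.0" 200 734003200
198.51.100.7 - - [10/Feb/2005:13:00:09 +0000] "GET /big.iso HTTP/1.0" 200 734003200
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a CLF line, or None for unparseable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), when, m.group("path")


def find_repeat_fetchers(log_text, window_seconds=60, threshold=5):
    """Map a source IP to (path, burst) when it fetched the same path at least
    `threshold` times inside any `window_seconds` window; the largest burst wins."""
    hits = defaultdict(list)          # (ip, path) -> list of request times
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ip, when, path = rec
            hits[(ip, path)].append(when)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for (ip, path), times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span [start, end] fits the window.
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold and burst > flagged.get(ip, ("", 0))[1]:
                flagged[ip] = (path, burst)
    return flagged


def block_rules(flagged):
    """Render one netfilter drop rule per flagged source (iptables syntax)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    bots = find_repeat_fetchers(SAMPLE_LOG)
    for ip, (path, burst) in bots.items():
        print(f"{ip} fetched {path} {burst} times within one window")
    print("\n".join(block_rules(bots)))
```

The same sliding-window count works over a live tail of the log; the threshold and window need tuning against the site's normal traffic so that a proxy or NAT gateway serving many real users is not swept up with the bots.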
Re:Here's a tip (Score:4, Insightful)
Unless ISPs got off their asses and implemented egress filtering for packets leaving their networks. Cable modem in Florida spewing packets addressed from China? Holy shit, I think they're bogus! The closer you filter these bogus packets to the source, the less traffic any given filter has to deal with, PLUS the smaller network size it has to accept packets from, leading to a reduced chance of dropping or allowing the wrong packets.
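The egress filtering argued for above is what BCP 38 source-address validation does: the edge router knows which prefixes it assigned to the customer behind each port, so any packet leaving that port with another source address is forged. The following is an added example, not code from the thread, that applies that check to constructed packets and renders the equivalent iptables/ip6tables rules; the prefixes, addresses, the interface name `cust0` and the function names are assumptions of the example.

```python
"""Source-address validation at a customer edge (BCP 38 style egress filtering).

Added example, not from the thread. Filtering here, one hop from the source,
needs only the handful of prefixes assigned to this port, whereas the same
check in the core would need the union of every customer's prefixes.
"""
import ipaddress

# Constructed: prefixes assigned to the customer on port "cust0".
CUSTOMER_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]

# Constructed outbound packets as they would be seen on that port.
SAMPLE_PACKETS = [
    {"src": "203.0.113.45", "dst": "192.0.2.10"},          # genuine customer address
    {"src": "198.51.100.9", "dst": "192.0.2.10"},          # address the customer was never given
    {"src": "10.0.0.1", "dst": "192.0.2.10"},              # RFC 1918 source leaking out
    {"src": "2001:db8:1::5", "dst": "2001:db8:ffff::1"},   # genuine IPv6 address
    {"src": "2001:db8:2::5", "dst": "2001:db8:ffff::1"},   # forged IPv6 source
    {"src": "not-an-address", "dst": "192.0.2.10"},        # malformed, treated as drop
]


def build_filter(prefixes):
    """Parse the assigned prefixes once; strict=True rejects a prefix with host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def classify(src_text, allowed_nets):
    """Return 'pass' if the source lies inside an assigned prefix, otherwise 'drop'.

    A v4 address is never 'in' a v6 network (and vice versa), so mixed families
    need no special casing; an unparseable source is dropped as well.
    """
    try:
        src = ipaddress.ip_address(src_text)
    except ValueError:
        return "drop"
    return "pass" if any(src in net for net in allowed_nets) else "drop"


def egress_filter(prefixes, packets):
    """Split packets leaving the customer port into passed and dropped sources."""
    nets = build_filter(prefixes)
    verdicts = {"pass": [], "drop": []}
    for pkt in packets:
        verdicts[classify(pkt["src"], nets)].append(pkt["src"])
    return verdicts


def netfilter_rules(interface, prefixes):
    """Render the same policy as FORWARD rules on a Linux edge box: accept the
    assigned prefixes arriving from the customer port, drop everything else."""
    rules = []
    for net in build_filter(prefixes):
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A FORWARD -i {interface} -s {net} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {interface} -j DROP")
    rules.append(f"ip6tables -A FORWARD -i {interface} -j DROP")
    return rules


if __name__ == "__main__":
    result = egress_filter(CUSTOMER_PREFIXES, SAMPLE_PACKETS)
    print("passed:", result["pass"])
    print("dropped:", result["drop"])
    print("\n".join(netfilter_rules("cust0", CUSTOMER_PREFIXES)))
```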
Re:Interesting article (Score:4, Insightful)
I frequent these Russian forums frequently where they are giving away 5 digit ICQ# to the first person to read the post.
However, the most amazing thing is, if I had the ability to direct 10,000 zombie systems to attack websites for extortion money, you could bet that every type of online communication I engaged in would be done thru no less than 5 different proxies, for every type of service, with an encrypted tunnel between me and the first proxy, and with complete control of that first proxy to erase full logs afterward.
You think that these guys are brilliant, but they're really just a bunch of stupid script using kidhacks.
It would be interesting to know what percentage of the zombie machines were windows...
Re:Interesting article (Score:4, Interesting)
ICQ accounts aren't named, they're numbered (you can assign names, but they were always changeable). Low ICQ account numbers are like 2 or 3 digit Slashdot ids....a source of pride.
The hacker probably gave Lyon a low ID account, and to those fuckers it's a nice gift for status.
Even Slashdot? (Score:5, Funny)
I guess that includes getting a mention on Slashdot?
Troc
Re:Even Slashdot? (Score:4, Informative)
I have determined that my personal website would stand for less than 4 seconds if it were to receive a proper slashdotting.
Needless to say I don't take threats like this very seriously. Here are the options I see:
1. Give in and pay up like a good pansy
2. Form a team of cyber attack monkeys to do your bidding
3. Launch a counter offensive with a team of script kiddies and their IRC Bots
4. Contact the authorities and report the threat, block the IPs delivering said packets, carefully monitor your servers like a good admin, and prevent the traffic that you deem as harmful.
If they really threw all that much at you, it would take a very sophisticated attack to not leave a large enough trail to figure out where it came from and actually do something about it.
Re:Even Slashdot? (Score:5, Insightful)
I don't know... I found the last paragraph grated against his super-hero image:
That's right. Lyon is one of the good guys. Still, Lyon's heroics weren't possible without Mickey Richardson's resolve. It's easy to forget that as Lyon worked to save him, Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionist's protection fees.
I've always found there to be a rather fine line between insurance and extortion. If the story is true, he probably is one of the good guys, but he's merely tapped into the revenue stream the extortionists created.
That's frightening (Score:5, Interesting)
It makes me wonder if this new anti-DDoS company can somehow establish relationships with ISPs to track back the zombies and get them shut down more quickly? Seems that would be the sanest and most effective tool -- take away the bots. No bots -- no botnet -- no attacks.
Re:That's frightening (Score:5, Interesting)
Doubtful, but perhaps it should.
Consider another everyday activity, with a lot of benefits but some inherent risks, which works fine when people take care but goes wrong when they don't: driving. In most places, you don't get to drive without taking a simple test to prove you're reasonably safe and competent. Then if you're caught driving in a way that's hazardous or inconsiderate to others, a nice policeman pulls you over. Depending on the significance of the violation, you get a verbal warning, a formal sanction, or read your rights and your vehicle confiscated.
If a similar principle applied to the Internet, with minor offences attracting a polite warning up to running a grossly insecure system that causes widespread inconvenience to other netizens getting you completely blocked, people would soon learn to respect the technology and others using it. But first we have to get over this strange idea that because it's The Internet, everyone should be allowed to use it, without any traceability or responsibility for their actions whatsoever, regardless of the harm it may cause others. I doubt that'll be a popular viewpoint around these parts.
Re:That's frightening (Score:4, Interesting)
But what they don't solve and, indeed, what they cannot solve, no matter how smart, is the problem of sheer volume - the problem of bandwidth. If the attacker overwhelms your pipe, or your ISP's pipe, or your ISP's ISP's pipe, then mission accomplished.
You also have to have enough bandwidth to fight the attack, even if your servers can handle all those SYN packets per se.
Re:That's frightening (Score:4, Insightful)
Along with IPS in general, I think a lot of the devices out there have some pretty good rate-limiting and SYN flood mitigation, however, they all seemed to miscalculate the sheer amount of processing power it takes to do deep packet inspections and protocol verification. Prolexic's network is currently representing about 10 Terahertz of processing ability just for the DPI, so hoping a single FPGA based hardware device will do the trick may be a bad idea. Also, most devices can not handle out-of-state TCP based attacks (see: Riverhead), so keep your eyes out on that too.
Prolexic often gets new customers when the TopLayer, Tipping Point, and Riverhead gear fails, so I don't see how anyone could be comfortable with just a single unit to save the day when there are people out there that will take down DNS servers, router serial interfaces, carriers, do long lived TCP sessions to slow down web servers, HTTP connection floods, and anything else they can think of to just hurt the network (75k machines all doing random search queries on a cgi, etc.)
Further, a box does not have much of a turn-around time, so just call Tipping Point at 2 AM on Sunday when the network failed and nobody has any clue with what is going on. Then wait for their one good programmer to fix the FPGA issue and a week later cross their fingers that whatever they did can stop the botnet that is causing someone's business to fail.
I may just be a little beat up from all the traffic we deal with, but it's a little insane to say things like, "we have box X, its magic will fix everything."
-Barrett
Re:That's frightening (Score:4, Informative)
I don't think we can ever take away the bots (it would be nice), because we are seeing P2P bots that run encrypted communications between each other. The attacker guy just tosses his instructions into the P2P stream and they distribute over the entire network - creating a nearly headless command less network that can (once started) operate decentralized. These easy IRC bots are almost a thing of the past now. The point being, as the code base for bot networks grows they will get more complicated and more difficult to shut down.
If a blackhat geek can download source code and knows how to hack it up, he/she can do anything they want. Then it's down to just finding open machines to install their goods on. Policing the Terabits-per-second of backbone traffic for odd-ball P2P traffic like that is a bad idea.
Prolexic also gets attacks now that may not have any botnet, some Ixia (packet generator) connected in Asia-Pac blasting 600 Mbps of generated packets does the same as a 10-20k botnet. We believe to have been attacked by something similar to that at least twice.
The main problem is, there are just bad people out there and you need to create security policy that protects your business. If your revenue stream comes from your online business, then you should protect your online business and not hope your ISP will do that for you.
-Barrett
Never pay (Score:5, Insightful)
Any measure of success will encourage more of the same behaviour.
Re:Never pay (Score:3, Insightful)
Uhm. And when you're robbed on the street, never give them your wallet. Get beaten, raped, killed. Just don't give them your wallet - they might just get tempted to do it again.
Moral is nice. Getting phucked is not. We can't expect every single person or company to act in public interest if that means they might get killed doing so.
What is really needed, is serious money being pushed into Interpol, and hiring whitehats there. Online criminals aren't going to spend much time in countries with strong fede
Re:Good, some balls. (Score:3, Funny)
What about the interns?
Re:Good, some balls. (Score:5, Insightful)
Please excuse my asking, oh well-armed-one, but WTF for?
The glock is a fine weapon, and being an admin for an ISP is a fine job, but I can't quite see the relationship between the two things...
Re:Good, some balls. (Score:5, Interesting)
And to answer the obvious question, our office WAS there for a reason, we were a block from the ILEC's main CO. This made quite a difference in the cost and time to install of new circuits.
Re:Good, some balls. (Score:4, Interesting)
"I SWEAR I'll do it man! I'll fry this bitch right now if you don't put your gun down! I crazzzzzy - don't you know I'm loco!?!"
What are you going to do then, mister rent-an-adminCop?
Re:Good, some balls. (Score:5, Insightful)
In Texas there is no lower limit. You can shoot someone in the back who is running away from you and is no longer on your property, as long as they stole from you and you can expect that you won't see it again if they make off with it and you would be at risk if you caught them. That's pretty much a blank check to shoot a robber in the back.
The very idea of killing someone over something so trivial as a router makes me sick.
I'm a raving liberal when it comes to most things, but I seem to be on the rabid conservative side for this one issue. Why is their right to steal from me greater than my right to stop them? I have the right to be secure in my person and property. They do not have the right to be secure in my property, only their own.
Using deadly force to stop a felony seems quite reasonable. Using deadly force to stop a car chase seems quite reasonable. Deadly force should be used to stop crimes in progress and to stop those after crimes are committed if failure to do so would result in them getting away. If you don't like it, quit committing felonies.
Re:Good, some balls. (Score:4, Insightful)
I am myself a gun owner and a vocal proponent of the Second Amendment, and I have to say I could not disagree more with what you are saying. It's this kind of testosterone-driven false bravado and thoughtless remarks that give real firearm enthusiasts a bad name.
Deadly force is a last-resort measure that should be employed only when there is direct risk to your life or the lives of others. If someone else is threatening or attacking you with a gun, or if someone comes at you with a knife or something, or someone is subjecting another person to such a threat, you are justified in shooting them. But how can you justify taking someone's life because they're about to make off with your hubcaps or your computer?
The power to take a life carries a tremendous responsibility to use that power only when it is necessary in order to protect the lives of others. Anyone who says otherwise clearly does not understand the responsibility that comes with wielding deadly force, and the sooner the crackpots who kill some poor kid to save their property are hauled off to prison, the better.
Your post smacks of the attitude of a kid who's never actually held a gun, much less been in a situation where it was necessary to use it. I haven't had to fire upon another human being either, but I know people who have; my father's gun saved his life on several occasions, and a friend of mine is a police officer. Think before you speak, maybe.
P.S: I have to say I do agree that sometimes deadly force should be used to stop a car chase. If the suspect represents a direct threat to innocent life, or the moment they make an assault with their vehicle, any measure required to stop them should be employed. However, in a pursuit situation, the best option is to simply let the suspect get away - unless you know that they do in fact pose an immediate threat (say, they're an escaping murderer, or they have a hostage, or something of that magnitude), it's simply not worth the risk to public safety that is involved in a high-speed pursuit. It's sad the number of times innocent people have been injured or killed because the cops didn't want to let a drug dealer or two-bit robber get away.
Chicks dig it... (Score:3, Insightful)
Makes you look less geeky.
Re:Good, some balls. (Score:5, Funny)
Because, sometimes that Windows box crashes one time too many...
Re:Good, some balls. (Score:3, Funny)
In actual fact, my Batman utility belt is getting kinda crowded. Ipaq 5500, Nokia 6620, Motorola HS850, Knife, and Gun. I think I need a pair of suspenders. (Does Jinx sell geek-spenders?) Fortunately for me, I have a larger circumference than the average geek, which gives me more belt real-estate. I don't know how y
Re:Good, some balls. (Score:4, Funny)
Actually, In Nevada, it's called "brandishing".
Take a fucking joke people, jeez. Yes, the story is true. Yes, we all carry Glocks. No, we didn't point them at anyone. Just snatching the fucker out of his perceived anonymity was enough. (hint to the AC's?)
When asked why we carried, our stock response was "We take Network Security VERY seriously." And follow it up with (in my best Monty Python) "I don't like SPAM!".
Curious (Score:3, Interesting)
I've always wondered...when a site is slashdotted, it implies that the site has been hit by high referrals from slashdot, causing it to become slow or go down totally.
But how does slashdot itself cope with the high traffic?
Re:Curious (Score:5, Informative)
But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.
Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000x fold increase.
Re:Curious (Score:5, Funny)
All the 813,621 users before you don't really exist. These messages are randomly generated geek buzzwords. "Users" are given personalities, ranging from "Linux lover" to "Windows loser", from "I'm just a troll" to "IAARS", from "Funny" to "I take myself serious, but no one else does".
Those "personalities" alter the pre-populated phrase list according to topic (actually, I am not even sure the topic matters). Think of it as an advanced Turing simulation.
I was fooled for my first three months. Then, I saw the predictable responses, and realized that there was no actual intelligence here. Just the occasional real life person who wanders in and is fooled for a while. The auto-misspell feature was a nice addition, I have to admit.
Want proof? Pick a user id. Peruse message list. Notice the lack of variety? Notice the lack of real meaning behind each message? And when there is real content, try browsing earlier messages. You will find phrases ripped verbatim from an earlier post.
Of course, you may also be a bot. CommanderTaco is always making tweaks to the message generation algorithm (though his posts, too, are mostly generated by code). I will have to peruse your message history when I am done posting here.
Re:Curious (Score:3, Informative)
Remember that the site in this article was getting hit with over 3 gigabits of traffic a second under the pressure of a DDoS composed of an estimated 35k bots. Now imagine that your average dedicated server account comes with a 10 megabit pipe. It would take a lot fewer consistent
Extorting a gambling site? (Score:5, Funny)
Many gambling sites still have connections to, shall we say, respectable businessmen of the Italian or Asian persuasion, who are used to handling such matters extra-legally.
You might just wake up one day with your computer's monitor (cables severed with an ax) in bed with you.
Or Guido and Nunzio standing over you, giving you tips on the finer points of extortion while they wait for the concrete to set.
Re:Extorting a gambling site? (Score:5, Funny)
If such a job were available I'd personally be going through sharpshooter training right now.
fighting back with infrastructure (Score:5, Interesting)
The ease of infecting home XP systems remotely means you sometimes find teenagers with tens of thousands of zombie computers at their control. They can sell them to spammers, too.
The ease of doing massive DDoS attacks is why I stopped running an IRC server, and also stopped a research project I was doing related to inter-protocol messaging. It wasn't worth the hassle.
Fighting back is hard if you don't know who to fight, but in the case of extortion, (1) document everything on paper, (2) keep timestamped printed IRC logs of all conversations, and full email printouts; (3) ask some other people to print copies of their IRC logs when appropriate. Then contact the RCMP (or if you are in the USA, the FBI, but in the USA you need to show financial damage of $5,000 or more). Don't wait until it's all over before contacting them.
Good luck!
Liam
Re:fighting back with infrastructure (Score:3, Informative)
If you're not sure who you should report this kind of stuff to (local or RCMP), you can make use of RECOL.ca [recol.ca] (Reporting Economic Crimes On-line). They can direct your complaint to the proper force/department.
In terms of the RCMP, it's usually the Commercial Crimes Division (they'll then bring the Tech. Crime guys in as needed).
Next News Story... (Score:3, Funny)
I'm glad that somebody's standing up to the jerk though... people who do stuff like that are wasting perfectly good matter.
Re:No protection (Score:3, Interesting)
Sorry, but I grew up in a decidedly non-ethnic area and a
Network admins! Prevent this from happening (Score:5, Informative)
There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr [pc-tools.net] to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies.
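The check described above, matching your own netblocks against downloaded blacklist dumps, comes down to CIDR containment with some tolerance for the comments and junk lines that real dumps contain. The following is an added example (not the grepcidr tool itself and not code from the thread) that does that matching in Python over constructed dumps, handling entries given either as single addresses or as CIDR ranges; the network prefixes, list names and contents are assumptions of the example.

```python
"""Check whether any address in your own netblocks appears on a blacklist dump.

Added example, not from the thread: a small stand-in for the grepcidr step,
written so that entries given as single IPs or as CIDR ranges both match.
"""
import ipaddress

# Constructed: the prefixes your ISP or company announces.
OUR_NETWORKS = ["203.0.113.0/24", "198.51.100.64/26"]

# Constructed blacklist dumps keyed by list name. Real dumps carry one entry
# per line; comments and malformed lines are common and must not abort the run.
BLACKLIST_DUMPS = {
    "cbl": "# CBL export\n203.0.113.17\n192.0.2.5\nnot an ip\n",
    "sorbs-dul": "203.0.113.0/26\n198.51.100.128/25\n",
    "dsbl": "198.51.100.70\n203.0.113.17\n",
}


def parse_entries(dump_text):
    """Yield ip_network objects; a bare address becomes a /32 or /128 network."""
    for raw in dump_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing or whole-line comments
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                              # skip junk instead of failing the check


def listed_entries(our_networks, dumps):
    """Return {list_name: [entries overlapping our address space]} for lists with a hit.

    overlaps() catches both a listed host inside our block and a listed range
    (e.g. a dynamic-pool /26) that covers part of it.
    """
    ours = [ipaddress.ip_network(n) for n in our_networks]
    hits = {}
    for name, text in dumps.items():
        for entry in parse_entries(text):
            if any(net.overlaps(entry) for net in ours):
                hits.setdefault(name, []).append(str(entry))
    return hits


def entries_on_multiple_lists(hits, min_lists=2):
    """Entries (as strings) that show up on at least `min_lists` lists: the
    hosts most likely to be actively spewing, and the first ones to isolate."""
    seen = {}
    for entries in hits.values():
        for entry in entries:
            seen[entry] = seen.get(entry, 0) + 1
    return sorted(e for e, n in seen.items() if n >= min_lists)


if __name__ == "__main__":
    found = listed_entries(OUR_NETWORKS, BLACKLIST_DUMPS)
    for name, entries in sorted(found.items()):
        print(f"{name}: {', '.join(entries)}")
    print("on several lists:", entries_on_multiple_lists(found))
```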
Re:Network admins! Prevent this from happening (Score:5, Informative)
It depends on the type of the attack. "Traffic" is quite unspecific, but it's not necessarily ICMP echo-request (a.k.a. "ping"). For DoS ping is rather uninteresting, because there are enough sites that don't allow ping to their servers and filter it out some hops before the servers anyway. At least I was recommending to customers to allow ping only from monitoring and maintenance sites. (As a side note: A lot of IPs for servers are not coupled with a specified hardware address anyway, but handled and distributed by loadbalancers and serverfarms, so there is no point in having those virtual servers respond on anything else than the service they are supposed to provide.)
So if you have a site that only allows a very limited number of packet types through, attacking it with something outside of the scope of the firewall is somewhat pointless, unless you manage to muster such a high bandwidth that it clogs up the pipe at some hops way before the original site. And traffic that is easy to distinguish from legitimate traffic is also easily filtered directly at the backbone routers of the really big ISPs or exchange points ("drop anything not TCP to the site in question").
To make your attack more effective you have at least to mimic the legitimate traffic a little. Your DoS-requests thus should be at least formally correct (or be incorrect in a quite sophisticated manner to trigger complex fault and exception handling.) If you manage to cause the service to calculate a long or data intensive response, it's even better, because then you are clogging up CPU time now missing to handle requests that generate business for the site ("Give me all betting quotes which are either between 1:1 and 1:5 or between 1:4 and 1:10 or between 1:8 and 1:100 or are better than 1:75" forces the site to answer with a large sheet containing all quotes, but the answer set consists of several subsets to be calculated separately. Not every site has middleware in place to change this to "give me all quotes"). If you manage to make your request variable, so filtering out the DoS request with a single pattern doesn't work, it's much better. If you change your attacking pattern during the attack, so the filters in place have to be changed the whole time by the defending site, your DoS will be even more effective.
In the end for an effective DoS you should a) fill all available bandwidth with traffic indistinguishable from legitimate traffic b) use up as much CPU time on the servers as possible to handle your request c) try to generate an asymmetric pattern (your request should use up much less bandwidth for you than the answer of the site is using) d) make it as variable as possible to avoid static filtering.
EVIL! (Score:5, Funny)
From: Father Mayai (Yes, you may!)
Subject: Notice of Eviction
Rudyard Kipling's "Dane-geld" - extortion poem (Score:4, Interesting)
(A.D. 980-1016)
IT IS always a temptation to an armed and agile nation,
To call upon a neighbour and to say:--
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation to a rich and lazy nation,
To puff and look important and to say:--
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray,
So when you are requested to pay up or be molested,
You will find it better policy to say:--
"We never pay any one Dane-geld,
No matter how trifling the cost,
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
- Rudyard Kipling
Anyone willing to try their hand at "updating" this to fit online extortion? This could be lots of fun
Re:Rudyard Kipling's "Dane-geld" - extortion poem (Score:5, Funny)
It seems a good idea to sit in Eastern Europea
And mail out missives with a threat
"We know that you have gold, and if I may be so bold
If you send me some I will not be a threat"
And that is called running protection
And the scum who demand it defend
That you only have to pay them protection
And your enterprise won't have to end.
It is a real temptation to avoid a confrontation
And pay off the bottom sucking filth
Then the business you created won't be immolated
By the bandwidth sucking zombies and their ilk
And that is called paying protection
But after you've paid up today
They'll come calling for more protection
There will never be an end to what you pay
It's a shame to whimper quietly and meet with their demand
To keep the money flowing fast and free
So when they do demand the little money in your hand
I would suggest that you repeat slowly after me.
"We never pay any scum protection
No matter how hard they may lean
For tomorrow you'll be back threatening to hack
Using any zombies you can glean"
I am no Rudyard Kipling, but I think this captures the essence of it.
Article (Score:3, Informative)
CSO Magazine
May 2005
By Scott Berinato
Saturday, Nov. 22, 2003, 7:57 a.m.
Origins of an Onslaught
If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.
Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said--God, in hindsight, what an idiot--I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.
That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's offices--he had no interest in baby-sitting infrastructure in Costa Rica--but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.
When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.
At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.
The Extortion Problem
We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 1
Good story (Score:3, Insightful)
I fought a DDoS and won (Score:5, Interesting)
Anonymizer.net tried to help me by putting my domain behind a series of rotating proxy servers. Their whole network crashed after 6 hours and they had to stop helping me.
Finally my web host hit on the right idea. I set up a half dozen virtual private servers (VPS) at Globalservers.com (same company that hosts about.com and freeservers) and my host installed a proxy server on each one called twhttpd and set them all to route traffic to and from my web server at his data center.
Then I set up an account at ZoneEdit and added all the IPs for the proxy servers with a failover system. Every time the bastards knocked out one of the proxy servers, ZoneEdit would detect that the server was borked and switch to another one. With the load reduced, the dead proxy came back on its own a few minutes later.
After about 6 months of this, they finally gave up and I won.
Re:I fought a DDoS and won (Score:5, Interesting)
Once the traffic passed through their routers, it went through the proxy and the proxy would pull the data from my webserver.
My host wrote a script that he installed somewhere (on his switch I think) that filtered out a specific type of HTTP GET. Whoever wrote the attack bot made a mistake because it generated some weird error (408 or 508 or something). His script filtered that out and then the webserver would return data to the proxy servers and from there to the end client.
It was a little glitchy and it nearly ruined my message board (all the users had the same 6 IP addresses and that played hell with session IDs), but it kept the site going despite the attacker's best efforts. He/they eventually moved on to attack other antispyware web sites with fewer resources.
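Two defensive points sit in this thread: once traffic is funnelled through a proxy pool the origin sees only the proxies' addresses (hence the session-ID trouble), so any per-client logic has to recover the real client from X-Forwarded-For and must trust that header only from the known proxies; and the bot was filterable because its requests had one fixed, slightly broken shape. The Python below is an added example that illustrates both and is not the poster's or his host's script (which is not on the page). The proxy addresses, log format, request shapes and traffic mix are all constructed; the 50% share threshold, the 20-distinct-clients floor and the 10-requests-per-minute limit are assumptions chosen for the sample.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed stand-ins for the proxy pool (TEST-NET addresses); only these peers
# may set X-Forwarded-For on our behalf.
TRUSTED_PROXIES = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

# Constructed log format written by the origin:
#   peer [unix_ts] "request line" status xff="X-Forwarded-For value"
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \[(?P<ts>\d+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) xff="(?P<xff>[^"]*)"$'
)


def client_ip(peer_ip, xff_header):
    """Recover the real client behind the proxies.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies; a
    direct connection carrying the header is treated as its own client, because
    anyone can forge that header.
    """
    if peer_ip not in TRUSTED_PROXIES or not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Strip our own proxies from the right; the first remaining hop is the
    # address the outermost trusted proxy actually talked to.
    while hops and hops[-1] in TRUSTED_PROXIES:
        hops.pop()
    return hops[-1] if hops else peer_ip


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["client"] = client_ip(rec["peer"], rec["xff"])
    rec["sig"] = (rec["req"], rec["status"])  # request shape as the server saw it
    return rec


def flood_signatures(records, min_share=0.5, min_clients=20):
    """Request shapes that dominate the log AND arrive from many distinct clients.

    One client repeating itself is a rate-limit problem; one fixed request shape
    from dozens of addresses is the fingerprint of a bot herd.
    """
    if not records:
        return set()
    by_sig = Counter(r["sig"] for r in records)
    clients = defaultdict(set)
    for r in records:
        clients[r["sig"]].add(r["client"])
    return {sig for sig, n in by_sig.items()
            if n / len(records) >= min_share and len(clients[sig]) >= min_clients}


class RateLimiter:
    """Sliding-window limit keyed on the recovered client address, not the proxy."""

    def __init__(self, max_requests, window_seconds):
        self.max, self.window = max_requests, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, client, ts):
        q = self.hits[client]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(ts)
        return True


def filter_log(lines, max_requests=10, window_seconds=60):
    """Return (passed records, flood signatures, dropped by signature, dropped by rate)."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    bad_sigs = flood_signatures(records)
    limiter = RateLimiter(max_requests, window_seconds)
    passed, by_sig, by_rate = [], 0, 0
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["sig"] in bad_sigs:
            by_sig += 1
        elif not limiter.allow(r["client"], r["ts"]):
            by_rate += 1
        else:
            passed.append(r)
    return passed, bad_sigs, by_sig, by_rate


def constructed_log():
    """Constructed traffic: 8 normal clients, one hog, a 60-address bot herd sending
    one malformed request shape, and a direct hit that forges X-Forwarded-For."""
    px = sorted(TRUSTED_PROXIES)
    lines = [f'{px[i % 3]} [{1000 + 10 * i + k}] "GET /lines.html HTTP/1.1" 200 '
             f'xff="198.51.100.{i + 1}"' for i in range(8) for k in range(3)]
    lines += [f'{px[0]} [{1100 + k}] "GET /lines.html HTTP/1.1" 200 xff="198.51.100.99"'
              for k in range(25)]
    lines += [f'{px[b % 3]} [{1200 + b + k}] "GET /\\x00 HTTP/1.0" 400 xff="192.0.2.{b + 1}"'
              for b in range(60) for k in range(2)]
    lines.append('192.0.2.250 [1300] "GET /lines.html HTTP/1.1" 200 xff="198.51.100.1"')
    return lines


if __name__ == "__main__":
    passed, bad, by_sig, by_rate = filter_log(constructed_log())
    print(f"flood signatures: {bad}")
    print(f"passed={len(passed)} dropped_by_signature={by_sig} dropped_by_rate={by_rate}")
```

On the constructed sample the herd's request shape is the only one flagged (120 of 170 lines, 60 addresses), the hog loses everything past its tenth request in the window, and the forged header on the direct connection is ignored, so that client is counted under its own address rather than the spoofed one.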
So... (Score:5, Funny)
...is submitting a story to /. the last revenge of the DDOS extortioner?
Good guys vs. bad guys (Score:5, Insightful)
From a purely economic standpoint, it makes me wonder who's the real "extortionist"...
Re:Fight! (Score:5, Insightful)
This is where R'ingTFA comes in...
If no joy from the authorities, I'm sure your local newsrag would be glad to shame the cops into doing something. Of course, if the extortionist is overseas, things might be a little difficult.
Again, this is where R'ingTFA comes in. I'd also add that one downside of moving your business to an unregulated third world country is that neither the local journalists nor the local cops are especially interested in your gringo problems. I don't understand why Scotland Yard bothered with him.
Re:Fight! (Score:5, Funny)
Oh wait...
You can send us $40K by Western Union [and] your site will be protected
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans
Lyon says, "I could have left it alone, but I had gotten attached, and I started investigating. I came up with some interesting techniques to trace back the attacks." He turned over his work to several law enforcement agencies, but he never heard about it again.
"Um, hello - FBI? Hi. Yes I run a website gambling business offshore in Costa Rica and I just got threatened by someone who says they will shut me down unless I wire forty thousand via Western Union to someone in Belarus who *click* Hello?"
Re:Question (Score:5, Interesting)
But like I said, he's cleaned up his act in recent months, so I no longer have a beef with him. Some folks, on the other hand, still hold this against him--which isn't an entirely unreasonable position to take.
Re:Question (Score:5, Funny)
Hey, leave me out of this! I can't even get my own articles accepted.
Re:Question (Score:4, Funny)
Re:Complete Mirror (Score:3)
Re:And the lesson is... (Score:3, Insightful)
There's a point where they keep coming back with higher numbers. If you look, they only guaranteed the protection for a year.