Gangs Extort Companies With DDoS Attacks
Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"
A new financing model... (Score:5, Funny)
Re:A new financing model... (Score:5, Funny)
But just that with all the story repeats, they might just forget that they'd been paid not to do that again.
You know, that might actually prevent them from posting repeats though
Re:A new financing model... (Score:5, Funny)
The productivity gains would be enormous.
Fine. Let them! (Score:5, Insightful)
Wrong, it is ILLEGAL! (Score:3, Insightful)
Re:Wrong, it is ILLEGAL! (Score:2)
In theory, this makes some sense. In practice, it does not.
The fact of the matter is that someone will eventually exploit the security hole. I would much rather have it be some computer science students than a criminal. The computer science students will harmlessly inform me of the security hole (or do something resulting in very little damage). The criminal will steal my passwords and credit card numbers and do some serious damage.
Your argum
is this a troll? (Score:2)
Re:Wrong, it is ILLEGAL! (Score:2)
Re:Wrong, it is ILLEGAL! (Score:3, Funny)
So if blocking a big store is like hacking.. and hackers are terrorists... All those grocery store employees striking here in California are terrorists!?
:)
-matt
Re:Wrong, it is ILLEGAL! (Score:2)
No, the hackers are preventing the companies from doing business and the... oh. Wait, I got it.. the hackers are doing this to get more money and the strikes are to... oh nevermind. :(
Doesn't matter (Score:2)
Basically, there's nothing you can do (in a technological fashion) about it. Only thing that you can do is hunt them down and sue them; which is not that simple in a global environment.
Re:Fine. Let them! (Score:5, Insightful)
You have 10,000 zombies firing packets at you, spoofed on random IPs, how do you stop this?
We had to Akamize our stuff.. and that's extremely pricey (think 2+ salaries).
S
Re:Fine. Let them! (Score:2, Interesting)
If a router were able to know that both the source and destination IP address lay within a given logical area on the network, maybe it should reject packets that come from the source IP, but from outside the area defined by the source and destination. This would require the router to be on the border of that region, however.
I suppose IPSec does that sort of thing automatically.
Re:Fine. Let them! (Score:2)
S
Re:The internet needs to change (Score:2)
The same is true of spam and open relays, though.
S
Re: What exactly would this consultant / admin do? (Score:3, Informative)
This allows the DDoSers to saturate your pipe, thus DDoSing you.
Even if it DOES block all traffic, and magically re-opens your pipe, you're still not safe:
If these "gangs" control thousands, or hundreds of thousands of "drones", there's nothing stopping them from generating "LEGITIMATE" (well-formed; handshake; non-spoofed) traffic on an allowed protocol and saturating your bandwidth, this way. You can put 50,000
Re:Fine. Let them! (Score:2)
Perhaps, but it also has the effect of damaging a company's public image and stock price by making them look ineffective or unsafe for consumers' data. That's the only reason protection money is paid to hackers.
Any CEO with a brain knows that if a business is attacked once, it can be attacked more than once -- but appearing vulnerable to one's customers is just compounding the damage. Better, they reason, to pay off the extortionists and then bee
It's even cheaper... (Score:2)
...to pay the 40 grand to a hitman who will fly to Eastern Europe and put a bullet in the heads of the DDoS gang members. Problem solved for everyone, and permanently.
Heck, my weekend's free. My suitcase is right here. Anybody got $40,000?
Re:It's even cheaper... (Score:3, Insightful)
Re:Fine. Let them! (Score:3, Interesting)
The extortionists want around $40-50K per year, and you think it'd be cheaper to hire consultant(s) or more/better sysadmins instead?
Who do you work for, again? I'd like to know where not to ever send my resume.
Consultants? Better admins? Bah! (Score:2)
I say hire some bad-ass psycho punk to hunt those h4x0rs down and give 'em a full load... maybe hit them with old routers, stick 'em fingers on power sources, or better than all, use those printers that can print on stone and wood to tattoo those fuckers "I've been DDoSed" on the forehead!!
OK... I'm much more calm now
Re:Fine. Let them! (Score:5, Informative)
Commercial rates for security consultants start at $2,000 per day. People in the middle tier charge as much as $5,000. Big name consultants such as Bruce Schneier can name their price.
And the fact is that none of us can do diddly against a DDoS attack, except advise you on how to configure bigger pipes and how to get in touch with ISPs quickly to stop the traffic from their networks.
Occasionally there is a DDoS that has a flawed mode of attack that can be diverted. There have been a couple of attacks against the White House that were like that. They can divert the attacks because they can get top-rank consulting for free in extremis.
Not paying might be cheaper in the long run, but in the long run we are all dead. The answer is not consultants, it is law enforcement and better infrastructure.
For example, why exactly does anyone need to send a stream of several thousand SYN packets per second from a home computer to the same IP address for several hours at a time? There is simply no reason why a home machine should need to do that, nor should a home machine be sending millions of DNS requests per second to any machine.
There is a pretty easy fix to DDoS attacks: put intelligence into cable modems and router boxes. Even if there is an option that allows the expert user to turn the checking off, the boxes should be shipped in a safe configuration by default and it should not be possible to disable the safety catch without physical access to the modem.
Congress could encourage ISPs to adopt this type of technology by merely suggesting that ISPs be made liable for attacks mounted from their machines.
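The outbound check this comment argues for, sketched as an added example (not the commenter's code or any vendor's firmware): a token bucket on outbound SYNs per destination, as a cable modem or home router could apply it. The class name, the rate and burst values, and the traffic are assumptions constructed for illustration.

```python
"""Egress SYN limiter a modem or home router could apply (added sketch)."""
from collections import defaultdict


class EgressSynLimiter:
    """Token bucket per destination IP for outbound TCP SYNs.

    rate  = sustained SYNs/second allowed toward one destination (assumed)
    burst = bucket depth, so a browser opening many connections still passes
    """

    def __init__(self, rate=20.0, burst=100.0):
        self.rate = rate
        self.burst = burst
        self._tokens = defaultdict(lambda: burst)  # every bucket starts full
        self._last = {}

    def allow(self, dst, now):
        """Return True if a SYN to dst at time now (seconds) may leave the LAN."""
        elapsed = now - self._last.get(dst, now)
        self._last[dst] = now
        tokens = min(self.burst, self._tokens[dst] + elapsed * self.rate)
        if tokens >= 1.0:
            self._tokens[dst] = tokens - 1.0
            return True
        self._tokens[dst] = tokens
        return False


def replay(events, limiter):
    """Run (time, dst) SYN events through the limiter; return drops per dst."""
    dropped = defaultdict(int)
    for now, dst in sorted(events):
        if not limiter.allow(dst, now):
            dropped[dst] += 1
    return dict(dropped)


def sample_events():
    """Constructed traffic: 10 s of browsing plus 10 s of a 2000 SYN/s stream."""
    events = []
    # Normal use: 5 new connections per second spread over 4 web servers.
    for i in range(50):
        events.append((i * 0.2, "198.51.100.%d" % (10 + i % 4)))
    # Compromised host: 2000 SYNs per second toward a single address.
    for i in range(20000):
        events.append((i * 0.0005, "203.0.113.7"))
    return events


if __name__ == "__main__":
    for dst, count in replay(sample_events(), EgressSynLimiter()).items():
        print(dst, "dropped", count)
```

The browsing traffic passes untouched while all but roughly 300 of the 20,000 SYNs toward the single address are dropped at the source. A limiter like this does nothing about floods of complete, well-formed requests.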
You have a case for more than $5K (Score:3, Interesting)
Rate limiting SYN packets is one answer, but you can DDOS someone just with HTTP GETs if you have enough machines. Just ask a recent /. effect victim.
The other thing is to just follow the money. This is where the FBI come in. It is *very* difficult now to make a transfer of more than a few thousand dollars thro
Internet Mafia (Score:4, Funny)
So who's the god father? I vote Al Gore.
Re:Internet Mafia (Score:2)
Re:Internet Mafia (Score:2)
Re:Internet Mafia (Score:2)
Al Gore
Linus Torvalds
RMS
D J Bernstein
Steve Ballmer AKA Monkey Boy
Steve Jobs AKA Super Ego
Wil Wheaton
Anybody but CowboyNeal
Re:Internet Mafia (Score:2)
protection market (Score:5, Insightful)
what's to stop another DDoS group from doing the same?
as the movies teach never pay the protection money
Re:protection market (Score:3, Insightful)
Re:protection market (Score:5, Interesting)
One kind is the low-level "Pay me or I wreck shit". In this model, you don't actually get "protection" from anyone else, just the people you paid don't arbitrarily wreck your stuff. If some third party decides to play rough, the people you're paying protection to generally don't care, unless it threatens their protection money (i.e., driving a store owner completely out of business).
The more sophisticated kind of protection generally involves paying someone so that you can operate without interference. Generally this involves handing over a percentage of the operations as a tithe or tribute (and in fact among Italian mafia, it is a historical descendent of the practice of conquered peoples paying tributes to Roman officials). In this case, since the payment is generally dependent on the successful completion of whatever the protected activity is, you'd be more likely to get muscle applied in your favor to keep rivals away. But even then there may be extra money associated with hiring muscle, and often it is an artificial ruse used to obtain larger tributes. (In an episode of the Sopranos, Tony uses a black political agitator to get more tribute out of a construction business that is already paying tribute. He then "breaks up" the black's protest and later splits the take with the black's leaders).
A new financing model for /.? (Score:5, Funny)
Re:A new financing model for /.? (Score:2)
Lunch money (Score:3, Funny)
One kid reported, 'If the demand comes in for $4-5, compared to the losses they're suffering, there's an attraction for the wimps to pay and hope it goes away. But there's nothing to say it will go away.'
what happened to the good old days... (Score:2, Funny)
Pffft! Gangs! (Score:3, Funny)
This isn't surprising... (Score:5, Interesting)
Secondly, how is this different from some company installing spyware/nagware that's not uninstallable and then sending you email asking you to pay 20 bucks for a utility that'll "remove" their piece of software?
Re:This isn't surprising... (Score:5, Funny)
Easy. Asking for money to not attack someone's servers is extortion. Your example is an "innovative business model".
-Todd
Solution! (Score:3, Funny)
Re:This isn't surprising... (Score:2)
Re:And what makes you think.... (Score:2)
Re:This isn't surprising... (Score:2)
Don't believe me? Ask anyone here on /.
What gives? (Score:2, Interesting)
Re:What gives? (Score:4, Interesting)
They make pay to their hacked eBay accounts... (Score:5, Informative)
As a side note, I know a network security company who got hit with one of these, end result? The FBI and the local (Eastern European) police arrested and are trying the hackers in question.
When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.
And in other news... (Score:2, Funny)
Anyone looking for work in security? (Score:5, Insightful)
Re:Anyone looking for work in security? (Score:4, Insightful)
Re:Anyone looking for work in security? (Score:3, Interesting)
Of course, the other solution is to employ somebody to track down the buggers doing the DDOS'ing....
Re:Anyone looking for work in security? (Score:2)
Yes, the site may become unavailable due to either, but that doesn't mean they're anything similar.
Re:Anyone looking for work in security? (Score:2)
Do you have any suggestions on that?
Re:Anyone looking for work in security? (Score:2, Informative)
Re:Anyone looking for work in security? (Score:3, Interesting)
There are several techniques; most of them involve identifying a "connection fingerprint" and blocking it at the ISP level.
Quick! Someone call SCO! (Score:5, Funny)
SOLUTION? (Score:4, Interesting)
Re:SOLUTION? (Score:2, Interesting)
First, arrange with lots of DNS servers able to switch subdomain details in a snap.
Second, set up N web servers: n(1), n(2) [..] on separate networks.
If n(1) stops replying, n(2) notifies the DNS servers asking them to change the subdomain www.unddosble.com to n(2)'s IP address.
If n(2) fails, n(3) takes over, and so on.
Also, these servers should have pretty big pipes, so they can withstand an attack as long as possible.
Anyone tried something like this?
Re:SOLUTION? (Score:2, Interesting)
After the IP is marked as "blocked", the program can dynamically re-direct the traffic down a small pipe of its own.
The problem is, when a new packet comes in, a program still has to run a check to see what IP it's from, and make a decision whether to keep it or block it. That in itself takes work,
Re:SOLUTION? (Score:3, Informative)
But in a DDoS attack, the traffic is coming from thousands of IPs... even if each one individually trips that threshold, there's no reason a DDoS can't IP-spoof. As a matter of fact most of them do anyways, because it generates three times as many packets if the SYN/ACK handshake protocol fails...
Re:SOLUTION? (Score:3, Interesting)
It is possible, but commodity networking cards generally don't support it (for a reason).
But I do not believe that MAC addresses survive transit to the internet...
Many ISPs DO require static MAC addresses, though, and if your MAC address / IP address aren't the same then they don't route your packets. This was a big inconvenience to people with a home network
Re:SOLUTION? (Score:3, Insightful)
Unfortunately, there is no solution to DDoS attacks other than good security at the edges of the network. As long as anyone in the world can install Win98, not run Windows Update once, get cable internet service, and not be held accountable by their ISP for any bad things their computer may do that they didn't know about... DDoS will always be with us.
A strategy to deal with DDoS must be part pol
Re:SOLUTION? (Score:2)
How do they accept payment? (Score:2, Funny)
Stupid Gangs... What they ought to do (Score:4, Funny)
Blackmail ? (Score:2)
Why do I Keep Getting Left Out? (Score:5, Funny)
Re:Why do I Keep Getting Left Out? (Score:2)
Follow the money (Score:2)
I'm surprised no one has mentioned (Score:3, Insightful)
It annoys me that MS's bad approach to security is now threatening businesses worldwide on two levels, first by exposing their own computers and then by exposing them to distributed attacks by the general populace. Even businesses that didn't have a single MS system in use are affected by one company's half-@$$ed security practices.
Not trying to troll, just making a genuine point. If consumer computers were security-locked by default, DDoS attacks would be infinitely more difficult to pull off.
Hmm (Score:4, Interesting)
Why is it whenever the mob is involved, their first targets are gambling sites? Next thing it will be online porn and pharmaceuticals.
Re:Hmm (Score:2)
B: Gambling sites, as well as pr0n, make money
C: I imagine eBay/Amazon are too big to knuckle under these people, or have the bandwidth to deal with them
Obli.... (Score:2)
(and stuff).
Seriously...
When are eCommerce and all these other jagoffs going to get tired of Tha Intarw3b so that us geeks can have it back? O_o
My God someone has finally done it! (Score:4, Funny)
1. Buy computers
2. Blackmail companies for $40k or DDoS them
3. Profit!
What can be done? (Score:2)
Kalashnijkov! Kalashnijkov! (Score:2)
Bregovic rules (Score:2, Informative)
Cigani! Juris!: Gypsies! Attack!
Too funny. Get the money!
Karmic in a way... (Score:4, Interesting)
Saving a buck has its limits!
Worldpay (Score:2)
Rus
Extortion (Score:2)
Would this stop DDoS? (Score:2, Interesting)
For some time I've pondered the ways to stop DDoS.
Couldn't you write a program that scans each incoming packet and keeps statistics? Won't DDoS packets come far more frequently from a given source?
Is there a way to avoid spoofed packets by making sure you can reply to the source first? Shouldn't current protocols be designed to avoid spoofing? Or is it more fundamental (e.g. spoofing must be solved at a lower layer in the networking model)?
Where are the machines these attacks originate from located? C
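For TCP, the question above about making sure you can reply to the source first is what SYN cookies address. An added, simplified sketch of the idea (not the poster's code and not any kernel's actual cookie layout); the secret, the 64-second slot and all addresses are constructed assumptions.

```python
"""Stateless SYN validation in the spirit of SYN cookies (added sketch)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"  # assumption: random per-server secret
SLOT_SECONDS = 64                 # assumption: cookie lifetime granularity
MASK = 0xFFFFFFFF


def _cookie(src, sport, dst, dport, client_isn, slot):
    """32-bit value bound to the 4-tuple, the client's ISN and a time slot."""
    msg = "%s|%d|%s|%d|%d|%d" % (src, sport, dst, dport, client_isn, slot)
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def on_syn(src, sport, dst, dport, client_isn, now):
    """Answer a SYN while storing nothing: the cookie is the server's ISN."""
    return _cookie(src, sport, dst, dport, client_isn, int(now) // SLOT_SECONDS)


def on_ack(src, sport, dst, dport, seq, ack, now):
    """Accept the final ACK only if it echoes a cookie we could have issued.

    The ACK carries seq = client_isn + 1 and ack = server_isn + 1. A sender
    that spoofed its source never saw the SYN-ACK, so it has to guess 32 bits.
    """
    client_isn = (seq - 1) & MASK
    echoed = struct.pack(">I", (ack - 1) & MASK)
    slot = int(now) // SLOT_SECONDS
    for s in (slot, slot - 1):  # tolerate one slot rollover
        expected = struct.pack(">I", _cookie(src, sport, dst, dport, client_isn, s))
        if hmac.compare_digest(expected, echoed):
            return True
    return False


def demo():
    """Constructed handshakes: one real client, one ACK from another source."""
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)
    server_isn = on_syn(*conn, client_isn=1000, now=1000)
    ack = (server_isn + 1) & MASK
    other = ("203.0.113.99", 40000, "198.51.100.5", 80)
    return {
        "legit": on_ack(*conn, seq=1001, ack=ack, now=1002),
        "rollover": on_ack(*conn, seq=1001, ack=ack, now=1030),
        "other_source": on_ack(*other, seq=1001, ack=ack, now=1002),
        "expired": on_ack(*conn, seq=1001, ack=ack, now=1000 + 3 * SLOT_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

The server commits memory only after the ACK proves the client received a packet at the address it claimed, which answers spoofed SYN floods only; hosts using their real addresses complete the handshake normally.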
Any company that pays is stupid (Score:4, Insightful)
You pay gang A to go away.. a month later gang B hits you.. You complain to gang A.. They tell you it's not them.. You pay gang B.. a month later gang C hits you.. WASH and Repeat till your company is broke
To put this in perspective... (Score:5, Interesting)
Sympathy for the Devil (Score:3, Funny)
Offshore gambling sites? Almost as if one gang who run the casinos are being hit by other gangs. I wonder who the Cyber-Godfathers are?
How to collect? (Score:4, Insightful)
Re:How to collect? (Score:3, Interesting)
Re:Isn't Microsoft culpable in this mess? (Score:2)
Say Ford made a car and then someone gets into an accident with you. Is Ford to blame that he ran a red light?
Re:Isn't Microsoft culpable in this mess? (Score:3, Informative)
Re:Isn't Microsoft culpable in this mess? (Score:3, Insightful)
How is this like a car that randomly explodes?
This is like a gang threatening to slash your tires. Would the auto company be liable because their tires are not slashproof?
As we know from THIS site, nobody is slashproof!
Re:Isn't Microsoft culpable in this mess? (Score:2)
I agree that the poster's analogy was poor, but I think what he was trying to say (or at least the way I see it) is that it's not Microsoft's fault for making a DDOSable OS, but for making an OS that's so easily ownable, and can be used to DDOS other peoples' computers.
So, in your analogy, it would be more like suing a company that sells the "Johnny gangmember tire-slash-o-matic" t
Re:Isn't Microsoft culpable in this mess? (Score:2)
In which case, it's more like someone throwing a ton of pebbles at your Pinto's windshield, and suing Ford when eventually it cracks.
Re:Isn't Microsoft culpable in this mess? (Score:2, Insightful)
You buy a Ford car.
Someone tells you to pay $100/year and they won't punch holes through your tires for a year.
Is Ford to blame for selling you a car with tires that could be deflated? Likely no.
Re:Isn't Microsoft culpable in this mess? (Score:3, Insightful)
They think that you're saying that MS is liable because someone can use all your resources (which is ridiculous, of course.)
What I think you're saying is that it's MS that allows the security holes in their software, which allows these gangs to take control of other people's computers and launch the DDoS.
Your analogy is wrong - perhaps a better one might be that an automobile manufacturer makes a car that can be easily stolen (say by jiggling the door handle, an
Something easy to steal != culpable for theft (Score:3, Insightful)
No. Theft of property is an act separate from the nature of that property. The fact that I left my wallet on the window sill does not mean that I am in any way responsible for your choice to take it, or the subsequent fact that you used the money to finance a
A different analogy: car (Score:3, Funny)
Assume that you're the maker of a popular brand of cars. You're very successful and there are millions of these cars all over the places. There are problems with it, and you have issued recalls. Many times. Most users are just happy with their cars and never bothered.
Now, your cars have a curious problem: if a jerk points a finger at someone's home and yells "Shazam!", all the parked cars around just start and bee-line to this home. Soon, they cras
Re:Isn't Microsoft culpable in this mess? (Score:2, Funny)
DDOS [wikipedia.org] attacks [theregister.co.uk] are usually [theregister.com] launched [about.com] through Windows [microsoft.com] boxes [boxes.com] that have been exploited [goatse.cx], for example by worms [sophos.com] such as SOBIG [symantec.com].
Re:Isn't Microsoft culpable in this mess? (Score:3, Interesting)
whooooooaaaaa (Score:2)
Top 10 New Mafia Websites (Score:2, Funny)
www.sicialiand00ds.net
www
www.e-Bottomofthe-Bay.org
www
www.hotbotta-bing
cor.leo.ne
www.SleepswiththeBabelFishes.org
www.We-Hack-and-We-Whack.com
www.Go-Go-Gotti.in
Re:This sounds like a good way for Slashdot to mak (Score:3, Informative)
*shrug*
Or it could be that we just know how to run our server really well
Re:This sounds like a good way for Slashdot to mak (Score:3, Insightful)
Of course, it didn't even cough. It's only serving 256 Kbps of bandwidth! A Pentium 75 running Apache can saturate a 10 Mbps network with static page requests and never hit a high load average!
I mean, for static requests, the code in Apache might as well be:
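// Sketch: stream a static file to the client in 1 KB reads
$fp = fopen($sourcefile, 'r');
$stdout = fopen('php://output', 'w');  // handle the original snippet left undefined
while (($chunk = fgets($fp, 1024)) !== false) {
    fwrite($stdout, $chunk);
}
fclose($fp);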
At which point the *
Re:that much? (Score:2, Insightful)