DDoS Extortion Attempts On the Rise
John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
Null routes? (Score:4, Informative)
Re:Null routes? (Score:5, Insightful)
Re:Null routes? (Score:4, Insightful)
Re: (Score:3, Informative)
Re:Null routes? (Score:4, Informative)
By making the banning automated you can easily cope with a DDoS.
Some other things to help cope
- Make small pages, well compressed images
- Don't make highly detailed pages you can get to without logging in first [e.g. avoid server CPU load]
- Load balance
Tom
Re: (Score:2)
Re:Null routes? (Score:3, Insightful)
From the perspective of the host going down... no.
Re:Null routes? (Score:2)
1. A full-fledged ddos attack will likely saturate your switch-port (if it's 100mbit) so your webserver will not receive a lot of legitimate requests anymore.
2. Your ISP is going to bill the ddos packets to you if you don't tell them to cut it off. 400 zombies sending at 25k/s each would suffice to deliver 10M/s to your front door. A few big pipes (office or *shudder* university lines) on the zombie network drastically reduce the number of zombies required to plug up a 100mbit-link, but
Re:Null routes? (Score:2)
I can easily send 40kb/s from home, and I'm only on a weak DSL link.
You do know that you don't have to wait for a 3-way handshake to finish to initiate another connection, right?
In practice any not-so-braindead zombie will just flood SYNs and may process some of the SYN/ACKs as they flow in, if at all. The goal is to take the remot
Re:Null routes? (Score:2)
A DDOS will also cause most loadbalancers and firewalls to fall over even if you have the number of machines to deal with it. But all this is irrelevant as your line will be saturated.
If you are hosted at a small ISP they may also be totally saturated to their upstream provider and they will need to contact them.
If you're on a tier 1 backbone your uplink will saturate quickly, particularly if you are only on a 100MB/s burstable line, and probably the netw
Re:Null routes? (Score:2)
Site has 100mbit of bandwidth
Site only allows packets from the ip 1.2.3.4, rest is silently dropped (not even sending a RST or anything)
200mbit worth of packets are flying towards site.
What happens when 1.2.3.4 tries to connect to the site?
Re:Null routes? (Score:3, Insightful)
So yes, the 40 byte SYN packet consumes bandwidth coming in. But you don't expend bandwidth or CPU time otherwise [e.g. no ACK/SYN going the other way].
Although that raises an interesting question. Who should pay for the bandwidth coming in? Just like who should pay for SMS? I didn't choose to have an SMS plan [well ok, by signing up I did, but they don't have non-SMS plans]. So if som
Re:Null routes? (Score:2, Informative)
Re:Null routes? (Score:4, Informative)
Zombie software is usually smart enough to be set on a target domain name, not ip address. Once your hostname starts resolving to a new ip the zombies will attack the new target. If you change to a completely different domain you'll have to announce it to your customers - and the attacker will likely pick it up on the same channel.
Pay up (Score:5, Funny)
Send money, or else. (Score:3, Funny)
Re:Send money, or else. (Score:5, Interesting)
They invariably open the browser and attempt to open the site.
It's natural human instinct: they open it, say "Yup, it's still down" and either click refresh a few times, or close it.
Watching how slash/fark folks handle flooding a site is similar.
How long... (Score:5, Funny)
If only it were that simple.
Re:How long... (Score:5, Funny)
While fantasizing about vigilantism is entertaining, it really is not a good idea, just because of the lack of control.... to-wit:
I think this should illustrate the potential for abuse. HAND
Re:How long... (Score:5, Funny)
Re:How long... (Score:2)
Re:How long... (Score:2, Funny)
Yes, and I've thought of doing more than that. I wonder how the cracking community would respond if one of their members, such as the Russian guy mentioned in this article, were slowly tortured on a video that was then distributed over the net. I think if you were to take one of these guys and cut his fingers off with a pair of bolt cutters, and then burn his eyes out with a torch, and then deafen him by pl
Re:How long... (Score:5, Funny)
Re:How long... (Score:2, Funny)
But good idea though. I can video tape it and we solve two problems. 1. We get rid of hacks/spam. 2. We profit on the videos!
Sidenote: Wasn't there a video clip with some guy getting his buddy to hit him in the face with a keyboard?
Not all attacks can be blocked. (Score:5, Funny)
Re: (Score:2, Insightful)
Re:Not all attacks can be blocked. (Score:4, Informative)
I know my web browser sets the referrer URL to that of the site I'm going to, and I suspect many other people do the same thing. It prevents blacklisting based on referrer, and it has the side benefit of allowing hotlinking from Geocities and other cheap hosting.
Re:Not all attacks can be blocked. (Score:2)
Bugzilla does
Re:Not all attacks can be blocked. (Score:2)
There you go. Now nothing can drive up the load on my web server.
DOS Blackmail (Score:5, Funny)
was that MS-DOS TRS-DOS, or Apple DOS?
Re: (Score:3, Funny)
They get rather annoying... (Score:5, Interesting)
I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...
Re:They get rather annoying... (Score:2, Interesting)
Re:They get rather annoying... (Score:2)
Well, I started there back before we had Internet email. "Why do I have to change my email from bitnet to that new-fangled Internet thingey?" And the students were the biggest problem. There weren't any connections to the dorms, but I'd get on Gopher or Lynx
Viruses (Score:2)
Re:They get rather annoying... (Score:5, Interesting)
Filtering on your router doesn't work, because it's usually your pipe that's overloaded. (Though schools often have huge pipes.) Having your provider filter can be effective, but not all attacks are easy to filter. Buying more bandwidth and faster routers is usually effective -- I'm sure you won't mind your tuition going up to cover the costs? Turning off the campus resnet completely would probably be effective ...
You got any better ideas?
No, I don't work for your school's CIS. But I certainly understand their position.
The Other-Other Operation (Score:5, Funny)
Honestly, that's what I thought when I read "extortion" and "online gaming."
Why not? (Score:2)
well (Score:2, Insightful)
Prolexic Technologies (Score:3, Informative)
Re: (Score:2)
DDOS and 2nd and 3rd world countries (Score:5, Interesting)
I don't have the link anymore, but MSNBC did a writeup on my mother, whom some Russian jerkoffs tried to extort. They basically got her with a phish page; we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would do this and that; then, when that didn't work, they sent messages *BEGGING* for us to send them $150, claiming they were poor and destitute and it was nothing to us.
exactly (Score:3, Informative)
Re:exactly (Score:2, Insightful)
Re:exactly (Score:2)
Nigerian criminals justify their scams today because of slavery hundreds of years ago, or because it's ok to rip off Christians because "they're persecuting Muslims".
and that if we *WANTED* to we could solve the problems of their country easily (not true), and it is only because we are too selfish (half true) and too busy with our luxury to n
random figures stated as fact - film at 11... (Score:5, Informative)
Pull your head out of your ass and check before you state a wild guess as a fact:
"The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."
So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source [smh.com.au].
You don't have anything to do with elections in Florida by any chance?
cLive ;-)
Re:random figures stated as fact - film at 11... (Score:2)
So the question is: (Score:2)
Who the Cyber-Godfathers are?
IP Spoof Filtering... (Score:5, Interesting)
It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACLs on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IPs they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.
Apparently this is such a Herculean effort, however, that no ISPs I know of do this consistently. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.
Maybe if these sorts of extortion schemes happen enough, proper pressure can be brought to bear on the ISPs to do this.
Re:IP Spoof Filtering... (Score:3, Insightful)
Re:IP Spoof Filtering... (Score:2)
A lot of attacks come from completely legitimate sources. Some malware reads the local subnet address and subnet mask and spoofs from that range, revealing the origin of the packets. Other attacks are higher up in the protocol stack and require (among other things) a complete TCP handshake, so spoofing is no longer poss
Re: (Score:2)
Re:IP Spoof Filtering... (Score:2)
We watch the incoming traffic. If we see X number of hits over Y period (usually 5 seconds) we drop all the traffic from them for a 1/2 hour. After a half hour, if they're still sending, they get put on a 24hr block list.
What you could do is write a program that would do this on a Linux box that would have an out-of-band connection to the router at the head of the network and configure the ACLs to drop the IP at that level. Granted this isn't going to get any of your bandwidth back, bu
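The two-stage scheme this comment describes (X hits in Y seconds, a half-hour drop, then a 24-hour list if the source is still sending), written out as an added example; it is not code from the poster. The threshold of 20 hits, the sample log lines and the addresses are constructed, and "still sending" is interpreted as resuming within one window of the first block expiring.

```python
"""Two-stage rate-based blocking of abusive sources.

Constructed example: only the 5 s window, the half-hour drop and the
24 h list come from the comment; the threshold and traffic are assumed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0      # Y: the observation window ("usually 5 seconds")
THRESHOLD_HITS = 20       # X: hits tolerated per window (assumed value)
SHORT_BLOCK = 30 * 60     # first offence: drop everything for half an hour
LONG_BLOCK = 24 * 3600    # still sending when that expires: 24-hour list


class RateBlocker:
    """Per-source sliding-window counter with escalating block durations."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD_HITS):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)     # src -> timestamps inside the window
        self.blocked_until = {}            # src -> expiry of the active block
        self.offences = defaultdict(int)   # src -> blocks issued so far

    def observe(self, src, ts):
        """Decide 'allow' or 'drop' for one request from src at time ts."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"                # active block: silently dropped
            del self.blocked_until[src]
            # "After a half hour, if they're still sending": a source that
            # resumes within one window of its first block expiring is
            # treated as a persistent flooder and moved to the 24 h list.
            if self.offences[src] == 1 and ts - expiry <= self.window:
                self._block(src, ts, LONG_BLOCK)
                return "drop"
        recent = self.hits[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget hits older than Y seconds
        if len(recent) > self.threshold:
            self._block(src, ts, SHORT_BLOCK)
            return "drop"
        return "allow"

    def _block(self, src, ts, duration):
        self.offences[src] += 1
        self.blocked_until[src] = ts + duration
        self.hits[src].clear()


def replay(log_lines, blocker=None):
    """Feed 'timestamp src method path' lines through the blocker in time order.

    Returns {src: (allowed, dropped)} so the outcome can be inspected.
    """
    blocker = blocker if blocker is not None else RateBlocker()
    counts = defaultdict(lambda: [0, 0])
    for line in sorted(log_lines, key=lambda l: float(l.split()[0])):
        ts, src = line.split()[:2]
        verdict = blocker.observe(src, float(ts))
        counts[src][0 if verdict == "allow" else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed traffic: one flooder (25 hits in 2.4 s, then retries after the
# half-hour block) and one normal visitor. Addresses are documentation ranges.
SAMPLE_LOG = (
    [f"{i / 10:.1f} 203.0.113.7 GET /game/lobby" for i in range(25)]
    + ["1803.0 203.0.113.7 GET /game/lobby",     # resumes right after the block
       "5000.0 203.0.113.7 GET /game/lobby"]     # now inside the 24 h block
    + [f"{t}.0 198.51.100.5 GET /game/lobby" for t in (0, 1, 2)]
)

if __name__ == "__main__":
    for src, (allowed, dropped) in replay(SAMPLE_LOG).items():
        print(f"{src}: allowed={allowed} dropped={dropped}")
```

As the comment notes, this only protects the server's CPU and connection table; the dropped packets still arrive on the link, so the real win is pushing the resulting block list up to the router or the ISP.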
Re:IP Spoof Filtering... (Score:2)
Re:IP Spoof Filtering... (Score:2)
interface foo
ip verify unicast source reachable-via any allow-self-ping
Also, like others have said, zombies usually don't spoof.
Not knowledgeable on topic but... (Score:3)
That should realistically mean that whilst you might lose the site for half an hour you shouldn't be losing it for days at a time. Anything like this exist? I would have thought that the bigger gambling sites would be all over it by now.
Re:Not knowledgeable on topic but... (Score:3, Informative)
Re:Not knowledgeable on topic but... (Score:4, Informative)
Firewalls sometimes deal with connection overload by proxying the TCP three-way handshake and only allowing the completed handshakes through to the end server. Under attack, however, the firewalls themselves can have these connection queues saturated and then they begin selectively dropping a percentage of the connection requests. Since it can't tell valid from hostile, real users experience connectivity issues.
For UDP-based protocols, used by many real-time online games, there's simply no way to stem the flood other than drop packets above a certain threshold, also causing a partial DOS for valid users.
All of these measures also cannot address the bandwidth consumption issue. This can *only* be addressed upstream.
With IP spoof protection in place at end points where hostiles live, or at gateways to foreign networks, we can at least keep attackers to real IPs that we can then isolate and prosecute.
Re:Not knowledgeable on topic but... (Score:4, Funny)
Re:Not knowledgeable on topic but... (Score:2)
Once upon a time (when I was an IRC user), I used to run a little forum in which people could post random stupid IRC quotes. Apparently someone got so mad about one of the quotes that they decided to hit me to death, so they distributed a worm which would simply resolve my domain and send me really huge fragmented UDP packets whose effect blocked my whole inbound traffic. I repeatedly asked my ISP to apply some QoS and lower the priority of that t
Clarify (Score:5, Informative)
You can call gambling "gaming" in the offline world, but not the online -- "online gaming" is already taken
Re:Clarify (Score:2)
Sounds like he learned a lot while in IRC... (Score:2, Interesting)
But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.
"Pay us and we'll save you from DDoS". Where have I heard that before?
I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?
Re:Sounds like he learned a lot while in IRC... (Score:2, Insightful)
How is it a protection racket?
Comparing a security company which helps defend against DDOS attacks to the DDOS attackers themselves is like comparing a security guard whom you hire to guard your business to the local gang who shake you down for "fire insurance".
Yes, both are getting paid to prevent harm to your livelihood. But the DDOS attackers and the gang are the ones threatening that livelihood i
Re:Sounds like he learned a lot while in IRC... (Score:3, Informative)
Sounds pretty much like standard capitalism to me... perhaps you're one of those people who thinks that everything should be free.
In short, yes, you are the only one who thinks it's hypocritical.
This is the reason why we can't get world peace. (Score:5, Insightful)
Re:This is the reason why we can't get world peace. (Score:4, Informative)
Re:This is the reason why we can't get world peace. (Score:3, Interesting)
Yes, but instead of being held in the town square we'll set up a webcam and webcast it around the world.
Time for a 'retrovirus' ? (Score:5, Interesting)
It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).
At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyway (can't afford anti-virus software or are running pirated versions of Windows that they can't patch).
The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something upstream), and implement blocking at that end. But that's talking expensive hardware...
Re:Time for a 'retrovirus' ? (Score:5, Interesting)
Instead of polluting the net even more with "retrovirus" traffic, this would be a surgical strike, although timing would be critical. I assume they shift IRC servers and channels fairly frequently, and the IRC servers might be well hardened.
Re:Time for a 'retrovirus' ? (Score:2)
Not so nice, but you'll find users learn their lessons when some asshole deletes their operating system / personal files.
I'm not a very good network admin (Score:5, Interesting)
My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"
I like to respond, "Nothing."
But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?
I would suggest the standard network security tips - close off any ports that aren't needed, etc --
I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.
I would suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.
I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.
I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.
Is there any way to win?
Is there any way I can tell my boss something other than "nothing?"
Save me Slashdot! Pleeeeease!?
Re:I'm not a very good network admin (Score:3, Interesting)
Strange game, The only way to win is to not play.
Re:I'm not a very good network admin (Score:2)
The only effective prevention tool that I know of is available from a company called Arbor Networks [arbor.net]. Unfortunately, the tools are very expensive and not really applicable for the indiv
Re:I'm not a very good network admin (Score:2)
Re:I'm not a very good network admin (Score:2)
Re:I'm not a very good network admin (Score:2)
That's not to say it is the easiest solution. It will take massive effort on the part of every geek out there.
*warning; hippy-esque feel good plan follows*
What we really need to do (yeah us techies) is to educate users that their home computer is probably doing bad stuff without their knowledge. Then we show them how to stop it, or offer to help them clean up their machines.
All users. Not just the ones we are "responsi
Re:I'm not a very good network admin (Score:2, Funny)
"Start a grassroots campaign!"
That'll get me promoted, no doubt.
Re:I'm not a very good network admin (Score:2)
Then after that meeting suggest to your boss that he could investigate taking out an insurance policy to cover business losses while your ISP filters traffic.
Matt.
Re:4 things to do... bad to good order (Score:2)
Why not just block the method of communication? (Score:2)
This can be done on the ISP level, or at a personal level by blocking ports or what have you - or even by DDoS'ing known IRC servers themselves (a taste of their own meds?).
Just a thought
Re:Why not just block the method of communication? (Score:5, Insightful)
To attack IRC servers just because that's the place where the bots go is asinine and illegal. Some servers have 5000+ users on them, and the people who own/run those servers have enough problems as it is dealing with attacks from packet monkeys.
How would you like it if I DDoS'd your server because one of your users sent out spam? You'd probably be screaming bloody murder to the FBI about it.
Unless you are willing to allow other people to do the same things you want to do to them at the exact same levels, don't even suggest that attacks are a way of dealing with a problem.
Money laundering services (Score:5, Informative)
Another is WebMoney [wmtransfer.com], mentioned on the spammer board SpamForum.biz [spamforum.biz]. It's an anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.
There are a number of services like this. They come and go. There's Gold-Cash [gold-cash.biz], in Latvia. There's EvoCash [evocash.com], at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association [gdcaonline.org], which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.
Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.
DDoS Heart Attack (Score:2, Interesting)
It could be a Denial of Denial of Service Attack, or DoDos. I confess I might be simplifying the issue too much.
In this case, you'd have to:
1. Identify a DDoS is in progress.
2. Pick one of the zombie IP addresses.
3. Identify the type of DDoS it is performing,
Null routing vs intelligent DDoS defense (Score:5, Informative)
Basically they look for anomalies like the rate of traffic hitting a specific site, then they start to look for patterns in the traffic (source IP, packet size, packet interval, page requested, etc.). From there the detection boxes inform a second machine that "scrubs" the traffic, in other words drops all nefarious stuff. Some of these guys sit inline (inline = the packets must physically pass through them as light/electricity) or sit off the path, but send BGP Updates to the routers passing these packets. The BGP Update technique is interesting because it allows the normal routers to send traffic destined to the IP under attack through the scrubber, because the router has a very specific route to that machine, while the rest of the subnet is routed normally. Anyone familiar with BGP knows that you advertise the biggest supernet possible (/20,
I'm sure some products use null routing at the end of this process, but it isn't some geek sitting at a keyboard typing in IPs. It's intelligent automation (at least one product actually checks to see if its remedy fixed the problem, and if it didn't it undoes the fix). I can tell you for a fact that AT&T is deploying a bunch of these attack mitigators (Riverhead - now part of Cisco) in their routing core.
As for writing an Apache module or taking steps on the actual target web site
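Both the loose reverse-path check in the "ip verify unicast source reachable-via any" config quoted earlier and the BGP-Update diversion described above come down to one longest-prefix lookup, so this added example models both on one small forwarding table. It is not code from any router or product; the prefixes, next hops and interface names are constructed, and whether a default route counts as "reachable" for the uRPF check is made a parameter (assumed off by default).

```python
"""Longest-prefix routing behind two points in this thread: the loose
reverse-path check and the scrubber that announces a host route via BGP
so that only the attacked IP is diverted.

Constructed example: prefixes, next hops and interface names are assumed.
"""
import ipaddress


class Fib:
    """Minimal forwarding table where the longest matching prefix wins."""

    def __init__(self):
        self.routes = []   # entries of (network, next_hop, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def withdraw(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, address, ignore_default=False):
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes
                   if addr in r[0] and not (ignore_default and r[0].prefixlen == 0)]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def loose_urpf_ok(fib, src, allow_default=False):
    """'reachable-via any' (loose mode): the source must be covered by some
    route that is not a discard (Null0) route. Whether the default route
    counts is a parameter here; off is the assumed default."""
    route = fib.lookup(src, ignore_default=not allow_default)
    return route is not None and route[2] != "Null0"


def egress_interface(fib, dst):
    route = fib.lookup(dst)
    return route[2] if route else None


def build_fib():
    fib = Fib()
    fib.add("0.0.0.0/0", "192.0.2.1", "Upstream")           # default route
    fib.add("198.51.100.0/24", "198.51.100.254", "Hosting")  # subnet holding the target
    fib.add("10.0.0.0/8", None, "Null0")                     # discard route
    return fib


def divert_to_scrubber(fib, victim_ip, scrubber_hop):
    """Model the off-path detector's BGP Update: a /32 for the attacked host.
    Longest-prefix match sends only that host's traffic to the scrubber;
    the rest of the subnet keeps its normal path."""
    fib.add(f"{victim_ip}/32", scrubber_hop, "Scrubber")


def restore(fib, victim_ip):
    """Withdraw the host route once the attack subsides."""
    fib.withdraw(f"{victim_ip}/32")


if __name__ == "__main__":
    fib = build_fib()
    print("before:", egress_interface(fib, "198.51.100.10"))     # Hosting
    divert_to_scrubber(fib, "198.51.100.10", "203.0.113.2")
    print("victim:", egress_interface(fib, "198.51.100.10"))     # Scrubber
    print("neighbour:", egress_interface(fib, "198.51.100.11"))  # Hosting
    print("uRPF unrouted src:", loose_urpf_ok(fib, "203.0.113.77"))  # False
```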
Solution (Score:2, Interesting)
2) Exploit zombie using the same exploit used to 'zombify' it in the first place.
3) Patch zombie machine.
4) Repeat.
Is this feasible?
Re:Solution (Score:2)
Bah! (Score:2, Funny)
<h4ckrr> gimme opz or i fl00d u!
<Daishi> no
*h4ckrr has quit (Ping timeout)
My Regime... (Score:4, Funny)
First license would be free if you can pass the multiple-choice test. If it's revoked, you have to take a class and pay $50 to have it reinstated. Reasons for revocation would include, among other things, having your system compromised and used to attack other systems. That'd take care of all those zombie systems in one easy step. Having your Internet license revoked more than three times would be grounds for revoking your breeding license (Which will have somewhat more stringent entry requirements to begin with.)
Other countries which my regime has not yet assimilated will not be left out. They can either adopt my policies or have their traffic signed by a generic key when it enters my country. Of course, if the generic key gets revoked, everyone using it will be out of luck...
Re:My Regime... (Score:5, Funny)
I intend to make this country profitable by selling the right to watch the country on television to countries like Russia and China. This effectively combines their dislike of Americans with their youths addiction to our media.
Just kidding.
Re:My Regime... (Score:2)
Anyway, like I said, the first license would be free. And hell, if you can prove that you practised good security (Did routine updates, didn't run Outlook, etc) and STILL got pwned, well then we'd even consider waiving the fe
How about an RBL? (Score:3)
Cutting an infected machine off from the net entirely isn't such a bad option... having an infected machine spewing out spam and DDOS is similar to an HIV patient in a bordello...
It's kind of ironic... (Score:3, Insightful)
The debate touches on more subjects than we could possibly cover here, but experts are claiming that SCO could have taken countless preventative measures to stop the attack affecting their services.
(see here [itvibe.com])
Groklaw had a bunch of "experts" claiming it was easily stopped, as well, and suggested it was faked by SCO.
The truth is, as people here have pointed out, that it really doesn't matter what preventative action you take; if your pipe is full, your pipe is full, even if you drop all the packets when they hit your routers.
You can't easily beat a bandwidth saturating attack.
-Dan
Authorize.Net is getting HAMMERED (Score:3, Interesting)
Re:Authorize.Net is getting HAMMERED (Score:4, Interesting)
Rush Limbaugh Coordinates Denial of Service Attack (Score:3, Informative)
Transcripts from Rush Limbaugh's own Web site from his show confirm that he coordinated a Denial of Service attack on a third party's Web site. This is a crime punishable by up to 5-10 years incarceration, according to one source[1]. The victim of this attack has elected to not seek legal compensation, but that does not make the attack any less illegal.
Rush Limbaugh, September 28, 2004:[2] "Let's shut this website down, folks. Shall we? [...] I don't often suggest this kind of thing, but this could be fun here. [...] And, you know, we've shut down the server, folks. That's why you can't get through. Don't tell me the address is wrong, that's what happens when you ask about five million people to go to the same website at once, you shut it down, that was the objective here. We want them to get all excited and say wow, our website is taking off. Essentially in the computer world what we've created here is a DOS, a denial of service attack, so many people trying to get in at one time."
Rush Limbaugh, September 30, 2004:[3] "And so when I heard about this I thought we'd have a little fun with it. [...] I said, 'Let's go shut 'em down, folks,' meaning not put 'em out of business, but let's just flood them with activity knowing full well that that's always gonna happen when I give a web address here and suggest people go look at it. There are simply too many millions of people here, and this is obviously a small website. Shut it down for awhile."
[1] http://www.seifried.org/security/network/20020305
[2] http://www.rushlimbaugh.com/home/daily/site_09280
[3] http://www.rushlimbaugh.com/home/daily/site_09300
Weird 0wn3d computers! Wonder what they run. (Score:2)
Alas, the article doesn't give you a clue about what OS these mysterious PCs are running. They are easily 0wnable, they are trojaned and zombified to deat
Re:Worldpay and Paypal, that hurt bad (Score:5, Insightful)
Re:Worldpay and Paypal, that hurt bad (Score:2)
It is insightful. Why? Because it gives insight into the stupidity of businesses that have Internet connections. Having worked in telecom for a while, one invariably finds people that pay the cheapest amount for a home DSL account, then call in wanting thousands because they accidentally shut off their rout
Re:Easy Solution (Score:2, Insightful)