Gangs Extort Companies With DDoS Attacks
Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"
For /.?
I mean if their software facilitates this type of extortion shouldn't they be held accountable?
The gangs can *TRY* to extort money, but in the long run, it would be cheaper to hire consultants or better administrators. This will have the effect of IMPROVING security worldwide. Thanks European gangs!
So now there's an internet mafia.
So who's the god father? I vote Al Gore.
Oh wait, that isn't working so well right now, so they might have seen his example.
What's the difference between this and SCO? They both basically blackmail the companies and jam them up... Are we going to give in to SCO?
Funny thing is, with the old mobsters, paying protection money to mob A would stop mob B from doing the same.
What's to stop another DDoS group from doing the same?
As the movies teach, never pay the protection money.
Nah, a new financing model for SCO.
It is not our abilities that show what we truly are... it is our choices.
Slashdot does this every day, for free. Accidentally, even.
And what is the difference between this and security companies that extort protection money out of us to protect us from vulnerabilities that they research and publish? eEye, anyone?
One kid reported, 'If the demand comes in for $4-5, compared to the losses they're suffering, there's an attraction for the wimps to pay and hope it goes away. But there's nothing to say it will go away.'
when we could just hold kids for ransom?
The original generic sig.
Perhaps they should sue MS instead?
After all, this is most likely from zombie networks enabled by MS's complete refusal to pay heed to even the basest of security issues for home PCs.
That is, pay upgrade protection against loss of functionality? "Nice joint you got here. Be a shame if something were to happen to it."
I bet it's those damn Jets! They're always trying to stick it to the Sharks.
How are you going to keep them down on the farm once they've seen Karl Hungus?
If a small country contains a source of DDOS attacks, wouldn't it make sense for whoever is upstream to pull their plug? Perhaps the corporate-controlled US government will eventually use threats of sanctions/conquest to bring this about...
Ah, good for organized crime, they're keeping up with the times.
Reminds me of the movie "Analyze That", where they're talking about how they need to get with the times, and discussed getting a website.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
submit your story to slashdot
Firstly, I'm surprised it took this long for something like this to happen. Though I suspect it's been happening for a while. Organized crime has always been ready to utilize new technology in the pursuit of money / power.
Secondly, how is this different from some company installing spyware/nagware that's not uninstallable and then sending you email asking you to pay 20 bucks for a utility that'll "remove" their piece of software?
Yes Francis, the world has gone crazy.
More like Gayngs if you ask me.
topreacher@signature.slashdot.org 1% rm -rf sig
I've never understood why operations like this are so hard to track down. If you give them $40,000, that creates a financial paper trail that is traceable! The same thing with spam: if it is illegal spam and they ask you for money, at some point the money has to go somewhere. Why do the feds have such a hard time connecting the dots on cases like this? I'm sure there is something I'm missing, so someone please inform me.
SCO.com uses Linux
...the Financial Times reported that it had received a DDoS attack from all those /. readers accessing their site. The Financial Times has responded by offering $50,000 protection money to /. ....
HAHAHAHAhahahahaAAAAAAhahaha
Let the GAMES begin!
For $50,000 a year, sounds like a decent wage for anyone who's currently unemployed. Why not just hire a good whitehat instead of caving in to blackhat demands?
Now they're offering business models to organized crime...does anyone really think illegal gambling even thought it was losing money to online gambling until the RIAA started screaming about piracy?
Now there's irony...
You gotta wonder if M$ is taking its piece of the action?
I'm shocked something like this is only coming up now. It's probably happened in the past, and we haven't heard about it, but really, these companies are GIGANTIC targets, with deep pockets, and the attackers are not two sleazy toughs with baseball bats, but skilled(?) crackers, who can remain anonymous, and protect themselves from the law enforcement efforts provided to those with deep pockets. Still though, they run the risk of bringing the law down on DDoS'ers the world over. SPEWS etc. are being DDoS'd and don't have the financial backing to bring the law into it; if law enforcement tracks these guys down, they may extend into anyone doing DDoSes like this. And finally, we could just blame everything on the spammers.
Surely this is a violation of their IP in regards to extorting money using online means!
Someone you trust is one of us.
So how do you protect yourself from a DDOS attack? Are there any closed-source or open-source products that can do it? I've seen "network appliances" that claim to protect you, but I haven't read any reviews.
...is named Mick Deats. Anyone else see that previous Slashdot article on how wrods aer lgebile eevn wneh letters are transposed? To Mr. Deats...I'm so sorry.
I guess this is a new Microsoft Subscription Service :)
Do they use paypal?
What you see happening is what will cause more restrictions on freedom in an attempt to control illegal activity.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
... is patent DDoSs, then extort, er... I mean, charge licensing fees, to anyone invoking a DDoS against a site. I mean, isn't that what US patents are good for these days?
It exposes companies to blackmail? I wonder what they're finding? The corporate ethics grey area steps in to cloud the issue ...
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
cuz bloods kill
www.lac0san0stra.com. Omerta-Online.com. SlashStabShootThrottle-dot.org. net f o
www.sicialiand00ds.net
www
www.e-Bottomofthe-Bay.org
www
www.hotbotta-bing
cor.leo.ne
www.SleepswiththeBabelFishes.org
www.We-Hack-and-We-Whack.com
www.Go-Go-Gotti.in
Organized crime has always been ready to utilize new technology in the pursuit of money / power.
that it's organized crime we're talking about? Of course, if you call 15-25 teens looking for the easy big money and thinking that in their country they'll never be found, yes, you're right.
Seriously, I don't recall a DDoS attack done by a major person. Does anyone have a counter-example?
1. No sig. 2. ???? 3. Profit!!!
Basically, there's nothing you can do (in a technological fashion) about it. Only thing that you can do is hunt them down and sue them; which is not that simple in a global environment.
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
Fifteen years ago all the cool kids would make fun of me and call me a computer geek and never pick me for the baseball team and stuff. Now all the cool geeks are going off forming gangs and taking down servers and I'm still left out! I can't figure this world out...
I doubt the gangs ask for cash to be left in a briefcase in the park. I assume they use PayPal, wire transfer, money order to a PO, etc. Anytime electronic money moves it can be traced to the receiver. Just report them to their local police.
DDoS attacks require a *lot* of hacked computers. Usually Microsoft OSes with low security settings.
It annoys me that MS's bad approach to security is now threatening businesses worldwide on two levels, first by exposing their own computers and then by exposing them to distributed attacks by the general populace. Even businesses that didn't have a single MS system in use are affected by one company's half-@$$ed security practices.
Not trying to troll, just making a genuine point. If consumer computers were security-locked by default, DDoS attacks would be infinitely more difficult to pull off.
The primary targets appear to be gambling sites.
Why is it that whenever the mob is involved, their first targets are gambling sites? Next thing it will be online porn and pharmaceuticals.
Karma Whoring for Fun and Profit.
He went to the University of Oklahoma. There aren't too many things he knows, like how to sign his name. Never mind what a DDOS attack is.
I for one, welcome our new packet-wielding Overlords....
(and stuff).
Seriously...
When are eCommerce and all these other jagoffs going to get tired of Tha Intarw3b so that us geeks can have it back? O_o
do() || do_not();
I wonder to what extent this is largely invention. I find it hard to believe this is remotely widespread.
They could get paid not to post an article because it would otherwise bring a server to its knees. This happens because so many people read Slashdot and click on the article link at the same time. Most website servers weren't made to handle this kind of sudden increase in traffic. This can result in a Direct Denial of System attack. So if companies know what's good for them and don't want a DDoS denial attack they should pay up!
Heheheheheheh.
Or it is as bad as some greedy lady and her lawyers lying in court to get $$$$ from McDonald's just because the lady chose to spill hot coffee on her lap.
Once you check the facts, this is a textbook example of why we need tort reform, and jail terms for those who dare to bring such frivolous lawsuits to the court room.
McFact #1) McDonald's sold millions of cups of coffee. Only a few hundred complainers thought it was too hot.
McFact #2) After McDonald's was forced by this lawsuit to make their coffee cold, customer complaints about the coffee went way up (of course, it was now cold)
McFact #3) The most important one: she spilled the coffee, not McDonald's. Come on people, if you dump coffee in your own crotch, it is your own fault!
...to pay the 40 grand to a hitman who will fly to Eastern Europe and put a bullet in the heads of the DDoS gang members. Problem solved for everyone, and permanently.
Heck, my weekend's free. My suitcase is right here. Anybody got $40,000?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
It's pretty hard to receive payment in a manner that is untraceable. How are they mitigating that?
I am stupefied... someone has finally found the ????? in the business plan. Amazing...
1. Buy computers
2. Blackmail companies for $40k or DDoS them
3. Profit!
Str8Dog
using System.Darkside; public
By facilitating the distributed bit.
Well, there's a lot of suspicion that spammers are DDoSing some of the blacklist sites. It's not been proven, but if it's true, it's the counter-example you are looking for.
"Detective Superintendent Mick Deats"
Maybe I should go outside more...
But, I could have sworn I read the name different...
So we know that the DDoSes happen, and that they are real pain. There is not much the law can do, especially if the source is in another country. In this case, I ask the question, what can companies do, technologically to deal with the problem? Also, how can you tell the difference between being Slashdotted (some metacrawlers have the same effect) and being DDoSed?
Jumpstart the tartan drive.
You figure, if you could get a company to deny all traffic from a specific country... maybe they'd be more willing to hire domestic folks. Or, even better, threaten to ruin companies if they offshore.
1. find a company with high volume cheap transactions (amazon? ebay?) or someone you do not like, like Bill's Ole SmallishSofty 2. organize an army of eastern european hackers 3. ddos 4. blackmail 5. PROOOOFFFIIIITTTT!!!!!!!!!
from the article... "Detective Superintendent Mick Deats"
As if I didn't have this intense, general hatred towards Eastern Europe already because of uncontrolled spamming, this happens...
.ro
My question is: wtf is wrong with these people? Is the drinking water contaminated there or something? Or is braindeaded-ness running rampant?
You know who you are
Slashdot is the best at DDoS attacks.
All you gotta do is sneak a really good article onto their server. Report this mind blowing article to Slashdot and before you know it, the servers are down for days.
Slashdot is the DDoS attacker's dream.
which they transfer to one of the 100's of stolen credit card numbers they have, which they then go off and use to buy something very expensive (in person).
As a side note, I know a network security company who got hit with one of these, end result? The FBI and the local (eastern european) police arrested and are trying the hackers in question.
When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.
-jon
Cigani! Juris!
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
...but it involves Guido and Nunzio tracking down the extortionists and hitting them with baseball bats.
"Coming from Eastern Europe you say?" says Special Agent Buttbreath. "Too bad, so sad." You then make a call to your anti-extortion squad and they go to work for you.
Of course, this will take research for the going rates in the country that the threats are coming from; if they want you to pay $10,000, you do $10,001 of bodily damage to them--it doesn't have to be on one person, spread it around to their families--kick their cats. Let them know that they're playing in the big leagues. If the authorities are unwilling, or unable, to do something about this, then it's time for vigilantes to step up. Sure, you'll occasionally start a war with the real Russian Mafia, but those are the chances you take when you get that MBA, my friends.
This post was only halfway flippant. Thugs need to find out that there are consequences to their actions, even if that action is hitting enter on a keyboard.
I donno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. It's on a 1.5/256 DSL line. Maybe it could be because we don't load our pages down with tons of crap, and don't depend on SQL databases to do our main content.
:)
*shrug*
Or it could be that we just know how to run our server really well
Brielle
For the outsourcing some companies have been doing. You let some Ukrainian company design software for integral parts of your organisation's business and later get screwed by some thugs blackmailing you, well, this is one of those cases where maybe you should have paid a little more to hire domestic programmers who come from a less thugocratic society.
Saving a buck has its limits!
"Pay me $40.000 by Monday or I'll get your site posted on Slashdot!"
How come blackhats never seem to figure out that they are destroying the very thing (Internet) that they are using for personal gain?
What does it take to instill a little cause-and-effect knowledge?
I too once had a dark side on the Internet and it didn't take me very long to realize "Hey, I like this huge source of information and facility of communication... I think I'll quit polluting it."
Those who destroy the very thing they are causing the destruction with are kicking their own ass.
Wake up and respect yourself and the things you find so useful.
This is what hit Worldpay a few days ago where their system was just flooded with bogus orders. Not a traditional DDOS but still just as effective. more details
Rus
Cheap UK and US VPS
And this is different from Microsoft's "embrace, extend, and necessitate upgrade" policy how, exactly?
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
For some time I've pondered the ways to stop DDoS.
Couldn't you write a program that scans each incoming packet and keeps statistics? Won't DDoS packets come far more frequently from a given source?
Is there a way to avoid spoofed packets by making sure you can reply to the source first? Shouldn't current protocols be designed to avoid spoofing? Or is it more fundamental (e.g. spoofing must be solved at a lower layer in the networking model)?
Where are the machines these attacks originate from located? Can't we get their ISPs to get rid of them, or ban ISPs that are known to be bad?
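An added sketch (not from the thread) of the per-source statistics the comment above asks about, run over constructed (timestamp, source) records; the window, thresholds and labels are assumptions. It also shows the limit that the spoofing question points at: when every packet carries a different source address, per-source counting flags nothing and only the aggregate picture changes.

```python
from collections import Counter, deque

WINDOW = 10.0          # seconds of history kept (assumed value)
PER_SRC_LIMIT = 100    # packets per source per window (assumed value)
TOTAL_LIMIT = 500      # packets from all sources per window (assumed value)


def analyze(events, window=WINDOW, per_src_limit=PER_SRC_LIMIT):
    """Slide a time window over (timestamp, source) records sorted by time.

    Returns the sources that exceeded per_src_limit inside one window,
    plus a snapshot of the busiest window seen.
    """
    recent = deque()      # records currently inside the window
    counts = Counter()    # packets per source inside the window
    flagged = set()
    peak = {"total": 0, "sources": 0, "singletons": 0}
    for ts, src in events:
        # Evict records that have fallen out of the window.
        while recent and recent[0][0] <= ts - window:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        recent.append((ts, src))
        counts[src] += 1
        if counts[src] > per_src_limit:
            flagged.add(src)
        if len(recent) > peak["total"]:
            peak = {
                "total": len(recent),
                "sources": len(counts),
                "singletons": sum(1 for c in counts.values() if c == 1),
            }
    return {"flagged": flagged, "peak": peak}


def classify(report, total_limit=TOTAL_LIMIT):
    """Heuristic labels (assumptions of this example, not a standard)."""
    peak = report["peak"]
    if report["flagged"]:
        return "heavy-sources"        # a few addresses send far too much
    if peak["total"] > total_limit:
        if peak["singletons"] / peak["sources"] > 0.9:
            return "one-packet-sources"   # consistent with spoofed sources
        return "broad-load"           # many sources, each behaving modestly
    return "normal"


# --- Constructed traffic, not captured data ---------------------------------
def flash_crowd():
    # 300 distinct readers, 3 requests each, all inside one window.
    ev = [(r * 3.0 + i * 0.01, f"10.0.{i // 256}.{i % 256}")
          for i in range(300) for r in range(3)]
    return sorted(ev)


def heavy_sources():
    # 5 sources sending 400 packets each, plus 20 quiet background sources.
    ev = [(k * 0.025 + s * 0.001, f"192.0.2.{s}")
          for s in range(1, 6) for k in range(400)]
    ev += [(k * 5.0 + b * 0.1, f"198.51.100.{b}")
           for b in range(20) for k in range(2)]
    return sorted(ev)


def spoofed_flood():
    # 2000 packets, every one with a different (forged) source address.
    return [(i * 0.005, f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}")
            for i in range(2000)]


if __name__ == "__main__":
    for name, gen in [("flash crowd", flash_crowd),
                      ("heavy sources", heavy_sources),
                      ("spoofed flood", spoofed_flood)]:
        rep = analyze(gen())
        print(name, classify(rep), sorted(rep["flagged"]), rep["peak"])
```

Per-source counting only catches the second case; telling the first from the third needs other signals, such as whether the source completes a handshake, which is what the "reply to the source first" question is getting at.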
1) shut off the internet.
2) disinfect and patch EVERY COMPUTER in the WORLD.
3) profit?
windows, linux, bsd... everything has had security holes in it. there are, unfortunately, MANY zombie machines that simply never get patched. heck, i'll wager there are some with incorrect dates that still have some of those historical worms running on them.
there are thousands and thousands of zombie machines, and it only takes a handful of packets to trigger them.. and some of those machines are on massive huge pipes.
do what some US universities did -- simply shut off access to -everyone- until they either patch their machine or sign a waiver.
To quote Wheel of Time: "Have to clear rubble before you can build"
Ignorance is not an excuse. Find the zombie machines and punish their owners.
The solution is simple.
Never Pay.
Kidnapping only became a business because people paid.
Of course it is not funny for someone who gets their relatives kidnapped or their networks DOS'ed.
Is someone sad because their relatives are kidnapped? That kidnapping would never have happened if the kidnappers hadn't gotten any money in the first place.
It CAN end here tonight.
It's not like Gang A can stop Gang B from DDoS attacking a network.. This is not the slums where they can have hired henchmen beat anyone else trying to inch into their area.
You pay gang A to go away.. a month later gang B hits you.. You complain to gang A.. They tell you its not them.. You pay gang B.. a month later gang C hits you.. WASH and Repeat till your company is broke
Personal Website
Holy crap, you stole the crap out of my name!
--- What
We need mandatory egress filtering for every ISP, and also we need standards for upstream filtering.
Cigani! Juris!: Gypsies! Attack!
Too funny. Get the money!
Speaking as a systems security consultant, I cannot disagree. But keep in mind that using that logic we'll have to thank burglars for door and windows security improvements, while in fact those improvements are only needed to keep our homes safe from those very same burglars in the first place. They are not part of the solution, but part of the problem, as Bruce Schneier would say.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
What company has a website that makes in excess of $40,000-$50,000 a year? Excluding eBay and Amazon maybe.
...the targets need not be large companies with high-profile Websites. My small (5 person) company is just now recovering from a DDOS attack against the DNS server used by our ISP; as of yesterday evening, they were getting repeated hits from at least 15,000 zombies. Our email and our Website were completely inaccessible for about 24 hours, and many other DNS customers will have suffered similarly. Various changes in server IP address etc. seem to have fixed the problem for now. The advice from the DNS server people is to use at least two independent DNS services in future. It must hurt to have to tell customers, in effect, to do business with your competitors to ensure service.
It pays to know what you're talking about.
McReality #1) That coffee was 185 degrees fahrenheit. Over 700 people complained about it.
McReality #2) You can still get a hot cup of coffee at McDonald's
McReality #3) McDonald's sold her a dangerous product. If I buy a phone that explodes when dropped, should the company be liable for damages if I drop it?
--
the strongest word is still the word "free"
It should be "Gangs extort money from companies..."
Duh.
hire consultants or better administrators...
:)
I say hire some bad ass psycho punk to hunt those h4x0rs down and give 'em a full load... maybe hit them with old routers, stick 'em fingers on powersources, or better than all, use those printers that can print on stone and wood to tattoo those fuckers "I've been ddosed" on the forehead!!
Ok... I'm much more calm now
$5 / month hosted VPS on linux = awesome!
Thanks for the irrelevant link. Their first "source" was a crooked organization of those who get rich from lying in the courtroom during frivolous lawsuits.
"McReality #1) That coffee was 185 degrees fahrenheit. Over 700 people complained about it."
Already dealt with. 700 out of many millions.
"McReality #2) You can still get a hot cup of coffee at McDonald's"
Except now you have far too many complaints that it is cold than you used to have complaints it was hot. The frivolous lawsuit has prevented McDonald's from selling the coffee the customers want.
"McReality #3) McDonald's sold her a dangerous product. "
That is a McFiction of yours. If only 700 out of millions had a problem, it is clearly safe.
"If I buy a phone that explodes when dropped, should the company be liable for damages if I drop it?"
Invalid example. A more valid one is "If I buy a phone that hurts me if I smash myself over the head with it, should the company be liable?".
Of course not. Nor should a company be liable to such frivolous lawsuits because someone spills hot coffee into her crotch instead of drinking it. Anything can be dangerous if you CHOOSE TO DO SOMETHING IDIOTIC with it.
Be a shame if something happened to it.
You just don't muck around with businesses like gambling and expect to get away with it. Once their identities are discovered, they'll be pushing up daisies.
What SpamHaus did, use this
Not to be a naysayer, but the entire page load for SOSDG was under 3k. I suppose there is a lesson to be learned from that, but I imagine there are cases when people actually want to put more than 3k of streamlined content on their pages. Maybe people who want to use graphics...
I wasn't intentionally sarcastic, but I didn't delete it once I reread it, because it's true - Not everyone wants to make 3k text web pages.
Not to say that you didn't do a nice job on your webpage, but the problem of surviving a slashdotting is less trivial than just 'running your server well.'
More than a dozen offshore gambling sites serving the US market were hit by the so-called Distributed Denial of Service attacks and extortion demands in September and the tactic is now spreading. Sites have been asked to pay up to $50,000 to ensure they are free from attacks for a year.
Offshore gambling sites? Almost as if one gang who run the casinos are being hit by other gangs. I wonder who the Cyber-Godfathers are?
Ruby on Rails Screencast
$10K, maybe. $40K, and I'd rather hire a private investigator to bust the guy. The less scrupulous might hire a "private investigator" to make sure the guy ends up in the hospital. Even if it's international, $40K should cover it.
Cheers
-b
If I wanted a sig I would have filled in that stupid box.
An analogy might be... if I left a gun unattended just by my front door, and a would-be murderer pushed my door open and took it, maybe I would share some small part of the responsibility for his future crimes. I'd certainly feel some sense of guilt...
If Joe's getting stung, he's going to shout at his vendor -> his vendor is going to shout at his manufacturer -> his manufacturer is going to shout at the people who set up his OS, and left in lots of vulnerabilities in there along with an insecure default setup. At the very least, Joe is going to make sure he tells all of his Joe pals not to leave their machines with always on connections and no security patches.
I know Joe is a victim too, but maybe we need to be a little more pragmatic about how we can reduce the growing problem of DDoS attacks. Individual Joes are a lot easier to track down and scare than the Russian mob.
I donno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. It's on a 1.5/256 DSL line.
Of course, it didn't even cough. It's only serving 256 Kbps of bandwidth! A Pentium 75 running Apache can saturate a 10 Mbps network with static page requests and never hit a high load average!
I mean, for static requests, the code in Apache might as well be:
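$fp = fopen($sourcefile, 'r');           // open the requested static file
$stdout = fopen('php://output', 'w');    // stream the response is written to
while (($chunk = fgets($fp, 1024)) !== false) {
    fwrite($stdout, $chunk);             // copy it out, up to 1 KB at a time
}
fclose($fp);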
At which point the *only* bottleneck is I/O.
The question is really: How many people never saw your website due to the anemic bandwidth?
Answer that, and then you have something to say.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I suspect there are many more companies than the number that are listed in the article that are experiencing this type of extortion. For example the DNS service (primary and backup) we use, (Worldwidedns.net) went down yesterday morning from a DDOS. And are still not back up to speed yet, (check out the note at the top of their home page). Our company is spread out over several states and we use a web based database for all transactions. We were effectively shut down all day. I edited the hosts file of the machines in my local office to reflect the IP address of our servers so at least we could conduct some business. I did add another DNS service to our domains as a backup, but the fact that we operate across several domains the delay for the WHOIS updates to propagate down the system means that we still are not fully operational yet. There is no legal punishment that would satisfy my anger toward the lowlifes that perpetrate this type of crime.
It's probably because people don't RTFA.
Not everything is analogous to cars. Car analogies rarely work.
2 stories ago someone said that people should release hacks into the wild so as to avoid being CnD'd based on the DMCA, well how quickly things move here at slashdot.
Keep up the good work underground mafia lords, keep up the good work. Soon DMCA will give way to online security analysts and my future will be stable in the patching business.
=)
md5sum
d41d8cd98f00b204e9800998ecf8427e
So that linked article was quite relevant. The fact that you don't agree with it doesn't change that.
Finally, spilling coffee is something that is likely to happen accidentally, bashing oneself upside the head with a phone is not. It's not as if this lady decided "hey, what the hell? I think I'll just dump this scalding hot coffee into my lap!"
--
the strongest word is still the word "free"
"But there's nothing to say it will go away."
Make them sign a contract hahahaha
Trolls don't like to be Flamebait, because they burn so well. Protect our Troll heritage!
The Melior iSecure Technology, currently applied to dDoS & Penetration Testing Defense,
:)
* Detects and defends against (distributed) Denial-of-Service attacks (dDoS)
o bandwidth flooding attacks
o network attacks
o low/medium/high-bandwidth application-level attacks
o works against known and unknown attack tools
* Cloaks your networks & systems against attackers
* Works "on the wire" (thus: In Line Scanner - ILS)
+ as stand-alone version (ISP/Carrier deployment)
+ as modular TIPS version (enterprise/site deployment)
* Works in real time (6 nanoseconds to 6 milliseconds)
* Works to full bandwidth capacity (currently: 100 Mbit/s, 400 Mbit/s, or 1Gigabit/s)
* Cannot be detected, addressed, or compromised (no MAC or IP address)
* Does not require configuration to be effective and works instantly
against DoS/dDoS attacks ("plug & protect") - optional administration
- no baselining / QoS setting
- no signatures
- no "learning curve" for traffic pattern matching
* Foundation layer of security ---
protects and enhances the effectiveness of IDS and firewalls
* Complements existing infrastructure - no reconfiguration necessary
* Built for very large, large, medium, and small enterprise deployment
SpamHaus is using it. Check out their site
p.s.: I don't work for them
I've had a sneaky suspicion for a while that this is exactly how a number of self-proclaimed "security consultants" get their business: run an exploit or DoS attack on a target, then volunteer to make the system "immune" to future attacks.
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
I'm picturing some pimped-faced geek in servitude getting bitch slapped by his pimp for being slow with the SYN flood.
How do these guys expect to collect the money without being caught? You need to show up in person to accept cash (or at least show up at a drop point) and large transfers can be tracked... Can't they? So how do they collect?
"Maybe it could be because we don't load our pages down with tons of crap, and don't depend on SQL databases to do our main content. :)"
*shrug*
Or it could be that we just know how to run our server really well
Like a no-cycling sign to a cyclist...
Would an IPv6 internet make it more difficult for these kind of DDoS attacks to come about?
A good whitehat wouldn't be able to do much against thousands of incoming packets from randomly forged IP addresses, but is it (as) possible to do this if every computer had a direct connection via an IPv6 address to the internet?
Sure, my arguments make sense if there is no money involved. However, if I stand to earn a few hundred thousands by lying in the courtroom in order to get the ladder company to cough up $10 million because some clumsy oaf stumbled off the top of a ladder and busted his pinkie, you might find me lying with the best of 'em.
Someone set us up the Gang!
So in other words, if someone finds a threat, and helps you fix it, they shouldn't be paid? They should keep it secret and hopefully nobody will find it? Get real. If you have to make a living and you are doing security research, shouldn't you be paid for it, if you have a solution? Who cares if YOU found the problem, you didn't create it.
This is Clinton's fault. He and Gore first invented the internet to try and get the economy rolling but of course it exploded in their face when no one bought anything on the superhighway of bankruptcies. Now it's just a criminal realm used by software, music, and movie pirates and other criminal extortionists. Now thanks to George Bush a fine upstanding man, we now have the DCMA to protect us from the thieves and thugs. Bush knows that shutting down free thought and the internet will put an end to the madness. Clinton and his band of traitorous thieves can go crawl back under that commie rock of theirs.
"So that linked article was quite relevant. The fact that you don't agree with it doesn't change that"
No, it wasn't relevant since I had already specifically dismissed the false claims in the parent item.
"185 degrees is too hot. There's really no debating that. "
No, it's not. There is really no debating that it is not too hot at all. The ones who will debate you are most McDonald's coffee drinkers. Or all but 0.000018% of them.
"If something causes third degree burns necessitating a skin graft, it's clearly not safe."
See the telephone example. It's safe unless you go out of your way to abuse it. If your false claim were true, you'd have millions of 3rd degree burn cases. Instead the reality is that it was safe: hardly anyone at all consuming this coffee at this supposedly high heat had any problem at all.
Safe, indeed: it has been estimated that they sell 1,000,000 cups per DAY. And they get 700 burn complaints over many years. Probably from twits who pour it onto their genitalia.
Now, excuse me, I'm going to go sue Apple because an iMac can kill if dropped from a 2 story window.
It is also true that an iPod can present a choking hazard. That criminally negligent company.
" Clearly you are missing the point"
I get the points, and understand that they have no validity.
"The number of people who filed complaint with corporate McDonalds does not mean only 700 people were burned."
Yes, it does. There is only evidence that something happened if there is evidence that it happened. Don't go and try to improve your case by referring to imaginary made-up situations.
"The point isn't how many people. The point is the coffee burned this 79 year old lady so bad,"
The number of people have everything to do with it. How is it that many millions are happily able to drink the coffee but a mere 700 have a problem.... and the one you mention actually was POURING IT INTO HER CROTCH. The problem is not the coffee, clearly: it is the people.
"She only initially requested $20,000, but McD's refused so she took them to court."
That was exactly $20,000 more than she deserved. She made an outrageous demand, and then filed an utterly frivolous lawsuit when the company laughed at her greed.
"Why not get yourself a pot of boiling coffee and dump it in your lap before you post again AC explaining how it is not "too hot"."
Why not? Because it would be stupid and 100% my own fault. However, unlike that lady, I have some sense of right and wrong and will not get greedy and try to get rich by making people who had nothing to do with my own stupidity give me money for it.
We need tort reform, so people who make frivolous lawsuits like that lady go to jail.
Your mare would never DDoS you!
(at worst, when she's not in mood, she could issue a classic "Denial of Service"/" Access Denied" by lowering her tail)
"Why not get yourself a pot of boiling coffee and dump it in your lap before you post again AC explaining how it is not "too hot"."
Nice sneaky little lie there, but your arguments are peppered with lies.
This argument has to do with 185-degree coffee. Now you are equating it with "boiling coffee", which is actually above 212 degrees: a hefty difference of 28 degrees! With your latest argument, you've actually made the coffee almost 30 degrees hotter than it actually was! But what do the facts matter to you, you've got a case to make.
Off topic, but if you reckon the cigarette makers aren't liable, why blame heroin dealers? Is your reasoning that companies should be immune from suits related to products because the buyer shouldn't have bought them?
As some of you have correctly pointed out, it's not a security issue for the target site, however it is still a security issue. The security problem lies with the ping zombie machines that are being operated by these gangs (or just about anyone who knows where to find a collection of compromised machines). There really needs to be more cooperation between ISPs worldwide, and their upstream providers. It will be expensive in terms of time (especially for big ISPs), but what needs to happen is that ping flood victims need to contact their upstream providers, and those providers need to collect data about the sources of the attacks. The ISPs hosting the zombie machines need to disable the accounts associated with the tainted computers.
It's an ugly, sloppy way to do it, but it may be the most effective way. Ultimately, it's up to the user to properly configure his machine, whether he does it himself, or pays someone to do it. My biggest fear would be that half of the Internet-connected population of computers are compromised, in which case shutting down those accounts would create a massive consumer backlash and probably lawsuits. In that case, let's discuss building an Internet for non-stupid people.
At any rate, ISPs are going to have to take a more active role here, because I certainly don't want to see the Internet Terrorism Act follow up the Patriot Act and the DMCA.
Fred
"A fool and his freedom are soon parted"
-RMS
No, I'm pissed. These sorts of frivolous lawsuits happen all the time, and need to stop.
Never at a loss for words... because of the voices.
XBox Live..
Old gangs running the "protection" racket could actually offer protection for a price, by ensuring the exclusivity of their turf, and freedom from other gangs for those in it. That's how the tax/police model works, theoretically offering the taxed a chance to choose the Boss by voting. But these Eastern European "gangs" can't guarantee exclusive control of their turf (the Internet). By the same token, neither can the police. Where will the equilibrium coalesce? Or have we swept over the edge of chaos, into the abyss?
--
make install -not war
Hope that some of the trojan'd computers are behind Belkin routers. This way, Belkin gets DDOS'd
That is the best website bizmodel I've ever seen. "Superscriptions" to distractingly powerful websites! It's like the Alka-Seltzer company giving away Free Beer (TM).
--
make install -not war
This is despicable. DDoS attacks come from the scum of the earth, and they should be treated as such.
ISPs should start taking care of this, or we should track down and arrest anyone who even tries to DDoS a network. Treat them as adults, even if they're L33T H4X0R 13 year old brats.
Browse at -1, because trolls are often the most creative part of
As long as cigarettes are legal, I think it's silly to bring legal action against the manufacturers, cigarettes are bad for you and as far as I know, everyone is familiar with this. As soon as cigarettes are outlawed, then if someone wants to keep distributing them, then sue away. I think if anyone wanted to sue Microsoft for having security holes, they'd have to take a long hard look at themselves first and think about the consequences. Such action would have strong merit however if you could point to a vulnerability that Microsoft intentionally introduced or refused to fix, such as a backdoor. There are a lot of injustices in the world, but it's important to pick your battles carefully. Today it's people using windows exploits to DDOS vulnerable sites, tomorrow it might be a bug in sendmail or bind doing the same thing.
The solution is obvious; just patent "Extortion by the web!" Now the crooks will have to pay you!
One man's -1 Flamebait is another man's +5 Funny.
Oy. You can tell I'm a slashdot noob because that totally stripped all my line breaks, like I'm an illiterate boob or something.
I work for a sportsbook/casino and we've been triggered...and had to pay....like many of the big ones in the market.
It's about time these guys get caught!
Karma: Very Very Very Very Bad
Software development companies already carry liability insurance, paid out of their revenue. The economics depend on the value of entire industry's products exceeding the loss due to defects. The SW revenue must also include the insurance operating expenses and profit. So there's nothing to stop Red Hat, or you, from offering a warranty of liability, compensating a user for proven losses. It would be interesting to see insurance companies contracting systems analysts as claims examiners.
This all leads to insured code signatures, and host firewalls with insurance "policies". Kind of like an evolved "membrane" of insurance wrapping "nuclei" of code, separating the LAN "cytoplasm" from the Inter(cellular)net(fluid). Only the secure survive, when Code Lives!
--
make install -not war
Thank you.
I will now have that music playing through my head for the rest of the day.
Don't suppose you kiddies out there know what I'm talking about.
Another Nathalie, no grits.
If you don't want to repeat the past, stop living in it.
Old gangs running the "protection" racket could actually offer protection for a price, by ensuring the exclusivity of their turf, and freedom from other gangs for those in it. That's how the tax/police model works, theoretically offering the taxed a chance to choose the Boss by voting. But these Eastern European "gangs" can't guarantee exclusive control of their turf (the Internet). By the same token, neither can the police. Where will the equilibrium coalesce? Or have we swept over the edge of chaos, into the abyss?
Quite true, and well said.
-kgj
Companies would even hire a rival Yakuza group to protect them from the one making threats.
Mobsters doing ddos is just a high-tech example of an age-old practice.
Some more info: article
Reading Slashdot is ruining my spelling and grammar.
Seriously, what I want to see now is somebody to track down one of these "gangs" and then hire goons to break into where they live, destroy their computer equipment and bust their heads open. I know that probably sets a bad precedent, but I think it would be a great deterrent. "Cyber-gangs" might feel bold wreaking havoc from the safe end of a wire, but I expect that like most geeks they would be highly uncomfortable with the possibility of real violence upon themselves.
The main difficult case is end-users who have multiple ISP connections and may send packets out their ISP2 connection with their ISP1 address, but even that's manageable.
Routers have traditionally not been very good at doing this kind of filtering, at least without burning large amounts of CPU because it's not implemented in the ASICs, but there's been increasing support recently. For ISPs using Cisco routers, the common approach is uRPF reverse packet filtering, which drops packets with a Source IP address that the router doesn't have a valid route for. Typically on end-user connections you run it in strict mode (which drops it if there isn't a route using the interface that the packet came from), and in the middle or peering edges of the network you'd run loose mode, which drops it if there isn't _some_ route known to the router.
Some ISPs implement this, including one of the largest in the US (Disclaimer: my employer hasn't authorized me to give a shameless plug here, so I won't name them) and most ISPs are at least pretty good about filtering BGP route announcements to only permit addresses that the customer actually owns. That's not universal, and it's sometimes harder to validate ownership than you'd expect, so there's a certain amount of IP address space hijacking, typically of space where the original owners are a dead.com so they're not around to complain when somebody forges a request to one of the registries.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
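The strict and loose uRPF checks described in the comment above, worked through as an added example; it is not part of the original post and not any router vendor's code. The routing table, interface names and packets are constructed for illustration, and the router is assumed to hold no default route.

```python
import ipaddress

# Constructed forwarding table for one ISP edge router (assumption, not from
# the thread). Prefixes are RFC 5737 documentation ranges; interface names
# are hypothetical. There is deliberately no default route.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "cust-a"),       # single-homed customer A
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),    # customer B's block from this ISP
    (ipaddress.ip_network("203.0.113.0/24"), "peer-isp1"),  # another ISP's space, via peering
]


def best_route(src):
    """Longest-prefix match for a source address; None if no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [route for route in FIB if addr in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen, default=None)


def urpf_permits(src, in_if, mode):
    """Return True if a packet with source `src` arriving on `in_if` passes.

    loose:  some route to the source must exist, on any interface.
    strict: the route to the source must point back out the arrival interface.
    """
    route = best_route(src)
    if route is None:
        return False              # both modes drop unroutable sources
    if mode == "loose":
        return True
    if mode == "strict":
        return route[1] == in_if
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets: (label, source address, arrival interface).
PACKETS = [
    ("legit customer A", "192.0.2.10", "cust-a"),
    # Customer B is multihomed and sends out this link with its ISP1 address:
    # the "difficult case" mentioned in the comment.
    ("multihomed B, ISP1 address", "203.0.113.7", "cust-b"),
    ("spoofed, unroutable source", "10.9.8.7", "cust-a"),
    # Forged source that belongs to another customer of the same ISP.
    ("spoofed as customer B", "198.51.100.5", "cust-a"),
]


def evaluate():
    """Map each packet label to (passes strict, passes loose)."""
    return {
        label: (urpf_permits(src, in_if, "strict"),
                urpf_permits(src, in_if, "loose"))
        for label, src, in_if in PACKETS
    }


if __name__ == "__main__":
    print(f"{'packet':30} {'strict':7} loose")
    for label, (strict, loose) in evaluate().items():
        print(f"{label:30} {'pass' if strict else 'drop':7} "
              f"{'pass' if loose else 'drop'}")
```

Strict mode on the customer edge stops both forged packets but also drops the multihomed customer's legitimate traffic, while loose mode only removes sources the router has no route for at all.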
> I can't see it being very difficult to keep a buffer of source IPs and a counter at the router level and stop things that way-- How many systems are used in a DDOS attack? Even a few thousand shouldn't be difficult to spot, flag, and then drop.
The zombies involved in a properly designed DDOS attack will spoof IP addresses. Any given machine will send packets flagged for a wide array of IP addresses, but not the same one(s) over and over again. Since it's very hard to tell until you try to respond to it whether a request is spoofed, you have to respond to all of them to have any chance to respond to legitimate requests. Because they're coming in so fast, most servers simply can't keep up, and so a legitimate user's requests just get lost in a sea of invalid requests. Blocking traffic by IP address would be entirely ineffective at stopping such an attack, because the zombie doesn't use a particular IP address enough, and even if you did block one, it'd still be bombing you on several thousand other addresses. And that's just one machine.
Virg
Back in the late '80's and early 90's, right after Holland basically declared there was no such thing as computer crime against any computer connected to the internet, there were a few more or less well known crackers who wound up in an alley with a bullet in the head. There were rumors that they had been severely annoying some large corporations controlled by some other corporations owned by some folks with a lot of vowels in their last names, and that with formal resolution of their grievances out of the question they had resorted to informal methods which were quite effective in dealing with the problem.
This suggests they had best be careful who they lean on.
Why not? It's all about the Benjamins, after all. Get a hustle and stick with it.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
but most sites aren't able to withstand those costs
Do they cost more than $50,000/yr?
Better investment than selling out to internet terrorists.
...shame if something were to "happen" to it...
And the title of your one sucked ASS.
Paying off extortion rackets is cheaper than the alternatives, yeah ... IF there's only ONE, and IF it's a one-shot deal, and IF it weren't like painting a big red target on your company. Not so cheap when you've paid off 30 or 40 of them, all of which will be back next year to collect another installment, in growing droves as word gets around about who's willing to pay 'em off.
"Once you pay the danegeld, you never get rid of the Dane." -- British proverb (ca. 800 A.D.)
~REZ~ #43301. Who'd fake being me anyway?
oh of course, I'm not arguing for it. I was only curious about how anyone here has dealt with slashdotting without having to be geographically load balanced, or distributed across multiple-connections.
There have been 3 different online magazines I have worked where we have survived a slashdotting, but that was about 2 years ago. I assume that these days the amount of traffic is even larger.
Assume that you're the maker of a popular brand of cars. You're very successful and there are millions of these cars all over the places. There are problems with it, and you have issued recalls. Many times. Most users are just happy with their cars and never bothered.
Now, your cars have a curious problem: if a jerk points a finger at someone's home and yells "Shazam!", all the parked cars around just start and bee-line to this home. Soon, they crash into the walls, splash into the pool, and make the home unlivable.
Granted, these jerks are criminals. And you, the car maker, issued several recalls. But it's really not that hard to point a finger and yell "Shazam!". Lots of bored kids do it. And a lot of car owners don't even know what a recall is. So this problem happens frequently.
Now, don't you think the owners of the devastated homes might want to drag you to court?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
The old protection racket has gone digital. I, for one, would love it if we could just give anyone found guilty of being involved in this sort of extortion a lobotomy. Why must people be so driven by greed that they do something so heinous? These folks are on my list just below spammers who retain the top position for volcano diving when I rule the world.
Un-news
Simply, the ISPs should take responsibility for traffic leaving their networks onto the Internet. All spoofed traffic could quite simply be avoided by ALL ISP Internet routers doing the simple task of not forwarding packets with source IPs that don't match the network they come from. Yes it increases CPU usage on each router, but it's a highly effective way of preventing IP spoofing. The real question is why haven't those clever sods at the ISPs done this already? Wishful
From the linked article:
I work for a UK-based online advertising company and one of our clients has had first hand experience of this. They paid up.
Protecting the business of offshore gambling sites is not the number one priority of most law enforcement agencies.
I have been on the security consulting end of at least 4 of these over the past 12 months. The issue with many of the targets is that they can't use Akamai or a co-lo site because their businesses are illegal in many countries (i.e. no online gambling in the USA.) So the database and transaction servers must be located in their own country.
Here's my solution. Co-locate your primary web content, graphics, and other critical services on a high-bandwidth connection in the USA. Use a TopLayer Intrusion Prevention switch to defend the site from traditional and SYN-type attacks. For the back-end database, create either a VPN or PPP tunnel to your actual site in Costa Rica, the Caribbean, or wherever else you are located. The only IP addresses that you advertise will be the ones from the co-lo site - this includes all inbound email, web, DNS, and other traffic. You also want a sniffer at this location that has out-of-band access so you can get to it and create custom router/IDS filters if needed.
The strategy is that if the bad guys can't find your slow (but necessary) offshore connection, they can't launch DoS attacks against anything but your co-lo site.
The only way I can see to beat the problem is to hide from the bad guys. You can't get 3GB of bandwidth in Central America so you are pretty much out of luck if you try to use traditional DoS methods.
...the face of the net.
My response - go right on ahead and do this.
if you're successful we'll just order out some pizza and have an office party until you decide you're bored with us.
If you decide to 'camp on' and stay with us for the long run we'll just redirect our DNS to other locations where we're already mirrored to deal with such an incident. Before you ask - our sites were mirrored at least a year prior to "September 11".
At worst some people will gain some weight (some of whom badly need it anyway) and you won't be attacking someone else.
And i'm sending a white van full of fertilizer after you. They'll learn quick not to fuck with me.
Most ISPs don't know about ingress filtering.
I know, it's sad, but there are a lot of non-technical ISPs out there these days.
Really, to get it out there, it should be mandated. You lose your ASN if you don't do ingress filtering, or something like that.
Service Providers have the key to avoid that kind of attack. But a Worldwide solution is required.
Mechanisms like unicast reverse path forwarding can be used to avoid IP Address Spoofing and Smurf-like attacks.
Take a look at
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d4.html
Network Engineers should understand that kind of tool.
Heroin dealers are selling illegal products, pay no taxes, and do not follow the law.
Trying to pretend they are the same thing makes no sense.
Rate limiting SYN packets is one answer, but you can DDOS someone just with HTTP GETs if you have enough machines. Just ask a recent /. effect victim.
The other thing is to just follow the money. This is where the FBI come in. It is *very* difficult now to make a transfer of more than a few thousand dollars through the banking system anonymously. Ironically, the only way that works are the informal methods used by overseas workers (and Al Qaeda) to send cash home.
See my journal, I write things there
The local law enforcement people aren't that sophisticated. If you have that kind of knowledge, chances are you are working with a reasonable pay check.
See my journal, I write things there
Actually, having work for programmers in these countries keeps them out of trouble. Very few people would *want* to work with the mafya and with that kind of money, they would demand to be involved, whether the programmer likes it or not.
See my journal, I write things there
Sure, it's fashionable to blame those Ukrainians who do better work for less money, anyway.
But in the end, a DDoS attack couldn't care less what software is on your machine. You just have gazillions of packets per second coming your way. Your firewall probably stops them, yes. That software made in Ukraine probably doesn't even see a single one of those packets. Your outgoing pipe may well be 100% free and not answering to those pings.
But your incoming pipe is still stuffed. Your site _could_ send heaps of pages back, but the client's _requests_ are competing for that stuffed inbound pipe. Maybe one of them gets through every minute. Most don't. Your site is out of commission anyway.
So how's software written by domestic programmers going to help you against that?
Now to be mean: you just proved that you have no clue about what you're talking about. Just another bigoted clueless redneck spewing crap like "thugocratic society." Maybe _that_'s why those companies prefer to outsource to skilled Ukrainians or Indians. Beats paying some local bigoted retard who thinks he doesn't really need any skills to earn 150k a year. Unlike you, those "thugocrats" actually know their job.
A polar bear is a cartesian bear after a coordinate transform.
I found one simple solution when I got DDOSed by about 5000 zombies all trying to connect on some high range port, which never connected to my system because of my firewall, but still ate a lot of bandwidth. Actually the attack was rather ineffective other than costing me a couple hundred dollars in bandwidth. I just called my provider and they firewalled the port so the traffic never came down the pipe to my system, and everyone was happy.
Let it go.
The public associates "hacker" with bad. They always have, and they always will. People like you who try to muddy the waters aren't helping.
You're like the feminists who want to eliminate the word "woman" and instead persuade everyone to migrate to "womyn" instead.
Like woodworking? Build your own picture frames.
"You got me there! I'll settle for 185 degree coffee dumped in your lap. Then you can tell me about the facts and the case I'm trying to make."
The fact: if I dump the coffee in my lap, it is my own fault. Case closed.
Hi,
.dot. com..
I was wondering if anyone knew if Yahoo was being DDOSed right now???
It's been up and down all day...
Thanks,
My offlist email is bensch 128 at yahoo
This is to keep spam off my back....
Thanks,
Ben
http://slashdot.org/comments.pl?sid=31337&cid=0&pid=0&startat=&threshold=-1&mode=thread&commentsort=1&op=Change
A few days ago, my nameservers were ddosed into extinction - I had an unhappy day playing with routers and on hold to various tech support departments. The thought springing to my mind is that Vlad the Impaler was also from Eastern Europe. Perhaps a "traditional" approach to this sort of banditry would be helpful. Oh, I'm feeling better already.