Gangs Extort Companies With DDoS Attacks
Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"
No, in this case you would have to sue the internetthingy because it allows all the traffic. Apache, IIS, WebSphere, they all fall to the DDoS attacks.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
which they transfer to one of the hundreds of stolen credit card numbers they have, which they then go off and use to buy something very expensive (in person).
As a side note, I know a network security company that got hit with one of these. End result? The FBI and the local (Eastern European) police arrested and are trying the hackers in question.
When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.
-jon
I dunno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. It's on a 1.5/256 DSL line. Maybe it could be because we don't load our pages down with tons of crap, and don't depend on SQL databases to do our main content.
:)
*shrug*
Or it could be that we just know how to run our server really well
Brielle
Cigani! Juris!: Gypsies! Attack!
Too funny. Get the money!
As reported on their cyber attacks page, Spamhaus.org is using the iSecure product from Melior to block the DDoS from mimail and variants. If iSecure fails and spamhaus.org is unreachable, here's the Google cache.
I was under the assumption that products are available that allow you to block traffic from any IP that sends data over a pre-defined threshold. This block happens automatically when the data limit is reached.
But in a DDoS attack, the traffic is coming from thousands of IPs... even if each one individually trips that threshold, there's no reason a DDoS can't IP-spoof. As a matter of fact most of them do anyway, because it generates three times as many packets if the SYN/ACK handshake protocol fails...
I am disrespectful to dirt! Can you see that I am serious?!
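The two comments above (per-IP thresholds versus a spoofed, widely distributed SYN flood) are worth seeing with numbers. The following is an added example, not code from the thread or from any vendor product; the flow records are constructed, the addresses are documentation ranges, and the thresholds are assumptions. It runs the "block any source over N packets per second" rule beside a per-destination half-open (SYN vs. completed handshake) ratio over the same traffic.

```python
"""
Added example, not from the thread above: why an appliance that blocks any
source IP exceeding a packet threshold misses a spoofed SYN flood, and what
to measure instead.  All flow records here are constructed; no real capture.
"""
from collections import Counter
import random

TARGET = "203.0.113.10"          # the victim site (assumed documentation address)
LEGIT_CLIENT = "198.51.100.7"    # one busy but honest client (assumed)


def build_flows(flood=True, seed=1):
    """Return a list of (second, src_ip, dst_ip, flag) tuples.
    flag is "S" for a SYN and "A" for the final ACK of the handshake."""
    rng = random.Random(seed)
    flows = []
    for sec in range(10):
        # the honest client opens 40 connections/s and completes each handshake
        for _ in range(40):
            flows.append((sec, LEGIT_CLIENT, TARGET, "S"))
            flows.append((sec, LEGIT_CLIENT, TARGET, "A"))
        if flood:
            # 3000 SYN/s, each from a fresh spoofed source; a spoofed source
            # never receives the SYN/ACK, so no final ACK ever arrives
            for _ in range(3000):
                src = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
                flows.append((sec, src, TARGET, "S"))
    return flows


def per_source_threshold(flows, pps_limit=100):
    """Detector 1 (the threshold box): sources sending more than pps_limit
    packets in any one second."""
    per_sec = Counter((sec, src) for sec, src, _dst, _flag in flows)
    return {src for (_sec, src), n in per_sec.items() if n > pps_limit}


def half_open_ratio(flows, syn_floor=500, completion_floor=0.5):
    """Detector 2: per destination and second, SYNs seen versus handshakes
    completed.  Returns {dst: (peak_syn_rate, worst_completion_ratio)} for
    destinations that exceed syn_floor SYN/s while the completion ratio is
    below completion_floor.  Spoofed sources cannot finish the handshake, so
    the ratio collapses even though no single source stands out."""
    syns, acks = Counter(), Counter()
    for sec, _src, dst, flag in flows:
        if flag == "S":
            syns[(sec, dst)] += 1
        elif flag == "A":
            acks[(sec, dst)] += 1
    flagged = {}
    for (sec, dst), s in syns.items():
        ratio = acks[(sec, dst)] / s
        if s >= syn_floor and ratio < completion_floor:
            peak, worst = flagged.get(dst, (0, 1.0))
            flagged[dst] = (max(peak, s), min(worst, ratio))
    return flagged


def distinct_sources(flows):
    """How many source addresses the victim saw; the flood shows ~30000."""
    return len({src for _sec, src, _dst, _flag in flows})


if __name__ == "__main__":
    flows = build_flows()
    print("sources seen:", distinct_sources(flows))
    print("blocked by per-source threshold:", per_source_threshold(flows))
    print("flagged by half-open ratio:", half_open_ratio(flows))
```

With the flood running, the per-source rule blocks nothing (every spoofed source sends about one packet per second), while the same rule with a tighter limit blocks the honest client first. The half-open ratio flags the victim address at roughly 3000 SYN/s with about 1% of handshakes completing, which is the signal an upstream provider can act on; it still does not make the flood's bandwidth go away, which is the point the consultant below makes.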
Commercial rates for security consultants start at $2,000 per day. People in the middle tier charge as much as $5,000. Big name consultants such as Bruce Schneier can name their price.
And the fact is that none of us can do diddly against a DDoS attack, except advise you on how to configure bigger pipes and how to get in touch with ISPs quickly to stop the traffic from their networks.
Occasionally there is a DDoS that has a flawed mode of attack that can be diverted. There have been a couple of attacks against the White House that were like that. They can divert the attacks because they can get top-rank consulting for free in extremis.
Not paying might be cheaper in the long run, but in the long run we are all dead. The answer is not consultants, it is law enforcement and better infrastructure.
For example why exactly does anyone need to send a stream of several thousand SYN packets per second from a home computer to the same IP address for several hours at a time? There is simply no reason why a home machine should need to do that, nor should a home machine be sending millions of DNS requests per second to any machine.
There is a pretty easy fix to DDoS attacks, put intelligence into cable modems and router boxes. Even if there is an option that allows the expert user to turn the checking off the boxes should be shipped in a safe configuration by default and it should not be possible to disable the safety catch without physical access to the modem.
Congress could encourage ISPs to adopt this type of technology by merely suggesting that ISPs be made liable for attacks mounted from their machines.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
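The "safe configuration by default" the comment above asks for on the customer's router is easy to state concretely. The ruleset below is an added example, not from the thread and not any vendor's firmware; it is written for nftables on a Linux-based home gateway, and the interface name `lan0`, the delegated LAN prefix `192.0.2.0/24`, and the rate limits are assumptions chosen for illustration.

```nft
# Added example: egress hygiene a home gateway could ship enabled by default.
# Assumed: LAN on interface lan0, customer prefix 192.0.2.0/24 (documentation range).
table inet cpe_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Anti-spoofing (BCP 38): nothing leaves the LAN with a source
        # address outside the prefix the ISP delegated to this customer.
        # A drone on this LAN can then no longer forge its source address.
        iifname "lan0" ip saddr != 192.0.2.0/24 counter drop

        # No home host needs thousands of new connections per second:
        # cap outbound SYNs (SYN set, ACK clear) per LAN host at 50/s.
        iifname "lan0" tcp flags & (syn | ack) == syn meter syn_per_host { ip saddr limit rate over 50/second } counter drop

        # Same idea for DNS queries, per LAN host.
        iifname "lan0" udp dport 53 meter dns_per_host { ip saddr limit rate over 100/second } counter drop
    }
}
```

Load it with `nft -f` and watch the `counter` values on the drop rules: on a clean LAN they stay near zero, and a host that starts tripping the SYN or DNS limit for minutes at a time is exactly the "home machine that has no reason to do that" the comment describes. The limits only throttle a drone, they do not identify the malware, and the anti-spoofing line does nothing against the well-formed, non-spoofed traffic the next comment raises.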
As far as I can tell, this device blocks traffic on the "local" side of your pipe to your ISP.
This allows the DDoSers to saturate your pipe, thus DDoSing you.
Even if it DOES block all traffic, and magically re-opens your pipe, you're still not safe:
If these "gangs" control thousands, or hundreds of thousands of "drones", there's nothing stopping them from generating "LEGITIMATE" (well-formed; handshake; non-spoofed) traffic on an allowed protocol and saturating your bandwidth, this way. You can put 50,000 null-routes in your ACLs.. your hardware will choke, and the IPs will change, so you'll block legit traffic.
S
I have been on the security consulting end of at least 4 of these over the past 12 months. The issue with many of the targets is that they can't use Akamai or a co-lo site because their businesses are illegal in many countries (i.e. no online gambling in the USA.) So the database and transaction servers must be located in their own country.
Here's my solution. Co-locate your primary web content, graphics, and other critical services on a high-bandwidth connection in the USA. Use a TopLayer Intrusion Prevention switch to defend the site from traditional and SYN-type attacks. For the back-end database, create either a VPN or PPP tunnel to your actual site in Costa Rica, the Caribbean, or wherever else you are located. The only IP addresses that you advertise will be the ones from the co-lo site - this includes all inbound email, web, DNS, and other traffic. You also want a sniffer at this location that has out-of-band access so you can get to it and create custom router/IDS filters if needed.
The strategy is that if the bad guys can't find your slow (but necessary) offshore connection, they can't launch DoS attacks against anything but your co-lo site.
The only way I can see to beat the problem is to hide from the bad guys. You can't get 3GB of bandwidth in Central America so you are pretty much out of luck if you try to use traditional DoS methods.
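The strategy above only works while the offshore address really stays unadvertised, and the usual leaks are a forgotten DNS record, an SPF entry that lists the origin prefix, or a `Received:` header on mail relayed from the back-end. The following is an added example, not from the comment's author: an audit that scans a zone file and outgoing mail headers for anything inside the hidden prefix. The zone, the header, and both prefixes are constructed samples using documentation ranges.

```python
"""
Added example, not from the thread: check that the hidden offshore prefix
never appears in what the public co-lo site hands out (DNS, SPF, mail headers).
All inputs below are constructed samples; prefixes are RFC 5737 ranges.
"""
import ipaddress
import re

HIDDEN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]   # offshore origin (assumed)
COLO_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]      # advertised co-lo (assumed)

# Constructed zone file: the db record and the SPF entry both leak the origin.
SAMPLE_ZONE = """\
example.test.        IN A    203.0.113.10
www.example.test.    IN A    203.0.113.10
example.test.        IN MX 10 mail.example.test.
mail.example.test.   IN A    203.0.113.25
db.example.test.     IN A    198.51.100.5
example.test.        IN TXT  "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all"
"""

# Constructed outbound mail header: the relay at the co-lo is fine, but the
# hop before it names the offshore app server.
SAMPLE_HEADER = """\
Received: from mail.example.test (mail.example.test [203.0.113.25])
\tby mx.other.test with ESMTP; Mon, 1 Dec 2003 10:00:00 +0000
Received: from appserver.internal (unknown [198.51.100.9])
\tby mail.example.test with ESMTP; Mon, 1 Dec 2003 09:59:58 +0000
"""

# dotted quad with an optional /prefix length
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?\b")


def leaks_in(text, hidden=HIDDEN_PREFIXES):
    """Return [(line_no, token)] for every address or CIDR in `text` that
    overlaps a hidden prefix.  A broader CIDR that contains the hidden
    prefix (e.g. a /16 in SPF) counts as a leak too."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in IP_RE.finditer(line):
            try:
                net = ipaddress.ip_network(m.group(0), strict=False)
            except ValueError:
                continue
            if any(net.overlaps(h) for h in hidden):
                found.append((n, m.group(0)))
    return found


def audit(zone=SAMPLE_ZONE, header=SAMPLE_HEADER):
    """Run the check over both artefacts; an empty result means nothing
    advertised points at the offshore site."""
    return {"zone": leaks_in(zone), "mail": leaks_in(header)}


if __name__ == "__main__":
    for source, hits in audit().items():
        for line_no, token in hits:
            print(f"{source}: line {line_no} exposes {token}")
```

Run it against the real zone export and a sample of mail that left the relay; anything it prints is an address the attackers can read off the public record and flood directly, bypassing the co-lo. The fix for the mail case is to strip or rewrite the internal `Received:` hop at the co-lo relay, and for DNS to keep the origin entirely out of the public zone, including SPF.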