Gangs Extort Companies With DDoS Attacks
Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"
For /.?
The gangs can *TRY* to extort money, but in the long run, it would be cheaper to hire consultants or better administrators. This will have the effect of IMPROVING security worldwide. Thanks European gangs!
So now there's an internet mafia.
So who's the god father? I vote Al Gore.
Oh wait, that isn't working so well right now, so they might have seen his example.
I can't believe I just saw an anti-microsoft comment modded down. Holy jesus.
funny thing is with the old mobsters paying protection money to mob A would stop mob B from doing the same.
what's to stop another DDoS group from doing the same?
as the movies teach never pay the protection money
Nah, a new financing model for SCO.
It is not our abilities that show what we truly are... it is our choices.
And what is the difference between this and security companies that extort protection money out of us to protect us from vulnerabilities that they research and publish? Eeye anyone?
One kid reported, 'If the demand comes in for $4-5, compared to the losses they're suffering, there's an attraction for the wimps to pay and hope it goes away. But there's nothing to say it will go away.'
when we could just hold kids for ransom?
The original generic sig.
I bet it's those damn Jets! They're always trying to stick it to the Sharks.
How are you going to keep them down on the farm once they've seen Karl Hungus?
If a small country contains a source of DDOS attacks, wouldn't it make sense for whoever is upstream to pull their plug? Perhaps the corporate-controlled US government will eventually use threats of sanctions/conquest to bring this about...
Ah good for organized crime they keeping up with the times.
Reminds me of the movie "Analyze That", where they're talking about how they need to get with the times, and discuss getting a website.
Firstly, I'm surprised it took this long for something like this to happen, though I suspect it's been happening for a while. Organized crime has always been ready to utilize new technology in the pursuit of money / power.
Secondly, how is this different from some company installing spyware/nagware that's not uninstallable and then sending you email asking you to pay 20 bucks for a utility that'll "remove" their piece of software?
Yes Francis, the world has gone crazy.
topreacher@signature.slashdot.org 1% rm -rf sig
I've never understood why operations like this are so hard to track down. If you give them $40,000 that creates a financial paper trail that is traceable! The same thing with spam: if it is illegal spam and they ask you for money, at some point the money has to go somewhere. Why do the feds have such a hard time connecting the dots on cases like this? I'm sure there is something I'm missing, so someone please inform me.
SCO.com uses Linux
...the Financial Times reported that it had received a DDoS attack from all those /. readers accessing their site. The Financial Times has responded by offering $50,000 protection money to /. ....
Its not MS doing the extortion.
Say Ford made a car and then someone gets into an accident with you. Is Ford to blame that he ran a red light?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
No, in this case you would have to sue the internetthingy because it allows all the traffic. Apache, IIS, WebSphere, they all fall to the DDoS attacks.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
HAHAHAHAhahahahaAAAAAAhahaha
Let the GAMES begin!
I can't believe I'm responding to such an obvious troll.... but...
:-)
How is this like a car that randomly explodes?
This is like a gang threatening to slash your tires. Would the auto company be liable because their tires are not slashproof?
As we know from THIS site, nobody is slashproof!
- For the complete works of Shakespeare: cat
For $50,000 a year, sounds like a decent wage for anyone who's currently unemployed. Why not just hire a good whitehat instead of caving into blackhat demands?
Because you don't own the software you only have licence to use it. Any other way is communism.
Now they're offering business models to organized crime...does anyone really think illegal gambling even thought it was losing money to online gambling until the RIAA started screaming about piracy?
Now there's irony...
I'm shocked something like this is only coming up now. It's probably happened in the past and we haven't heard about it, but really, these companies are GIGANTIC targets with deep pockets, and the attackers are not two sleazy toughs with baseball bats but skilled(?) crackers, who can remain anonymous and protect themselves from the law enforcement efforts provided to those with deep pockets. Still though, they run the risk of bringing the law down on DDoS'ers the world over. SPEWS etc. are being DDoS'd and don't have the financial backing to bring the law into it; if law enforcement tracks these guys down, they may extend into anyone doing DDoS's like this. And finally, we could just blame everything on the spammers.
Maybe, but if a Linux exploit is ever used by some IRC bozos, do you really want legal precedent that says the companies can sue Linus?
Sure, Microsoft is responsible for fixing the bugs, but it's the DDoSers that are committing the actual crime. Blaming Microsoft is ultimately a cop-out, like suing the cigarette manufacturers or video game companies.
It's one thing if you're talking about attacks that are breaking past Microsoft security, but I was under the impression that a DDoS attack involves a whole lot of quick, repeated requests on the server, not a real cracker trying to get through.
In which case, it's more like someone throwing a ton of pebbles at your Pinto's windshield, and suing Ford when eventually it cracks.
Surely this is a violation of their IP in regards to extorting money using online means!
Someone you trust is one of us.
So how do you protect yourself from a DDOS attack? Are there any closed-source or open-source products that can do it? I've seen "network appliances" that claim to protect you, but I haven't read any reviews.
Do they use paypal?
What you see happening is what will cause more restrictions on freedom in an attempt to control illegal activity.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
... is patent DDoSs, then extort, er... I mean, charge licensing fees, to anyone invoking a DDoS against a site. I mean, isn't that what US patents are good for these days?
It exposes companies to blackmail? I wonder what they're finding? The corporate ethics grey area steps in to cloud the issue ...
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
www.lac0san0stra.com. Omerta-Online.com. SlashStabShootThrottle-dot.org.
www.sicialiand00ds.net
www.e-Bottomofthe-Bay.org
www.hotbotta-bing
cor.leo.ne
www.SleepswiththeBabelFishes.org
www.We-Hack-and-We-Whack.com
www.Go-Go-Gotti.in
Organized crime has always been ready to utilize new technology in the persuit of money / Power.
that it's organized crime we're talking about? Of course, if you call 15-25 teens looking for the easy big money and thinking that in their country they'll never be found, yes, you're right.
Seriously, I don't recall a DDoS attack done by a major person. Anyone has a counter-example?
1. No sig. 2. ???? 3. Profit!!!
Basically, there's nothing you can do (in a technological fashion) about it. Only thing that you can do is hunt them down and sue them; which is not that simple in a global environment.
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
Fifteen years ago all the cool kids would make fun of me and call me a computer geek and never pick me for the baseball team and stuff. Now all the cool geeks are going off forming gangs and taking down servers and I'm still left out! I can't figure this world out...
I doubt the gangs ask for cash to be left in a briefcase in the park. I assume they use PayPal, Wire Transfer, Money Order to a PO, etc.. Anytime electronic money moves it can be traced to the receiver. Just report them to their local police.
DDoS attacks require a *lot* of hacked computers. Usually Microsoft OSes with low security settings.
It annoys me that MS's bad approach to security is now threatening businesses worldwide on two levels, first by exposing their own computers and then by exposing them to distributed attacks by the general populace. Even businesses that didn't have a single MS system in use are affected by one company's half-@$$ed security practices.
Not trying to troll, just making a genuine point. If consumer computers were security-locked by default, DDoS attacks would be infinitely more difficult to pull off.
I think a better way of seeing this is as follows:
You buy a Ford car.
Someone tells you to pay $100/year and they won't punch holes through your tires for a year.
Is Ford to blame for selling you a car with tires that could be deflated? Likely no.
The primary targets appear to be gambling sites.
Why is it that whenever the mob is involved, their first targets are gambling sites? Next thing it will be online porn and pharmaceuticals.
Karma Whoring for Fun and Profit.
I for one, welcome our new packet-wielding Overlords....
(and stuff).
Seriously...
When are eCommerce and all these other jagoffs going to get tired of Tha Intarw3b so that us geeks can have it back? O_o
do() || do_not();
I wonder to what extent this is largely invention. I find it hard to believe this is remotely widespread.
...to pay the 40 grand to a hitman who will fly to Eastern Europe and put a bullet in the heads of the DDoS gang members. Problem solved for everyone, and permanently.
Heck, my weekend's free. My suitcase is right here. Anybody got $40,000?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I am stupefied... someone has finally found the ????? in the business plan. Amazing...
1. Buy computers
2. Blackmail companies for $40k or DDoS them
3. Profit!
Str8Dog
using System.Darkside; public
Well, there's a lot of suspicion that spammers are DDoSing some of the blacklist sites. It's not been proven, but if it's true it's the counter-example you are looking for.
Actually, I think a liability that follows the money would actually be a good idea, for the free software community too. Think about it, companies like Red Hat would actually have a real product -- the warranty -- they would sell a warranty that their products are performing as advertised. They would earn more money and need to hire more people to audit code, resulting in more jobs and better code. And since we all know that free software is better than proprietary, well, we would be the winners!
So we know that the DDoSes happen, and that they are a real pain. There is not much the law can do, especially if the source is in another country. In this case, I ask the question: what can companies do, technologically, to deal with the problem? Also, how can you tell the difference between being Slashdotted (some metacrawlers have the same effect) and being DDoSed?
Jumpstart the tartan drive.
You figure, if you could get a company to deny all traffic from a specific country... maybe they'd be more willing to hire domestic folks. Or, even better, threaten to ruin companies if they offshore.
1. Find a company with high volume cheap transactions (Amazon? eBay?) or someone you do not like, like Bill's Ole SmallishSofty
2. Organize an army of Eastern European hackers
3. DDoS
4. Blackmail
5. PROOOOFFFIIIITTTT!!!!!!!!!
This is like a gang threatening to slash your tires. Would the auto company be liable because their tires are not slashproof?
I agree that the poster's analogy was poor, but I think what he was trying to say (or at least the way I see it) is that it's not Microsoft's fault for making a DDOSable OS, but for making an OS that's so easily ownable, and can be used to DDOS other peoples' computers.
So, in your analogy, it would be more like suing a company that sells the "Johnny gangmember tire-slash-o-matic" that allowed the gang to unleash their bitter tire-anny (sorry).
Money I owe, money-iy-ay
...which they transfer to one of the hundreds of stolen credit card numbers they have, which they then go off and use to buy something very expensive (in person).
As a side note, I know a network security company who got hit with one of these, end result? The FBI and the local (eastern european) police arrested and are trying the hackers in question.
When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.
-jon
Cigani! Juris!
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
As an MS user I resent the implication that MS is a "gang" or that the Disk Operating System is software which "attacks" people from eastern europe.
mod parent 5 troll, you gotta hand it to him, he got in fast.
DDOS attacks are usually launched through Windows boxes that have been exploited, for example by worms such as SOBIG.
All's true that is mistrusted
A lot of people seem to misunderstand you..
They think that you're saying that MS is liable because someone can use all your resources (which is ridiculous, of course.)
What I think you're saying is that it's MS that allows the security holes in their software, which allows these gangs to take control of other people's computers and launch the DDoS.
Your analogy is wrong - perhaps a better one might be that an automobile manufacturer makes a car that can be easily stolen (say by jiggling the door handle, and a key is not required to start it). If someone steals this car and drives it through a business's window, should the car manufacturer be liable?
...but it involves Guido and Nunzio tracking down the extortionists and hitting them with baseball bats.
"Coming from Eastern Europe you say?" says Special Agent Buttbreath. "Too bad, so sad." You then make a call to your anti-extortion squad and they go to work for you.
Of course, this will take research into the going rates in the country that the threats are coming from; if they want you to pay $10,000, you do $10,001 of bodily damage to them--it doesn't have to be on one person, spread it around to their families--kick their cats. Let them know that they're playing in the big leagues. If the authorities are unwilling, or unable, to do something about this, then it's time for vigilantes to step up. Sure, you'll occasionally start a war with the real Russian Mafia, but those are the chances you take when you get that MBA, my friends.
This post was only halfway flippant. Thugs need to find out that there are consequences to their actions, even if that action is hitting enter on a keyboard.
I dunno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. It's on a 1.5/256 DSL line. Maybe it could be because we don't load our pages down with tons of crap, and don't depend on SQL databases to do our main content.
:)
*shrug*
Or it could be that we just know how to run our server really well
Brielle
For the outsourcing some companies have been doing. You let some Ukrainian company design software for integral parts of your organisation's business and later get screwed by some thugs blackmailing you, well, this is one of those cases where maybe you should have paid a little more to hire domestic programmers who come from a less thugocratic society.
Saving a buck has its limits!
How come blackhats never seem to figure out that they are destroying the very thing (Internet) that they are using for personal gain?
What does it take to instill a little cause-and-effect knowledge?
I too once had a dark side on the Internet and it didn't take me very long to realize "Hey, I like this huge source of information and facility of communication... I think I'll quit polluting it."
Those who destroy the very thing they are causing the destruction with are kicking their own ass.
Wake up and respect yourself and the things you find so useful.
This is what hit Worldpay a few days ago where their system was just flooded with bogus orders. Not a traditional DDOS but still just as effective. more details
Rus
And this is different from Microsoft's "embrace, extend, and necessitate upgrade" policy how, exactly?
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
For some time I've pondered the ways to stop DDoS.
Couldn't you write a program that scans each incoming packet and keeps statistics. Won't DDoS packets come far more frequently from a given source?
Is there a way to avoid spoofed packets by making sure you can reply to the source first? Shouldn't current protocols be designed to avoid spoofing? Or is it more fundamental (e.g. spoofing must be solved at a lower layer in the networking model)?
Where are the machines these attacks originate from located? Can't we get their ISPs to get rid of them, or ban ISPs that are known to be bad?
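The two questions above (can per-source packet statistics reveal a DDoS, and, from an earlier post, how to tell a Slashdotting from a DDoS) can be answered with a small experiment. The following is an added example, not code from any of the posters or from any product mentioned on this page. Its packet records, address ranges and thresholds are constructed for illustration: three synthetic traffic mixes (a Slashdotting, a small botnet, and a SYN flood with forged sources) are run through the same per-source and per-flag statistics.

```python
from collections import Counter

# A packet record is (src_ip, dst_port, tcp_flags); tcp_flags is a short
# string such as "S" (bare SYN) or "PA" (PSH+ACK on an established flow).
# All sample traffic below is constructed, not captured.

def per_source_counts(packets):
    """Packets per source address: the statistic the post asks about."""
    return Counter(src for src, _port, _flags in packets)

def summarize(packets):
    """The handful of figures an operator would look at first."""
    counts = per_source_counts(packets)
    total = len(packets)
    top_src, top_n = counts.most_common(1)[0]
    syn_only = sum(1 for _src, _port, flags in packets if flags == "S")
    return {
        "total": total,
        "distinct_sources": len(counts),
        "top_source": top_src,
        "top_share": top_n / total,          # fraction sent by the busiest source
        "syn_only_share": syn_only / total,  # fraction of bare SYNs (half-open)
    }

def classify(packets, per_source_limit=0.05, syn_share_limit=0.8):
    """Thresholds are illustrative; a real deployment tunes them to its baseline."""
    s = summarize(packets)
    if s["top_share"] > per_source_limit:
        return "flood from few sources"
    if s["syn_only_share"] > syn_share_limit:
        return "syn flood, sources probably spoofed"
    return "looks like legitimate load"

def make_slashdot(readers=2000):
    """Many distinct sources, each completing a short, well-formed exchange."""
    pkts = []
    for i in range(readers):
        src = f"198.51.{(i >> 8) & 255}.{i & 255}"
        pkts += [(src, 80, "S"), (src, 80, "PA"), (src, 80, "PA")]
    return pkts

def make_botnet(bots=10, per_bot=500):
    """A small set of zombies each hammering the server."""
    return [(f"203.0.113.{b}", 80, "PA") for b in range(bots) for _ in range(per_bot)]

def make_spoofed_syn(n=5000):
    """Every packet a bare SYN from a different, forged source address."""
    return [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 80, "S")
            for i in range(n)]

if __name__ == "__main__":
    for name, pkts in [("slashdotting", make_slashdot()),
                       ("botnet", make_botnet()),
                       ("spoofed syn flood", make_spoofed_syn())]:
        s = summarize(pkts)
        print(f"{name:18s} sources={s['distinct_sources']:5d} "
              f"top_share={s['top_share']:.4f} syn_share={s['syn_only_share']:.2f} "
              f"-> {classify(pkts)}")
```

The per-source count only helps when the attack is concentrated on a few addresses. Once sources are forged (or once the zombies number in the thousands, as in the DNS attack described further down the page), each address contributes a handful of packets and the distribution looks like a popular site; what still separates the two is whether the packets form real conversations (bare SYNs that never complete versus established flows carrying requests). Spoofing itself cannot be detected at the target; it has to be stopped where the packets enter the network, at the sending ISP's edge.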
The solution is simple.
Never Pay.
Kidnapping only became a business because people paid.
Of course it is not funny for someone who gets their relatives kidnapped or their networks DoS'ed.
Is someone sad because their relatives are kidnapped? That kidnapping would never have happened if the kidnappers hadn't gotten any money in the first place.
It CAN end here tonight.
It's not like Gang A can stop Gang B from DDoS attacking a network. This is not the slums, where they can have hired henchmen beat anyone else trying to inch into their area.
You pay gang A to go away. A month later gang B hits you. You complain to gang A. They tell you it's not them. You pay gang B. A month later gang C hits you. Wash and repeat till your company is broke.
Holy crap, you stole the crap out of my name!
--- What
Cigani! Juris!: Gypsies! Attack!
Too funny. Get the money!
Speaking as a systems security consultant, I cannot disagree. But keep in mind that using that logic we'll have to thank burglars for door and windows security improvements, while in fact those improvements are only needed to keep our homes safe from those very same burglars in the first place. They are not part of the solution, but part of the problem, as Bruce Schneier would say.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
That WOULD have solved the problem.
The same is true of spam and open relays, though.
S
...the targets need not be large companies with high-profile Websites. My small (5 person) company is just now recovering from a DDOS attack against the DNS server used by our ISP; as of yesterday evening, they were getting repeated hits from at least 15,000 zombies. Our email and our Website were completely inaccessible for about 24 hours, and many other DNS customers will have suffered similarly. Various changes in server IP address etc. seem to have fixed the problem for now. The advice from the DNS server people is to use at least two independent DNS services in future. It must hurt to have to tell customers, in effect, to do business with your competitors to ensure service.
From what I remember of the story, she sued not because the coffee was spilled, or hot. But that it was so hot it caused 3rd degree burns. 3rd degree burns. Apparently there were over 700 reports of burns from coffee that was over 180 degrees Fahrenheit. Now I'm as much against frivolous lawsuits as the next guy, but come on, coffee is a hot drink, not a burn your flesh in seconds drink.
On the topic's note about the extortion. GOOD. I'm looking forward to a cyberpunk dark future. I'm going to get a gun and fight evil clowns, and hack and use monowire, and get a light tattoo. I hope there is more of this anticorporate stuff.
100% Pure Evil With The Look And Feel Of Wholesome Goodness
It pays to know what you're talking about.
McReality #1) That coffee was 185 degrees fahrenheit. Over 700 people complained about it.
McReality #2) You can still get a hot cup of coffee at McDonald's
McReality #3) McDonald's sold her a dangerous product. If I buy a phone that explodes when dropped, should the company be liable for damages if I drop it?
--
the strongest word is still the word "free"
Maybe I should RTFA, but I don't see the relation with MS in just the above comments.
As for the analogy, I guess it would be more accurate to say that they know that Pintos randomly explode and then use that fact to cause accidents (i.e. leave one on the side of a busy street). Then who is really responsible?
Here we go again!
hire consultants or better administrators...
:)
I say hire some bad-ass psycho punk to hunt those h4x0rs down and give 'em a full load... maybe hit them with old routers, stick 'em fingers on power sources, or better than all, use those printers that can print on stone and wood to tattoo those fuckers "I've been DDoSed" on the forehead!!
Ok... I'm much more calm now
A lot of people seem to be bringing this up, so I'll make a wild guess. However, IANAC (criminal) so I don't really know.
I would start by opening an account in the name of someone whose identity I've stolen. Once the money was placed in that account, I would transfer it through several more, with it eventually ending up in a few accounts which are also under stolen identities. At which point, I would go close out the accounts and leave with my money. I might even have some buddies in other countries collect some of the money from other accounts in their area.
Good luck tracking that money down.
If it was as simple as calling up the bank and saying 'hey who's account is this... cool, thanks, let's go arrest 'em guys', it wouldn't be a problem because they would all be caught.
It's not just that a company directly makes money from their web presence. Many companies provide information at no cost to its consumers (FAQs, knowledge bases, instructions, etc...). The availability of these resources often leads to our purchasing a product.
Another way to look at it...
If a company makes windows without locks, can you sue because your house was so easy to break into? Or better yet, can you sue them because it was so easy to break into your house to rack up long distance charges on your phone? Who the heck was calling Eastern Europe from this number?
You just dont muck around with businesses like gambling and expect to get away with it. Once their identities are discovered, they'll be pushing up daisies.
What SpamHaus did, use this
Not to be a naysayer, but the entire page load for SOSDG was under 3k. I suppose there is a lesson to be learned from that, but I imagine there are cases when people actually want to put more than 3k of streamlined content on their pages. Maybe people who want to use graphics...
I wasn't intentionally sarcastic, but I didn't delete it once I reread it, because it's true - Not everyone wants to make 3k text web pages.
Not to say that you didn't do a nice job on your webpage, but the problem of surviving a slashdotting is less trivial than just 'running your server well.'
Whatever happened to the good old days when entire ISPs got blacklisted when they didn't do their job, and when incorrectly configured mail servers with open relays were blocked as well? Yeah, it sucks to get blacklisted, but it sure does get you to fix the problem, and fast at that.
More than a dozen offshore gambling sites serving the US market were hit by the so-called Distributed Denial of Service attacks and extortion demands in September and the tactic is now spreading. Sites have been asked to pay up to $50,000 to ensure they are free from attacks for a year.
Offshore gambling sites? Almost as if one gang who run the casinos are being hit by other gangs. I wonder who the Cyber-Godfathers are?
$10K, maybe. $40K, and I'd rather hire a private investigator to bust the guy. The less scrupulous might hire a "private investigator" to make sure the guy ends up in the hospital. Even if it's international, $40K should cover it.
Cheers
-b
If I wanted a sig I would have filled in that stupid box.
An analogy might be... if I left a gun unattended just by my front door, and a would-be murderer pushed my door open and took it, maybe I would share some small part of the responsibility for his future crimes. I'd certainly feel some sense of guilt...
If Joe's getting stung, he's going to shout at his vendor -> his vendor is going to shout at his manufacturer -> his manufacturer is going to shout at the people who set up his OS and left lots of vulnerabilities in there along with an insecure default setup. At the very least, Joe is going to make sure he tells all of his Joe pals not to leave their machines with always-on connections and no security patches.
I know Joe is a victim too, but maybe we need to be a little more pragmatic about how we can reduce the growing problem of DDoS attacks. Individual Joes are a lot easier to track down and scare than the Russian mob.
Then when Red Hat gets 95% of users, people start developing exploits for it. Then not only would Red Hat have to pay people for their "warranty" (however that works), but the same kind of suit would be brought against them as the one that took MS down. Then Red Hat goes down.
Not everything is analogous to cars. Car analogies rarely work.
I donno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. Its on a 1.5/256 DSL line.
Of course, it didn't even cough. It's only serving 256 Kbps of bandwidth! A Pentium 75 running Apache can saturate a 10 Mbps network with static page requests and never hit a high load average!
I mean, for static requests, the code in Apache might as well be:
$fp = fopen($sourcefile, 'rb');
if ($fp === false) { exit(1); }
while (!feof($fp)) {
    $chunk = fread($fp, 8192);   // read one block; the only real cost is the disk read
    if ($chunk === '' || fwrite(STDOUT, $chunk) === false) { break; }
}
fclose($fp);
At which point the *only* bottleneck is I/O.
The question is really: How many people never saw your website due to the anemic bandwidth?
Answer that, and then you have something to say.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The blacklist hosts were DDoSed into oblivion.
Ironically..
(-:
S
It's probably because people don't RTFA.
Not everything is analogous to cars. Car analogies rarely work.
"But there's nothing to say it will go away."
Make them sign a contract hahahaha
Trolls dont like to be Flamebait, because they burn so well. Protect our Troll heritage!
Clearly you are missing the point. The number of people who filed a complaint with corporate McDonald's does not mean only 700 people were burned. The point isn't how many people. The point is the coffee burned this 79 year old lady so badly she was hospitalized for 8 weeks and underwent skin grafts. She only initially requested $20,000, but McD's refused, so she took them to court.
Why not get yourself a pot of boiling coffee and dump it in your lap before you post again AC explaining how it is not "too hot".
I just want to congratulate you for getting +1 informative on a post with an obvious goatse link.
:)
Well done Sir
The Melior iSecure Technology, currently applied to dDoS & Penetration Testing Defense,
:)
* Detects and defends against (distributed) Denial-of-Service attacks (dDoS)
o bandwidth flooding attacks
o network attacks
o low/medium/high-bandwidth application-level attacks
o works against known and unknown attack tools
* Cloaks your networks & systems against attackers
* Works "on the wire" (thus: In Line Scanner - ILS)
+ as stand-alone version (ISP/Carrier deployment)
+ as modular TIPS version (enterprise/site deployment)
* Works in real time (6 nanoseconds to 6 milliseconds)
* Works to full bandwidth capacity (currently: 100 Mbit/s, 400 Mbit/s, or 1Gigabit/s)
* Cannot be detected, addressed, or compromised (no MAC or IP address)
* Does not require configuration to be effective and works instantly
against DoS/dDoS attacks ("plug & protect") - optional administration
- no baselining / QoS setting
- no signatures
- no "learning curve" for traffic pattern matching
* Foundation layer of security ---
protects and enhances the effectiveness of IDS and firewalls
* Complements existing infrastructure - no reconfiguration necessary
* Built for very large, large, medium, and small enterprise deployment
SpamHaus is using it. Check out their site
p.s.: I don't work for them
I've had a sneaky suspicion for a while that this is exactly how a number of self-proclaimed "security consultants" get their business: run an exploit or DoS attack on a target, then volunteer to make the system "immune" to future attacks.
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
Redundant?
i didn't even read the previous replies!
maybe I wasted too much time RTFA first.
How do these guys expect to collect the money without being caught? You need to show up in person to accept cash (or at least show up at a drop point) and large transfers can be tracked... Can't they? So how do they collect?
IPv6 will fix this. Because of the hierarchy in the addressing methodology, ISPs will be able to drop any packets coming from source IPs that do not match the network they are directly responsible for.
Would an IPv6 internet make it more difficult for these kind of DDoS attacks to come about?
A good whitehat wouldn't be able to do much against thousands of incoming packets from randomly forged IP addresses, but is it (as) possible to do this if every computer had a direct connection via an IPv6 address to the internet?
Nothing stopping ISPs from implementing this in IPv4, even.
Tell your router to drop traffic that doesn't have a source or destination of your block, and it will. No IPv6 magic necessary.
The problem is that ISPs won't, and don't.
S
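The filter the reply above describes (drop anything leaving a customer port whose source address is not in that customer's block) is simple enough to show in full. The following is an added example written for this page, not code from the poster or from any router vendor; the customer prefixes and the packet list are constructed for illustration, and the edge router is modelled as a plain function. It goes slightly beyond the reply by handling IPv4 and IPv6 prefixes together, which also answers the IPv6 question two posts up.

```python
import ipaddress

# Customer prefixes and sample packets below are constructed for illustration.

def make_ingress_filter(customer_prefixes):
    """Build the check an ISP edge router applies to packets arriving from a
    customer port: forward only if the source address lies inside a prefix
    delegated to that customer (source-address validation, RFC 2827 / BCP 38)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in customer_prefixes]

    def permitted(src_ip):
        addr = ipaddress.ip_address(src_ip)
        # 'in' is False across address families, so v4 and v6 prefixes can be mixed.
        return any(addr in net for net in nets)

    return permitted

def filter_outbound(customer_prefixes, packets):
    """Split (src, dst) pairs into what is forwarded and what is dropped."""
    permitted = make_ingress_filter(customer_prefixes)
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permitted(src) else dropped).append((src, dst))
    return forwarded, dropped

# Hypothetical customer holding one IPv4 /24 and one IPv6 /48.
CUSTOMER_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]

# Constructed packets seen on that customer's port.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10"),          # genuine customer address
    ("198.51.100.9", "192.0.2.10"),         # forged: belongs to someone else
    ("2001:db8:1::42", "2001:db8:ff::1"),   # genuine v6 address
    ("2001:db8:2::42", "2001:db8:ff::1"),   # forged: the neighbouring /48
    ("10.0.0.1", "192.0.2.10"),             # forged: private space
]

if __name__ == "__main__":
    fwd, drop = filter_outbound(CUSTOMER_PREFIXES, SAMPLE_PACKETS)
    for src, dst in fwd:
        print(f"forward {src} -> {dst}")
    for src, dst in drop:
        print(f"drop    {src} -> {dst}  (source not in customer prefix)")
```

Two caveats a practitioner would want stated. The check has to run at the edge closest to the sender, where the router knows exactly which prefixes belong on that port; further upstream the set of legitimate sources is too broad to be useful. And it stops forged sources only: a zombie sending from its own, correctly assigned address passes this filter, so it does nothing against the botnet floods discussed elsewhere on the page, which is why it complements rather than replaces the per-source statistics and the ISP-side cleanup of compromised machines other posters ask for.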
Someone set us up the Gang!
This is Clinton's fault. He and Gore first invented the internet to try and get the economy rolling, but of course it exploded in their face when no one bought anything on the superhighway of bankruptcies. Now it's just a criminal realm used by software, music, and movie pirates and other criminal extortionists. Now thanks to George Bush, a fine upstanding man, we have the DMCA to protect us from the thieves and thugs. Bush knows that shutting down free thought and the internet will put an end to the madness. Clinton and his band of traitorous thieves can go crawl back under that commie rock of theirs.
Anti-gun zealots have been trying to use that argument for years. They want gun manufacturers to be liable because some homicidal nutjob used a gun to shoot someone. A variation on their argument involves the gun manufacturers not making a gun that was child-proof. Next we'll be suing a steel manufacturer for not molding a pipe that is swing-proof. Bunch of damned retards trying to get on TV.
No, it'd be like selling tires with a large weak area, and putting a note saying (to the effect of) slash here to flatten tire by it.
No, it's more like someone stealing your (locked) Escort (after the Pinto, but I chose it because the early '90s models, at least, have an emergency key which will work on all Escorts of that key design) to throw pebbles from it at a building.
You, sir, must be incredibly blissful.
100% Pure Evil With The Look And Feel Of Wholesome Goodness
Off topic, but if you reckon the cigarette makers aren't liable, why blame heroin dealers? Is your reasoning that companies should be immune from suits related to products because the buyer shouldn't have bought them?
As some of you have correctly pointed out, it's not a security issue for the target site, however it is still a security issue. The security problem lies with the ping zombie machines that are being operated by these gangs (or just about anyone who knows where to find a collection of compromised machines). There really needs to be more cooperation between ISPs worldwide, and their upstream providers. It will be expensive in terms of time (especially for big ISPs), but what needs to happen is that ping flood victims need to contact their upstream providers, and those providers need to collect data about the sources of the attacks. The ISPs hosting the zombie machines need to disable the accounts associated with the tainted computers.
It's an ugly, sloppy way to do it, but it may be the most effective way. Ultimately, it's up to the user to properly configure his machine, whether he does it himself, or pays someone to do it. My biggest fear would be that half of the Internet-connected population of computers are compromised, in which case shutting down those accounts would create a massive consumer backlash and probably lawsuits. In that case, let's discuss building an Internet for non-stupid people.
At any rate, ISPs are going to have to take a more active role here, because I certainly don't want to see the Internet Terrorism Act follow up the Patriot Act and the DMCA.
Fred
"A fool and his freedom are soon parted"
-RMS
Never at a loss for words... because of the voices.
Old gangs running the "protection" racket could actually offer protection for a price, by ensuring the exclusivity of their turf, and freedom from other gangs for those in it. That's how the tax/police model works, theoretically offering the taxed a chance to choose the Boss by voting. But these Eastern European "gangs" can't guarantee exclusive control of their turf (the Internet). By the same token, neither can the police. Where will the equilibrium coalesce? Or have we swept over the edge of chaos, into the abyss?
--
make install -not war
Hope that some of the trojan'd computers are behind Belkin routers. This way, Belkin gets DDOS'd
That is the best website bizmodel I've ever seen. "Superscriptions" to distractingly powerful websites! It's like the Alka-Seltzer company giving away Free Beer (TM).
--
make install -not war
This is despicable. DDoS attacks come from the scum of the earth, and they should be treated as such.
ISP's should start taking care of this, or we should track down and arrest anyone who even tries to DDoS a network. Treat them as adults, even if they're L33T H4X0R 13 year old brats.
Browse at -1, because trolls are often the most creative part of
As long as cigarettes are legal, I think it's silly to bring legal action against the manufacturers; cigarettes are bad for you and as far as I know, everyone is familiar with this. As soon as cigarettes are outlawed, then if someone wants to keep distributing them, then sue away. I think if anyone wanted to sue Microsoft for having security holes, they'd have to take a long hard look at themselves first and think about the consequences. Such action would have strong merit however if you could point to a vulnerability that Microsoft intentionally introduced or refused to fix, such as a backdoor. There are a lot of injustices in the world, but it's important to pick your battles carefully. Today it's people using windows exploits to DDOS vulnerable sites, tomorrow it might be a bug in sendmail or bind doing the same thing.
The solution is obvious; just patent "Extortion by the web!" Now the crooks will have to pay you!
One man's -1 Flamebait is another man's +5 Funny.
Oy. You can tell I'm a slashdot noob because that totally stripped all my line breaks, like I'm an illiterate boob or something.
Software development companies already carry liability insurance, paid out of their revenue. The economics depend on the value of entire industry's products exceeding the loss due to defects. The SW revenue must also include the insurance operating expenses and profit. So there's nothing to stop Red Hat, or you, from offering a warranty of liability, compensating a user for proven losses. It would be interesting to see insurance companies contracting systems analysts as claims examiners.
This all leads to insured code signatures, and host firewalls with insurance "policies". Kind of like an evolved "membrane" of insurance wrapping "nuclei" of code, separating the LAN "cytoplasm" from the Inter(celluar)net(fluid). Only the secure survive, when Code Lives!
--
make install -not war
Thank you.
I will now have that music playing through my head for the rest of the day.
Don't suppose you kiddies out there know what I'm talking about.
Another Nathalie, no grits.
If you don't want to repeat the past, stop living in it.
> Old gangs running the "protection" racket could actually offer protection for a price, by ensuring the exclusivity of their turf, and freedom from other gangs for those in it. That's how the tax/police model works, theoretically offering the taxed a chance to choose the Boss by voting. But these Eastern European "gangs" can't guarantee exclusive control of their turf (the Internet). By the same token, neither can the police. Where will the equilibrium coalesce? Or have we swept over the edge of chaos, into the abyss?
Quite true, and well said.
-kgj
Companies would even hire a rival Yakuza group to protect them from the one making threats.
Mobsters doing ddos is just a high-tech example of an age-old practice.
Some more info: article
Reading Slashdot is ruining my spelling and grammar.
Seriously, what I want to see now is somebody to track down one of these "gangs" and then hire goons to break into where they live, destroy their computer equipment and bust their heads open. I know that probably sets a bad precedent, but I think it would be a great deterrent. "Cyber-gangs" might feel bold wreaking havoc from the safe end of a wire, but I expect that like most geeks they would be highly uncomfortable with the possibility of real violence upon themselves.
The main difficult case is end-users who have multiple ISP connections and may send packets out their ISP2 connection with their ISP1 address, but even that's manageable.
Routers have traditionally not been very good at doing this kind of filtering, at least without burning large amounts of CPU because it's not implemented in the ASICs, but there's been increasing support recently. For ISPs using Cisco routers, the common approach is uRPF reverse packet filtering, which drops packets with a Source IP address that the router doesn't have a valid route for. Typically on end-user connections you run it in strict mode (which drops it if there isn't a route using the interface that the packet came from), and in the middle or peering edges of the network you'd run loose mode, which drops it if there isn't _some_ route known to the router.
Some ISPs implement this, including one of the largest in the US (Disclaimer: my employer hasn't authorized me to give a shameless plug here, so I won't name them) and most ISPs are at least pretty good about filtering BGP route announcements to only permit addresses that the customer actually owns. That's not universal, and it's sometimes harder to validate ownership than you'd expect, so there's a certain amount of IP address space hijacking, typically of space where the original owners are a dead.com so they're not around to complain when somebody forges a request to one of the registries.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
> I can't see it being very difficult to keep a buffer of source IPs and a counter at the router level and stop things that way-- How many systems are used in a DDOS attack? Even a few thousand shouldn't be difficult to spot, flag, and then drop.
The zombies involved in a properly designed DDOS attack will spoof IP addresses. Any given machine will send packets flagged for a wide array of IP addresses, but not the same one(s) over and over again. Since it's very hard to tell until you try to respond to it whether a request is spoofed, you have to respond to all of them to have any chance to respond to legitimate requests. Because they're coming in so fast, most servers simply can't keep up, and so a legitimate user's requests just get lost in a sea of invalid requests. Blocking traffic by IP address would be entirely ineffective at stopping such an attack, because the zombie doesn't use a particular IP address enough, and even if you did block one, it'd still be bombing you on several thousand other addresses. And that's just one machine.
Virg
No, but Ford is to blame for the seatbelt not working...
"Hey, it's less hassle to not use the seatbelt. That's why everyone is a root by default." - Microsoft logic
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Why not? It's all about the Benjamin's, after all. Get a hustle and stick with it.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
If someone robs a bank and uses a Ford as their getaway car, is Ford liable?
The answer is, OF COURSE NOT
Kiss my shiny metal ass
but most sites aren't able to withstand those costs
Do they cost more than $50,000/yr?
Better investment than selling out to internet terrorists.
Paying off extortion rackets is cheaper than the alternatives, yeah ... IF there's only ONE, and IF it's a one-shot deal, and IF it weren't like painting a big red target on your company. Not so cheap when you've paid off 30 or 40 of them, all of which will be back next year to collect another installment, in growing droves as word gets around about who's willing to pay 'em off.
"Once you pay the danegeld, you never get rid of the Dane." -- British proverb (ca. 800 A.D.)
~REZ~ #43301. Who'd fake being me anyway?
oh of course, I'm not arguing for it. I was only curious about how anyone here has dealt with slashdotting without having to be geographically load balanced, or distributed across multiple-connections.
There have been 3 different online magazines I have worked where we have survived a slashdotting, but that was about 2 years ago. I assume that these days the amount of traffic is even larger.
Assume that you're the maker of a popular brand of cars. You're very successful and there are millions of these cars all over the places. There are problems with it, and you have issued recalls. Many times. Most users are just happy with their cars and never bothered.
Now, your cars have a curious problem: if a jerk points a finger at someone's home and yells "Shazam!", all the parked cars around just start and bee-line to this home. Soon, they crash into the walls, splash into the pool, and make the home unlivable.
Granted, these jerks are criminals. And you, the car maker, issued several recalls. But it's really not that hard to point a finger and yell "Shazam!". Lots of bored kids do it. And a lot of car owners don't even know what a recall is. So this problem happens frequently.
Now, don't you think the owners of the devastated homes might want to drag you to court?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
The old protection racket has gone digital. I, for one, would love it if we could just give anyone found guilty of being involved in this sort of extortion a lobotomy. Why must people be so driven by greed that they do something so heinous? These folks are on my list just below spammers who retain the top position for volcano diving when I rule the world.
Un-news
Simply, the ISPs should take responsibility for traffic leaving their networks onto the Internet. All spoofed traffic could quite simply be avoided by ALL ISP Internet routers doing the simple task of not forwarding packets with source IPs that don't match the network they come from. Yes it increases CPU usage on each router, but it's a highly effective way of preventing IP spoofing. The real question is why haven't those clever sods at the ISPs done this already? Wishful
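The ingress filtering that the comments above and the earlier uRPF comment describe, as an added example that is not from any poster: a constructed routing table for a hypothetical ISP edge router, the strict and loose uRPF checks run against it, and the per-source counter a target might try, which the spoofed-flood comment explains is useless when every packet carries a different forged source. All prefixes, interface names and packets are constructed for the example.

```python
"""Simulated BCP38 / uRPF source-address filtering at an ISP edge (constructed example)."""
import ipaddress

# Constructed routing table: prefix -> interface the route points out of.
ROUTES = {
    "203.0.113.0/24": "cust1",   # customer 1 (documentation space)
    "198.51.100.0/24": "cust2",  # customer 2
    "192.0.2.0/24": "peer0",     # learned from a peer
}
_ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()]

def lookup(src):
    """Longest-prefix match on the source address; None if no route is known."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifc in _ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def urpf_strict(src, in_ifc):
    """Strict mode (customer edge): the route back to src must use the ingress interface."""
    return lookup(src) == in_ifc

def urpf_loose(src, in_ifc):
    """Loose mode (core/peering edge): any route to src is enough."""
    return lookup(src) is not None

def filter_packets(packets, mode):
    """Return only the packets a router in the given uRPF mode would forward."""
    check = urpf_strict if mode == "strict" else urpf_loose
    return [p for p in packets if check(p["src"], p["ifc"])]

def per_source_counter_blocks(packets, threshold):
    """What the target can do on its own: count packets per source IP and
    block the heavy hitters. With one forged source per packet every
    counter stays at 1, so nothing is ever blocked."""
    counts = {}
    for p in packets:
        counts[p["src"]] = counts.get(p["src"], 0) + 1
    return {s for s, c in counts.items() if c >= threshold}

def make_flood(n):
    """Constructed zombie flood on cust1: every packet has a distinct, unrouted forged source."""
    return [{"src": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "ifc": "cust1"}
            for i in range(n)]

LEGIT = [
    {"src": "203.0.113.7", "ifc": "cust1"},
    {"src": "198.51.100.9", "ifc": "cust2"},
    {"src": "192.0.2.50", "ifc": "peer0"},
]
SPOOFED = [
    {"src": "198.51.100.9", "ifc": "cust1"},  # cust1 forging cust2's address
    {"src": "192.0.2.50", "ifc": "cust1"},    # cust1 forging a peer's address
]

if __name__ == "__main__":
    flood = make_flood(1000)
    print("strict passes:", len(filter_packets(LEGIT + SPOOFED, "strict")), "of", len(LEGIT + SPOOFED))
    print("loose passes: ", len(filter_packets(LEGIT + SPOOFED, "loose")), "of", len(LEGIT + SPOOFED))
    print("flood through strict edge:", len(filter_packets(flood, "strict")))
    print("sources a per-IP counter would block:", per_source_counter_blocks(flood, 2))
```

Loose mode still passes the two forged-but-routable sources, which is why the customer-facing edge is where strict mode has to run.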
If the brakes were faulty due to Ford's negligence, yes. In this case Microsoft made a faulty product that is being exploited for these extortion schemes. If an auto maker were to put out a product as faulty as, say, Microsoft Windows 98, they'd have to recall it or face serious consequences.
I have been on the security consulting end of at least 4 of these over the past 12 months. The issue with many of the targets is that they can't use Akamai or a co-lo site because their businesses are illegal in many countries (i.e. no online gambling in the USA.) So the database and transaction servers must be located in their own country.
Here's my solution. Co-locate your primary web content, graphics, and other critical services on a high-bandwidth connection in the USA. Use a TopLayer Intrusion Prevention switch to defend the site from traditional and SYN-type attacks. For the back-end database, create either a VPN or PPP tunnel to your actual site in Costa Rica, the Caribbean, or wherever else you are located. The only IP addresses that you advertise will be the ones from the co-lo site - this includes all inbound email, web, DNS, and other traffic. You also want a sniffer at this location that has out-of-band access so you can get to it and create custom router/IDS filters if needed.
The strategy is that if the bad guys can't find your slow (but necessary) offshore connection, they can't launch DoS attacks against anything but your co-lo site.
The only way I can see to beat the problem is to hide from the bad guys. You can't get 3GB of bandwidth in Central America so you are pretty much out of luck if you try to use traditional DoS methods.
which book do you work for?
And i'm sending a white van full of fertilizer after you. They'll learn quick not to fuck with me.
Most ISPs don't know about ingress filtering.
I know, it's sad, but there are a lot of non-technical ISPs out there these days.
Really, to get it out there, it should be mandated. You lose your ASN if you don't do ingress filtering, or something like that.
Well, I hope it isn't Pinnacle (who reportedly paid off the crooks) (but is an excellent book) :-)
You got me there! I'll settle for 185 degree coffee dumped in your lap. Then you can tell me about the facts and the case I'm trying to make.
100% Pure Evil With The Look And Feel Of Wholesome Goodness
Heroin dealers are selling illegal products, pay no taxes, and do not follow the law.
Trying to pretend they are the same thing makes no sense.
Most of the servers under attack are probably not running a MS-OS. A DDoS attack can be done from any OS, and it can happen to any server. Blaming MS is just plain stupid.
If you really are serious, and don't want to come across as a troll, you should learn at least the basics of a DDoS attack.
Let's say your phone number is 232-232-2323. Let's say 10 people set up a computer to call your house, over and over. Your phone goes useless. It doesn't matter what kind of phone you have, and it doesn't matter what kind of computers they have dialing your phone - you still can't get any incoming calls because those 10 computers will keep the line busy 24/7.
That's a fairly low tech example of a DDoS attack. There are no easy solutions.
Rate limiting SYN packets is one answer, but you can DDOS someone just with HTTP GETs if you have enough machine. Just ask a recent /. effect victim.
The other thing is to just follow the money. This is where the FBI come in. It is *very* difficult now to make a transfer of more than a few thousand dollars through the banking system anonymously. Ironically, the only way that works are the informal methods used by overseas workers (and Al Quaida) to send cash home.
See my journal, I write things there
The local law enforcement people aren't that sophisticated. If you have that kind of knowledge, chances are you are working with a reasonable pay check.
See my journal, I write things there
Actually, having work for programmers in these countries keeps them out of trouble. Very few people would *want* to work with the mafya and with that kind of money, they would demand to be involved, whether the programmer likes it or not.
See my journal, I write things there
Sure, it's fashionable to blame those Ukrainians who do better work for less money, anyway.
But in the end, a DDoS attack couldn't care less what software is on your machine. You just have gazillions of packets per second coming your way. Your firewall probably stops them, yes. That software made in Ukraine probably doesn't even see a single one of those packets. Your outgoing pipe may well be 100% free and not answering to those pings.
But your incoming pipe is still stuffed. Your site _could_ send heaps of pages back, but the client's _requests_ are competing for that stuffed inbound pipe. Maybe one of them gets through every minute. Most don't. Your site is out of commission anyway.
So how's software written by domestic programmers going to help you against that?
Now to be mean: you just proved that you have no clue about what you're talking about. Just another bigoted clueless redneck spewing crap like "thugocratic society." Maybe _that_'s why those companies prefer to outsource to skilled Ukrainians or Indians. Beats paying some local bigoted retard who thinks he doesn't really need any skills to earn 150k a year. Unlike you, those "thugocrats" actually know their job.
A polar bear is a cartesian bear after a coordinate transform.
I found one simple solution when I got DDOSed by about 5000 zombies all trying to connect on some high range port, which never connected to my system because of my firewall, but still ate a lot of bandwidth. Actually the attack was rather ineffective other than costing me a couple hundred dollars in bandwidth. I just called my provider and they firewalled the port so the traffic never came down the pipe to my system, and everyone was happy.
Let it go.
The public associates "hacker" with bad. They always have, and they always will. People like you who try to muddy the waters aren't helping.
You're like the feminists who want to eliminate the word "woman" and instead persuade everyone to migrate to "womyn" instead.
Like woodworking? Build your own picture frames.
bigger than Pinnacle? Olympic? Grande? William Hill?
Better? Nah...:-)
A few days ago, my nameservers were ddosed into extinction - I had an unhappy day playing with routers and on hold to various tech support departments. The thought springing to my mind is that Vlad the Impaler was also from Eastern Europe. Perhaps a "traditional" approach to this sort of banditry would be helpful. Oh, I'm feeling better already.
Well, if RH had been doing their job as badly as MS has been doing, wouldn't that be OK? Really, that's the intended effect: if you do a bad job, you go out of business. It doesn't matter if it is a company based on free software or proprietary software, bad work = you die... However, it is possible that free software will last because of the increased peer review.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Well, that's a matter for politicians. I said "follow the money", because if it does, the liability would not apply to the individual developer, but to the distributor who takes money for the product. This distinction is very important.
Employee of Inrupt, Project Release Manager and Community Manager for Solid