Gangs Extort Companies With DDoS Attacks
Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"
For /.?
The gangs can *TRY* to extort money, but in the long run, it would be cheaper to hire consultants or better administrators. This will have the effect of IMPROVING security worldwide. Thanks European gangs!
So now there's an internet mafia.
So who's the god father? I vote Al Gore.
Funny thing is, with the old mobsters, paying protection money to mob A would stop mob B from doing the same.
What's to stop another DDoS group from doing the same?
As the movies teach, never pay the protection money.
Nah, a new financing model for SCO.
It is not our abilities that show what we truly are... it is our choices.
One kid reported, 'If the demand comes in for $4-5, compared to the losses they're suffering, there's an attraction for the wimps to pay and hope it goes away. But there's nothing to say it will go away.'
when we could just hold kids for ransom?
The original generic sig.
I bet it's those damn Jets! They're always trying to stick it to the Sharks.
How are you going to keep them down on the farm once they've seen Karl Hungus?
Firstly, I'm surprised it took this long for something like this to happen. Though I suspect it's been happening for a while. Organized crime has always been ready to utilize new technology in the pursuit of money / power.
Secondly, how is this different from some company installing spyware/nagware that's not uninstallable and then sending you email asking you to pay 20 bucks for a utility that'll "remove" their piece of software?
Yes Francis, the world has gone crazy.
I've never understood why operations like this are so hard to track down. If you give them $40,000 that creates a financial paper trail that is traceable! The same thing with spam: if it is illegal spam and they ask you for money, at some point the money has to go somewhere. Why do the feds have such a hard time connecting the dots on cases like this? I'm sure there is something I'm missing, so someone please inform me.
SCO.com uses Linux
...the Financial Times reported that it had received a DDoS attack from all those /. readers accessing their site. The Financial Times has responded by offering $50,000 protection money to /. ....
No, in this case you would have to sue the internetthingy because it allows all the traffic. Apache, IIS, WebSphere, they all fall to the DDoS attacks.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
I can't believe I'm responding to such an obvious troll.... but...
:-)
How is this like a car that randomly explodes?
This is like a gang threatening to slash your tires. Would the auto company be liable because their tires are not slashproof?
As we know from THIS site, nobody is slashproof!
- For the complete works of Shakespeare: cat
For $50,000 a year, sounds like a decent wage for anyone who's currently unemployed. Why not just hire a good whitehat instead of caving into blackhat demands?
Surely this is a violation of their IP in regards to extorting money using online means!
Someone you trust is one of us.
So how do you protect yourself from a DDOS attack? Are there any closed-source or open-source products that can do it? I've seen "network appliances" that claim to protect you, but I haven't read any reviews.
Do they use paypal?
What you see happening is what will cause more restrictions on freedom in an attempt to control illegal activity.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
... is patent DDoSs, then extort, er... I mean, charge licensing fees, to anyone invoking a DDoS against a site. I mean, isn't that what US patents are good for these days?
www.lac0san0stra.com. Omerta-Online.com. SlashStabShootThrottle-dot.org. net f o
www.sicialiand00ds.net
www.e-Bottomofthe-Bay.org
www.hotbotta-bing
cor.leo.ne
www.SleepswiththeBabelFishes.org
www.We-Hack-and-We-Whack.com
www.Go-Go-Gotti.in
Fifteen years ago all the cool kids would make fun of me and call me a computer geek and never pick me for the baseball team and stuff. Now all the cool geeks are going off forming gangs and taking down servers and I'm still left out! I can't figure this world out...
DDoS attacks require a *lot* of hacked computers. Usually Microsoft OSes with low security settings.
It annoys me that MS's bad approach to security is now threatening businesses worldwide on two levels, first by exposing their own computers and then by exposing them to distributed attacks by the general populace. Even businesses that didn't have a single MS system in use are affected by one company's half-@$$ed security practices.
Not trying to troll, just making a genuine point. If consumer computers were security-locked by default, DDoS attacks would be infinitely more difficult to pull off.
The primary targets appear to be gambling sites.
Why is it whenever the mob is involved, their first target is gambling sites? Next thing it will be online porn and pharmaceuticals.
Karma Whoring for Fun and Profit.
I am stupefied... someone has finally found the ????? in the business plan. Amazing...
1. Buy computers
2. Blackmail companies for $40k or DDoS them
3. Profit!
Str8Dog
using System.Darkside; public
Actually, I think a liability that follows the money would actually be a good idea, for the free software community too. Think about it: companies like Red Hat would actually have a real product -- the warranty -- they would sell a warranty that their products are performing as advertised. They would earn more money and need to hire more people to audit code, resulting in more jobs and better code. And since we all know that free software is better than proprietary, well, we would be the winners!
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I can imagine the headline... hitman kills a bunch-o 14 year olds for 40 grand =)
How Now Brown Cow
which they transfer to one of the hundreds of stolen credit card numbers they have, which they then go off and use to buy something very expensive (in person).
As a side note, I know a network security company who got hit with one of these, end result? The FBI and the local (eastern european) police arrested and are trying the hackers in question.
When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.
-jon
DDOS attacks are usually launched through Windows boxes that have been exploited, for example by worms such as SOBIG.
All's true that is mistrusted
A lot of people seem to misunderstand you..
They think that you're saying that MS is liable because someone can use all your resources (which is ridiculous, of course.)
What I think you're saying is that it's MS that allows the security holes in their software, which allows these gangs to take control of other people's computers and launch the DDoS.
Your analogy is wrong - perhaps a better one might be that an automobile manufacturer makes a car that can be easily stolen (say by jiggling the door handle, and a key is not required to start it). If someone steals this car and drives it through a business's window, should the car manufacturer be liable?
I donno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. It's on a 1.5/256 DSL line. Maybe it could be because we don't load our pages down with tons of crap, and don't depend on SQL databases to do our main content.
:)
*shrug*
Or it could be that we just know how to run our server really well
Brielle
For the outsourcing some companies have been doing. You let some Ukrainian company design software for integral parts of your organisation's business and later get screwed by some thugs blackmailing you, well, this is one of those cases where maybe you should have paid a little more to hire domestic programmers who come from a less thugocratic society.
Saving a buck has its limits!
For some time I've pondered the ways to stop DDoS.
Couldn't you write a program that scans each incoming packet and keeps statistics? Won't DDoS packets come far more frequently from a given source?
Is there a way to avoid spoofed packets by making sure you can reply to the source first? Shouldn't current protocols be designed to avoid spoofing? Or is it more fundamental (e.g. spoofing must be solved at a lower layer in the networking model)?
Where are the machines these attacks originate from located? Can't we get their ISPs to get rid of them, or ban ISPs that are known to be bad?
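The spoofing question above ("making sure you can reply to the source first") is essentially what SYN cookies do at the TCP layer: the server keeps no state for a half-open connection and instead makes its initial sequence number a keyed MAC that only a host which actually received the SYN-ACK can echo back. The following is an added example, not code from any poster in this thread; the secret, the addresses and the one-minute time slot are constructed assumptions, and the cookie layout is simplified (real SYN cookies also pack an MSS hint into the 32 bits).

```python
"""Stateless handshake verification in the spirit of SYN cookies.

Added example for this thread (not code from any poster). A server that
records every half-open connection can have that table filled by SYNs
with spoofed source addresses: the spoofed host never receives the
SYN-ACK, so the entry never completes until it times out. SYN cookies
store nothing: the server's initial sequence number (ISN) is a keyed MAC
over the connection 4-tuple and a coarse timestamp, and the final ACK is
accepted only if it carries ISN+1. Only a host that really received the
SYN-ACK can produce that value.
"""
import hashlib
import hmac
import secrets
import time

# Assumed for the example; a real server rotates this secret periodically.
SERVER_SECRET = secrets.token_bytes(32)
COOKIE_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


def _cookie(src_ip, src_port, dst_ip, dst_port, minute, secret):
    """Keyed 32-bit value bound to the 4-tuple and a one-minute time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{minute}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_syn_ack(src_ip, src_port, dst_ip, dst_port, now=None, secret=SERVER_SECRET):
    """Server answers a SYN with a cookie ISN and keeps no per-connection state."""
    minute = int((time.time() if now is None else now) // 60)
    return _cookie(src_ip, src_port, dst_ip, dst_port, minute, secret)


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now=None, secret=SERVER_SECRET):
    """Accept the final ACK only if ack_number == ISN+1 for a cookie issued in
    the current or the previous minute (tolerates a slot boundary)."""
    minute = int((time.time() if now is None else now) // 60)
    got = (ack_number & COOKIE_MASK).to_bytes(4, "big")
    for slot in (minute, minute - 1):
        expected = (_cookie(src_ip, src_port, dst_ip, dst_port, slot, secret) + 1) & COOKIE_MASK
        if hmac.compare_digest(expected.to_bytes(4, "big"), got):
            return True
    return False


def simulate(now=1_700_000_000.0):
    """Constructed scenario: honest client, spoofer, cross-tuple replay, stale cookie."""
    server = "203.0.113.10"  # constructed address (RFC 5737 documentation range)
    results = {}

    # 1. Honest client receives the SYN-ACK and echoes ISN+1 -> accepted.
    isn = make_syn_ack("198.51.100.7", 40001, server, 80, now)
    results["honest"] = validate_ack("198.51.100.7", 40001, server, 80, (isn + 1) & COOKIE_MASK, now)

    # 2. Spoofer uses an address it does not control: the SYN-ACK (and the
    #    cookie) go elsewhere, the server stored nothing, and a guess fails.
    make_syn_ack("192.0.2.99", 5555, server, 80, now)
    results["spoofed"] = validate_ack("192.0.2.99", 5555, server, 80, secrets.randbits(32), now)

    # 3. The honest client's cookie presented from a different 4-tuple -> rejected.
    results["replayed"] = validate_ack("192.0.2.99", 5555, server, 80, (isn + 1) & COOKIE_MASK, now)

    # 4. The honest cookie presented ten minutes later: time slot expired -> rejected.
    results["stale"] = validate_ack("198.51.100.7", 40001, server, 80, (isn + 1) & COOKIE_MASK, now + 600)
    return results


if __name__ == "__main__":
    print(simulate())
```

This closes the state-exhaustion hole that spoofed SYNs open, and it needs no change to the protocol seen by clients. It does nothing about raw bandwidth: if the attackers can fill the pipe with any packets at all, a server that validates handshakes perfectly is still unreachable.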
It's not like Gang A can stop Gang B from DDoS attacking a network. This is not the slums where they can have hired henchmen beat anyone else trying to inch into their area.
You pay gang A to go away.. a month later gang B hits you.. You complain to gang A.. They tell you it's not them.. You pay gang B.. a month later gang C hits you.. WASH and repeat till your company is broke
Personal Website
Cigani! Juris!: Gypsies! Attack!
Too funny. Get the money!
...the targets need not be large companies with high-profile Websites. My small (5 person) company is just now recovering from a DDOS attack against the DNS server used by our ISP; as of yesterday evening, they were getting repeated hits from at least 15,000 zombies. Our email and our Website were completely inaccessible for about 24 hours, and many other DNS customers will have suffered similarly. Various changes in server IP address etc. seem to have fixed the problem for now. The advice from the DNS server people is to use at least two independent DNS services in future. It must hurt to have to tell customers, in effect, to do business with your competitors to ensure service.
It's not just that a company directly makes money from their web presence. Many companies provide information at no cost to its consumers (FAQs, Knowledge Bases, Instructions, etc...). The availability of these resources often leads to our purchasing a product.
Another way to look at it...
If a company makes windows without locks can you sue because your house was so easy to break into? Or better yet, can you sue them cause it was so easy to break into your house to rack up long distance charges on your phone? Who the heck was calling Eastern Europe from this number?
More than a dozen offshore gambling sites serving the US market were hit by the so-called Distributed Denial of Service attacks and extortion demands in September and the tactic is now spreading. Sites have been asked to pay up to $50,000 to ensure they are free from attacks for a year.
Offshore gambling sites? Almost as if one gang who run the casinos are being hit by other gangs. I wonder who the Cyber-Godfathers are?
Ruby on Rails Screencast
An analogy might be... if I left a gun unattended just by my front door, and a would-be murderer pushed my door open and took it, maybe I would share some small part of the responsibility for his future crimes. I'd certainly feel some sense of guilt...
If Joe's getting stung, he's going to shout at his vendor -> his vendor is going to shout at his manufacturer -> his manufacturer is going to shout at the people who set up his OS, and left in lots of vulnerabilities in there along with an insecure default setup. At the very least, Joe is going to make sure he tells all of his Joe pals not to leave their machines with always on connections and no security patches.
I know Joe is a victim too, but maybe we need to be a little more pragmatic about how we can reduce the growing problem of DDoS attacks. Individual Joes are a lot easier to track down and scare than the Russian mob.
I donno about anyone else, but twice now the SOSDG's main web server has been Slashdotted, and it didn't even cough. It's on a 1.5/256 DSL line.
Of course, it didn't even cough. It's only serving 256 Kbps of bandwidth! A Pentium 75 running Apache can saturate a 10 Mbps network with static page requests and never hit a high load average!
I mean, for static requests, the code in Apache might as well be:
$fp = fopen($sourcefile, 'r');
while (($line = fgets($fp, 1024)) !== false) {
    fwrite(STDOUT, $line);  // copy the file to the client, one chunk at a time
}
fclose($fp);
At which point the *only* bottleneck is I/O.
The question is really: How many people never saw your website due to the anemic bandwidth?
Answer that, and then you have something to say.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
How do these guys expect to collect the money without being caught? You need to show up in person to accept cash (or at least show up at a drop point) and large transfers can be tracked... Can't they? So how do they collect?
As far as I can tell, this device blocks traffic on the "local" side of your pipe to your ISP.
This allows the DDoSers to saturate your pipe, thus DDoSing you.
Even if it DOES block all traffic, and magically re-opens your pipe, you're still not safe:
If these "gangs" control thousands, or hundreds of thousands of "drones", there's nothing stopping them from generating "LEGITIMATE" (well-formed; handshake; non-spoofed) traffic on an allowed protocol and saturating your bandwidth, this way. You can put 50,000 null-routes in your ACLs.. your hardware will choke, and the IPs will change, so you'll block legit traffic.
Never at a loss for words... because of the voices.
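The per-source statistics idea raised earlier in the thread ("won't DDoS packets come far more frequently from a given source?") and the objection just above (tens of thousands of drones sending well-formed traffic, each looking legitimate) can be put side by side. The following is an added example, not code from any poster: a sliding-window per-source rate monitor run over two constructed traffic scenarios. The addresses, packet rates, thresholds and the 100 Mbit/s link capacity are all assumptions.

```python
"""Per-source rate statistics against two kinds of flood.

Added example for this thread (not any poster's code). The monitor keeps
a sliding-window packet count per source address and flags a source whose
rate exceeds a threshold. Two constructed scenarios show what that catches
and what it misses:
  1. five zombies each blasting 200 small packets per second: every one of
     them is flagged, and a blocklist of five addresses is cheap;
  2. 50,000 drones each sending one full-sized request per second: no single
     source crosses the threshold, yet the aggregate is six times the link,
     so only the aggregate check notices, and per-address blocking would
     need 50,000 entries that change over time.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5          # sliding window for the per-source rate (assumed)
PER_SOURCE_PPS = 20         # flag a source sustaining more than this (assumed)
LINK_BPS = 100_000_000      # assumed 100 Mbit/s access link
DURATION = 5                # seconds of constructed traffic


def analyze(records, window=WINDOW_SECONDS, threshold=PER_SOURCE_PPS, link_bps=LINK_BPS):
    """records: iterable of (timestamp_seconds, src_ip, packet_bytes) in time order.
    Returns per-source flags plus an aggregate bits-per-second check."""
    recent = defaultdict(deque)        # src -> timestamps still inside the window
    flagged = set()
    bytes_per_second = defaultdict(int)
    for ts, src, nbytes in records:
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) / window > threshold:
            flagged.add(src)
        bytes_per_second[int(ts)] += nbytes
    peak_bps = max(bytes_per_second.values(), default=0) * 8
    return {
        "distinct_sources": len(recent),
        "flagged": flagged,
        "peak_bps": peak_bps,
        "link_saturated": peak_bps > link_bps,
    }


def few_loud_sources(n=5, pps=200, size=60):
    """Scenario 1 (constructed): n zombies sending small packets at a high rate."""
    per_second = n * pps
    for k in range(DURATION * per_second):
        # sources are interleaved so the stream stays time-ordered
        yield k / per_second, f"192.0.2.{k % n + 1}", size


def many_quiet_sources(n=50_000, size=1500):
    """Scenario 2 (constructed): n drones, one full-sized request per second each."""
    for sec in range(DURATION):
        for d in range(n):
            yield sec + d / n, f"10.{(d >> 16) & 255}.{(d >> 8) & 255}.{d & 255}", size


def run_scenarios():
    return {"loud": analyze(few_loud_sources()), "quiet": analyze(many_quiet_sources())}


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name}: {r['distinct_sources']} sources, {len(r['flagged'])} flagged, "
              f"{r['peak_bps'] / 1e6:.0f} Mbit/s peak, saturated={r['link_saturated']}")
```

The per-source test is worth having, because it handles the cheap case (a few loud hosts) with a short blocklist. The second scenario is the one the post above describes: nothing in the per-source statistics distinguishes 50,000 drones at one request per second from 50,000 customers, and the only signal that survives is total volume against link capacity, which has to be measured upstream of the saturated pipe to be acted on.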
Old gangs running the "protection" racket could actually offer protection for a price, by ensuring the exclusivity of their turf, and freedom from other gangs for those in it. That's how the tax/police model works, theoretically offering the taxed a chance to choose the Boss by voting. But these Eastern European "gangs" can't guarantee exclusive control of their turf (the Internet). By the same token, neither can the police. Where will the equilibrium coalesce? Or have we swept over the edge of chaos, into the abyss?
--
make install -not war
As long as cigarettes are legal, I think it's silly to bring legal action against the manufacturers; cigarettes are bad for you and as far as I know, everyone is familiar with this. As soon as cigarettes are outlawed, then if someone wants to keep distributing them, then sue away. I think if anyone wanted to sue Microsoft for having security holes, they'd have to take a long hard look at themselves first and think about the consequences. Such action would have strong merit however if you could point to a vulnerability that Microsoft intentionally introduced or refused to fix, such as a backdoor. There are a lot of injustices in the world, but it's important to pick your battles carefully. Today it's people using windows exploits to DDOS vulnerable sites, tomorrow it might be a bug in sendmail or bind doing the same thing.
The solution is obvious; just patent "Extortion by the web!" Now the crooks will have to pay you!
One man's -1 Flamebait is another man's +5 Funny.
Assume that you're the maker of a popular brand of cars. You're very successful and there are millions of these cars all over the place. There are problems with it, and you have issued recalls. Many times. Most users are just happy with their cars and never bothered.
Now, your cars have a curious problem: if a jerk points a finger at someone's home and yells "Shazam!", all the parked cars around just start and bee-line to this home. Soon, they crash into the walls, splash into the pool, and make the home unlivable.
Granted, these jerks are criminals. And you, the car maker, issued several recalls. But it's really not that hard to point a finger and yell "Shazam!". Lots of bored kids do it. And a lot of car owners don't even know what a recall is. So this problem happens frequently.
Now, don't you think the owners of the devastated homes might want to drag you to court?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
I have been on the security consulting end of at least 4 of these over the past 12 months. The issue with many of the targets is that they can't use Akamai or a co-lo site because their businesses are illegal in many countries (i.e. no online gambling in the USA.) So the database and transaction servers must be located in their own country.
Here's my solution. Co-locate your primary web content, graphics, and other critical services on a high-bandwidth connection in the USA. Use a TopLayer Intrusion Prevention switch to defend the site from traditional and SYN-type attacks. For the back-end database, create either a VPN or PPP tunnel to your actual site in Costa Rica, the Caribbean, or wherever else you are located. The only IP addresses that you advertise will be the ones from the co-lo site - this includes all inbound email, web, DNS, and other traffic. You also want a sniffer at this location that has out-of-band access so you can get to it and create custom router/IDS filters if needed.
The strategy is that if the bad guys can't find your slow (but necessary) offshore connection, they can't launch DoS attacks against anything but your co-lo site.
The only way I can see to beat the problem is to hide from the bad guys. You can't get 3GB of bandwidth in Central America so you are pretty much out of luck if you try to use traditional DoS methods.
Rate limiting SYN packets is one answer, but you can DDOS someone just with HTTP GETs if you have enough machines. Just ask a recent /. effect victim.
The other thing is to just follow the money. This is where the FBI come in. It is *very* difficult now to make a transfer of more than a few thousand dollars through the banking system anonymously. Ironically, the only way that works are the informal methods used by overseas workers (and Al Quaida) to send cash home.
See my journal, I write things there