Slashdot Mirror


DDoS Extortion Attempts On the Rise

John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.


  1. They get rather annoying... by mc_wilson · · Score: 5, Interesting

    The school network here has been getting attacked about once a week for the last month. I am really tired of the internet going down and getting 60% packet loss this often.

    I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...

    1. Re:They get rather annoying... by josecanuc · · Score: 2, Interesting

      oh man... It was great when I was in school there (where you are)... It was about 2 years after they started wiring the dorms for student network access (ethernet anyway -- prior to that there were serial terminals...) So few people had computers in the dorms, coupled with the fact that the campus had not yet "shaped" all dorm traffic to a 100 Mbit virtual pipe. Student printing was not limited -- I printed over a dozen 500+ page programming books straight from the dorm to the Teague building without question from those in charge. (I might be a small part of the reason they did impose print limits, though.)

      But even then CIS was stupid... Nothing's changed there!

      Last I heard they were planning on getting a 10 Gbit pipe to the "regular" Internet and another 10 Gbit pipe to Internet2. Makes a DoS of one server on campus a large threat with that much incoming bandwidth.

    2. Re:They get rather annoying... by dougmc · · Score: 4, Interesting
      I am not sure why we would be getting DoS attacks at a major university.
      It's probably aimed at one individual. I get packeted at home on my cable modem because people want the nick I use on IRC, for example. Typically if they can flood me badly enough, it only takes 10 minutes to kick me off and get my nick, but sometimes they'll leave the flood going for hours or even days, I guess to `teach me a lesson' or something. What lesson have I learned? To log everything, and make phone calls while it happens, and emails to all the IP addresses involved when it's done. I've nailed one guy already that I know of (in Romania no less -- visited by the local police. I don't know how it turned out, however.) -- it's rarely effective, but if you keep at it, it'll eventually work.

      I wish they would try something that would prevent them. Stupid CIS...
      Tell us, how should they prevent them? Since you've labeled them as stupid, I'm sure you have the answer all figured out? We'd love to hear what the victim of a DDoS attack can do to prevent an arbitrary DDoS attack.

      Filtering on your router doesn't work, because it's usually your pipe that's overloaded. (Though schools often have huge pipes.) Having your provider filter can be effective, but not all attacks are easy to filter. Buying more bandwidth and faster routers is usually effective -- I'm sure you won't mind your tuition going up to cover the costs? Turning off the campus resnet completely would probably be effective ...

      You got any better ideas?

      No, I don't work for your school's CIS. But I certainly understand their position.

  2. DDOS and 2nd and 3rd world countries by Monkelectric · · Score: 5, Interesting
    Criminals in 2nd and 3rd world countries *LOVE* the internet because it gives them *ACCESS* to first world country victims. If a Russian guy can steal $100, that's less than a day's pay for me, but 6 months' salary to him.

    I don't have the link anymore, but MSNBC did a writeup on my mother who some Russian jerkoffs tried to extort. They basically got her with a fish page, we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would this and that, then when that didn't work they sent messages *BEGGING* for us to send them $150 claiming they were poor and destitute and it was nothing to us.

    --

    Religion is a gateway psychosis. -- Dave Foley

  3. Re:Send money, or else. by LiquidCoooled · · Score: 5, Interesting

    It's amusing to note people's reactions when they hear that XYZ is suffering a DDOS attack.
    They invariably open the browser and attempt to open the site.
    It's natural human instinct: they open it, say "Yup, it's still down" and either click refresh a few times, or close it.

    Watching how slash/fark folks handle flooding a site is similar.

    --
    liqbase :: faster than paper
  4. IP Spoof Filtering... by Autonin · · Score: 5, Interesting

    I agree - Null Routes aren't the answer here. But something that ISPs *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

    It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACLs on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IPs they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.

    Apparently this is such a Herculean effort, however, that no ISPs I know of do this consistently. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.

    Maybe if these sort of extortion schemes happen enough, proper pressure can be brought to bear on the ISPs to do this.

    --
    -AutoNiN
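One way to picture the per-customer egress ACL this comment describes, as an added example that is not code from the page or from any ISP: a small Python model in which each customer segment has an assigned prefix, and a packet leaving that segment is forwarded only when its source address falls inside the prefix. Anything else is dropped and counted per segment, which is the "zombie isolation" benefit the poster mentions. The segment names, prefixes (documentation ranges) and sample packets are all constructed for the illustration.

```python
"""Egress (anti-spoofing) filter model, added as an illustration.

Not code from the page or from any ISP. It models the idea in the comment
above: each customer end-point is assigned an address block, and a packet
leaving that end-point is forwarded only if its source address belongs to
the block. Everything else is dropped and attributed to the segment it
came from. Customer blocks and sample packets are constructed.
"""
import ipaddress
from collections import Counter

# Hypothetical customer assignments: segment name -> assigned prefixes.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/28")],
    "cust-b": [ipaddress.ip_network("198.51.100.64/26"),
               ipaddress.ip_network("2001:db8:1::/48")],
}


def source_allowed(segment, src):
    """Return True if src is inside one of the prefixes assigned to segment.

    A segment with no assignment gets nothing through (default deny).
    """
    addr = ipaddress.ip_address(src)
    for net in CUSTOMER_PREFIXES.get(segment, []):
        if addr.version == net.version and addr in net:
            return True
    return False


def filter_egress(packets):
    """Apply the per-segment ACL to (segment, src, dst) tuples.

    Returns (forwarded, dropped). Each dropped record is worth logging: a
    source address that does not belong to the segment it came from is
    either a misconfiguration or a spoofing attempt.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        segment, src, _dst = pkt
        (forwarded if source_allowed(segment, src) else dropped).append(pkt)
    return forwarded, dropped


def spoof_report(dropped):
    """Count drops per segment so the ISP knows which end-point to look at."""
    return Counter(segment for segment, _src, _dst in dropped)


# Constructed sample traffic: legitimate packets plus spoofed ones.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.5", "192.0.2.10"),          # valid
    ("cust-a", "10.9.8.7", "192.0.2.10"),             # spoofed: not cust-a's space
    ("cust-a", "198.51.100.70", "192.0.2.10"),        # spoofed: belongs to cust-b
    ("cust-b", "198.51.100.70", "192.0.2.10"),        # valid
    ("cust-b", "2001:db8:1::42", "2001:db8:ffff::1"), # valid IPv6
    ("cust-b", "2001:db8:2::42", "2001:db8:ffff::1"), # spoofed IPv6
    ("unknown", "203.0.113.5", "192.0.2.10"),         # unassigned segment: dropped
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for segment, n in spoof_report(drop).items():
        print(f"  {segment}: {n} packet(s) with a source outside its assigned space")
```

The model makes the trade-off the poster describes visible: the check itself is one prefix match per packet, but it only works if the provider keeps an accurate per-port assignment table, which is the operational burden that makes deployment uneven.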
  5. Sounds like he learned a lot while in IRC... by Juvenall · · Score: 2, Interesting

    From the article
    But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.

    "Pay us and we'll save you from DDoS". Where have I heard that before?

    I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?

  6. Time for a 'retrovirus' ? by MaineCoon · · Score: 4, Interesting

    As much as I hate to suggest it, it seems like underground vigilantism may be the only way to deal with the problem currently.

    It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).

    At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them, would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyways (can't afford anti-virus software or are running pirated versions of Windows that they can't patch).

    The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something up stream), and implement blocking at that end. But that's talking expensive hardware...

    --
    Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
    1. Re:Time for a 'retrovirus' ? by Croaker · · Score: 4, Interesting

      Actually, there might be an easier way to take down zombie networks than creating a roaming virus... As I understand it, most zombie networks take their marching orders by watching an IRC channel on some server someplace. If you can figure out where the channel is, and can manage to compromise it, you should be able to hijack the zombie network and make it patch itself and then uninstall the viruses.

      Instead of polluting the net even more with "retrovirus" traffic, this would be a surgical strike, although timing would be critical. I assume they shift IRC servers and channels fairly frequently, and the IRC servers might be well hardened.

  7. I'm not a very good network admin by scribblej · · Score: 5, Interesting

    Or at least, I like to think I'm not very good. There's so much to know, and I only know a tiny part of it.

    My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"

    I like to respond, "Nothing."

    But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?

    I would suggest the standard network security tips - close off any ports that aren't needed, etc --

    I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.

    I would suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.

    I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.

    I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.

    Is there any way to win?

    Is there any way I can tell my boss something other than "nothing?"

    Save me Slashdot! Pleeeeease!?

    1. Re:I'm not a very good network admin by Anonymous Coward · · Score: 3, Interesting

      To quote WarGames:
      Strange game. The only way to win is to not play.

  8. DDoS Heart Attack by Grokko · · Score: 2, Interesting

    If one were to know the irc channel that a DDoSer uses to communicate with the zombie machines, is it possible to spam the channel with commands that will physically shut down the zombies, like a poweroff command in Linux, thus mitigating the effect?

    It could be a Denial of Denial of Service Attack, or DoDos. I confess I might be simplifying the issue too much.

    In this case, you'd have to:

    1. Identify a DDoS is in progress.
    2. Pick one of the zombie IP addresses.
    3. Identify the type of DDoS it is performing, by trying all known ones (if it is out there in quantity, it is likely known).
    4. Find its IRC channel and spam it with poweroff commands.
    5. DDoS stops happening.

  9. Solution by Anonymous Coward · · Score: 2, Interesting

    1) Log zombie IP.
    2) Exploit zombie using the same exploit used to 'zombify' it in the first place.
    3) Patch zombie machine.
    4) Repeat.

    Is this feasible?

  10. Re:This is the reason why we can't get world peace. by RajivSLK · · Score: 2, Interesting

    They should bring back public flogging as a form of punishment

    Yes, but instead of being held in the town square we'll set up a webcam and webcast it around the world.

  11. Re:Null routing vs intelligent DDoS defense by Anonymous Coward · · Score: 1, Interesting

    Null routes aren't completely bad if the attack is by IP as opposed to a DNS name. So, for example, setting TTLs on A records for the attacked DNS name to something like 5 minutes will enable you to null route the attacked IP, update DNS with the new A record and then be back up. Obviously, if the zombies routinely do DNS lookups for the host this solution doesn't quite work. But, I can assure you that after working for a company that was routinely attacked (they would fill a 100Mb pipe) this worked quite well -- we weren't e-commerce. We did talk with Mazu, but that solution was way too expensive for us...especially during a period of IT downsizing.

    Ultimately TCP/IP needs to be updated to have something like ANI in the telco system. I can remember before ANI there were no concerns doing war dialing. Once it came out....everyone got a little timid.

    Also, from my experience spoofed IP attacks really aren't as common. With zombies...they don't really care because they know tracing all of them will be a severe headache.
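The low-TTL cutover in this comment can be reasoned through with a small model, added here as an example that is not code from the page or the poster. A legitimate client and two kinds of zombies each send one request per second to a name; at the cutover second the old address is null-routed and the zone is repointed. The client re-resolves only when its cached answer expires, so its outage is bounded by the TTL; a zombie pinned to the raw IP hits the null route for the rest of the run; a zombie that re-resolves follows the move, which is exactly the caveat the poster raises. The name, addresses and timings are constructed.

```python
"""Model of the low-TTL null-route cutover (added example, not the poster's code).

Constructed scenario: one legitimate client, one zombie that resolves the
name like a normal client, and one zombie configured with the raw IP. At
`cutover` the defender null-routes old_ip and repoints the A record.
"""
from dataclasses import dataclass
from typing import Optional

NAME = "www.example.test"   # constructed name under attack


@dataclass
class CachingClient:
    """Client-side DNS cache for NAME: keeps the answer until its TTL expires."""
    ttl: int
    cached_ip: Optional[str] = None
    expires_at: int = -1

    def resolve(self, now, zone):
        # Re-query the authoritative zone only when the cached answer has expired.
        if self.cached_ip is None or now >= self.expires_at:
            self.cached_ip = zone[NAME]
            self.expires_at = now + self.ttl
        return self.cached_ip


def simulate(ttl, cutover, horizon, old_ip="192.0.2.10", new_ip="192.0.2.20"):
    """Run one request per second per actor and report what the cutover achieves.

    ttl      - TTL on the A record, in seconds
    cutover  - second at which old_ip is null-routed and the zone repointed
    horizon  - length of the run, in seconds
    """
    zone = {NAME: old_ip}
    null_routed = set()
    legit = CachingClient(ttl)
    zombie_resolving = CachingClient(ttl)   # zombie that does DNS lookups
    zombie_pinned_ip = old_ip               # zombie configured with the raw IP
    stats = {
        "legit_lost": 0,             # legit requests that hit the null route
        "legit_recovered_at": None,  # first second a legit request reaches new_ip
        "resolving_zombie_hits": 0,  # attack requests still reaching the service after cutover
        "pinned_zombie_hits": 0,
    }
    for now in range(horizon):
        if now == cutover:
            null_routed.add(old_ip)
            zone[NAME] = new_ip
        dst = legit.resolve(now, zone)
        if dst in null_routed:
            stats["legit_lost"] += 1
        elif dst == new_ip and stats["legit_recovered_at"] is None:
            stats["legit_recovered_at"] = now
        z_dst = zombie_resolving.resolve(now, zone)   # resolves every second, like the client
        if now >= cutover:
            if z_dst not in null_routed:
                stats["resolving_zombie_hits"] += 1
            if zombie_pinned_ip not in null_routed:
                stats["pinned_zombie_hits"] += 1
    return stats


if __name__ == "__main__":
    for ttl in (300, 86400):
        s = simulate(ttl=ttl, cutover=650, horizon=1200)
        print(f"TTL {ttl:>5}s: legit requests lost={s['legit_lost']}, "
              f"recovered at t={s['legit_recovered_at']}, "
              f"resolving zombie still hits={s['resolving_zombie_hits']}, "
              f"pinned zombie still hits={s['pinned_zombie_hits']}")
```

With a 5-minute TTL the client is back within one TTL of the cutover; with a day-long TTL (a common default) it is still pointed at the null-routed address when the run ends. The pinned zombie never finds the new address, but the resolving zombie does as soon as its own cache expires, so the trick buys time against IP-targeted floods and nothing against name-targeted ones.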

  12. Authorize.Net is getting HAMMERED by JohnnyGTO · · Score: 3, Interesting

    Our CC processing company is getting HAMMERED again today with a DDOS. Now how am I going to process those fraudulent Nigerian orders?

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
    1. Re:Authorize.Net is getting HAMMERED by sevinkey · · Score: 3, Interesting

      I work for a credit card processor, and DDOS is now the norm for us. Every day. Fortunately it only took a couple of days to get the system completely stable while accepting daily DDOS attacks as the norm.