Slashdot Mirror


DDoS Extortion Attempts On the Rise

John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.

8 of 277 comments

  1. They get rather annoying... by mc_wilson · · Score: 5, Interesting

    The school network here has been getting attacked about once a week for the last month. I am really tired of the internet going down and getting 60% packet loss this often.

    I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...

    1. Re:They get rather annoying... by dougmc · · Score: 4, Interesting
      I am not sure why we would be getting DoS attacks at a major university.
      It's probably aimed at one individual. I get packeted at home on my cable modem because people want the nick I use on IRC, for example. Typically if they can flood me badly enough, it only takes 10 minutes to kick me off and get my nick, but sometimes they'll leave the flood going for hours or even days, I guess to `teach me a lesson' or something. What lesson have I learned? To log everything, and make phone calls while it happens, and emails to all the IP addresses involved when it's done. I've nailed one guy already that I know of (in Romania no less -- visited by the local police. I don't know how it turned out, however.) -- it's rarely effective, but if you keep at it, it'll eventually work.

      I wish they would try something that would prevent them. Stupid CIS...
      Tell us, how should they prevent them? Since you've labeled them as stupid, I'm sure you have the answer all figured out? We'd love to hear what the victim of a DDoS attack can do to prevent an arbitrary DDoS attack.

      Filtering on your router doesn't work, because it's usually your pipe that's overloaded. (Though schools often have huge pipes.) Having your provider filter can be effective, but not all attacks are easy to filter. Buying more bandwidth and faster routers is usually effective -- I'm sure you won't mind your tuition going up to cover the costs? Turning off the campus resnet completely would probably be effective ...

      You got any better ideas?

      No, I don't work for your school's CIS. But I certainly understand their position.

  2. DDOS and 2nd and 3rd world countries by Monkelectric · · Score: 5, Interesting
    Criminals in 2nd and 3rd world countries *LOVE* the internet because it gives them *ACCESS* to first world country victims. If a Russian guy can steal $100, that's less than a day's pay for me, but 6 months salary to him.

    I don't have the link anymore, but MSNBC did a writeup on my mother who some Russian jerkoffs tried to extort. They basically got her with a fish page, we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would this and that, then when that didn't work they sent messages *BEGGING* for us to send them $150 claiming they were poor and destitute and it was nothing to us.

    --

    Religion is a gateway psychosis. -- Dave Foley

  3. Re:Send money, or else. by LiquidCoooled · · Score: 5, Interesting

    It's amusing to note people's reactions when they hear that XYZ is suffering a DDOS attack.
    They invariably open the browser and attempt to open the site.
    It's natural human instinct, they open it, say "Yup, it's still down" and either click refresh a few times, or close it.

    Watching how slash/fark folks handle flooding a site is similar.

    --
    liqbase :: faster than paper
  4. IP Spoof Filtering... by Autonin · · Score: 5, Interesting

    I agree - Null Routes aren't the answer here. But something that ISPs *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

    It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACLs on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IPs they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.

    Apparently this is such a Herculean effort, however, that no ISPs I know of do this consistently. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.

    Maybe if this sort of extortion scheme happens enough, proper pressure can be brought to bear on the ISPs to do this.

    --
    -AutoNiN
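An added illustration of the per-customer-port egress filtering Autonin describes (this is example code, not part of the thread; the port names, prefix assignments and packet records are constructed). It checks each outbound packet's source against the address space assigned to the port it arrived on, counts forged packets per port so the offending segment can be isolated, and emits the equivalent Cisco IOS style extended ACL for a port.

```python
"""Egress anti-spoofing filter: a customer port may only source its own prefixes."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed assignment table: which address blocks each customer port owns.
# A real ISP would populate this from its provisioning database.
PORT_PREFIXES = {
    "port-1": [ip_network("203.0.113.0/26")],
    "port-2": [ip_network("203.0.113.64/26"), ip_network("198.51.100.0/28")],
}

def is_valid_source(port, src):
    """True if src lies inside the address space assigned to this customer port."""
    addr = ip_address(src)
    return any(addr in net for net in PORT_PREFIXES.get(port, []))

def filter_egress(packets):
    """Classify outbound (port, src, dst) records.

    Returns the packets that may be forwarded and a per-port count of forged
    sources, i.e. which physical segment the spoofed traffic really came from.
    """
    forwarded = []
    spoofed = Counter()
    for port, src, dst in packets:
        if is_valid_source(port, src):
            forwarded.append((port, src, dst))
        else:
            spoofed[port] += 1
    return forwarded, spoofed

def acl_for_port(port, name=None):
    """Render the same policy as an IOS extended ACL (wildcard masks, not prefix lengths)."""
    name = name or f"ANTISPOOF-{port.upper()}"
    lines = [f"ip access-list extended {name}"]
    for net in PORT_PREFIXES[port]:
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines.append(" deny ip any any log")   # anything else is forged; log it for isolation
    return "\n".join(lines)

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    ("port-1", "203.0.113.5", "192.0.2.10"),     # legitimate
    ("port-1", "198.51.100.7", "192.0.2.10"),    # forged: port-2's space used from port-1
    ("port-1", "10.0.0.1", "192.0.2.10"),        # forged: private address
    ("port-2", "198.51.100.7", "192.0.2.10"),    # legitimate
    ("port-2", "203.0.113.9", "192.0.2.10"),     # forged: port-1's space used from port-2
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(ok)} packets, dropped per port: {dict(bad)}")
    print(acl_for_port("port-2"))
```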
  5. Time for a 'retrovirus' ? by MaineCoon · · Score: 4, Interesting

    As much as I hate to suggest it, it seems like underground vigilantism may be the only way to deal with the problem currently.

    It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).

    At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them, would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyways (can't afford anti-virus software or are running pirated versions of Windows that they can't patch).

    The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something up stream), and implement blocking at that end. But that's talking expensive hardware...

    --
    Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
    1. Re:Time for a 'retrovirus' ? by Croaker · · Score: 4, Interesting

      Actually, there might be an easier way to take down zombie networks than creating a roaming virus... As I understand it, most zombie networks take their marching orders by watching an IRC channel on some server someplace. If you can figure out where the channel is, and can manage to compromise it, you should be able to hijack the zombie network and make it patch itself and then uninstall the viruses.

      Instead of polluting the net even more with "retrovirus" traffic, this would be a surgical strike, although timing would be critical. I assume they shift IRC servers and channels fairly frequently, and the IRC servers might be well hardened.

  6. I'm not a very good network admin by scribblej · · Score: 5, Interesting

    Or at least, I like to think I'm not very good. There's so much to know, and I only know a tiny part of it.

    My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"

    I like to respond, "Nothing."

    But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?

    I would suggest the standard network security tips - close off any ports that aren't needed, etc --

    I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.

    I would suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.

    I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.

    I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.

    Is there any way to win?

    Is there any way I can tell my boss something other than "nothing?"

    Save me Slashdot! Pleeeeease!?