Slashdot Mirror
DDoS Extortion Attempts On the Rise
John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
Sure, Null Routes are great for throwing away traffic, but they don't work against DDoS (notice the extra "D"!). The whole _point_ of DDoS is that the traffic comes from so many sources that the manual work involved in blocking it is huge.
With great numbers come great responsibility!
Pay up or I'll suggest a /. article about you, and you know the editors will accept it too!
If you dont send 1,500$ to the following PayPal acount I will post an article about your company on Slashdot.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
If only it were that simple.
Support more choices in goverment-Vote 3rd party.
You can't null-route a slashdotting.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Noone's going to blackmail me into using DOS again...
was that MS-DOS TRS-DOS, or Apple DOS?
The school network here has been getting attacked about once a week for the last month. I am really tired of the internet going down and getting 60% packet loss this often.
I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...
Aston Games
"That's a nice StarCraft server you have set up there. Be a shame if anything happened to it."
Honestly, that's what I thought when I read "extortion" and "online gaming."
Don't blame me, I voted for Durga.
Comment removed based on user account deletion
Sooner or later they're gonna try to extort the wrong people, and then Luca Brasi shows up at their doorstep.
Apparently, Prolexic Technologies is the company that's providing the DDoS Solution.
I don't have the link anymore, but MSNBC did a writeup on my mother who some russian jerkoffs tried to extort. They basically got her with a fish page, we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would this and that, then when that didn't work they sent messages *BEGGING* for us to send them 150$ claiming they were poor and destitute and it was nothing to us.
Religion is a gateway psychosis. -- Dave Foley
I agree - Null Routes aren't the answer here. But something that ISP's *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.
It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACL's on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IP's they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.
Apparently this is such a Herculean effort, however, that no ISP's I know of do this consistantly. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.
Maybe if these sort of extortion schemes happen enough, proper pressure can be brought to bear on the ISP's to do this.
-AutoNiN
...aren't there firewalls that can handle this yet? Ok, so you probably can't stop it initially but surely we have equipment capable of detecting which clients are hitting the site in an abnormal manner and ignoring their traffic - at least in the short term (Hours / Days).
That should realistically mean that whilst you might lose the site for half an hour you shouldn't be losing it for days at a time. Anything like this exist? I would have thought that the bigger gambling sites would be all over it by now.
People that believe in their opinions don't post AC.
Just to clarify for everyone, this is extortion against online *gambling* companies, not online gaming.
:)
You can call gambling "gaming" in the offline world, but not the online -- "online gaming" is already taken
From the article
But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.
"Pay us and we'll save you from DDoS". Where have I heard that before?
I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?
Your friends are obviously not real e-commerce people. Everyone who has ever worked in tech support knows that all businesses lose millions of dollars a second every time anything related to their Internet service goes down.
When ever we make someting available to the general public there is a matter of time until some jirk finds a way to cause problems. The internet has been around for about 30 years and has been popular for about 10 years. So after this short time we have turned a means of comunication ( And what a lot of people think as a step to peace ) into a complete war zone. And because no one directly (Indirectly some one may) gets hurt, and it is a lot harder to track someone down, they will attack sites and ingage in Mob beheavior much more esially then in real life. So a person who is on the outside will seem like an ordanry citizan when on the internet becomes a massive crime lord extrorting thousands of dollars from companies. They should bring back public flogging as a form of punishment, it seems a suitable punishment for a criminal who comits his crime in anonmity.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
As much as I hate to suggest it, it seems like underground vigilantism may be the only way to deal with the problem currently.
It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).
At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them, would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyways (can't afford anti-virus software or are running pirated versions of Windows that they can't patch.
The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something up stream), and implement blocking at that end. But that's talking expensive hardware...
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
Or at least, I like to think I'm not very good. There's so much to know, and I only know a tiny part of it.
My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"
I like to respond, "Nothing."
But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?
I would suggest the standard netowrk security tips - close off any ports that aren't needed, etc --
I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.
I woudl suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.
I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.
I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.
Is there any way to win?
Is there any way I can tell my boss something other than "nothing?"
Save me Slashdot! Pleeeeease!?
So most of these bots use IRC to get their marching orders- so why not disrupt that method of communication?
This can be done on the ISP level, or at a personal level by blocking ports or what have you- or even by DDoS'ng known IRC servers themselves (a taste of their own meds?).
Just a thought
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
for some reason people in many 2nd and 3rd world countries are raised on propaganda (often from their government) believing that every single american is a millionaire.
Another is WebMoney, mentioned on the spammer board SpamForum.biz. It's a anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.
There are a number of services like this. They come and go. There's Gold-Cash, in Latvia. There's EvoCash, at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association, which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.
Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.
If one were to know the irc channel that a DDoSer uses to communicate with the zombie machines, is it possible to spam the channel with commands that will physically shut down the zombies, like a poweroff command in Linux, thus mitigating the effect?
It could be a Denial of Denial of Service Attack, or DoDos. I confess I might be simplifying the issue too much.
In this case, you'd have to:
1. Identify a DDoS is in progress.
2. Pick one of the zombie IP addresses.
3. Identify the type of DDoS it is performing, by trying all known ones (if it is out there in quantity, it is likely known).
4. Find it's IRC channel and spam it with poweroff commands.
5. DDoS stops happening.
Pull your head out of your ass and check before you state a wild guess as a fact:
"The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."
So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source.
You don't have anything to do with elections in Florida by any chance?
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
Null routes are indeed a terrible way to defend against DDoS attacks. ISPs nowadays are investing up to millions of dollars in *intelligent* defenses. These are mostly anomaly-based Network Intrusion Detection Systems (NIDS) from companies like Riverhead Networks, Top Layer and Vsecure Technologies sometimes referred to as "attack mitigators". Instead of a full-fledged NIDS like Snort, these systems focus primarily on DDoS attacks, and while I haven't used one professionally I have spoken with several people who have (old-school, cynical networking/unix guys) and they say that they are very good at not blocking innocent traffic.
/22...) so this is nice in that it leaves your other stuff alone.
... the success of those will always be limited by the fact that they can only reduce the load somewhat, and a bandwidth exhaustion attack won't care if your site requires a login.
Basically they look for anomolies like the rate of traffic hitting a specific site, then they start to look for patterns in the traffic (source IP, packet size, packet interval, page requested, etc.). From there the detection boxes inform a second machine that "scrubs" the traffic, in other words drops all nefarious stuff. Some of these guys sit inline (inline=the packets must physically pass through them as light/electricity) or sit off the path, but send BGP Updates to the routers passing these packets. The BGP Update technique is interesting because it allows the normal routers to send traffic destined to the IP under attack through the scrubber because the router has a very specific route to that machine, while the rest of the subnet is routed normally. Anyone familiar with BGP knows that you advertise the biggest supernet possible (/20,
I'm sure some products use null routing at the end of this process, but it isn't some geek sitting at a keyboard typing in IPs. It's intelligent automation (at least one product actually checks to see if its remedy fixed the problem, and if it didn't it undoes the fix). I can tell you for a fact that AT&T is deploying a bunch of these attack mitigators (Riverhead - now part of Cisco) in their routing core.
As for writing an Apache module or taking steps on the actual target web site
1) Log zombie IP.
2) Expoit zombie using the same exploit used to 'zombify' it in the first place.
3) Patch zombie machine.
4) Repeat.
Is this feasible?
Theres always DDOS extortion attempts on IRC, like this case...
<h4ckrr> gimme opz or i fl00d u!
<Daishi> no
*h4ckrr has quit (Ping timeout)
(\_/)
(O.o) This is Bunny. Add Bunny to your signature
(> <) to help him achieve world domination.
First license would be free if you can pass the multiple-choice test. If it's revoked, you have to take a class and pay $50 to have it reinstated. Reasons for revocation would include, among other things, having your system compromised and used to attack other systems. That'd take care of all those zombie systems in one easy step. Having your Internet license revoked more than three times would be grounds for revoking your breeding license (Which will have somewhat more stringent entry requirements to begin with.)
Other countries which my regime has not yet assimilated will not be left out. They can either adopt my policies or have their traffic signed by a generic key when it enters my country. Of course, if the generic key gets revoked, everyone using it will be out of luck...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
There can only be so many zombies out there. Sure, the number is growing, but one can probably pick them out of a crowd over time. Why not have an RBL for zombies... when X clients to the RBL report getting hit by the same zombie (before getting swamped, or after the DDOS finishes), add it to the RBL. Then perhaps we could start thinking about routering off IPs listed in the RBL, subnet blacklisting when a DDOS starts, or other countermeasures.
Cutting an infected machine off from the net entirely isn't such a bad option... having an infected machine spewing out spam and DDOS is similar to an HIV patient in a bordello...
Unfortunately Lativa is not in Russia.
Sig, we don't need no stinking Sig!
Back when SCO was claiming they were being DDoSed, many experts made claims that resulted in stories like the following:
The debate touches on more subjects than we could possibly cover here, but experts are claiming that SCO could have taken countless preventative measures to stop the attack affecting their services.
(see here)
Groklaw had a bunch of "experts" claiming it was easily stopped, as well, and suggested it was faked by SCO.
The truth is, as people here have pointed out, that it really doesn't matter what preventative action you take; if your pipe is full, your pipe is full, even if you drop all the packets when they hit your routers.
You can't easily beat a bandwidth saturating attack.
-Dan
Our CC processing company is getting HAMMERED again today with a DDOS. Now how am I going to process those fraudulant Nigerian orders?
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
Tell me (and the rest of Slashdot) a little more about how your service works. I work for an ecommerce provider with some money to throw at the problem, if you really can make it go away. I tend to think in technical terms, though, so you won't make a sale here unless I really end up feeling like I understand how you can help.
The amazing Trevor Blake posted this fine news up to http://www.amsam.org/ recently..
- ddosfaq.html#3.04 /content/cutting_edge.guest.html4 /content/cutting_edge.guest.html
Rush Limbaugh Coordinates Denial of Service Attack
Transcripts from Rush Limbaugh's own Web site from his show confirm that he coordinated a Denial of Service attack on a third party's Web site. This is a crime punishable by up to 5-10 years incarceration, according to one source[1]. The victim of this attack has elected to
not seek legal compensation, but that does not make the attack any
less illegal.
Rush Limbaugh, September 28, 2004:[2] "Let's shut this website down,
folks. Shall we? [...] I don't often suggest this kind of thing, but
this could be fun here. [...] And, you know, we've shut down the
server, folks. That's why you can't get through. Don't tell me the
address is wrong, that's what happens when you ask about five million
people to go to the same website at once, you shut it down, that was
the objective here. We want them to get all excited and say wow, our
website is taking off. Essentially in the computer world what we've
created here is a DOS, a denial of service attack, so many people
trying to get in at one time."
Rush Limbaugh, September 30, 2004:[3] "And so when I heard about this
I thought we'd have a little fun with it. [...] I said, 'Let's go shut
'em down, folks,' meaning not put 'em out of business, but let's just
flood them with activity knowing full well that that's always gonna
happen when I give a web address here and suggest people go look at
it. There are simply too many millions of people here, and this is
obviously a small website. Shut it down for awhile. "
[1] http://www.seifried.org/security/network/20020305
[2] http://www.rushlimbaugh.com/home/daily/site_09280
[3] http://www.rushlimbaugh.com/home/daily/site_09300
Poor little clams! Snap! Snap! Snap! Poor little clams! Snap! Snap! Snap! Poor little clams! Snap! Snap! Snap!