Slashdot Mirror
DDoS Extortion Attempts On the Rise
John Flabasha writes "There's an excellent article that originated on the LA Times and was syndicated to Yahoo News about DDoS attacks on online gaming and one of the solutions out there. Since when did ISP null routes go out of style?" We've run a number of previous stories about DoS blackmail attempts, like this one or this one.
Sure, Null Routes are great for throwing away traffic, but they don't work against DDoS (notice the extra "D"!). The whole _point_ of DDoS is that the traffic comes from so many sources that the manual work involved in blocking it is huge.
With great numbers come great responsibility!
Pay up or I'll suggest a /. article about you, and you know the editors will accept it too!
If only it were that simple.
Support more choices in goverment-Vote 3rd party.
You can't null-route a slashdotting.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Noone's going to blackmail me into using DOS again...
was that MS-DOS TRS-DOS, or Apple DOS?
The school network here has been getting attacked about once a week for the last month. I am really tired of the internet going down and getting 60% packet loss this often.
I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...
Aston Games
"That's a nice StarCraft server you have set up there. Be a shame if anything happened to it."
Honestly, that's what I thought when I read "extortion" and "online gaming."
Don't blame me, I voted for Durga.
I don't have the link anymore, but MSNBC did a writeup on my mother who some russian jerkoffs tried to extort. They basically got her with a fish page, we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would this and that, then when that didn't work they sent messages *BEGGING* for us to send them 150$ claiming they were poor and destitute and it was nothing to us.
Religion is a gateway psychosis. -- Dave Foley
Its amusing to note peoples reactions when they hear that XYZ is suffering a DDOS attack.
They invariably open the browser and attempt to open the site.
Its natural human instinct, they open it, say "Yup, its still down" and either click refresh a few times, or close it.
Watching how slash/fark folks handle flooding a site is similar.
liqbase
I agree - Null Routes aren't the answer here. But something that ISP's *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.
It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACL's on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IP's they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.
Apparently this is such a Herculean effort, however, that no ISP's I know of do this consistantly. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.
Maybe if these sort of extortion schemes happen enough, proper pressure can be brought to bear on the ISP's to do this.
-AutoNiN
Just to clarify for everyone, this is extortion against online *gambling* companies, not online gaming.
:)
You can call gambling "gaming" in the offline world, but not the online -- "online gaming" is already taken
Your friends are obviously not real e-commerce people. Everyone who has ever worked in tech support knows that all businesses lose millions of dollars a second every time anything related to their Internet service goes down.
When ever we make someting available to the general public there is a matter of time until some jirk finds a way to cause problems. The internet has been around for about 30 years and has been popular for about 10 years. So after this short time we have turned a means of comunication ( And what a lot of people think as a step to peace ) into a complete war zone. And because no one directly (Indirectly some one may) gets hurt, and it is a lot harder to track someone down, they will attack sites and ingage in Mob beheavior much more esially then in real life. So a person who is on the outside will seem like an ordanry citizan when on the internet becomes a massive crime lord extrorting thousands of dollars from companies. They should bring back public flogging as a form of punishment, it seems a suitable punishment for a criminal who comits his crime in anonmity.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
As much as I hate to suggest it, it seems like underground vigilantism may be the only way to deal with the problem currently.
It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).
At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them, would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyways (can't afford anti-virus software or are running pirated versions of Windows that they can't patch.
The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something up stream), and implement blocking at that end. But that's talking expensive hardware...
Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
Or at least, I like to think I'm not very good. There's so much to know, and I only know a tiny part of it.
My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"
I like to respond, "Nothing."
But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?
I would suggest the standard netowrk security tips - close off any ports that aren't needed, etc --
I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.
I woudl suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.
I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.
I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.
Is there any way to win?
Is there any way I can tell my boss something other than "nothing?"
Save me Slashdot! Pleeeeease!?
There's a couple of problems with handling the issue on the victim-side. Generally, a DDOS attack is a flood of packets with spoofed IP's (thus my eariler comment). This makes back-tracking or attacker isolation next to impossible to do. And since most attackers aren't following RFC 3514 (http://slashdot.org/articles/03/04/01/133217.shtm l) the firewall can't inherently detect which packets are 'naughty' and which packets are 'nice'.
Firewalls sometimes deal with connection overload by proxying the TCP three-way handshake and only allowing the completed handshakes through to the end server. Under attack, however, the firewalls themselves can have these connection queues saturated and then they begin selectively dropping a percentage of the connection requests. Since it can't tell valid from hostile, real users experience connectivity issues.
For UDP-based protocols, used by many real-time online games, there's simply no way to stem the flood other than drop packets above a certain threshold, also causing a partial DOS for valid users.
All of these measures also cannot address the bandwidth consumption issue. This can *only* be addressed upstream.
With IP spoof protection in place at end points where hostiles live, or at gateways to foreign networks, we can at least keep attackers to real IP's that we can then isolate and prosecute.
-AutoNiN
Another is WebMoney, mentioned on the spammer board SpamForum.biz. It's a anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.
There are a number of services like this. They come and go. There's Gold-Cash, in Latvia. There's EvoCash, at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association, which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.
Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.
Pull your head out of your ass and check before you state a wild guess as a fact:
"The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."
So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source.
You don't have anything to do with elections in Florida by any chance?
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
Yes, there are legit IRC users left. Its my primary method of communication with the people who host services on my equipment, or to coordinate upgrades, or whatever we need to do that requires real time communication.
To attack IRC servers just because thats the place where the bots go, is assanine and illegal. Some servers have 5000+ users on them, and the people who own/run those servers have enough problems as it is dealing with attacks from packet monkeys.
How would you like it if I DDoS'd your server because one of your users sent out spam? You'd probably be screaming bloody murder to the FBI about it.
Unless you are willing to allow other people to do the same things you want do to them at the exact same levels, don't even suggest that attacks are a way of dealing with a problem.
Brielle
Null routes are indeed a terrible way to defend against DDoS attacks. ISPs nowadays are investing up to millions of dollars in *intelligent* defenses. These are mostly anomaly-based Network Intrusion Detection Systems (NIDS) from companies like Riverhead Networks, Top Layer and Vsecure Technologies sometimes referred to as "attack mitigators". Instead of a full-fledged NIDS like Snort, these systems focus primarily on DDoS attacks, and while I haven't used one professionally I have spoken with several people who have (old-school, cynical networking/unix guys) and they say that they are very good at not blocking innocent traffic.
/22...) so this is nice in that it leaves your other stuff alone.
... the success of those will always be limited by the fact that they can only reduce the load somewhat, and a bandwidth exhaustion attack won't care if your site requires a login.
Basically they look for anomolies like the rate of traffic hitting a specific site, then they start to look for patterns in the traffic (source IP, packet size, packet interval, page requested, etc.). From there the detection boxes inform a second machine that "scrubs" the traffic, in other words drops all nefarious stuff. Some of these guys sit inline (inline=the packets must physically pass through them as light/electricity) or sit off the path, but send BGP Updates to the routers passing these packets. The BGP Update technique is interesting because it allows the normal routers to send traffic destined to the IP under attack through the scrubber because the router has a very specific route to that machine, while the rest of the subnet is routed normally. Anyone familiar with BGP knows that you advertise the biggest supernet possible (/20,
I'm sure some products use null routing at the end of this process, but it isn't some geek sitting at a keyboard typing in IPs. It's intelligent automation (at least one product actually checks to see if its remedy fixed the problem, and if it didn't it undoes the fix). I can tell you for a fact that AT&T is deploying a bunch of these attack mitigators (Riverhead - now part of Cisco) in their routing core.
As for writing an Apache module or taking steps on the actual target web site
My regime plans to overthrow your regime using rhetoric and innuendo, and replace it with a mildly anarchistic commune run by warlords and charismatic pop idols. Then we will declare your supporters as non-humans, and hunt you through the streets.
:->
I intend to make this country profitable by selling the right to watch the country on television to countries like Russia and China. This effectively combines their dislike of Americans with their youths addiction to our media.
Just kidding.
- sarcasm is just one more service we offer -