Slashdot Mirror
Taking on an Online Extortionist
An anonymous reader writes "When an online exortionist comes a knocking, threatining a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of buisness. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
Mirror here.
Very true, this post could have much worse consequences than they could ever throw at you.
I have determined that my personal website would stand for less than 4 seconds if it were to receive a propper slashdotting.
Needless to say I don't take threats like this very seriously. Here are the options I see:
1. Give in and pay up like a good pansy
2. Form a team of cyber attack monkeys to do your bidding
3. Launch a counter offensive with a team of script kiddies and their IRC Bots
4. Contact the authorities and report the threat, block the IPs delivering said packets, carefully monitor your servers like a good admin, and prevent the traffic that you deem as harmful.
If they really threw all that much at you, it would take a very sophisticated attack to not leave a large enough trail to figure out where it came from and actually do something about it.
This sig has been removed pending an investigation.
They prefer to use cracked ICQ accounts because it adds some misdirection to point to an existing entity, an older account may be less likely to be instantly shut off by automatic processes, and well, they're L33T H4X0RZ and cracking is what they like to do (at least the kids working for the extortionists -- the folks running the show are probably pretty rational organized crime types).
I am no longer wasting my time with slashdot
"We shall not flag nor fail. We shall go on to the end. We shall fight in France and on the seas and oceans; we shall fight with growing confidence and growing strength in the air. We shall defend our island whatever the cost may be; we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall never surrender and even if, which I do not for the moment believe, this island or a large part of it were subjugated and starving, then our empire beyond the seas, armed and guarded by the British Fleet, will carry on the struggle until in God's good time the New World with all its power and might, sets forth to the liberation and rescue of the Old."
But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.
Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000x fold increase.
Looks like you don't understand how DDOSs work. They get a whole lot of hijacked computers with DDOS trojans installed on them. MSIE makes this quite easy. Then they launch a DDOS at a website. You can't "block" the packets on the server because by the time your server gets them it's too late -- they have already clogged up your pipe. In fact, the traffic will probably overwhelm your ISP unless they are very large. The only place to block them would be on the ISPs main router, and that's pretty hard to do given that there could be thousands of different bots and they aren't that terribly different from ordinary users (other than the amount of traffic they generate).
This is an appeal to network admins working at ISPs, whether large or small. You have a responsibility to make sure that spam/attack zombies don't exist on your networks. These days it's a trivial task to check to make sure you're not part of the problem. This can be scripted so that you receive periodic reports of problem hosts on your system, which you can then firewall, disconnect, or restrict access to.
There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies.
If they really threw all that much at you, it would take a very sophisticated attack to not leave a large enough trail to figure out where it came from and actually do something about it.
Not really.
a) 0wn a bunch of zombie machines. This is what they do in their free time while chatting on irc.
b) Go to college computer lab.
c) Initiate attack.
From a victim's standpoint, you're not going to be able to track much more than the zombies. The zombies aren't going to be keeping logs of who spurs them into action (which is often via a non-standard method... you're not going to find someone making a TCP connection to those machines). Even if, somehow, you were able to actually figure out the initiating machine, the individual doing it could go through any number of proxies (these people generally 0wn several shell accounts also). And on top of that, like I said, they can log in from a lab or whatever with little to no accountability or identification whatsoever.
Remember that the site in this article was getting hit with over 3 gigabits of traffic a second under the pressure of a DDoS composed of an estimated 35k bots. Now imagine that your average dedicated server account comes with a 10 megabit pipe. It would take a lot fewer consistent requests to slow everything to a crawl. And often these sites are on shared servers, competing with anywhere from 5-200 other sites for the pipe and the processing power.
And in most cases they don't need it. Why would a site used to getting 20,000 hits a day put out the money for capacity 200,000 hits in a few minutes? They try to keep enough capacity to handle 20-50% daily usage spikes, sometimes maybe even 100%, but not a gazillion percent.
Slashdot has big pipes, multiple servers, load balancing and various optimizations that your average site doesn't. They even shut down certain functions under really heavy load (ever notice that sometimes the site search is theirs and sometimes it routes you to Google?). But except when being slashdotted, the average site doesn't need those.
- Greg
Start a happiness pandemic
If your not sure who you should report this kind of stuff too (local or RCMP), you can make use RECOL.ca(Reporting Economic Crimes On-line). They can direct your complaint to the proper force/department.
In terms of the RCMP, it's usually the Commercial Crimes Division (they'll then bring the Tech. Crime guys in as needed).
I've had some experience with this, having worked at an ISP, and we got assistance from our own upstream provider (telco with terabits of connectivity) to start putting blocks in place. This filtered out a several-hundred-megabit flood on one occasion, and was demonstrated later again when Slammer hit (done on their own starting about an hour or so after the ISP world was so harshly awakened by it).
You can never go home again... but I guess you can shop there.
and a Whiz Kid
Took On an Extortionist
and Won Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this. Saturday, Nov. 22, 2003, 7:57 a.m.
Origins of an Onslaught
The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.
If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.
Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I saidGod, in hindsight, what an idiotI said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.
That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's officeshe had no interest in baby-sitting infrastructure in Costa Ricabut he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.
When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.
At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.
The Extortion Problem
We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatene
How a Bookmaker
and a Whiz Kid
Took On an Extortionist --
and Won
Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this.
CSO Magazine
May 2005
By Scott Berinato
Saturday, Nov. 22, 2003, 7:57 a.m.
Origins of an Onslaught
The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.
If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.
Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said--God, in hindsight, what an idiot--I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.
That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's offices--he had no interest in baby-sitting infrastructure in Costa Rica--but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.
When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.
At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.
The Extortion Problem
We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 1
Protection rackets have territories. You pay whoever currently controls your territory. If a competing salesman comes by, you let your current "protector" know, and they duke it out. You keep paying the winner.
Depends. You can't forge tcp connections, which make really good DoS packets because they tie the target server up much more.
Granted: a raw bandwidth attack can use UDP, ICMP, or a TCP SYN, ACK, SYN-ACK or RST packet, and could be usefully forged.
There's a fairly riviting thread on the Intrusions list about a DDoS attack in Jan-Feb (may still be going on) that eventually involved some 80,000+ bots. It was defeated with Squid (on OBSD), as well as active upstream providers. The bots repeatedly went to load a file via http, which tied up the web server. Since the tcp connection was actually made, the src ip was known. The bots were apparently installed via drive-by download, rather than worm or email.
I'm the head network engineer at an isp.
2 years ago one of our customers recieved a DDOS email and he called me and asked me what he should do.
I told him to ignore it and honestly I found it quite amusing, thinking it was script kiddies.
I wasn't laughing 24hrs later as they completely saturated our pipes and our border routers (7206 VXR's at the time) were locked at 100% cpu.
I've taken serious steps since then to be ready. it wasnt a pleasant experience though and happened right in middle of business day.
I don't think we can every take away the bots (it would be nice), because we are seeing P2P bots that run encrypted communications between each other. The attacker guy just tosses his instructions into the P2P stream and they distribute over the entire network - creating a nearly headless command less network that can (once started) operate decentralized. These easy IRC bots are almost a thing of the past now. The point being, as the code base for bot networks grows they will get more complicated and more difficult to shut down.
If a blackhat geek can download source code and knows how to hack it up, he/she can do anything they want. Then it's down to just finding open machines to install their goods on. Policing the Terabits-per-second of backbone traffic for odd-ball P2P traffic like that is a bad idea.
Prolexic also gets attacks now that may not have any botnet, some Ixia (packet generator) connected in Asia-Pac blasting 600 Mbps of generated packets does the same as a 10-20k botnet. We believe to have been attacked by something similar to that at least twice.
The main problem is, there are just bad people out there and you need to create security policy that protects your business. If your revenue stream comes from your online business, then you should protect your online business and not hope your ISP will do that for you.
-Barrett
This is not to underplay the Russian fighting ability (a mere 40 of them in a grain silo held an entire German battalion at bay for 3 months at Stalingrad for instance), but in Stalin's words: "My two best generals are January and February."
Hitler wasted time putting down a silly uprising in the Balkans when he should have been invading, thereby delaying operations for a crucial six weeks and ensuring the Russian winter played a decisive role.
--- Hot Shot City is particularly good.
SQL Slammer worked by infecting computers over ports that barely need to be open to the immediate local network, let alone open to some guy in a Belgian basement. The port exploited was used to tell prospective SQL clients where to connect for their SQL needs, which if needed to be done remotely should've been done so over VPN.
In this case, boneheaded admins should've received the mother of all wakeup calls.
1) If /. has linked to your site, that means your site still needs to serve up the main page. You could coralize your images and such and save some bandwidth that way, but if your web server can't even serve that first page under the load, you're screwed. And if you do find yourself /.ed, and go and coralize your site real quick, then it'll be a while before the traffic slacks off enough for the coral servers to even reach your site to get the images that you've coralized.
Many sites do replace their fancy dynamic pages with a `hi slashdotters!' page after getting /.ed ... saves a lot of cpu on the box. But if what's special about your site is the dynamic aspect of it, well, that won't work.
2) Coral won't do files over 50 or 100 MB. So if you've got some large download, you'd better set up a Bit Torrent instead ... and fast.
3) Currently, Coral uses some non-standard ports that some places may not be able to access due to restrictive firewalls. I understand that this is to change.
4) Coral uses some DNS tricks that don't work with the entire world. Specially, Windows DNS servers tend to have problems with it.
But still, mentioning coral as a way of reducing the /. effect is an excellent idea. It's not the perfect solution, but it's pretty good.
He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said--God, in hindsight, what an idiot--I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
Is this guy's last name really 'The Easy Bum'? Wow, lol.
The speech was even better:
"we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall throw bottles on them if that is what we have"
The sentence about bottles was actualy cut out by the BBC censor because the humor was too black. (UK had very few heavy arms left after fiasco in France.)
I doubt that we will ever figure out - and I suspect that even if we did figure out we couldn't do much about it
3 digit amateurs :-)
Yes, OpenBSD.
Free and it does stateful inspection.
Early in his political career he said many many things considered politically incorrect (especially about women). As he got older he toned it down a lot more, although, I don't know if that's because he had a change of heart or just didn't want to deal with the hassle of offending people.
Certainly, he was no saint...not even close. Nor was he trying to be. He was simply trying to save his country and he was the perfect man for the job at the time.
Any man who afflicts the human race with ideas must be prepared to see them misunderstood. -- H. L. Mencken
Usually in states that permit using deadly force to stop a crime you either have to believe your life is in danger or someone else's life is in danger. This would include using deadly force to stop first degree arson (setting fire to an inhabited building) but not necessarily other felonies. Enforcement varies depending on the local district attorney and law enforcement so depending on the location, you could find yourself in a lot of legal trouble even if what you did was expressly permitted under the law.
A majority of the time spent in CCW classes is for studying the laws that apply in these situations.
This is plain wrong. I lived in Texas and this is NOT legal. To have a justifiable shooting, the person must be in your house or attempting to break into your house while you are there. Just like other states, if you shoot someone in the back as they are trying to escape, you are breaking the law.
Texas Penal Code 9.42 B (when deadly force is allowed)
to prevent the other who is fleeing immediately after committing burglary, robbery, aggravated robbery, or theft during the nighttime from escaping with the property;
Try reading the law sometime. I won't quote the whole law, but it really means what it looks like. Shooting them in the back is ok based on the way the law is written.
Despite what the press would have you believe, most of us in TX are just like you and me.
I was born and raised in TX and lived 26 years there. What the people are like there is irrelevant to what the law says.
Learn to love Alaska
Aside from that, your philosophy leaves a huge gaping hole in the murder laws. Suppose you want someone dead. You give them a nice gift. As they are walking away, you shoot them in the back of the head and kill them. You are arrested and claim they were running away with your property.
That is why the law doesn't work the way you claim. When someone claims self-defense, they are generally prosecuted anyway. In most states, if you claim self-defense the burdon of proof is on you to prove that your life was in immediate danger (the prosecution only has to prove that you killed the person, which you will confess to in order to claim self-defense). If you fail to prove that your life was in danger, you will be convicted of murder.
Actually, anyone with a UID below 4 or 5000 or so probably dates back to the early days before /. had accounts, and you really can't tell all that much about who came first or anything with numbers that low. I mean, I signed up the day they announced that that they were offering accounts, and I ended up with this crappy four-digit number! :)