Slashdot Mirror

← Back to Stories (view on slashdot.org)

Taking on an Online Extortionist

Posted by timothy on from the and-shove-it dept.

An anonymous reader writes "When an online exortionist comes a knocking, threatining a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of buisness. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"

4 of 784 comments (clear)

  1. Re:oblig Churchill by sqlgeek · · Score: 5, Informative

    "We shall not flag nor fail. We shall go on to the end. We shall fight in France and on the seas and oceans; we shall fight with growing confidence and growing strength in the air. We shall defend our island whatever the cost may be; we shall fight on beaches, landing grounds, in fields, in streets and on the hills. We shall never surrender and even if, which I do not for the moment believe, this island or a large part of it were subjugated and starving, then our empire beyond the seas, armed and guarded by the British Fleet, will carry on the struggle until in God's good time the New World with all its power and might, sets forth to the liberation and rescue of the Old."

  2. Re:Curious by dougmc · · Score: 5, Informative
    But how does slashdot itself cope with the high traffic?
    Lots of bandwidth, lots of hardware. Since it gets `slashdotted' every single day, it'll be pretty easy to predict how much traffic you'll get tomorrow -- approximately the same as you got yesterday, perhaps a bit more.

    But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.

    Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000x fold increase.

  3. HALF of the article -- anyone get mopre by Anonymous Coward · · Score: 5, Informative
    Online Extortion How a Bookmaker
    and a Whiz Kid
    Took On an Extortionist
    and Won Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this. Saturday, Nov. 22, 2003, 7:57 a.m.
    Origins of an Onslaught

    The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."

    Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.

    If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.

    Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I saidGod, in hindsight, what an idiotI said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.

    As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.

    That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's officeshe had no interest in baby-sitting infrastructure in Costa Ricabut he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.

    When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.

    At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.

    The Extortion Problem

    We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatene

  4. Re:oblig Churchill by Mathieu+Lu · · Score: 5, Informative

    3 digit amateurs :-)