Taking on an Online Extortionist
An anonymous reader writes "When an online extortionist comes a knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
"We will fight them in the CAT5, on the routers, in the packets. We will never surrender"
:)
Or however he said it
I enjoy large posteriors and I cannot prevaricate.
"They threw everything they had at us. I was just in shock."
I guess that includes getting a mention on Slashdot?
Troc
Troc's dubious podcast and blog: http://www.trocnet.net
Seems kinda brutal to hit them with another DDOS.
Slashdot's name? When my compiler sees
It makes me wonder if this new anti-DDoS company can somehow establish relationships with ISPs to track back the zombies and get them shut down more quickly? Seems that would be the sanest and most effective tool -- take away the bots. No bots -- no botnet -- no attacks.
John
Mirror here.
If they actually get money, they'll do it again and again.
Any measure of success will encourage more of the same behaviour.
Glad to see someone standing up to these thugs. I remember a few years ago, the ISP that I admin'd hosted the connection for http://www.defcon.org/. We had someone start a Smurf attack from the Con, targeting our inbound T3's. We were able to track it down, and actually snatch him out of his seat right there at the con. He promptly apologized (I think, he only spoke German, IIRC). The look on his face was priceless. Oh, did I mention that me, and everyone else at the company carry Glock 19's? Yeah, we didn't have any more problems for the rest of the con. Everyone was on their best behaviour. A bunch of fine, upstanding individuals. :)
I would think in the situation that the e-mail was ignored, it would enrage the extortionist into firing a warning shot, one that would for SURE get the guy's attention. In fact, from the article, it looks like that is sort of what happened. He didn't respond, just first sought consultation and alerted his ISP. Then the extortionist sent a second threat, but not until he had crashed a few ISP servers to get some attention.
They prefer to use cracked ICQ accounts because it adds some misdirection to point to an existing entity, an older account may be less likely to be instantly shut off by automatic processes, and well, they're L33T H4X0RZ and cracking is what they like to do (at least the kids working for the extortionists -- the folks running the show are probably pretty rational organized crime types).
I am no longer wasting my time with slashdot
Find out where they live and call their mom.
This is where R'ingTFA comes in...
If no joy from the authorities, I'm sure your local newsrag would be glad to shame the cops into doing something. Of course, if the extortionist is overseas, things might be a little difficult.
Again, this is where R'ingTFA comes in. I'd also add that one downside of moving your business to an unregulated third world country is that neither the local journalists nor the local cops are especially interested in your gringo problems. I don't understand why Scotland Yard bothered with him.
Extorting a gambling site? That strikes me as a LLM (life limiting move, c.f. career limiting move).
Many gambling sites still have connections to, shall we say, respectable businessmen of the Italian or Asian persuasion, who are used to handling such matters extra-legally.
You might just wake up one day with your computer's monitor (cables severed with an ax) in bed with you.
Or Guido and Nunzio standing over you, giving you tips on the finer points of extortion while they wait for the concrete to set.
www.eFax.com are spammers
Actually, in relation to that, what happens when your spamfilter marks such an email as spam. I guess you can say that's a major false positive.
Some ISPs are doing customer-level ingress filtering -- e.g. if the "other end" of the cable modem gets a packet whose src address is not that of the cable modem, drop it on the floor, it's forged.
The ease of infecting home XP systems remotely means you sometimes find teenagers with tens of thousands of zombie computers at their control. They can sell them to spammers, too.
The ease of doing massive DDoS attacks is why I stopped running an IRC server, and also stopped a research project I was doing related to inter-protocol messaging. It wasn't worth the hassle.
Fighting back is hard if you don't know who to fight, but in the case of extortion, (1) document everything on paper, (2) keep timestamped printed IRC logs of all conversations, and full email printouts; (3) ask some other people to print copies of their IRC logs when appropriate. Then contact the RCMP (or if you are in the USA, the FBI, but in the USA you need to show financial damage of $5,000 or more). Don't wait until it's all over before contacting them.
Good luck!
Liam
Live barefoot!
free engravings/woodcuts
Wormholes.
The thing with these DOS extortionists is that unlike the mafia or other groups they do not protect you from other extortionists. If you pay them they can stop their attack, but if someone else tries to attack you they cannot do anything.
But when you're running your own server, and it normally gets 50 hits/day, and then suddenly a Slashdot listing hits it with millions of hits in one day, well, that's harder to prepare for, because 1) you often don't know you're going to be on /. until it's already happened, and 2) is it even worth preparing for? It's just one or two days, and then things will go back to normal. More hardware and bandwidth may cost lots of money, money that you're not going to spend just so people can see pictures of whatever neat thing you did.
Really, the only sites that get /.ed are the smaller ones. The larger ones already have the hardware and bandwidth needed to handle it. Sure, a /.ing probably shows up on their mrtg reports, but it's probably just a 20% or so increase in traffic, not a 1000x fold increase.
This is an appeal to network admins working at ISPs, whether large or small. You have a responsibility to make sure that spam/attack zombies don't exist on your networks. These days it's a trivial task to check to make sure you're not part of the problem. This can be scripted so that you receive periodic reports of problem hosts on your system, which you can then firewall, disconnect, or restrict access to.
There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies.
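As an added example (not the poster's script and not grepcidr itself), the same audit the comment describes can be done with Python's standard ipaddress module: parse each downloaded blacklist dump, test every entry for overlap with the prefixes you are responsible for, and report what you need to clean up. The prefixes and the blacklist contents below are constructed samples drawn from the TEST-NET and documentation ranges, not real listings; the blacklist names are only labels.

```python
"""Audit your own address space against blacklist dumps (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: the prefixes this ISP is responsible for (hypothetical).
OUR_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Constructed sample of what downloaded dumps might look like: one IP or CIDR
# per line, with comments, blank lines and the odd junk entry mixed in.
SAMPLE_BLACKLISTS = {
    "cbl-sample": """
# example listing dump (constructed)
192.0.2.77
203.0.113.9
192.0.2.128/26
""",
    "sorbs-sample": """
198.51.100.200   ; outside our /25, must not match
198.51.100.44
not-an-address
2001:db8:100:7::1
""",
}


def parse_blacklist(text):
    """Yield ip_network objects from a dump, skipping comments and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates CIDR entries with host bits set
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # unparsable entry: ignore it rather than abort the audit


def audit(our_networks, blacklists):
    """Return {listed_entry: [blacklist names]} for entries inside our space."""
    ours = [ipaddress.ip_network(n) for n in our_networks]
    hits = defaultdict(list)
    for name, text in blacklists.items():
        for entry in parse_blacklist(text):
            for net in ours:
                if entry.version == net.version and entry.overlaps(net):
                    hits[str(entry)].append(name)
                    break
    return dict(hits)


def addresses_covered(hits):
    """Number of addresses the listed entries span (size of the cleanup job)."""
    return sum(ipaddress.ip_network(e).num_addresses for e in hits)


def report(hits):
    """One line per listed entry, IPv4 before IPv6, each version in address order."""
    def key(e):
        net = ipaddress.ip_network(e)
        return (net.version, net)
    return "\n".join(
        f"{entry:24} listed on: {', '.join(sorted(hits[entry]))}"
        for entry in sorted(hits, key=key)
    )


if __name__ == "__main__":
    found = audit(OUR_NETWORKS, SAMPLE_BLACKLISTS)
    print(report(found) or "no listings overlap our address space")
    print(f"{addresses_covered(found)} address(es) to investigate")
```

In production the dumps would come from the rsync'd copies the comment mentions and the output would feed whatever firewall or quarantine step you run; the overlap test is the important part, because a listing can be a whole CIDR block as easily as a single host.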
That's the trick. Most people would say "bigger servers" and "bigger bandwidth". But I know the real reason. Notice how you get 'Service Unavailable'? Every so often? I found that if more than 50 people are accessing Slashdot at the same time, that their database cannot handle it. In reality, this site is hosted on an Amiga. Only 50 users you say? That can't be.... just look at my User ID!
All the 813,621 users before you don't really exist. These messages are randomly generated geek buzzwords. "Users" are given personalities, ranging from "Linux lover" to "Windows loser", from "I'm just a troll" to "IAARS", from "Funny" to "I take myself serious, but no one else does".
Those "personalities" alter the pre-populated phrase list according to topic (actually, I am not even sure the topic matters). Think of it as an advanced Turing simulation.
I was fooled for my first three months. Then, I saw the predictable responses, and realized that there was no actual intelligence here. Just the occasional real life person who wanders in and is fooled for a while. The auto-misspell feature was a nice addition, I have to admit.
Want proof? Pick a user id. Peruse message list. Notice the lack of variety? Notice the lack of real meaning behind each message? And when there is real content, try browsing earlier messages. You will find phrases ripped verbatim from an earlier post.
Of course, you may also be a bot. CommanderTaco is always making tweaks to the message generation algorithm (though his posts, too, are mostly generated by code). I will have to peruse your message history when I am done posting here.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Okay, I first read that as "Online Exorcist." I'm thinking, how does THAT work? TO: Satan@littlegirlshead.com
From: Father Mayai (Yes, you may!)
Subject: Notice of Eviction
But like I said, he's cleaned up his act in recent months, so I no longer have a beef with him. Some folks, on the other hand, still hold this against him--which isn't an entirely unreasonable position to take.
Obliteracy: Words with explosions
If only there was some kind of online medium for news articles where answers to questions like these could be answered!
... without concern for U.S. bookmaking laws
Oh wait...
You can send us $40K by Western Union [and] your site will be protected
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans
Lyon says, "I could have left it alone, but I had gotten attached, and I started investigating. I came up with some interesting techniques to trace back the attacks." He turned over his work to several law enforcement agencies, but he never heard about it again.
"Um, hello - FBI? Hi. Yes I run a website gambling business offshore in Costa Rica and I just got threatened by someone who says they will shut me down unless I wire forty thousand via Western Union to someone in Belarus who *click* Hello?"
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Dane-geld
:)
(A.D. 980-1016)
IT IS always a temptation to an armed and agile nation,
To call upon a neighbour and to say:--
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation to a rich and lazy nation,
To puff and look important and to say:--
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray,
So when you are requested to pay up or be molested,
You will find it better policy to say:--
"We never pay any one Dane-geld,
No matter how trifling the cost,
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
- Rudyard Kipling
Anyone willing to try their hand at "updating" this to fit online extortion? This could be lots of fun
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
and a Whiz Kid Took On an Extortionist and Won
Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them. If you collect revenue online, you'd better read this. Saturday, Nov. 22, 2003, 7:57 a.m.
Origins of an Onslaught
The e-mail began, "Your site is under attack," and it gave Mickey Richardson two choices: "You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months," or, "If you choose not to pay...you will be under attack each weekend for the next 20 weeks, or until you close your doors."
Richardson runs BetCris.com, an online wagering site, one of hundreds of sites ensconced in Costa Rica that take bets from Americans (and others around the world) without concern for U.S. bookmaking laws. Richardson received the e-mail just as he and his competitors were preparing for the year's busiest wagering season. With pro and college football, pro and college basketball and other sports in full swing, and with Thanksgiving and Christmas about to create plenty of free time, BetCris and the others stood to rake in millions over the holidays. Richardson was even planning an advertising blitz for the season to drive new traffic to his site.
If BetCris went down, he knew his customers would find another online bookie, "which will cost you tens of thousands of dollars in lost wagers and customers," the extortionists reminded him.
Despite all that, the e-mail didn't have the fearsome effect on Richardson that the extortionists hoped it would. He just asked his network administrator, Glenn Lebumfacil, if they should be concerned. "I said -- God, in hindsight, what an idiot -- I said, 'We should be safe. I think our network is nice and tight,'" recalls Lebumfacil.
As a precaution, Richardson alerted his ISP, but essentially, he says, "We kind of fluffed it off." The veteran bookmaker didn't panic because, in fact, he had dealt with online extortionists before. Two years earlier, hackers crashed BetCris.com with a denial-of-service (DoS) attack, and then demanded by e-mail a $500 protection fee in eGold (an online form of trading bullion). Richardson paid without a second thought. Compared to downtime, $500 was trivial.
That first attack got his attention, though. Richardson consulted another industry veteran who confessed to having a similar problem, and who told Richardson to call a consultant named Barrett Lyon in Sacramento, Calif. Lyon didn't come to BetCris's office -- he had no interest in baby-sitting infrastructure in Costa Rica -- but he did recommend some off-the-shelf products that had recently been developed specifically to fight DoS attacks. Lyon thought (actually he hoped) that he'd never hear from them again. Richardson and Lebumfacil were confident they had protected themselves.
When the attack finally came on that Saturday in November, sometime after that first e-mail but before 11:30 a.m., BetCris crashed hard. The off-the-shelf products Lyon had recommended survived less than 10 minutes. BetCris's ISP crashed, and then the ISP for BetCris's ISP crashed. Richardson ran to the IT department, where Lebumfacil was watching the biggest DoS attack he'd ever seen. He remembers feeling sick to his stomach.
At 1:03 p.m., another e-mail arrived. "I guess you have decided to fight instead of making a deal. We thought you were smart.... You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday." Then they knocked BetCris.com offline again.
The Extortion Problem
We know this about online extortion: It happens. Evidence of its prevalence or damage is speculative and anecdotal but useful nonetheless in guiding CSOs to understand the nature of the crime. Anecdotally, experts from law enforcement and information security consultants believe that perhaps one in 10 companies has been threatene
Hey, leave me out of this! I can't even get my own articles accepted.
Dewey, what part of this looks like authorities should be involved?
God knows your /. ID is low enough that it might be true.
Watch it with the age slurs there, sonny. That could get ... dangerous. :)
Starting Feb 2004, my site was hit by a powerful DDoS attack. It knocked out my web server and it nearly took out my web host's switch in the data center. I never got any demands or letters or figured out who caused it.
Anonymizer.net tried to help me by putting my domain behind a series of rotating proxy servers. Their whole network crashed after 6 hours and they had to stop helping me.
Finally my web host hit on the right idea. I set up a half dozen virtual private servers (VPS) at Globalservers.com (same company that hosts about.com and freeservers) and my host installed a proxy server on each one called twhttpd and set them all to route traffic to and from my web server at his data center.
Then I set up an account at ZoneEdit and added all the IPs for the proxy servers with a failover system. Every time the bastards knocked out one of the proxy servers, ZoneEdit would detect that the server was borked and switch to another one. With the load reduced, the dead proxy came back on its own a few minutes later.
After about 6 months of this, they finally gave up and I won.
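The failover the poster describes (a pool of front-end proxies, a monitor that pulls dead ones out of DNS and lets them back in once they recover) is easy to get subtly wrong: flap on a single missed probe, or keep hammering a proxy that is already drowning. The block below is an added example, not the poster's setup and not ZoneEdit's or twhttpd's code; it keeps a pool of proxy addresses, quarantines one after a configurable number of consecutive failed probes, leaves it alone for a grace period, then re-probes and reinstates it. The probe is injected so the logic can be run offline with a scripted probe and a fake clock; the addresses are constructed TEST-NET values, and the `tcp_probe` helper is just one possible real probe.

```python
"""Proxy-pool health checks with quarantine and recovery (added example)."""
import socket
import time


class ProxyPool:
    """Track which front-end proxies are alive and publish only the live ones."""

    def __init__(self, addresses, probe, fail_threshold=2, retry_after=60.0,
                 clock=time.monotonic):
        self.addresses = list(addresses)
        self.probe = probe                  # callable(addr) -> True if the proxy answers
        self.fail_threshold = fail_threshold  # consecutive misses before removal
        self.retry_after = retry_after      # seconds to leave a dead proxy alone
        self.clock = clock
        self.failures = {a: 0 for a in self.addresses}
        self.down_since = {}                # addr -> time it was marked dead

    def check_all(self):
        """One monitoring pass: probe every proxy not currently quarantined."""
        now = self.clock()
        for addr in self.addresses:
            marked = self.down_since.get(addr)
            if marked is not None and now - marked < self.retry_after:
                continue  # give a flooded proxy time to recover before re-probing
            if self.probe(addr):
                self.failures[addr] = 0
                self.down_since.pop(addr, None)  # back in service
            else:
                self.failures[addr] += 1
                if self.failures[addr] >= self.fail_threshold:
                    self.down_since[addr] = now  # (re)start the quarantine clock

    def healthy(self):
        return [a for a in self.addresses if a not in self.down_since]

    def dns_answer(self, hostname, ttl=60):
        """Zone-file style A records for the live proxies, as a failover DNS would publish."""
        return [f"{hostname}. {ttl} IN A {a}" for a in self.healthy()]


def tcp_probe(addr, port=80, timeout=3.0):
    """A real probe: can we open a TCP connection to the proxy at all?"""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def simulate():
    """Offline walkthrough with a scripted probe and a fake clock (constructed data)."""
    status = {"192.0.2.10": True, "192.0.2.11": True, "192.0.2.12": True}
    now = [0.0]
    pool = ProxyPool(list(status), lambda a: status[a],
                     fail_threshold=2, retry_after=60.0, clock=lambda: now[0])
    timeline = []
    pool.check_all(); timeline.append(pool.healthy())   # everything up
    status["192.0.2.11"] = False                        # attack knocks one proxy over
    pool.check_all(); timeline.append(pool.healthy())   # one miss: not yet removed
    pool.check_all(); timeline.append(pool.healthy())   # second miss: pulled from DNS
    now[0] = 30.0; status["192.0.2.11"] = True           # it recovers once load drops
    pool.check_all(); timeline.append(pool.healthy())   # still inside the grace period
    now[0] = 70.0
    pool.check_all(); timeline.append(pool.healthy())   # re-probed and reinstated
    return timeline


if __name__ == "__main__":
    for step, live in enumerate(simulate()):
        print(f"pass {step}: live proxies = {live}")
```

Two knobs matter in practice: `fail_threshold` keeps a single dropped probe from yanking a proxy, and `retry_after` is what lets the "dead proxy came back on its own a few minutes later" behaviour happen instead of the monitor adding its own probes to the flood.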
Only on
When they fire that warning shot, you dump all the attacking IPs to a log and circulate the list to AHBL, Spamhaus, CBL etc so that the extortionist's zombie network is now worth half of what it was before. Zombies are only worth anything if they are novel. And you tell the extortionist that for each additional shot, their botnet monetary value will decrease by 10% or whatever.
...is submitting a story to /. the last revenge of the DDOS extortioner?
All's true that is mistrusted
From a purely economic standpoint, it makes me wonder who's the real "extortionist"...
Have fun: Join D.N.A. (National Dyslexics Association)