Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How To Deal With a DDoS Attack?

Posted by timothy on from the boot-human-face-forever dept.

First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"

5 of 303 comments (clear)

  1. Don't negotiate with cyber criminals? by Anonymous Coward · · Score: 5, Insightful

    You just gave him $400 more than he had before, and he knows you're good for it.

    What were you thinking?

  2. Regarding price "gouging"... by Anonymous Coward · · Score: 5, Insightful

    With due respect, in my view, this is like trying to buy homeowner's insurance while your house is on fire, and complaining that they won't sell it to you.

    Why is it unreasonable for you to pay more for "OMG I NEED IT RIGHT NOW!" service?

    It's easier to do some prevention than to try to and figure out and control the problem WHILE it's happening. Also, why is it unreasonable for them to give someone who sees the need for some complicated traffic monitoring and filtering a discount for letting them set it up, y'know, during normal business hours with forethought and preparation and not as part of a crazy firedrill?

    (no, I don't work for Rackspace)

  3. Re:Rackspace IDS by BitZtream · · Score: 5, Insightful

    Judging from your post, you've never been the target of a DDoS as none of what you said would have any affect on a real attack.

    If I wasn't even really trying, I'd just use your IDS against you and have you end up effectively firewalling yourself off the Internet.

    Save my bandwidth for someone with skills while you try to figure out what's going on

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Your mistake by Anonymous Coward · · Score: 5, Insightful

    was RESPONDING to the guy. Even to say "no." It's like responding "unsubscribe" to a spammer.

    What you've done by replying is telling him a.) you GOT his e-mail (not by any means a sure bet with spam filters), b.) you ARE IN FACT the people who own the site in question, and c.) the REASON you're not paying is that you believe he can't carry out his threat.

    Let's say I'm this guy. I'm probably a script kiddie with a small botnet under control. I troll for small ecommerce sites (ones that are probably not profitable enough to have good defenses, but would be seriously impacted by a DDoS attack). I try to find some contact information. Again, I'm running some kind of script to troll for these, which means my sample isn't amazing and my data quality is probably questionable.

    Then I send out hundreds of e-mails. Like a spammer, I'm going for quantity. Most of these probably disappear into the ether. Whatever - I only need a few to hit a target to get paid. A few people will actually pay up from the e-mail (probably not many, but hey). Some will ignore me (and be impossible to tell from the "disappeared" group. Then there's the lunkheads like you who confirm I sent the threat to the right person and I do feel vulnerable, but I doubt your ability to follow through.

    Perfect! I train my botnet on that guy. I'm pretty much guaranteed money. The "someone offered me $600" is a bluff, of course - no one offered him anything, and it's all profit to him. But it sets a nice mental scale for you, so that you'll foolishly think you "got off easy" giving him $400 (when you could have given him $0).

    Again, this is a VOLUME play. He has enough bots to DDoS SOMEONE, but not to DDoS EVERYONE. You were attacked for one reason - because you responded.

    Sure, there was network engineering involved, but make no mistake - you got SOCIAL engineered here, first and foremost. Fix THAT, not your network.

  5. Re:Gouging Schmouging by czth · · Score: 5, Insightful

    Came here to say that; thank you, would have modded up if I had points.

    Absent threat of force to the contrary (*cough*), pre-existing conditions cost more to insure against than lower-risk customers, because your risk of having the thing happen is 100%—it's already happening! At that point you're asking the person to foot the bill for a cure, not insurance; why shouldn't they pass on their costs to you rather than everyone else?

    If, instead, you were to join a pool of 100k individuals that (making up some numbers for an example) had a 1% fairly evenly distributed chance of a $10k loss every year, then, ignoring insurer overhead, the yearly expected cost would be $10M, meaning break-even by charging each person $100/year. That cost increases very quickly as you add people to the pool with a 100% chance of loss; and at that point, it's not insurance but subsidy and most people with a choice about it move to an actual insurer (increasing the individual cost even faster until it is same as the actual loss).