Slashdot Mirror
Ask Slashdot: How To Deal With a DDoS Attack?
First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"
You just gave him $400 more than he had before, and he knows you're good for it.
What were you thinking?
Spend the 400$ on a computer-forensics investigator, find out who is doing this then contact law-enforcement.
I don't know the meaning of the word 'don't' - J
I don't know who you are. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my computerr go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.
Undetectable Steganography? Yep, there's an app fo
Hi first time accepted submitter!
You may want to check this Ask Slashdot.
With due respect, in my view, this is like trying to buy homeowner's insurance while your house is on fire, and complaining that they won't sell it to you.
Why is it unreasonable for you to pay more for "OMG I NEED IT RIGHT NOW!" service?
It's easier to do some prevention than to try to and figure out and control the problem WHILE it's happening. Also, why is it unreasonable for them to give someone who sees the need for some complicated traffic monitoring and filtering a discount for letting them set it up, y'know, during normal business hours with forethought and preparation and not as part of a crazy firedrill?
(no, I don't work for Rackspace)
Judging from your post, you've never been the target of a DDoS as none of what you said would have any affect on a real attack.
If I wasn't even really trying, I'd just use your IDS against you and have you end up effectively firewalling yourself off the Internet.
Save my bandwidth for someone with skills while you try to figure out what's going on
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Option a) Your best bet is go strait to law enforcement. The FBI is actually very interested in these sorts of things even if you are small fry. This might not be a such a hot idea though if the group extorting you actually has some capability. Usually they will set up a string, and track the money when you pay.
Option b) Just shut up and pay up. Never taken this approach myself. I assume it makes the problem go away for a while anyway. I imagine said problems come back for another fix later, and I'd wonder if the attacker ever really had the capability.
Option c) pay the back bone provider, ie ATT&T or whoever is your ISPs, ISP for their DDOS protection services. They actually DO have the resources to protect you from a DDOS. Everything else anyone else is selling is just snake oil because a large enough botnet can simply use all the bandwidth weather you attempt to ack tarpit, or not; They unanswered SYNs alone will consume your entire pipe. This option is terribly expensive, might be worthwhile if you are running a large and inadequately distributed eCommerce site or similar.
Option d) Distribute the hell out of your site. This leads to all sorts of complexity around replication and have the big CDN providers host all your static content and resources. This may help depending on the type of attack. You will want make sure your DNS resources are also well distributed you will basically use fast-flux DNS yourself to stay ahead of your attackers. Essentially you keep changing IPs every 300 seconds or so. You will have challenges preserving sessions and for lots of services its not viable, for WWW it can be made to work. Again this is serious money and time. It might be cheaper than Option c, if you want you are trying to be available for is a small amount if high dollar transactions, as opposed to a higher volume smaller dollar situation.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
was RESPONDING to the guy. Even to say "no." It's like responding "unsubscribe" to a spammer.
What you've done by replying is telling him a.) you GOT his e-mail (not by any means a sure bet with spam filters), b.) you ARE IN FACT the people who own the site in question, and c.) the REASON you're not paying is that you believe he can't carry out his threat.
Let's say I'm this guy. I'm probably a script kiddie with a small botnet under control. I troll for small ecommerce sites (ones that are probably not profitable enough to have good defenses, but would be seriously impacted by a DDoS attack). I try to find some contact information. Again, I'm running some kind of script to troll for these, which means my sample isn't amazing and my data quality is probably questionable.
Then I send out hundreds of e-mails. Like a spammer, I'm going for quantity. Most of these probably disappear into the ether. Whatever - I only need a few to hit a target to get paid. A few people will actually pay up from the e-mail (probably not many, but hey). Some will ignore me (and be impossible to tell from the "disappeared" group. Then there's the lunkheads like you who confirm I sent the threat to the right person and I do feel vulnerable, but I doubt your ability to follow through.
Perfect! I train my botnet on that guy. I'm pretty much guaranteed money. The "someone offered me $600" is a bluff, of course - no one offered him anything, and it's all profit to him. But it sets a nice mental scale for you, so that you'll foolishly think you "got off easy" giving him $400 (when you could have given him $0).
Again, this is a VOLUME play. He has enough bots to DDoS SOMEONE, but not to DDoS EVERYONE. You were attacked for one reason - because you responded.
Sure, there was network engineering involved, but make no mistake - you got SOCIAL engineered here, first and foremost. Fix THAT, not your network.
There isn't much you can really do against a determined foe. There are just too many bot computers out there ready and willing to flood your servers with traffic. Huge companies with lots of staff, racks upon racks of servers, and really fat pipes have been hit with these attacks and failed to stop them.
Now there are a few things you can do to help... You'll note that these things are all extremely important for high-volume sites or major legit traffic spikes:
Have a switch in your website app that turns off all dynamic access, logins, session state, content generation, Ajax loading, etc and just serves static pages. This should also disable any kind of downloads unless you are already serving them from a CDN. If you are under attack (or just get featured on slashdot) throw the switch. Your website won't be terribly functional, but it will still be up. If you want to get fancy, have several levels of degradation where you can progressively turn features off to lighten database loads, etc. but without throwing up error pages or just having the site completely fall down. (ex if your sidebar typically shows recent comments via a database query, then just show a cached set of comments only updated once per day. Now every page access is using one less database query.) This is super critical because the first resource to be exhausted will be your database's ability to answer queries. The second will be your web server's ability to track session state and process requests. Especially if your site does anything even mildly complicated.
If your OS/Webserver/app support it, turn on kernel caching, install a cache plugin, etc. Especially make sure the parts of your pages, images, etc that can be cached are cached. If the under attack flag is set, vastly increase the cache timeouts. Make sure proxy caching is enabled too so any clients behind ISP proxies, etc don't hit your systems. Serve jQuery, fonts, etc from Google's CDN. That's just good practice anyway and free.
If possible, use a CDN for images and other content. CloudFlare is a good one. Companies like Dediserve offer cheap CDN. There are thousands of others. If the panic switch is set, you can even serve the static pages off the CDN if you structure things correctly. These help offset bandwidth saturation.
Take the time to setup a VM of at least your basic site and keep it on standby at Amazon/Azure. If you are under attack or heavy load, spin up a bunch of nodes using that VM image. If you leave your load balancing running on their systems 24/7 then it is trivial to add nodes to the pool. Running a bunch of extra servers for just a few minutes or hours shouldn't cost a ton and will encourage all but the most determined script kiddies to find an easier target once they see your site is still up.
The most common resources exhausted during an attack (in order):
1. Database servers
2. Web server CPU load or memory
3. Bandwidth
4. Load balancers
Again, like I said, none of this will stop a determined attacker with a million node DDoS botnet... But it will make you a less vulnerable target.
Natural != (nontoxic || beneficial)
Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.
I'm not convinced - putting an order in for a service which you don't immediately need means that the provider (Rackspace) has time to plan and implement the change at their leisure. It may only take one or two people a couple of minutes, but it is undoubtedly a change on an appliance somewhere, or maybe even a physical network change if you're just "wired in" to their Internet feed. There may be an outage for you as well, meaning it has to be coordinated amongst yourself and someone doing the work. Then the whole thing needs to be tested as functional, which is very easy to do when you aren't being attacked. So the base price of $1500 seems justified.
In contrast, when you're under attack, you're basically asking your provider to "assemble the troops" on your behalf - it's an emergency change, which needs to be performed the moment you request it regardless of which other customers are being worked on. Not to mention it is significantly more complex to do this while you are being attacked.
So I think Rackspace is perfectly justified. If you want your provider to be at your beck and call 24/7 for complex changes, you're going to pay a premium. At least they have this as an option - most other hosting providers would just terminate your contract because you are now a "high risk" (expensive) customer.
Came here to say that; thank you, would have modded up if I had points.
Absent threat of force to the contrary (*cough*), pre-existing conditions cost more to insure against than lower-risk customers, because your risk of having the thing happen is 100%—it's already happening! At that point you're asking the person to foot the bill for a cure, not insurance; why shouldn't they pass on their costs to you rather than everyone else?
If, instead, you were to join a pool of 100k individuals that (making up some numbers for an example) had a 1% fairly evenly distributed chance of a $10k loss every year, then, ignoring insurer overhead, the yearly expected cost would be $10M, meaning break-even by charging each person $100/year. That cost increases very quickly as you add people to the pool with a 100% chance of loss; and at that point, it's not insurance but subsidy and most people with a choice about it move to an actual insurer (increasing the individual cost even faster until it is same as the actual loss).
Offer the Lebanese hacker an extra $1,000 or so for documented evidence of the competitor hiring him for the DDoS. Let the attack carry on unabated. Sue the competitor for tortious interference, and ask the judge for a massive amount of punitive damages. Get paid about 1000X the amount you lost due to the DDoS attack.