[conspire] Fighting DDoS extortion

Rick Moen rick at linuxmafia.com
Wed May 4 11:45:58 PDT 2005


I'm posting this link because I know Bruce is interested in the subject:
http://www.mirrordot.org/stories/38209ae4a5f4e553a98d04d7086a62c2/

It's a mirror of a magazine article recently published at CSO Magazine,
but then (oddly) no longer available at that site.  Despite having been
featured on Slashdot ;->, the story's interesting.

As Bruce will tell you, Internet-based extortion threats against business
Web sites are endemic -- particularly against Internet casinos.  Many of
the extortionists operate in eastern Europe or other places difficult
for USA / western European countries to find and prosecute, and extract
"protection" money from businessmen by threatening to shut down their
revenue streams with DDoS (distributed denial of service) attacks
against their commerce Web sites.  The threat is credible, and the
criminals do get their money, probably generating huge revenue streams
for criminal gangs and worse people.

The referenced story is an exception -- detailing the successful if
painful steps a Costa Rica-based Web casino took to fight the threat
(which, indeed, was from Russia) without paying protection money.  

Dealing with DDoS threats has no obvious and easy solution:  The threats
tend to come from huge and changing collections ("botnets") of compromised
MS-Windows boxes that the criminals are able to use as "zombie" hosts to
attack your IPs, with the aim of overwhelming you and your upstream
provider with sheer volume of traffic, thereby taking you offline.  ISPs
tend not to be motivated to do much to help you -- it's easier for them
to just make the problem go away by null-routing you (shutting you off) 
as happened initially to this guy -- and, even if they were motivated, 
they themselves have a difficult time addressing it.  

The target in this case begged their way into a high-bandwidth hosting
outfit in Phoenix named PureGig that apparently enjoyed the challenge.
The filtering and defence software deployed there, as part of a proxy 
setup, initially included some proprietary software, but eventually 
went 100% open source.

Here's the passage describing the attack at what _seemed_ like its peak:

   But when it was first turned on, the extortionists stuffed too much
   traffic down its throat. Wilson recalls the math: "We had 100MB links
   to the DNS servers. We went from handling under 2MB per link to, all
   of a sudden, 600MB." That's six times a full load. Imagine Fenway
   Park, which holds about 35,000 people. Now imagine 200,000 people
   trying to get inside Fenway Park at one time.

But that was nowhere near the peak.  That came a while later:

   Lyon then spent Thanksgiving and Friday eating leftover turkey his
   girlfriend delivered and tweaking his system to absorb bigger DDoS
   attacks. On Friday, he believed it could handle a 1Gb attack, and he
   felt good about that. He assured a frayed Richardson that he'd never
   see an attack that big. It would take tens of thousands of zombie
   computers.

   Which is exactly what happened. It turns out the extortionists had
   more than 20,000 zombies. PureGig's data center suffered badly, which
   affected several of its ISP customers. PureGig decided to take Lyon's
   system offline to fix it.

   "The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted
   at one thing. It was going to routers, DNS servers, mail servers,
   websites.  It was like a battlefield, where there's an explosion over
   here, then over there, then it's quiet, then another explosion
   somewhere else," says Lyon. "They threw everything they had at us. I
   was just in shock."

The extortionists eventually gave up, after a war of attrition.  It's
all about economics -- shaking down easy targets that have money to pay.
The target in this case was tough, and wouldn't pay.

It's expected that botnets comprising 40,000 - 50,000 compromised
MS-Windows boxes should be at the criminals' disposal some time this
year, such that they'll be able to peak at 4-5 gigabits per second of
attack traffic -- several times as much force as was applied in this
case.

Eventually, as a result of the intended victims conducting their _own_
private sting operation, a gang of several DDoS attackers in Russia
was arrested, and its members are expected to be tried in a Russian
court this year.

But there are plenty more such gangs.  Because they're following
Sutton's Law:  Go where the money is.
