[conspire] Fighting DDoS extortion
Tony Godshall
togo at of.net
Wed May 4 14:19:43 PDT 2005
So they presumably have the IP addresses of 40-50,000
compromised Windows boxes. Does it make any sense to alert
the ISPs of these Windows boxes? Obviously many will be
dynamic, and many ISPs will take no action, but if attackees
did this consistently, wouldn't it eventually help?
According to Rick Moen,
> I'm posting this link because I know Bruce is interested in the subject:
> http://www.mirrordot.org/stories/38209ae4a5f4e553a98d04d7086a62c2/
Geez, they're cookie-happy.
> It's a mirror of a magazine article recently published at CSO Magazine,
> but then (oddly) no longer available at that site. Despite having been
> featured on Slashdot ;-> , the story's interesting.
>
> As Bruce will tell you, Internet-based extortion threats against business
> Web sites are endemic -- particularly against Internet casinos. Many of
> the extortionists operate in eastern Europe or other places difficult
> for USA / western European countries to find and prosecute, and extract
> "protection" money from businessmen by threatening to shut down their
> revenue streams with DDoS (distributed denial of service) attacks
> against their commerce Web sites. The threat is credible, and the
> criminals do get their money, probably generating huge revenue streams
> for criminal gangs and worse people.
>
> The referenced story is an exception -- detailing the successful if
> painful steps a Costa Rica-based Web casino took to fight the threat
> (which, indeed, was from Russia) without paying protection money.
>
> Dealing with DDoS threats has no obvious and easy solution: The threats
> tend to come from huge and changing collections ("botnets") of compromised
> MS-Windows boxes that the criminals are able to use as "zombie" hosts to
> attack your IPs, with the aim of overwhelming you and your upstream
> provider with sheer volume of traffic, thereby taking you offline. ISPs
> tend not to be motivated to do much to help you -- it's easier for them
> to just make the problem go away by null-routing you (shutting you off)
> as happened initially to this guy -- and, even if they were motivated,
> they themselves have a difficult time addressing it.
>
> The target in this place begged their way into a high-bandwidth hosting
> outfit in Phoenix named PureGig that apparently enjoyed the challenge.
> The filtering and defence software deployed there, as part of a proxy
> setup, initially included some proprietary software, but eventually
> went 100% open source.
>
> Here's the passage describing the attack at what _seemed_ like its peak:
>
> But when it was first turned on, the extortionists stuffed too much
> traffic down its throat. Wilson recalls the math: "We had 100MB links
> to the DNS servers. We went from handling under 2MB per link to, all
> of a sudden, 600MB." That's six times a full load. Imagine Fenway
> Park, which holds about 35,000 people. Now imagine 200,000 people
> trying to get inside Fenway Park at one time.
>
> But that was nowhere near the peak. That came a while later:
>
> Lyon then spent Thanksgiving and Friday eating leftover turkey his
> girlfriend delivered and tweaking his system to absorb bigger DDoS
> attacks. On Friday, he believed it could handle a 1Gb attack, and he
> felt good about that. He assured a frayed Richardson that he'd never
> see an attack that big. It would take tens of thousands of zombie
> computers.
>
> Which is exactly what happened. It turns out the extortionists had
> more than 20,000 zombies. PureGig's data center suffered badly, which
> affected several of its ISP customers. PureGig decided to take Lyon's
> system offline to fix it.
>
> "The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted
> at one thing. It was going to routers, DNS servers, mail servers,
> websites. It was like a battlefield, where there's an explosion over
> here, then over there, then it's quiet, then another explosion
> somewhere else," says Lyon. "They threw everything they had at us. I
> was just in shock."
>
> The extortionists eventually gave up, after a war of attrition. It's
> all about economics -- shaking down easy targets that have money to pay.
> The target in this case was tough, and wouldn't pay.
>
> It's expected that botnets comprising 40,000 - 50,000 compromised
> MS-Windows boxes should be at the criminals' disposal some time this
> year, such that they'll be able to peak at 4-5 gigabits per second of
> attack traffic -- several times as much force as was applied in this
> case.
>
> Eventually, as a result of the intended victims conducting their _own_
> private sting operation, a gang of several DDoS attackers in Russia
> was arrested, and are expected to be tried in a Russian court, this
> year.
>
> But there are plenty more such gangs. Because they're following
> Sutton's Law: Go where the money is.
>
--
-- Tony Godshall
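One way to act on the suggestion above (consistently reporting attacking hosts to the networks they sit in): aggregate the flood's source addresses per covering network, with the time window each host was seen, so a report can go to that network's abuse contact even when the address is dynamic. This is an added example, not code from the post or the article; the flow-record format and all addresses are constructed, and the /24 grouping stands in for a real whois/ASN lookup that would run online.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of flow records seen at the victim's edge during a flood:
# "timestamp src_ip dst_port bytes". All values are made up for this example.
SAMPLE_FLOWS = """\
2005-05-04T10:00:01Z 198.51.100.17 80 1460
2005-05-04T10:00:01Z 198.51.100.23 80 1460
2005-05-04T10:00:02Z 198.51.100.17 53 512
2005-05-04T10:00:02Z 203.0.113.9 80 1460
2005-05-04T10:00:03Z 203.0.113.200 25 1460
2005-05-04T10:00:03Z 192.0.2.77 80 1460
2005-05-04T10:00:04Z 198.51.100.90 80 1460
"""

def parse_flows(text):
    """Yield (timestamp, src_ip, dst_port, bytes), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, nbytes = parts
        try:
            yield ts, ip_address(src), int(port), int(nbytes)
        except ValueError:
            continue

def group_sources(flows, prefix_len=24):
    """Group attacking hosts by covering network (a stand-in for the owning ISP).
    Each host keeps first/last seen, total bytes and destination ports, which is
    what an abuse desk needs to match a dynamic address to a subscriber."""
    report = defaultdict(dict)
    for ts, src, port, nbytes in flows:
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        h = report[net].setdefault(src, {"first": ts, "last": ts, "bytes": 0, "ports": set()})
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
        h["bytes"] += nbytes
        h["ports"].add(port)
    return report

def rank_networks(report):
    """Networks with the most distinct attacking hosts (then most bytes) first."""
    return sorted(report, reverse=True,
                  key=lambda n: (len(report[n]), sum(h["bytes"] for h in report[n].values())))

def format_abuse_note(net, hosts):
    lines = [f"Network {net}: {len(hosts)} host(s) observed sending flood traffic"]
    for ip, h in sorted(hosts.items()):
        lines.append(f"  {ip}  {h['first']} .. {h['last']}  {h['bytes']} bytes  ports {sorted(h['ports'])}")
    return "\n".join(lines)

if __name__ == "__main__":
    rep = group_sources(parse_flows(SAMPLE_FLOWS))
    for net in rank_networks(rep):
        print(format_abuse_note(net, rep[net]))
```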