Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: How To Deal With a DDoS Attack?

timothy posted about 2 years ago | from the boot-human-face-forever dept.

Businesses 303

First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"

cancel ×


Sorry! There are no comments related to the filter you selected.

Cloudflare? (-1, Redundant)

Anonymous Coward | about 2 years ago | (#41866611)

You could use something like cloudflare if you don't have rapidly changing content...their blog has an interesting article about DNS amplification DDoS.

Don't negotiate with cyber criminals? (5, Insightful)

Anonymous Coward | about 2 years ago | (#41866615)

You just gave him $400 more than he had before, and he knows you're good for it.

What were you thinking?

Re:Don't negotiate with cyber criminals? (5, Funny)

Anonymous Coward | about 2 years ago | (#41867235)

Pay someone in Lebanon to DDoS his face :)

Re:Don't negotiate with cyber criminals? (4, Insightful)

v1 (525388) | about 2 years ago | (#41867447)

What were you thinking?

Apparently something along the lines of "I wonder how much more they'll demand next month?"

NEVER negotiate with criminals. If you do, they'll always come back for more.

Cloudflare (3, Informative)

Anonymous Coward | about 2 years ago | (#41866647)

Cloudflare are great, I use them on my sites and they can handle the traffic w/o issue.

DDoS is what happens (-1)

Anonymous Coward | about 2 years ago | (#41866651)

When so many people say

FIRST POST !!!!111111111111111111

Use blacklists (0)

Anonymous Coward | about 2 years ago | (#41866657)

Not a perfect solution, but it can help mitigate by blocking known compromised IP addresses.

Next time (5, Interesting)

Progman3K (515744) | about 2 years ago | (#41866669)

Spend the 400$ on a computer-forensics investigator, find out who is doing this then contact law-enforcement.

Re:Next time (5, Interesting)

Nyder (754090) | about 2 years ago | (#41866719)

Spend the 400$ on a computer-forensics investigator, find out who is doing this then contact law-enforcement.

Dude was in Lebannon, I'm sure the local police would be happy to pick him up.

Honestly, this person is smart. Keep it small and low, and you probably will get away with it lot. Ramp it up, go after a big fish, and our government might start getting pissed, but they won't care about a bunch of small businesses.

Re:Next time (1)

Anonymous Coward | about 2 years ago | (#41866899)

After the fact you might consider this. I've never bothered.

During the attack? Don't waste the time. This will take days, months, years, AT BEST. Any mission critical system can not way for the police to do their job here, especially since the attacker will ALMOST CERTAINLY be foreign to North America or the UK.

Re:Next time (4, Insightful)

nurb432 (527695) | about 2 years ago | (#41867405)

There are a few problems with this:

1 - Often times they are out of the country ( its safer.. ), so no jurisdiction even if they are found. You want to deal with having to do this across country borders?
2 - The cost of your business being down may far exceed the 'ransom' while this 'service' does its 'investigation'
3 - $400 wont go far for an investigation.

Not saying to pay ransom to every script kiddy that comes calling as that is an open invite to disaster, but i dont think what you suggest is a viable alternative either. At least not while the DoS is taking place.

This May Work (5, Funny)

arthurpaliden (939626) | about 2 years ago | (#41866683)

I don't know who you are. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my computerr go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.

Re:This May Work (0)

Nyder (754090) | about 2 years ago | (#41866721)

I don't know who you are. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my computerr go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.

Um, okay Mr. Internet Tough Guy.

Re:This May Work (5, Funny)

durrr (1316311) | about 2 years ago | (#41866747)

"This sound is made as something passes over your head"

Re:This May Work (5, Funny)

Culture20 (968837) | about 2 years ago | (#41867057)

What is "Woosh"?
Internet memes for $400, please, Alex.

Re:This May Work (2, Funny)

Anonymous Coward | about 2 years ago | (#41867141)


Re:This May Work (1)

Dahamma (304068) | about 2 years ago | (#41866793)

Whooshed harder than Liam Neeson's bad accent.

Re:This May Work (2, Informative)

Anonymous Coward | about 2 years ago | (#41866813)

Re:This May Work (0)

Anonymous Coward | about 2 years ago | (#41866851)

Thanks for the laugh! That was wonderful.

Re:This May Work (0)

Kotoku (1531373) | about 2 years ago | (#41867071)

Woosh !

Re:This May Work (1)

Anonymous Coward | about 2 years ago | (#41866983)

Good luck, I'm behind 7 proxies.

Re:This May Work (0)

Anonymous Coward | about 2 years ago | (#41867441)

Which you rented from me and my many aliases.. ;)

Re:This May Work (0)

Anonymous Coward | about 2 years ago | (#41867243)

Good Luck

this may help you (5, Informative)

Anonymous Coward | about 2 years ago | (#41866697)

Hi first time accepted submitter!

You may want to check this [] Ask Slashdot.

You can't win. (3, Funny)

AK Marc (707885) | about 2 years ago | (#41866715)

There was a gambling site in Australia that got on the wrong side of a gambling gang (stealing customers, nothing they did specifically to attract ire). The DDoS took down Australia. Keeping your servers up when your link is flooded isn't too hard. Keeping your site up when the DDoS takes down your ISP and their ISP is a little harder. The "best" solution is to log all IPs and sue all local IPs for hacking. Get some old lady fined $1,000,000 for hacking and maybe people will figure out that they should secure it or turn it off. If there were no botnets, there would be fewer, if any, DDoS attacks.

Gouging Schmouging (4, Insightful)

Anonymous Coward | about 2 years ago | (#41866725)

Try buying fire insurance when your house is on fire. It's a risk pool. Duh.

Re:Gouging Schmouging (5, Insightful)

czth (454384) | about 2 years ago | (#41867267)

Came here to say that; thank you, would have modded up if I had points.

Absent threat of force to the contrary (*cough*), pre-existing conditions cost more to insure against than lower-risk customers, because your risk of having the thing happen is 100%—it's already happening! At that point you're asking the person to foot the bill for a cure, not insurance; why shouldn't they pass on their costs to you rather than everyone else?

If, instead, you were to join a pool of 100k individuals that (making up some numbers for an example) had a 1% fairly evenly distributed chance of a $10k loss every year, then, ignoring insurer overhead, the yearly expected cost would be $10M, meaning break-even by charging each person $100/year. That cost increases very quickly as you add people to the pool with a 100% chance of loss; and at that point, it's not insurance but subsidy and most people with a choice about it move to an actual insurer (increasing the individual cost even faster until it is same as the actual loss).

Re:Gouging Schmouging (4, Informative)

Anonymous Coward | about 2 years ago | (#41867433)

This isn't really insurance though. It's just a service rackspace provides.

Regarding price "gouging"... (5, Insightful)

Anonymous Coward | about 2 years ago | (#41866731)

With due respect, in my view, this is like trying to buy homeowner's insurance while your house is on fire, and complaining that they won't sell it to you.

Why is it unreasonable for you to pay more for "OMG I NEED IT RIGHT NOW!" service?

It's easier to do some prevention than to try to and figure out and control the problem WHILE it's happening. Also, why is it unreasonable for them to give someone who sees the need for some complicated traffic monitoring and filtering a discount for letting them set it up, y'know, during normal business hours with forethought and preparation and not as part of a crazy firedrill?

(no, I don't work for Rackspace)

Re:Regarding price "gouging"... (4, Informative)

NemosomeN (670035) | about 2 years ago | (#41866951)

I read it as "It is price x no matter what, while a DDoS is in progress, the price increases to y, even if you bought it ahead of time" which would be gouging. If it is, indeed, "Price x if you buy it ahead of time, and price y if you buy it during an attack" then that's just common sense. Ongoing protection that might not be needed is going to be cheaper than ongoing protection that is needed immediately.

That said, it sounds like the guy had warning before the attack started, so this is more like buying homeowner's insurance after someone threatens to burn down your house.

Re:Regarding price "gouging"... (1)

rundgong (1575963) | about 2 years ago | (#41867381)

I was thinking the same thing. If you pay for it upfront they will include the odds of you never needing the service. In other words exactly as buying insurance.

To illustrate with an example:
The equipment costs $6000 but they know that statistically only one in five customers will need it. Then selling it to 5 customers upfront for $1500 will give you a profit of $1500.
Selling the $6000 equipment for $1500 to you while you need it will incur a loss of $4500

this may help you (0)

Anonymous Coward | about 2 years ago | (#41866735)

Hi first time accepted submitter!

You may want to check out this [] Ask Slashdot.

Re:this may help you (0)

Anonymous Coward | about 2 years ago | (#41866799)

Hello AC, welcome to Slashdot. It might help you the future, to know that it is editors that decide the category the story gets posted on, not the submitted. Good luck AC.

DDoS is blocked 100% by my HOSTS file (-1, Troll)

Anonymous Coward | about 2 years ago | (#41866737)

$10,000 CHALLENGE to Alexander Peter Kowalski

We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, She is Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel, claiming that the APK on OSY was fake.

My reputation as a professional in this field clearly shows in multiple publications in this field in written print, & also online in various GOOD capacities since 1996 to present day. This has happened since I was first published in Playgirl Magazine in 1996 & others to present day, with helpful tools online in programs, & professionally sold warez that were finalists @ Westminster Dog Show 2000-2002.

Did you see the movie "Pokemon"? Actually the induced night "dream world" is synonymous with the academic religious induced "HOSTS file" enslavement of DNS. Domains have no inherent value, as it was invented as a counterfeit and fictitious value to represent natural values in name resolution. Unfortunately, human values have declined to fictitious word values. Unknowingly, you are living in a "World Wide Web", as in a fictitious life in a counterfeit Internet - which you could consider APK induced "HOSTS file". Can you distinguish the academic induced root server from the natural OpenDNS? Beware of the change when your brain is free from HOSTS file enslavement - for you could find that the natural Slashdot has been destroyed!!

FROM -> Man - how many times have I dusted you in tech debates that you have decided to troll me by ac posts for MONTHS now, OR IMPERSONATING ME AS YOU DID HERE and you were caught in it by myself & others here, only to fail each time as you have here?)...

So long nummynuts, sorry to have to kick your nuts up into your head verbally speaking.

cower in my shadow some more, feeb. you're completely pathetic.

Disproof of all apk's statements:

Ac trolls' "BIG FAIL" (quoted): Eat your words

Null routes (1)

papasui (567265) | about 2 years ago | (#41866753)

Null route the ip being attacked, not the ip attacking. Of course this assumes you have a network consisting of more than a single ip. Anyway this is basically the best way to handle a DoS. Otherwise you basically need to have the bandwidth/resources to endure the attack. Many providers will allow either a remote-triggered black hole session to their BGP router or allow a burst rate above your committed bandwidth if the interface allows for it.

Re:Null routes (1)

be99 (1598591) | about 2 years ago | (#41866823)

Agreed. If I remember correctly, most providers use the MPLS community of "666".. You'll have to probably have some good router skills though for it to be setup if you don't.

Re:Null routes (0)

Anonymous Coward | about 2 years ago | (#41867147)

That'll work well for a public facing website. I'm sure the attacker won't think to check DNS for changes or see if the site is still online.

Re:Null routes (2)

cnastase (1504381) | about 2 years ago | (#41867233)

Null route the ip being attacked, not the ip attacking. Of course this assumes you have a network consisting of more than a single ip.
Anyway this is basically the best way to handle a DoS. Otherwise you basically need to have the bandwidth/resources to endure the attack. Many providers will allow either a remote-triggered black hole session to their BGP router or allow a burst rate above your committed bandwidth if the interface allows for it.

This is the simplest way to handle a DDoS, not the best. Well, might be best from the provider's point of view. The best solution is to scrub the attack and let legitimate traffic pass through, but they decided to pay $400 instead of $6000.

@OP: a simple Google search gives you quite a few options on solving this problem. Just input "ddos protection" and hit Enter. You'll find that there are a lot of companies providing the exact service that you need, for less or more money than Rackspace, with "instant" setup. I used quotes since it takes a while until the new DNS entries will propagate, but you DO have options. Since you got scammed once, there's a good chance they'll try it again, so I suggest you try to be prepared for the next time.

Re:Null routes (2)

BeanThere (28381) | about 2 years ago | (#41867425)

Null route the ip being attacked

So to protect against someone taking your website down, you effectively take your website down? I think I've missed some detail in your suggestion.

Rackspace IDS (1, Interesting)

Karem Lore (649920) | about 2 years ago | (#41866763)

We employ a Rackspace IDS (Intrusion Detection System) which all our servers sit behind. We also have a firewall at Rackspace. The IDS detects sql injection attempts, brute forces, DDoS etc and stops them, alerts us and, in our case, we have a pre-arranged agreement for Rackspace to immediately block said IP in our firewall.

We can then determine whether or not that IP is malicious and remove it if necessary. I can't give you any prices, but for a stable and protected environment, it is a requirement these days.

If in the middle of an attack, check if you can still get an ssh onto the box. If so, netstat to find out what is hitting it (or look at the apache logs etc) and stick a block in the iptables to reject the request from said IP.

There is a number of other techniques that you can employ also if you are being attacked by bots (multiple IPs), but the IDS does a good job.

Re:Rackspace IDS (5, Insightful)

BitZtream (692029) | about 2 years ago | (#41866839)

Judging from your post, you've never been the target of a DDoS as none of what you said would have any affect on a real attack.

If I wasn't even really trying, I'd just use your IDS against you and have you end up effectively firewalling yourself off the Internet.

Save my bandwidth for someone with skills while you try to figure out what's going on

Re:Rackspace IDS (3)

DarkOx (621550) | about 2 years ago | (#41866977)

IDS will not help protect you from a DDOS. The closed it might come to offering any kind of DDOS protect is it may help your firewall thwart scanning and information gathering in preparation for a DDOS.

Some DDOS uses a smallish number of hosts and will attempt to exhaust a specific resource like like server session memory by speaking a the protocol for a little while, if there is something that makes you especially vulnerable to that. Big DDOS use large bot nets and will simply burn thru all your bandwidth with SYN (tcp session start) packets alone. You really can't do much. If you have some way to tell which traffic is bad, like you know traffic should only be sourced from a specific address you can drop these sessions at your firewall and maybe make things a little better for yourself but it won't do much because the traffic still comes to your firewall and its going to consume your entire outside downlink, choking out the legitimate traffic anyway.

ip blockage (0)

Anonymous Coward | about 2 years ago | (#41866765)

block the offending ip's

Re:ip blockage (3, Informative)

TheRealMindChild (743925) | about 2 years ago | (#41866801)

Doing it at your own router won't work, because legitimate traffic has no room to get through

Cloudflare (0)

Anonymous Coward | about 2 years ago | (#41866767)

Cloudflare sounds like the perfect solution to me. All the other options you found are too expensive, and Cloudflare is free (I think they have some paid accounts for ~$20 / month). I've heard people have pretty good success with them too.

6000 USD? (1)

Anonymous Coward | about 2 years ago | (#41866769)

6000 USD? For that money, you could make a drone, mail it somewhere near Lebanon, pay someone to launch it, and kamikaze it with a molotov cocktail on that guy's address.

Best solution... (4, Insightful)

Dahamma (304068) | about 2 years ago | (#41866773)

...would have been to ask him how much to get the name of the competitor. Would probably cost a bit, but documenting that exchange and turning it over to the FBI instead of just the DDoS info might have meant one fewer competitor...

Re:Best solution... (4, Insightful)

Professr3 (670356) | about 2 years ago | (#41866811)

I'm pretty sure the "competitor" bit was completely made up.

Re:Best solution... (2)

Firethorn (177587) | about 2 years ago | (#41866877)

Yep, I see this as a variation of the hitman scam.

Guy contacts you saying he's a hitman and has been hired to kill you.
Offers to NOT kill you in exchange for beating the amount the person who hired him is paying.
Generally speaking there is no actual hit involved, it's just a scam. That this guy backed up his threat actually makes him unusual.

On the hitman scam - A lot of the time they're quite easy to 'negotiate' down - could justify it in that not doing a hit is easier than doing one, on the other hand, if I have somebody that pissed off at me, couldn't they just hire another hitman?

Eh. I think we just need to keep all the hitmen busy killing spammers, malware writers, and scammers.

Re:Best solution... (0)

Anonymous Coward | about 2 years ago | (#41867065)

In which case the guy will just name one of *his* competitors in the scamming business.

Re:Best solution... (0)

Anonymous Coward | about 2 years ago | (#41866819)

At best it's Hearsay. At worst it is an unfounded accusation leveled against a competitor.

Re:Best solution... (1)

DarkOx (621550) | about 2 years ago | (#41866993)

Its never bad to gather all the information you possible can but most likely the caller was just lying. Chances are pretty good he just got off the phone with your competitor giving him the same business. Even if he did name names it would not mean much.

Sadly its most likely the caller did not even have the capability to execute the attack he claimed to have.

Re:Best solution... (0)

Anonymous Coward | about 2 years ago | (#41867045)

Aaaand tune in next week, where the scam will be $800 to not name you as "the competitor" in his next hit.

First, there was no "competitor". It's unnecessary to have a real one for this scam. Second, why on earth would anyone think the competitor's name you "buy" from him would be reliable information? For any use, nevermind for police use?

Re:Best solution... (0)

Anonymous Coward | about 2 years ago | (#41867061)

Yeah, we did ask, just out of curiosity. He named a valid competitor, but I don't believe it for a second.

Re:Best solution... (2)

TheUnFounded (731123) | about 2 years ago | (#41867069)

Stupid cookies. See above, we did check with him.

Re:Best solution... (1)

deroby (568773) | about 2 years ago | (#41867085)

You (naively) assume he spoke the truth about there being a competitor who ordered this ?! More likely it's just a way to give the initial price more credibility.

Re:Best solution... (1)

Dahamma (304068) | about 2 years ago | (#41867137)

This is business... what does the truth have to do with it? ;)

Homeland Security needs to be on this. (0)

Anonymous Coward | about 2 years ago | (#41867225)

$800 ransom. And the site was taken down that easily?

And a "competitor" hired them for $400?

The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case.

Really? The site is soooo important that it needed to be up real quick? If that were the case, either the blackmailer is a real fool (I would have hit them up for at least a couple of thousand) or we're not haring the whole story here or all the above and some other combination.

If these people are really from Lebanon, then there is a high probability that these funds are going to finance terrorism.

Secondly, by paying those assholes, these assholes have encouraged this shit. What, these people can't sell whatever crap they're selling on the internet for a few hours? And if they are offering something more important than yet another internet shopping site, then they'd have a telephone # or some other contingency plan to deal with a service outage. So, what they're trying to do is find a bandaid solution for a poorly planed site.

Call the NOC (0)

TheRealMindChild (743925) | about 2 years ago | (#41866789)

Call the NOC of your provider and have them block the offending IPs at the router

Re:Call the NOC (0)

Anonymous Coward | about 2 years ago | (#41866857)

that won't help much if it's distributed. You might be better of with a simple limit in your configuration and do some distribution of the service yourself.

Re:Call the NOC (0)

Anonymous Coward | about 2 years ago | (#41866873)

A DDOS typically has thousands to hundreds of thousands of attackers. Identifying them this way has *never* been possible in my experience.

You can however, try to identify them based on other patterns. But usually, unfortunately, this must be done at a higher level.

Re:Call the NOC (1)

TheUnFounded (731123) | about 2 years ago | (#41867073)

There were hundreds of IPs. Looked like a small (or portion of a large) botnet.

Re:Call the NOC (2)

Chris Mattern (191822) | about 2 years ago | (#41867193)

That's one IP, only tens of thousands more to go!

*Distributed* Denial of Service, remember?

Two-step solution (0)

Anonymous Coward | about 2 years ago | (#41866805)

Step 1: find out which competitor it was.

Step 2: DoS their FACE with a 2x4.

Incapsula (0)

Anonymous Coward | about 2 years ago | (#41866817)

I've used for general caching and ddos protection. Works great and is free for smaller sites.

Don't pay (0)

Anonymous Coward | about 2 years ago | (#41866841)

The first mistake was paying, now your company is a known easy mark. When facing extortion your first reaction should have been to contact law enforcement. Maybe they do something, maybe not, but it's worth a try. After that, it depends on how much you are willing to spend.

A cheap solution is to put limiting rules in your firewall so after a few connection attempts from the same IP the connection is dropped. Another way to go is load balancing and multiple servers in the hopes your attacker gets bored before you lose money. Judging by the sound of the summary the company doesn't do a lot of business through their website, so why not just let the DDoS attack happen for a while? After a few days the guy will probably get bored and move on to someone else who might pay him.

Dealt with this a few times... (0)

Anonymous Coward | about 2 years ago | (#41866855)

A) Commercial migitation services:
- Okay. Expensive. Do work in my experience.

B) Mitigate yourself:
- I'd recommend AWS.
- You will want to have this prepared beforehand with load balancers and a virtually unlimited number of virtual servers to handle the requests.
- Also expensive, but usually less so than a commercial service.
- USE FILTERING AND FIREWALLING of the attacks at the lower network level possible. THIS is where you will save money. Try to identify and ignore the attacks.

If you think this is going to go on for a long time, hiring someone to look into the matter on a personal level may prove fruitful.

Not many choices (5, Interesting)

DarkOx (621550) | about 2 years ago | (#41866875)

Option a) Your best bet is go strait to law enforcement. The FBI is actually very interested in these sorts of things even if you are small fry. This might not be a such a hot idea though if the group extorting you actually has some capability. Usually they will set up a string, and track the money when you pay.

Option b) Just shut up and pay up. Never taken this approach myself. I assume it makes the problem go away for a while anyway. I imagine said problems come back for another fix later, and I'd wonder if the attacker ever really had the capability.

Option c) pay the back bone provider, ie ATT&T or whoever is your ISPs, ISP for their DDOS protection services. They actually DO have the resources to protect you from a DDOS. Everything else anyone else is selling is just snake oil because a large enough botnet can simply use all the bandwidth weather you attempt to ack tarpit, or not; They unanswered SYNs alone will consume your entire pipe. This option is terribly expensive, might be worthwhile if you are running a large and inadequately distributed eCommerce site or similar.

Option d) Distribute the hell out of your site. This leads to all sorts of complexity around replication and have the big CDN providers host all your static content and resources. This may help depending on the type of attack. You will want make sure your DNS resources are also well distributed you will basically use fast-flux DNS yourself to stay ahead of your attackers. Essentially you keep changing IPs every 300 seconds or so. You will have challenges preserving sessions and for lots of services its not viable, for WWW it can be made to work. Again this is serious money and time. It might be cheaper than Option c, if you want you are trying to be available for is a small amount if high dollar transactions, as opposed to a higher volume smaller dollar situation.

Your mistake (5, Insightful)

Anonymous Coward | about 2 years ago | (#41866885)

was RESPONDING to the guy. Even to say "no." It's like responding "unsubscribe" to a spammer.

What you've done by replying is telling him a.) you GOT his e-mail (not by any means a sure bet with spam filters), b.) you ARE IN FACT the people who own the site in question, and c.) the REASON you're not paying is that you believe he can't carry out his threat.

Let's say I'm this guy. I'm probably a script kiddie with a small botnet under control. I troll for small ecommerce sites (ones that are probably not profitable enough to have good defenses, but would be seriously impacted by a DDoS attack). I try to find some contact information. Again, I'm running some kind of script to troll for these, which means my sample isn't amazing and my data quality is probably questionable.

Then I send out hundreds of e-mails. Like a spammer, I'm going for quantity. Most of these probably disappear into the ether. Whatever - I only need a few to hit a target to get paid. A few people will actually pay up from the e-mail (probably not many, but hey). Some will ignore me (and be impossible to tell from the "disappeared" group. Then there's the lunkheads like you who confirm I sent the threat to the right person and I do feel vulnerable, but I doubt your ability to follow through.

Perfect! I train my botnet on that guy. I'm pretty much guaranteed money. The "someone offered me $600" is a bluff, of course - no one offered him anything, and it's all profit to him. But it sets a nice mental scale for you, so that you'll foolishly think you "got off easy" giving him $400 (when you could have given him $0).

Again, this is a VOLUME play. He has enough bots to DDoS SOMEONE, but not to DDoS EVERYONE. You were attacked for one reason - because you responded.

Sure, there was network engineering involved, but make no mistake - you got SOCIAL engineered here, first and foremost. Fix THAT, not your network.

Prolexic (1)

Anonymous Coward | about 2 years ago | (#41866889)

Their service can be fairly expensive, but it's worth every penny. They can announce your routes and redirect all the flows through their many scrubbing centers, then forward you only clean traffic through a separate GRE tunnel. Or they can do simple DNS proxying, but if the attacker is even remotely clever they can defeat that pretty easily.

We have some great advice for you (4, Funny)

jayhawk88 (160512) | about 2 years ago | (#41866897)

...but to be honest, Kuro5hin is paying us $1000 not to tell you. Perhaps if you would be willing to pony up $1500 we could do business.

Not a lot you can really do (5, Informative)

rabtech (223758) | about 2 years ago | (#41866905)

There isn't much you can really do against a determined foe. There are just too many bot computers out there ready and willing to flood your servers with traffic. Huge companies with lots of staff, racks upon racks of servers, and really fat pipes have been hit with these attacks and failed to stop them.

Now there are a few things you can do to help... You'll note that these things are all extremely important for high-volume sites or major legit traffic spikes:

Have a switch in your website app that turns off all dynamic access, logins, session state, content generation, Ajax loading, etc and just serves static pages. This should also disable any kind of downloads unless you are already serving them from a CDN. If you are under attack (or just get featured on slashdot) throw the switch. Your website won't be terribly functional, but it will still be up. If you want to get fancy, have several levels of degradation where you can progressively turn features off to lighten database loads, etc. but without throwing up error pages or just having the site completely fall down. (ex if your sidebar typically shows recent comments via a database query, then just show a cached set of comments only updated once per day. Now every page access is using one less database query.) This is super critical because the first resource to be exhausted will be your database's ability to answer queries. The second will be your web server's ability to track session state and process requests. Especially if your site does anything even mildly complicated.

If your OS/Webserver/app support it, turn on kernel caching, install a cache plugin, etc. Especially make sure the parts of your pages, images, etc that can be cached are cached. If the under attack flag is set, vastly increase the cache timeouts. Make sure proxy caching is enabled too so any clients behind ISP proxies, etc don't hit your systems. Serve jQuery, fonts, etc from Google's CDN. That's just good practice anyway and free.

If possible, use a CDN for images and other content. CloudFlare is a good one. Companies like Dediserve offer cheap CDN. There are thousands of others. If the panic switch is set, you can even serve the static pages off the CDN if you structure things correctly. These help offset bandwidth saturation.

Take the time to setup a VM of at least your basic site and keep it on standby at Amazon/Azure. If you are under attack or heavy load, spin up a bunch of nodes using that VM image. If you leave your load balancing running on their systems 24/7 then it is trivial to add nodes to the pool. Running a bunch of extra servers for just a few minutes or hours shouldn't cost a ton and will encourage all but the most determined script kiddies to find an easier target once they see your site is still up.

The most common resources exhausted during an attack (in order):

1. Database servers
2. Web server CPU load or memory
3. Bandwidth
4. Load balancers

Again, like I said, none of this will stop a determined attacker with a million node DDoS botnet... But it will make you a less vulnerable target.

Re:Not a lot you can really do (2)

divisionbyzero (300681) | about 2 years ago | (#41867355)

That's actually the best advice I've read on this topic. Nice.

So let me get this straight ... (2)

ubrgeek (679399) | about 2 years ago | (#41866917)

You were blackmailed by someone claiming to be represent your competition and then by your service provider. Correct? There are two things you should consider, and do so quickly before you've completely hosed your server logs: Contact your local FBI field office and then contact US-CERT. Yes, I know - it's DHS, but they track this stuff and have access to tools/training they can provide.

Price gouging? YOU should have been prepared. (3, Interesting)

LoadWB (592248) | about 2 years ago | (#41866919)

So you never bothered with DDoS prevention services for what is apparently a critical company web site, which would allow the provider to work pro-actively on protecting your assets. Then when your assets come under attack you expect your provider will just drop everything and tend to your immediate emergency without additional costs? Sounds like car insurance after the accident, or health insurance after you develop cancer.

It's 2012. DDoS are a real and credible threat today. 10 years ago, perhaps a passing thing, but today... do you not read the news?

Stipulating that your lack of preparedness is not your fault and over-sight, I want to address RackSpace's mitigation fees and perhaps defend your position at least a little. Being that it is 2012 and DDoS are a real and credible threat, depending on the costs of such protection, perhaps RackSpace (or another provider, free market thingie and all) could provide these mitigation services as standard for a bumped-up cost. Perhaps 400% mark-up is a little steep for immediate service when 200-300% might cover the costs of getting someone involved.

Nonetheless, my inclination is to side with RackSpace. When you work proactively, your provider can have technology in place and ready to go so that a DDoS doesn't affect you. But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence affects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.

No, you need to bite the bullet on this one and count it as a learning experience. And call your local and/or state authorities and start an investigation, since your costs will most likely be well over the threshold of damages necessary to start such an investigation.

Re:Price gouging? YOU should have been prepared. (1)

david.given (6740) | about 2 years ago | (#41867477)

But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence affects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.

Yes, but they're going to have to do this anyway. The DDoS won't affect just one customer, it'll affect lots of people at Rackspace, and will cost Rackspace money. Whether this one customer pays Rackspace or not won't make any difference to Rackspace's costs.

That's what makes Rackspace's behaviour here so dubious. Your example of it being like car insurance after the accident is invalid. It's more like a car accident that blocks the road. (Yes, yes, a car analogy on Slashdot, just deal with it, okay?) Whether you pay emergency services to move your car is irrelevant, because they either way they're still going to move it... because otherwise the road is blocked.

Increase Your Footprint (0)

Anonymous Coward | about 2 years ago | (#41866921)

Use CDNs where possible and use latency based routing for DNS like AWS route 53. In addition have capacity in multiple locations, either in active/active or active/passive so you have more than a single point of failure. Much harder to DDoS a distributed app.

Re:Increase Your Footprint (0)

Anonymous Coward | about 2 years ago | (#41866939)

Additionally - having a captcha on tap could help during the emergency - assuming an interactive app.

gigenet (0)

Anonymous Coward | about 2 years ago | (#41866923)

Try contacting as well. They specialize in this sort of stuff for some rather large sites.

If you're actually getting large DDoS regularly, there will be no cheap options, though.

wow (0)

Anonymous Coward | about 2 years ago | (#41866929)

I'm kind of shocked that the Slashdot audience is so clueless about DDoS.

CloudFlare is an excellent option...CDN is a good option generally speaking.

DDOS filtered service (0)

Anonymous Coward | about 2 years ago | (#41866947)

I know there are some cheap DDOS filtered services out there, e.g. offers DDOS filtered VPS's for $3 per month (it's an optional add-on to any of their regular VPS products, just check a box on the order form), capable of handling fairly heavy attacks. Obviously you can't host a Google-scale service on a cheap VPS, but they have more than enough capacity for a typical small business web site. I've seen their DDOS protection in action and it works. Disclosure: I'm a satisfied customer of theirs, with several VPS's that I use for various purposes, though I don't personally use the DDOS protection since I haven't needed it. I don't have any financial interest in the company.

Had good luck with DOS Arrest (2)

tekspot (531917) | about 2 years ago | (#41866975)

Depending on the severity of the attack, CloudFlare may your cheapest option, but be aware that they are not interested in mitigating severe attacks.

A client of mine was DDOSed last year, and my ISP's (shall stay nameless) DDOS Mitigation service could not cope with the size of the attack.
I have briefly tried CloudFlare, but they turned us off within 20 minutes without any notice, and promptly refunded all the money.
Luckily, I had an old contact with DOS Arrest. It was a bit expensive to setup, but they quickly got us back online, so it was worth it in our case.

Re:Had good luck with DOS Arrest (0)

Anonymous Coward | about 2 years ago | (#41867359)

+1 to dos arrest

For gods' sake, don't *pay* them (4, Insightful)

david.given (6740) | about 2 years ago | (#41866985)

What makes you think they're going to keep their word? You're not signing a contract here, these are criminals! All you're doing is showing you're a soft touch. They'll be back, and they'll demand more money. They'll probably tell their friends, too. Not to mention the moral aspect that by giving in to these people you are directly funding crime.

No, you ignore them entirely. Don't even reply to the emails (but keep them safe). If they DDoS you, live with it. Remember that these guys rent their botnet from other criminals, so every second they're DDoSing you is costing them money. As soon as they realise that they're not going to get anything out of you they'll give up and move on to the next target. Yes, you'll probably be knocked offline for a while but (a) with a bit of marketing nous you can make this work for you, by issuing thundering press releases going on about not giving in the terrorist demands, issuing 'apologies' to your customers and giving them discounts to make up for it so driving sales, etc --- basically, free PR, make the most of it; and (b) your internet-facing servers should be coping anyway. Of course, given that they aren't, that last doesn't help right now. But beef them up because it'll help next time.

Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.

Re:For gods' sake, don't *pay* them (1)

TheUnFounded (731123) | about 2 years ago | (#41867089)

I'm with you, I didn't like the idea of paying them either. The problem is, it's much cheaper for the business to pay it and have him go away then let the site sit DDoS'd for's a hard decision. Feels like negotiating with terrorists though.

Re:For gods' sake, don't *pay* them (4, Insightful)

Chris Mattern (191822) | about 2 years ago | (#41867237)

"Go away"? Who said he'd ever go away? Well, maybe he did, but, you know, people who extort often also lie. Shocking, I know. Next time he feels the need for a few hundred dollars (or maybe a little more...), he knows where to go.

Re:For gods' sake, don't *pay* them (5, Informative)

rogueippacket (1977626) | about 2 years ago | (#41867209)

Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.

I'm not convinced - putting an order in for a service which you don't immediately need means that the provider (Rackspace) has time to plan and implement the change at their leisure. It may only take one or two people a couple of minutes, but it is undoubtedly a change on an appliance somewhere, or maybe even a physical network change if you're just "wired in" to their Internet feed. There may be an outage for you as well, meaning it has to be coordinated amongst yourself and someone doing the work. Then the whole thing needs to be tested as functional, which is very easy to do when you aren't being attacked. So the base price of $1500 seems justified.
In contrast, when you're under attack, you're basically asking your provider to "assemble the troops" on your behalf - it's an emergency change, which needs to be performed the moment you request it regardless of which other customers are being worked on. Not to mention it is significantly more complex to do this while you are being attacked.
So I think Rackspace is perfectly justified. If you want your provider to be at your beck and call 24/7 for complex changes, you're going to pay a premium. At least they have this as an option - most other hosting providers would just terminate your contract because you are now a "high risk" (expensive) customer.

So, you paid the ransom? Are you nuts? (0)

Anonymous Coward | about 2 years ago | (#41866989)

Next time, he won't settle for $400.

I mean, seriously. The DDoS and the "competitor" were probably the same guy. And next time, it will probably be the same guy again, even though it will look like this time he's Ivan from Russia instead of someone from Lebanon.

You've been played. Expect the price to climb.

Umm, easy (0)

Anonymous Coward | about 2 years ago | (#41867019)

Get 10 gbit connection, filter in iptables, watch attack stop and laugh.

Sit back, crack a cold one. (1)

Anonymous Coward | about 2 years ago | (#41867023)

Go Fishin'
Spend some time with your family.
Enjoy the wonders of nature.

Tried using a TippingPoint IPS? (0)

Anonymous Coward | about 2 years ago | (#41867119)

Some TP IPS's have DDOS mitigation. Its really going to depend on how you are getting DDOS'ed (ACKs, application level, etc). Nature of most DDOS means he probably has zombies doing the work which could easily be out of the country... plus some DDOS can IP spoof, so don't recommend just setting a firewall rule on a block (unless you really observe that block to be nothing but attacks). Full disclosure, I work for them but my statements do not represent HP.

iptables and conntrack (0)

Anonymous Coward | about 2 years ago | (#41867127)

You can use iptables and conntrack to build a top layer anti-DDOS box for about $1500. I've used this approach in the financial services industry to deal with ddos attacks that utilized > 500Mb of bandwidth.

dont pay them (1)

ruir (2709173) | about 2 years ago | (#41867145)

dont ever pay them, otherwise you are creating a market. Like in many country idiots create a market for hobos "looking" for your car.Anyway, why not putting them in the cloud, Amazon services? I bet it would be cheaper than paying Rackspace and their "security" services.

Never negoiate with criminals... (1)

Mashiki (184564) | about 2 years ago | (#41867185)

In turn, never negotiate with terrorists. You'll only encourage more acts against you.

If they contact you, contact the FBI (3, Insightful)

Animats (122034) | about 2 years ago | (#41867277)

If they actually contacted you, report that to the FBI. They're probably contacting other people, too. A pattern will emerge.

A useful technical solution that seems not to be used much is to make web site services "fair", rather than first-in, first out. If something has a queue, and you're handling an request from source X, take the next work item from a source other than X. The result is the volume of attacks coming from an individual IP address doesn't matter. Only the number of attacking IP addresses matters. Your real users will still get through, although there will be degradation in proportion to the number of hostile IP addresses.That really should be a feature in Apache.

We use this for a free API service we offer. If you make a request, it may either be satisfied immediately if we have the data available, or the request is queued for processing (this involves examining and rating a web site) and the caller gets a "try again later" status. The processing queue is "fair", so no single source can overwhelm it. (Once we rate a domain, we won't look at it again for 30 days, so our system can't be used to DDOS other web sites.)

We once had a user from an Italian university who was trying to request info on a huge number of web sites. He put over 100,000 requests into the queue, and it didn't hurt performance for other users. After a few days, though, we looked at the logs, and noticed that the requests that returned "try again later" were never being followed up with requests for the actual info. So it was all wasted work. I sent a note to the department chair of the university involved, indicating that we had no objection to their using our service, but that their client program was poorly written and wasn't doing anything useful. The traffic stopped.

Re:If they contact you, contact the FBI (1)

BeanThere (28381) | about 2 years ago | (#41867461)

If they actually contacted you, report that to the FBI. They're probably contacting other people, too. A pattern will emerge.

In addition, they have more evidence if/when the authorities do catch up with these criminals.

Another idea could be to offer a bounty to the hacker community to whoever turns in or exposes the hacker (with evidence). Might be competing hacking groups who have an idea who these guys are. If some companies clubbed together and paid toward bounties instead of 'DDoS protection', the bounty figure could be quite decent.

Has been asked before (1)

rainer_d (115765) | about 2 years ago | (#41867315)

Dig out the older thread for some useful insight.

Cloudflare (1)

kevank (2766741) | about 2 years ago | (#41867363)

I've worked with a couple of organization whose web presence was under a DDOS attack. We placed Cloudflare in front of their site and blocked all incoming traffic to the server to only the Cloudflare IP ranges. DDOS attack was abated immediately. I highly recommend the service..... If they would add load balancing with session persistence it would be perfect. -K

Try BuyVM (0)

Anonymous Coward | about 2 years ago | (#41867469)

I know this will sound like shilling, but you might try another host. I've been pretty happy with BuyVM (nope, don't work for them); they offer a pretty nice DDoS mitigation service from Awknet for an extra $3/month (on top of their normal hosting prices, which are already very reasonable). They don't drop you / null-route you when you get hit, either. You can look around for yourself, but there are quite a few happy customers (so much so that they often don't have any VMs in stock; you might have to wait a few weeks until they restock).

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?