277 comments

Nothing for you to see here. Please move along. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10632387)

Except that I got FIRST POST!!!

-DT

Null routes? (4, Informative)

IversenX (713302) | more than 9 years ago | (#10632402)

Sure, Null Routes are great for throwing away traffic, but they don't work against DDoS (notice the extra "D"!). The whole _point_ of DDoS is that the traffic comes from so many sources that the manual work involved in blocking it is huge.

Re:Null routes? (4, Insightful)

antifoidulus (807088) | more than 9 years ago | (#10632423)

Not to mention that the zombies you are blocking may very well be potential customers (note that they are attacking gambling sites); never a good idea to block your customers.....though educating them might not hurt.

Re:Null routes? (3, Insightful)

Rares Marian (83629) | more than 9 years ago | (#10632566)

Exactly why is letting a DDoS crush your service to everyone when they attack one of your sites better than blocking customers in one group?

Re:Null routes? (0)

Anonymous Coward | more than 9 years ago | (#10632695)

I believe null routing is still used. What they do is assign the source address an AS of 666. This gets propagated through the BGP routing tables. Not all but many ISPs will null route anything with a 666 AS. This allows for attacks to be stopped closer to the source. I have no idea how widespread this is; does it extend past North America? Is it used in Europe or anywhere else...

Re:Null routes? (1, Insightful)

icedivr (168266) | more than 9 years ago | (#10632760)

You don't null route the source of the traffic, you null route the destination. As the route propagates through BGP, routers across the world suddenly start returning 'no route to host' type messages, thus rendering a DDoS ineffective.

Re:Null routes? (4, Informative)

tomstdenis (446163) | more than 9 years ago | (#10632761)

Um, you can easily do an hour ban on excessive hits from a given IP. Write a module for Apache that counts the hits from a given IP. If it hits a certain threshold [say > 100 hits a minute or > x KB per second] then it simply adds the IP to a firewall [ipchains, netfilter, etc].

By making the banning automated you can easily cope with a DDoS.

Some other things to help cope

- Make small pages, well compressed images

- Don't make highly detailed pages you can get to without logging in first [e.g. avoid server CPU load]

- Load balance ;-)

Tom
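The per-IP counting and time-limited ban that the post above sketches for an Apache module, as an added example that is not code from the thread or from any real module. The threshold, window and ban length are the figures from the comment; the "firewall" is simulated by recording an expiry time, since a real module would hand the address to the host firewall at that point. The log lines are constructed sample input.

```python
"""Added example, not code from the thread: per-IP hit counting with an
automatic one-hour ban, the logic a web-server module would hand to the
host firewall. The ban action here only records an expiry time; a real
module would invoke the firewall there. Log lines below are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # hits are counted over a sliding one-minute window
HIT_THRESHOLD = 100     # the "> 100 hits a minute" figure from the comment
BAN_SECONDS = 3600      # one-hour ban


class HitLimiter:
    def __init__(self, window=WINDOW_SECONDS, threshold=HIT_THRESHOLD, ban=BAN_SECONDS):
        self.window = window
        self.threshold = threshold
        self.ban = ban
        self.hits = defaultdict(deque)   # ip -> timestamps of hits inside the window
        self.banned = {}                 # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                # ban lapsed: forget it, the client may return
            del self.banned[ip]
            return False
        return True

    def record(self, ip, now):
        """Account for one request at time `now`; True = serve, False = drop."""
        if self.is_banned(ip, now):
            return False
        window = self.hits[ip]
        window.append(now)
        while window and window[0] <= now - self.window:   # expire old hits
            window.popleft()
        if len(window) > self.threshold:
            # Threshold crossed: this is where a module would add a firewall rule.
            self.banned[ip] = now + self.ban
            window.clear()
            return False
        return True


def replay(log_lines, limiter=None):
    """Feed 'timestamp ip' lines through a limiter; return per-IP served and
    dropped counts plus the IPs still banned when the log ends."""
    limiter = limiter or HitLimiter()
    served, dropped = defaultdict(int), defaultdict(int)
    for line in log_lines:
        ts, ip = line.split()
        if limiter.record(ip, float(ts)):
            served[ip] += 1
        else:
            dropped[ip] += 1
    return dict(served), dict(dropped), sorted(limiter.banned)


def constructed_log():
    """Constructed sample: one client fires 150 hits in 30 seconds (a flood),
    another makes 20 hits in a minute, then the flooder returns after an hour."""
    lines = [f"{i * 0.2:.1f} 203.0.113.7" for i in range(150)]
    lines += [f"{j * 3:.1f} 198.51.100.5" for j in range(20)]
    lines.append("3700.0 203.0.113.7")
    return lines


if __name__ == "__main__":
    served, dropped, banned = replay(constructed_log())
    print("served:", served)        # flooder: 100 before the ban, 1 after it lapses
    print("dropped:", dropped)      # flooder: 50 while banned
    print("still banned:", banned)
```

The flooder is served for its first 100 hits, loses the next 50, and is let back in once the hour is up; the slow client is never touched. Note what this does and does not buy: it stops one noisy source from taking CPU, but every dropped packet still crossed the inbound link, which is the bandwidth point later replies make.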

Re:Null routes? (1)

Shakrai (717556) | more than 9 years ago | (#10632951)

Some other things to help cope

Make small pages, well compressed images

Don't make highly detailed pages you can get to without logging in first [e.g. avoid server CPU load]

...

That sounds more like a lesson in how to survive a slashdotting than a DDoS. Or are they one and the same?

Pay up (5, Funny)

Anonymous Coward | more than 9 years ago | (#10632409)

Pay up or I'll suggest a /. article about you, and you know the editors will accept it too!

Send money, or else. (3, Funny)

Kenja (541830) | more than 9 years ago | (#10632415)

If you don't send 1,500$ to the following PayPal account I will post an article about your company on Slashdot.

Re:Send money, or else. (5, Interesting)

LiquidCoooled (634315) | more than 9 years ago | (#10632572)

It's amusing to note people's reactions when they hear that XYZ is suffering a DDOS attack.
They invariably open the browser and attempt to open the site.
It's natural human instinct, they open it, say "Yup, it's still down" and either click refresh a few times, or close it.

Watching how slash/fark folks handle flooding a site is similar.

Worldpay and Paypal, that hurt bad (1)

Sadiq (103621) | more than 9 years ago | (#10632424)

I had friends who ran e-commerce sites that lost anything from several hundred dollars to several thousand from WorldPay and Paypal outages. The question is, what happens when this becomes more widespread? Especially considering that more and more reliance is starting to be put on e-commerce.

Re:Worldpay and Paypal, that hurt bad (4, Insightful)

eln (21727) | more than 9 years ago | (#10632611)

Your friends are obviously not real e-commerce people. Everyone who has ever worked in tech support knows that all businesses lose millions of dollars a second every time anything related to their Internet service goes down.

Re:Worldpay and Paypal, that hurt bad (1, Insightful)

aputerguy (692233) | more than 9 years ago | (#10632864)

Everyone who has ever worked in tech support knows that all businesses lose millions of dollars a second every time anything related to their Internet service goes down. Millions of dollars a second??? A bit of an exaggeration... Actually losses are always less than the hype since you need to think about losses in net contribution dollars (not gross revenues) and also consider only true lost (vs. deferred) sales. Outages both planned and unplanned are an unfortunate fact of life. One tries to minimize them when at all possible but the losses are typically manageable and are for better or worse part of the cost of doing business on the Internet.

How long... (5, Funny)

Tyndmyr (811713) | more than 9 years ago | (#10632428)

Ever been tempted to track the random people who attempt to hack/spam you, and beat them senseless? If only we could network this...I'll beat the people that live near me, and we can all post our catches on a forum somewhere...

If only it were that simple.

Re:How long... (5, Funny)

YankeeInExile (577704) | more than 9 years ago | (#10632509)

While fantasizing about vigilantism is entertaining, it really is not a good idea, just because of the lack of control.... to wit:

Hey, HeadCrackers Ltd. I was recently DDoSed by a group of hackers, led by someone who uses the slashdot handle Tyndmyr. I don't know anything else about him, but I would really appreciate it if someone would lop off a few fingers. Not only did he totally scrag my website "e-My-pretty-pony", costing me millions of dollars in lost sales revenue overnight, but he sent henchmen to my house who dyed my cat blue! I really hate him! MURDER! DEATH! KILL!
I think this should illustrate the potential for abuse.

HAND

Re:How long... (4, Funny)

eln (21727) | more than 9 years ago | (#10632651)

Oh that's it, Tyndmyr is totally dead. I'm so sick of that bastard pulling this crap. Your wish is my command. Tomorrow Tyndmyr's cat will be purple with pink polka dots.

Re:How long... (1, Funny)

multiplexo (27356) | more than 9 years ago | (#10632618)

Ever been tempted to track the random people who attempt to hack/spam you, and beat them senseless?

Yes, and I've thought of doing more than that. I wonder how the cracking community would respond if one of their members, such as the Russian guy mentioned in this article, were slowly tortured on a video that was then distributed over the net. I think if you were to take one of these guys and cut his fingers off with a pair of bolt cutters, and then burn his eyes out with a torch, and then deafen him by playing 100 decibel music into his ears as well as cutting his balls off and scarring his body by writing "We 0wnz0r you" on his body with a paintbrush dipped in acid that perhaps these crackers might think about finding honest work.

Re:How long... (0)

Anonymous Coward | more than 9 years ago | (#10632885)

I am always heartened when I see a post by someone who thinks like I do.

You clearly understand the value of deterrence.

Make the ramifications of being caught doing something like this so horrible that anyone even suggesting doing it would be told "Oh no. That's a bad, bad idea and we want no part of it. Please remove yourself from our presence immediately. We want nothing more to do with you."

Re:How long... (1, Funny)

Anonymous Coward | more than 9 years ago | (#10633009)

Dear Mr. Multiplexo,

We would like to invite you to join our interrogation efforts in Iraq. Please contact me as soon as possible.

Sincerely,
Donald H. Rumsfeld
Secretary of Defense

Re:How long... (2, Funny)

Ced_Ex (789138) | more than 9 years ago | (#10632712)

Nothing funnier than computer nerds threatening other computer nerds!

But good idea though. I can video tape it and we solve two problems. 1. We get rid of hacks/spam. 2. We profit on the videos!

Sidenote: Wasn't there a video clip with some guy getting his buddy to hit him in the face with a keyboard?

I'm sure YOU'D know about it, huh, michael? (-1, Offtopic)

Greg Lake (825508) | more than 9 years ago | (#10632432)

Would it be that hard to email site owners a few hours in advance before each story runs? Slashdot stories are often already days late, so I don't think warning webmasters before the inevitable slashdotting would make much difference. Besides, you could just cache a copy of the page.

Yeah, yeah, there's all that BS about copyright concerns but it's never been a problem for Google or Coral Cache, has it? Mirroring material on Slashdot would cut out the middle man with virtually no risk of being bitched at for shutting down entire networks. Plus, mirroring content on Slashdot means that there's no chance for a webmaster to do a bait-and-switch with goatse or something like that.

mirroring content on Slashdot = more 503 errors (0)

Anonymous Coward | more than 9 years ago | (#10632559)

Plus, mirroring content on Slashdot means that there's no chance for a webmaster to do a bait-and-switch with goatse or something like that.

Are you kidding? Nobody'd ever see Slashdot again. Imagine the bandwidth bills if Slashdot had to handle the slashdotting for every story, even if they could serve that type of volume, which seems doubtful!

Re:I'm sure YOU'D know about it, huh, michael? (0)

Anonymous Coward | more than 9 years ago | (#10632614)

Would it be that hard to email site owners a few hours in advance before each story runs?

That's where the extortion part comes in - want advance warning of a slashdotting? Better subscribe...

Not all attacks can be blocked. (4, Funny)

Carnildo (712617) | more than 9 years ago | (#10632441)

You can't null-route a slashdotting.

Re:Not all attacks can be blocked. (2, Insightful)

skyshock21 (764958) | more than 9 years ago | (#10632524)

You can't block incoming referrals from a particular site? I know with my website tracking software at least, it displays the referring URL. I'd figure you could set a filter based on that info... Weird.

Re:Not all attacks can be blocked. (3, Informative)

Carnildo (712617) | more than 9 years ago | (#10632583)

You can't block incoming referrals from a particular site? I know with my website tracking software at least, it displays the referring URL. I'd figure you could set a filter based on that info... Weird.

I know my web browser sets the referrer URL to that of the site I'm going to, and I suspect many other people do the same thing. It prevents blacklisting based on referrer, and it has the side benefit of allowing hotlinking from Geocities and other cheap hosting.

DOS Blackmail (5, Funny)

Anonymous Coward | more than 9 years ago | (#10632445)

No one's going to blackmail me into using DOS again...

Was that MS-DOS, TRS-DOS, or Apple DOS?

Re:DOS Blackmail (0)

Anonymous Coward | more than 9 years ago | (#10632718)

Didn't you see the extra D? It must be Dr. Dos

Poor Yahoo! (-1, Redundant)

Manip (656104) | more than 9 years ago | (#10632455)

I guess Yahoo! news should have paid the /. tax, oh well ... the DDOS will continue (also known as the slashdot effect).. :)

They get rather annoying... (5, Interesting)

mc_wilson (619464) | more than 9 years ago | (#10632465)

The school network here has been getting attacked about once a week for the last month. I am really tired of the internet going down and getting 60% packet loss this often.

I am not sure why we would be getting DoS attacks at a major university. The people who run resnet have a site that says what a current problem is. Their solution to DoS attacks appears to be waiting them out. When the problem becomes "solved" the "solution" normally states "DoS attack has finished." I wish they would try something that would prevent them. Stupid CIS...

Re:They get rather annoying... (0, Troll)

bani (467531) | more than 9 years ago | (#10632617)

because you have fucktard students getting in petty little my-penis-is-bigger-than-yours battles on irc.

firewall irc from resnet and the dos attacks will stop.

The Other-Other Operation (5, Funny)

centauri (217890) | more than 9 years ago | (#10632477)

"That's a nice StarCraft server you have set up there. Be a shame if anything happened to it."

Honestly, that's what I thought when I read "extortion" and "online gaming."

For anyone who remembers (1)

Eberlin (570874) | more than 9 years ago | (#10632497)

The threat of MS-DOS is enough to blackmail me out of most anything.

On a more serious note, what's up with Denial of Service attacks anyway? I guess I'm not informed enough to really offer a technical solution -- but on the client side, DDOS attacks are made with zombie bots/machines...which means an army of unpatched boxen. It's one thing to get yourself flooded out of IRC by some "crew" but a completely different thing to have major sites get killed because of an exploit infecting thousands of machines which should have been patched months ago.

Then again, maybe it's a new bit of revenue for the OSDN folks -- subscribe or your site shall know the power of a good slashdotting. :)

Re:For anyone who remembers (1)

SilentT (742071) | more than 9 years ago | (#10632696)

On a more serious note, what's up with Denial of Service attacks anyway? I guess I'm not informed enough to really offer a technical solution -- but on the client side, DDOS attacks are made with zombie bots/machines...which means an army of unpatched boxen. It's one thing to get yourself flooded out of IRC by some "crew" but a completely different thing to have major sites get killed because of an exploit infecting thousands of machines which should have been patched months ago.

Yeah, Windows users are really terrible about keeping their boxes secure. I'm just proud that, as part of the open source community [slashdot.com] , my box never causes any problems for other people's servers.

/sarcasm

Re:For anyone who remembers (0)

Anonymous Coward | more than 9 years ago | (#10632787)

1) I didn't single out windows users as I'm sure unix boxen are rooted and used as zombies too. Stupidity is platform-agnostic.

2) You seem to have completely disregarded the other paragraph about a slashdotting.

well (2, Insightful)

Fiddy Cent (823482) | more than 9 years ago | (#10632528)

Sooner or later they're gonna try to extort the wrong people, and then Luca Brasi shows up at their doorstep.

Re:well (0)

Anonymous Coward | more than 9 years ago | (#10633072)

Luca Brasi sleeps with the fishes

DANGER WILL ROBINSON, DANGER (0, Redundant)

to_kallon (778547) | more than 9 years ago | (#10632533)

Instead of using a few machines, the extortion gangs control hundreds of thousands
with all those computers "they" could bring down the internet! OH NOES!

DDoS Extortion? (1, Funny)

Pan T. Hose (707794) | more than 9 years ago | (#10632539)

You mean so many extortion attempts at the same time that the law enforcement is unable to track them all and the victims are unable to pay so fast?

DDOS and 2nd and 3rd world countries (5, Interesting)

Monkelectric (546685) | more than 9 years ago | (#10632561)

Criminals in 2nd and 3rd world countries *LOVE* the internet because it gives them *ACCESS* to first world country victims. If a Russian guy can steal 100$, that's less than a day's pay for me, but 6 months' salary to him.

I don't have the link anymore, but MSNBC did a writeup on my mother who some Russian jerkoffs tried to extort. They basically got her with a phish page, we caught on and shut down her accounts. Then they sent threats saying unless we sent money they would this and that, then when that didn't work they sent messages *BEGGING* for us to send them 150$ claiming they were poor and destitute and it was nothing to us.

Re:DDOS and 2nd and 3rd world countries (0)

Anonymous Coward | more than 9 years ago | (#10632633)

Why would someone flamebait this? Reading a first person account of a DDOS issue is more informative.

The internet has brought a bunch of countries together, in which everyone can now share ideas, information and do pretty much anything together. Along the same lines we are now sharing the same problems, crime included.

exactly (2, Informative)

bani (467531) | more than 9 years ago | (#10632709)

for some reason people in many 2nd and 3rd world countries are raised on propaganda (often from their government) believing that every single american is a millionaire.

Re:exactly (1, Insightful)

Monkelectric (546685) | more than 9 years ago | (#10632824)

Oh they are actually -- and that's the reason for a lot of the animosity towards us right now (in addition to our screwups as of late). They are grown up being told we are this wealthy and technologically advanced country (true and true) and that if we *WANTED* to we could solve the problems of their country easily (not true), and it is only because we are too selfish (half true) and too busy with our luxury to notice their suffering (not true) to beset upon them with our benevolence.

3rd world scams 1st world ONLINE (0)

Anonymous Coward | more than 9 years ago | (#10632996)

Oh they are actually -- and thats the reason for a lot of the animosity towards us right now (in addition to our screwups as of late). They are grown up being told we are this wealthy and technologically advanced country (true and true) and that if we *WANTED* to we could solve the problems of their country easily (not true), and it is only because we are too selfish (half true) and too busy with our luxury to notice their suffering (not true) to beset upon them with our benevolence

hey, i've been in the third world. it doesn't matter if you're a millionaire or whatever, if you're from the first world, you are a TARGET FOR their desires for MONEY. I've heard of third world neighborly families KIDNAPPING each other's kids FOR MONEY. ANY person in the third world who has computer access is a potential scammer online. That's why it's so dangerous now. If the third world can be in DIRECT ACCESS to the first and second world nations, then all of us in the first world are vulnerable to their nastiness. I've told friends and relatives to NOT DO BUSINESS ONLINE ANYMORE AND NOT PUT THEIR PERSONAL/FINANCIAL INFO ONTO THEIR COMPUTERS WHICH IS SILLY (as we never had to do that before and you'd think YOUR computer is yours to do with as you will) BUT IT IS NECESSARY NOW. I've had one friend of a friend phished already and advising him how to handle his keylogger and securing his personal/financial info and computer.

Re:DDOS and 2nd and 3rd world countries (0)

Anonymous Coward | more than 9 years ago | (#10632856)

You have a point, but claiming that $100 is 6 months salary to a Russian shows your ignorance. That MIGHT pay the month's rent in a small town for a small apartment, but that's all.

random figures stated as fact - film at 11... (5, Informative)

cliveholloway (132299) | more than 9 years ago | (#10633027)

Pull your head out of your ass and check before you state a wild guess as a fact:

"The average Russian salary is about $245 a month, but most state sector workers earn only a little more than a half of that."

So an average Russian earns $1470 in 6 months. Well, you were only out by a factor of 15 - source [smh.com.au] .

You don't have anything to do with elections in Florida by any chance?

cLive ;-)

IP Spoof Filtering... (5, Interesting)

Autonin (322765) | more than 9 years ago | (#10632577)

I agree - Null Routes aren't the answer here. But something that ISPs *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

It's a fairly simple concept, but a lot of work to do it with routers. Every customer end-point should have ACLs on them that block any traffic coming out of their segment that isn't assigned to their IP space. This keeps end-points honest, regardless of what IPs they try to use, which also makes zombie isolation a lot easier. They have to use their own IP, or at least a valid IP on their network, just to affect the target they are trying to attack.

Apparently this is such a Herculean effort, however, that no ISPs I know of do this consistently. There's really no upside for them anyway, except for a warm fuzzy that they're contributing to the health of the Internet.

Maybe if these sort of extortion schemes happen enough, proper pressure can be brought to bear on the ISPs to do this.

Re:IP Spoof Filtering... (1)

fredrated (639554) | more than 9 years ago | (#10632634)

How would this affect 'legitimate' spoofing?

I consult with an ASP and they often need to send out emails in the name of their customers. They are worried that spoof-blocking will make them less able to meet their customers' needs.

FredRated

Re:IP Spoof Filtering... (0)

Anonymous Coward | more than 9 years ago | (#10632639)

Define "customer end-point".

At some point though all the routes from the "customer end-points" you mentioned gets passed up to another router that has several other "end-points" going to it and it has to keep track of each of the valid IP ranges from all the others that go to it and so on and so on as the traffic passes from one ISP to another.

It's a great thought, but when you get to some of the core routers you are going to add a lot of stress to the processors. Not to mention the global aspect of the internet. As there is no "boss-of-the-internet" there's no way to centralize the effort.

Re:IP Spoof Filtering... (2, Insightful)

dnoyeb (547705) | more than 9 years ago | (#10632749)

Zombies don't spoof.

Re:IP Spoof Filtering... (1)

AndroidCat (229562) | more than 9 years ago | (#10632898)

They might. I've wondered if a persistent zombie port-scanner is using asymmetric routing to spray packets out from zombies and catch only the responses at other IP addresses. That way (a) they don't expose the IPs of zombie machines, (b) the "bullet-proof" spoofed addresses don't have as much traffic. Maybe not.

One port scan claimed to be coming from 10.163.112.154. I don't think so.

Re:IP Spoof Filtering... (0)

Anonymous Coward | more than 9 years ago | (#10632813)

The easier way to prevent 1918 address space from traversing a network is to null route those addresses. It is relatively easy to inject them into your routing table using your IGP.
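The source-address check that Autonin's per-customer egress ACL and the null-routing of RFC 1918 space suggested just above both amount to, as an added example that is not code from the thread or from any router vendor. A packet leaving a customer segment is forwarded only if its source lies in that customer's assigned prefixes and is not a private or otherwise impossible source. The prefix assignment and the packets are constructed; the 10.163.112.154 address is the one AndroidCat mentioned seeing in a port scan.

```python
"""Added example, not code from the thread: the source-address check behind
per-customer anti-spoofing ACLs, with RFC 1918 and similar ranges dropped
outright. The customer prefix and packets are constructed sample data."""
import ipaddress

# Source ranges that should never leave a customer edge toward the Internet.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, unspecified, link-local
)]


def source_verdict(src, assigned):
    """Decide one packet's fate from its source address alone.
    `assigned` is the list of ip_network prefixes the customer segment owns."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return "drop: private/bogon source"
    if not any(addr in net for net in assigned):
        return "drop: source outside assigned space"
    return "forward"


def filter_egress(packets, assigned_prefixes):
    """Apply the check to (src, dst) pairs leaving a customer segment.
    Returns the forwarded pairs and a {src: reason} map of what was dropped."""
    assigned = [ipaddress.ip_network(p) for p in assigned_prefixes]
    forwarded, dropped = [], {}
    for src, dst in packets:
        verdict = source_verdict(src, assigned)
        if verdict == "forward":
            forwarded.append((src, dst))
        else:
            dropped[src] = verdict
    return forwarded, dropped


# Constructed: a customer segment holding 203.0.113.0/24 emits four packets.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.1"),     # genuine source, forwarded
    ("192.0.2.44", "198.51.100.1"),       # spoofed: not the customer's space
    ("10.163.112.154", "198.51.100.1"),   # RFC 1918 source, never valid here
    ("203.0.113.200", "198.51.100.2"),    # genuine source, forwarded
]

if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    print("forwarded:", fwd)
    for src, why in drp.items():
        print(f"{src:16} {why}")
```

The check is cheap precisely because it sits at the customer edge, where the valid source set is one or two prefixes; the anonymous reply above is right that pushing the same idea toward core routers, where the valid set is most of the address space, is a different problem. The filter also says nothing about a zombie sending from its real address, which later replies point out is now the common case.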

Re:IP Spoof Filtering... (1)

Florian Weimer (88405) | more than 9 years ago | (#10633039)

I agree - Null Routes aren't the answer here. But something that ISP's *can* do, and could have done all along but have yet to, is to incorporate anti-spoofing measures in their networks.

A lot of attacks come from completely legitimate sources. Some malware reads the local subnet address and subnet mask and spoofs from that range, revealing the origin of the packets. Other attacks are higher up in the protocol stack and require (among other things) a complete TCP handshake, so spoofing is no longer possible.

Nowadays, attackers have so many machines that they just don't care about revealing their real addresses anymore. You can't block tens of thousands of IP addresses efficiently, either.

In some cases, anti-spoofing filters do help, but I doubt that they would make a huge difference on the current network, even if they were universally deployed.

There's no magic solution for the DoS problem. Even plugging a Cisco Guard blade into every other Cisco router won't solve the problem (short-term mitigation is certainly possible, though).

Not knowledgable on topic but... (2)

Psychotext (262644) | more than 9 years ago | (#10632578)

...aren't there firewalls that can handle this yet? Ok, so you probably can't stop it initially but surely we have equipment capable of detecting which clients are hitting the site in an abnormal manner and ignoring their traffic - at least in the short term (Hours / Days).

That should realistically mean that whilst you might lose the site for half an hour you shouldn't be losing it for days at a time. Anything like this exist? I would have thought that the bigger gambling sites would be all over it by now.

Re:Not knowledgable on topic but... (2, Informative)

radish (98371) | more than 9 years ago | (#10632704)

The problem is that the bad traffic still has to get to your firewall, so your inbound bandwidth is still all used up. A DDoS isn't usually about overloading the app server, it's about saturating all your connections.

Re:Not knowledgable on topic but... (4, Informative)

Autonin (322765) | more than 9 years ago | (#10632748)

There's a couple of problems with handling the issue on the victim side. Generally, a DDOS attack is a flood of packets with spoofed IPs (thus my earlier comment). This makes back-tracking or attacker isolation next to impossible to do. And since most attackers aren't following RFC 3514 (http://slashdot.org/articles/03/04/01/133217.shtml) the firewall can't inherently detect which packets are 'naughty' and which packets are 'nice'.

Firewalls sometimes deal with connection overload by proxying the TCP three-way handshake and only allowing the completed handshakes through to the end server. Under attack, however, the firewalls themselves can have these connection queues saturated and then they begin selectively dropping a percentage of the connection requests. Since it can't tell valid from hostile, real users experience connectivity issues.

For UDP-based protocols, used by many real-time online games, there's simply no way to stem the flood other than drop packets above a certain threshold, also causing a partial DOS for valid users.

All of these measures also cannot address the bandwidth consumption issue. This can *only* be addressed upstream.

With IP spoof protection in place at end points where hostiles live, or at gateways to foreign networks, we can at least keep attackers to real IPs that we can then isolate and prosecute.
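Autonin describes firewalls that proxy the three-way handshake and pass only completed handshakes to the server, and the half-open queue that saturates under a flood. The stateless variant of that idea, SYN cookies, as an added example that is not code from the thread or from any firewall product: the server ISN sent in the SYN-ACK is a keyed MAC over the 4-tuple and a coarse clock, nothing is stored per SYN, and state is allocated only when a final ACK proves the client received that cookie. The secret, addresses, ports and packet events are all constructed for the demo.

```python
"""Added example, not code from the thread: SYN cookies as a stateless
replacement for a half-open connection queue. The 32-bit ISN carries a 5-bit
clock counter and a 27-bit keyed MAC; a SYN costs no memory, and only an ACK
that echoes a valid, recent cookie for its 4-tuple is handed to the server.
Secret, addresses and events below are constructed."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret-rotate-me"   # real deployments rotate this
EPOCH_SECONDS = 64                              # clock granularity in the cookie
COUNTER_BITS = 5
MAC_BITS = 32 - COUNTER_BITS
MAC_MASK = (1 << MAC_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _mac(secret, four_tuple, counter):
    """27-bit keyed MAC over (src, sport, dst, dport, counter)."""
    src, sport, dst, dport = four_tuple
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(secret, four_tuple, now):
    """Server ISN to place in the SYN-ACK. Nothing is stored for this SYN."""
    counter = (int(now) // EPOCH_SECONDS) & COUNTER_MASK
    return (counter << MAC_BITS) | _mac(secret, four_tuple, counter)


def check_cookie(secret, four_tuple, ack_number, now, max_age_epochs=1):
    """True if the final ACK echoes a cookie issued recently for this 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF           # the ACK acknowledges ISN + 1
    counter = cookie >> MAC_BITS
    current = (int(now) // EPOCH_SECONDS) & COUNTER_MASK
    if ((current - counter) & COUNTER_MASK) > max_age_epochs:
        return False                                 # stale cookie (or wrapped clock)
    expected = _mac(secret, four_tuple, counter).to_bytes(4, "big")
    got = (cookie & MAC_MASK).to_bytes(4, "big")
    return hmac.compare_digest(expected, got)


def simulate(secret, server, events, now):
    """Run constructed packet events through the cookie logic.
    events: ('SYN', src, sport) or ('ACK', src, sport, ack_number).
    Returns (completed 4-tuples, rejected ACK count, SYNs absorbed)."""
    completed, rejected, syns = [], 0, 0
    for ev in events:
        four_tuple = (ev[1], ev[2], server[0], server[1])
        if ev[0] == "SYN":
            syns += 1
            make_cookie(secret, four_tuple, now)   # sent in the SYN-ACK; no queue entry
        elif check_cookie(secret, four_tuple, ev[3], now):
            completed.append(four_tuple)           # only now would the server allocate
        else:
            rejected += 1
    return completed, rejected, syns


SERVER = ("203.0.113.10", 443)
NOW = 1000


def constructed_events():
    """500 SYNs from spoofed sources that never ACK, one real client that does
    (it echoes the cookie it would have read from the SYN-ACK), and one ACK
    with a guessed number."""
    flood = [("SYN", f"192.0.2.{i % 254 + 1}", 10000 + i) for i in range(500)]
    legit = ("198.51.100.5", 40000)
    cookie = make_cookie(SECRET, (legit[0], legit[1], SERVER[0], SERVER[1]), NOW)
    return flood + [
        ("SYN", legit[0], legit[1]),
        ("ACK", legit[0], legit[1], (cookie + 1) & 0xFFFFFFFF),
        ("ACK", "192.0.2.9", 5555, 123456789),     # forged: no cookie behind it
    ]


if __name__ == "__main__":
    done, bad, seen = simulate(SECRET, SERVER, constructed_events(), NOW)
    print(f"SYNs absorbed without state: {seen}")
    print(f"handshakes completed: {done}")
    print(f"forged ACKs rejected: {bad}")
```

The 500 spoofed SYNs leave no trace, which is the property the saturating queue lacks; the one genuine client still completes, and a forged ACK fails the clock-and-MAC check. The same trade-off Autonin notes still applies upstream: every one of those SYNs consumed inbound bandwidth before the cookie logic ever saw it.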

Re:Not knowledgable on topic but... (3, Funny)

Drantin (569921) | more than 9 years ago | (#10633016)

if only they would follow the rfc specifying the evil bit...

Re:Firewalls are useless against DDoS (1, Informative)

Anonymous Coward | more than 9 years ago | (#10632756)

These attacks work by consuming all your bandwidth, and possibly all your service provider's bandwidth as well. A firewall will prevent the packets from flooding your internal LAN, but won't help the internet connection one bit. If it were an attack that used a flaw in the system, such as a winnuke attack, then a firewall would help but firewalls are useless against bandwidth consumption attacks like these DDoS attacks.

Re:Not knowledgable on topic but... (1)

jaywee (542660) | more than 9 years ago | (#10632958)

The problem is that DDoS is inherent to the Internet network design - simple network flow issue. So we can't unfortunately get rid of DDoS attacks unless we somehow redesign the Internet as a whole (maybe more intelligent routers?), which won't be exactly an easy thing to do ...

Re:Not knowledgable on topic but... (1)

Deorus (811828) | more than 9 years ago | (#10633007)

> ...aren't there firewalls that can handle this yet?

Once upon a time (when I was an IRC user), I used to run a little forum in which people could post random stupid IRC quotes. Apparently someone got so mad about one of the quotes that they decided to hit me to death, so they distributed a worm which would simply resolve my domain and send me really huge fragmented UDP packets whose effect blocked my whole inbound traffic. I repeatedly asked my ISP to apply some QoS and lower the priority of that traffic, but they said they couldn't do anything about it. Then I realized that the worm was targeting my domain so I simply added a wildcard to resolve a CNAME to www.microsoft.com and registered another domain. A day later the traffic was gone (guess who had to deal with it)...

Clarify (5, Informative)

Kallahar (227430) | more than 9 years ago | (#10632589)

Just to clarify for everyone, this is extortion against online *gambling* companies, not online gaming.

You can call gambling "gaming" in the offline world, but not the online -- "online gaming" is already taken :)

Ah... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10632591)

I see ./ editors acknowledge dupes in their post now ;)

Sounds like he learned a lot while in IRC... (2, Interesting)

Juvenall (793526) | more than 9 years ago | (#10632603)

From the article
But that's good for his new business, Prolexic Technologies Inc., which is based in Hollywood, Fla. His sting operation for BetCRIS produced a dozen clients. Prolexic is on track to bring in $2 million this year.

"Pay us and we'll save you from DDoS". Where have I heard that before?

I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?

Re:Sounds like he learned a lot while in IRC... (2, Insightful)

Anonymous Coward | more than 9 years ago | (#10632710)

I really can't be the only one who finds it hypocritical he's starting his own protection racket, can I?

How is it a protection racket?

Comparing a security company which helps defend against DDOS attacks to the DDOS attackers themselves is like comparing a security guard whom you hire to guard your business to the local gang who shake you down for "fire insurance".

Yes, both are getting paid to prevent harm to your livelihood. But the DDOS attackers and the gang are the ones threatening that livelihood in the first place. There is absolutely no moral equivalence here.

Re:Sounds like he learned a lot while in IRC... (2, Informative)

PitaBred (632671) | more than 9 years ago | (#10632736)

It's an anti-protection 'racket' though. He learned a lot from his troubles, and is now starting a business with what he learned in order to help other people who may not have the same skills or opportunities. For a fee.
Sounds pretty much like standard capitalism to me... perhaps you're one of those people who thinks that everything should be free.
In short, yes, you are the only one who thinks it's hypocritical.

Re:Sounds like he learned a lot while in IRC... (0)

Anonymous Coward | more than 9 years ago | (#10632852)

"Pay us and we'll save you from DOS". Where have I heard that before?"

Microsoft, when you upgraded to a system based on windows NT

Re:Sounds like he learned a lot while in IRC... (0)

Anonymous Coward | more than 9 years ago | (#10632953)

You're paying for them to keep your sites running while attacks are going on. Most providers, even the likes of RackSpace, will nullroute you until the attack dies down enough for them to handle. This is crucial to gambling sites where they really, really need constant uptime to make their $$$.

This is the reason why we can't get world peace. (4, Insightful)

jellomizer (103300) | more than 9 years ago | (#10632621)

Whenever we make something available to the general public there is a matter of time until some jerk finds a way to cause problems. The internet has been around for about 30 years and has been popular for about 10 years. So after this short time we have turned a means of communication ( And what a lot of people think as a step to peace ) into a complete war zone. And because no one directly (Indirectly someone may) gets hurt, and it is a lot harder to track someone down, they will attack sites and engage in Mob behavior much more easily than in real life. So a person who is on the outside will seem like an ordinary citizen when on the internet becomes a massive crime lord extorting thousands of dollars from companies. They should bring back public flogging as a form of punishment, it seems a suitable punishment for a criminal who commits his crime in anonymity.

Time for a 'retrovirus' ? (4, Interesting)

MaineCoon (12585) | more than 9 years ago | (#10632659)

As much as I hate to suggest it, it seems like underground vigilantism may be the only way to deal with the problem currently.

It seems like we are approaching a time when the need for friendly "retroviruses" that patch/disinfect (or at least warn the user and attempt to disable invasive services) is more critical to the internet's survival than before, given law enforcement's general inability to deal with the problem (not that it is really their fault, but it is beyond their capabilities).

At a minimum, "retroviruses" that can find and identify compromised zombie systems and report them would be useful to build reports for ISPs of infected customers, and allow them to deal with the problem. Unfortunately, most of the infected PCs are probably in countries where people don't care or can't really deal with the problem anyway (can't afford anti-virus software or are running pirated versions of Windows that they can't patch).

The only other alternative I can come up with is infrastructure changes to identify incoming attack addresses at a router, automatically report them to their source (or to something upstream), and implement blocking at that end. But that's talking expensive hardware...

Re:Time for a 'retrovirus' ? (1)

BitwiseX (300405) | more than 9 years ago | (#10632890)

Interesting thought.. "(or at least warn the user and attempt to disable invasive services)" I wouldn't warn the user, just SILENTLY patch/disinfect. They are just going to think scam if you "warn" them via email, popup, etc.

Re:Time for a 'retrovirus' ? (4, Interesting)

Croaker (10633) | more than 9 years ago | (#10632985)

Actually, there might be an easier way to take down zombie networks than creating a roaming virus... As I understand it, most zombie networks take their marching orders by watching an IRC channel on some server someplace. If you can figure out where the channel is, and can manage to compromise it, you should be able to hijack the zombie network and make it patch itself and then uninstall the viruses.

Instead of polluting the net even more with "retrovirus" traffic, this would be a surgical strike, although timing would be critical. I assume they shift IRC servers and channels fairly frequently, and the IRC servers might be well hardened.

I'm not a very good network admin (5, Interesting)

scribblej (195445) | more than 9 years ago | (#10632664)

Or at least, I like to think I'm not very good. There's so much to know, and I only know a tiny part of it.

My boss keeps coming to me with printouts of articles just like this one. Then he likes to say, "What can we do to prevent this happening to us?"

I like to respond, "Nothing."

But it's never a satisfying response. What do the slashdot network gurus do to prevent DDoS attacks on their systems?

I would suggest the standard network security tips - close off any ports that aren't needed, etc --

I would suggest a null route, but that only helps against a known attacking IP address. A DDoS comes from many IP addresses.

I would suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one.

I would suggest getting a service provider with more bandwidth, but then the attacker will just get an equivalent number of more zombie PCs to attack from.

I would suggest a fancy setup with multiple servers at multiple Colos but then the DDoSer will just launch multiple attacks.

Is there any way to win?

Is there any way I can tell my boss something other than "nothing?"

Save me Slashdot! Pleeeeease!?

Re:I'm not a very good network admin (0)

Anonymous Coward | more than 9 years ago | (#10632869)

  1. make sure you have plenty of anal lube
  2. bend over (BOHICA)
  3. place one hand on each ass cheek
  4. spread ass cheeks [www.goat.cx]
  5. have boss apply anal lube (#1 above)
  6. let the DDOS begin!

Re:I'm not a very good network admin (3, Interesting)

Anonymous Coward | more than 9 years ago | (#10632902)

To quote WarGames:
Strange game. The only way to win is to not play.

Re:I'm not a very good network admin (1)

emidln (806452) | more than 9 years ago | (#10632916)

"I would suggest blocking (or null routing) them ALL, but then the DDoS attacker will just go buy another set of zombie PCs and renew the attack. You can't win that one."

Yes you can. Keeping a counter on hits from a particular IP isn't difficult and can be done efficiently. When it reaches a certain amount in a specified time range, blacklist the IP for a random amount of time. This deals with customers being denied access (if they are sending out packets at 100% bandwidth utilization then they aren't using their PC now or in the immediate future anyway). This also effectively prevents a DDoS when combined with spoof protection. With the backing of ISPs using anti-spoofing filtering, this could effectively eliminate a DDoS.
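As an added example (not code posted in this thread), here is the per-source counter the comment above describes: a sliding window of hits per IP and a random-length blacklist once the count crosses a threshold; the threshold, window and ban durations are assumed values. Its limit is the one the parent comment raised: it caps each source separately, so a flood spread thinly across many sources stays under the threshold, and without the upstream anti-spoofing filtering the comment mentions, a forged source address can get a legitimate client banned.

```python
import random
import time
from collections import defaultdict, deque

class SourceRateLimiter:
    """Per-source hit counter over a sliding window plus a temporary,
    randomly sized blacklist. All parameters are illustrative defaults."""

    def __init__(self, threshold=100, window=10.0,
                 ban_min=60.0, ban_max=600.0, rng=None):
        self.threshold = threshold      # hits tolerated per window per source
        self.window = window            # seconds of history kept per source
        self.ban_min, self.ban_max = ban_min, ban_max
        self.rng = rng or random.Random()
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.banned_until = {}          # ip -> time its blacklist entry expires

    def allow(self, ip, now=None):
        """Return True if a hit from ip should be accepted at time now."""
        now = time.monotonic() if now is None else now
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False            # still blacklisted: drop silently
            del self.banned_until[ip]   # ban expired; start with a clean slate
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                 # forget hits older than the window
        if len(q) > self.threshold:
            # Over budget: blacklist for a random duration so the sender
            # cannot time the expiry, and free this source's history.
            self.banned_until[ip] = now + self.rng.uniform(self.ban_min, self.ban_max)
            del self.hits[ip]
            return False
        return True

def replay(limiter, events):
    """Feed (timestamp, ip) events through the limiter and return
    {ip: (accepted, dropped)} so the effect on each source is visible."""
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}

# Constructed sample: one source floods 150 hits in one second while a
# normal client makes 5 spread-out requests (documentation-range addresses).
SAMPLE_EVENTS = [(i / 150, "203.0.113.7") for i in range(150)]
SAMPLE_EVENTS += [(t, "198.51.100.2") for t in (0.1, 0.5, 0.9, 1.3, 1.7)]
```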

Re:I'm not a very good network admin (0)

Anonymous Coward | more than 9 years ago | (#10632992)

I've seen somewhat smaller websites handle a (probably weak) ddos attack by doing two of the things you suggested, getting multiple servers and a bigger pipe. It's expensive I'm sure, but it might be the only way for most of us. It's more brute force defense, than sophisticated.

If my website ever came under a ddos I would probably just deny world permissions and wait it out (seems like a funny "solution" since that's what the attackers would want in the first place). However I don't make any money on my site. If my site was a source of revenue, I would probably just fold and go with the expensive option.

If you're a ddos attacker and you attack a site, I really doubt it's very satisfying if you only managed to make the target spend more money to vastly improve the sites performance. Also don't forget they have a cost associated with making the attack as well, and your solution scales a hell of a lot better than theirs does.

start by reading the article (0)

Anonymous Coward | more than 9 years ago | (#10633023)

One of the guys getting attacked got fed up, and started a company to deal with this. Contact him for help. Part of what he is doing is pretending to be one of these guys, getting their confidence and collecting evidence. Then he forwards that info to the police. You should be helping him out.

Why not just block the method of communication? (2)

hrieke (126185) | more than 9 years ago | (#10632705)

So most of these bots use IRC to get their marching orders- so why not disrupt that method of communication?
This can be done on the ISP level, or at a personal level by blocking ports or what have you- or even by DDoS'ing known IRC servers themselves (a taste of their own meds?).

Just a thought

Re:Why not just block the method of communication? (1)

BitwiseX (300405) | more than 9 years ago | (#10632929)

"or even by DDoS'ing known IRC servers themselves" It's not Dalnet's fault any more than it's the fault of the person's zombied PC. Don't shoot the (packet) messenger! Let's just all start DDoSing each other! It'll be like a TCP/IP Food Fight!

Re:Why not just block the method of communication? (0)

Anonymous Coward | more than 9 years ago | (#10632932)

An ISP blocking IRC would really upset people who use it for legit means. [Sidebar: are there any legit users of IRC left?]

If you tried to target the specific channel, you'd have to know the bots were there so you could go in and see where they were reporting to. That's ok for some individuals who want to track how things are done, but if you know the bot is there, why not just shut it down while you are there?

Re:Why not just block the method of communication? (1)

wizkid (13692) | more than 9 years ago | (#10633026)

There are also the backup IRC channels. If I wrote a bot, I'd set it up so that if it couldn't talk to the primary channel, it would switch to the secondary. I lose an IRC channel, I update my bots with a new primary and secondary (or more) backup channels. These thieving bastards aren't going to lose their networks over an IRC server.

My Draconian Solution (1)

DelawareBoy (757170) | more than 9 years ago | (#10632776)

Hold the people with the unpatched boxes responsible for the attack. Especially if a patch has been made available. If not, blame Microsoft.

Re:My Draconian Solution (1)

m2bord (781676) | more than 9 years ago | (#10633042)

oh..screw it...just blame microsoft.

why?

because installing their patches is like a round of russian roulette.

sometimes the patch works perfectly on install, sometimes it brings down the whole system, sometimes it does something else that's worse...like force you to fdisk and start over.

i haven't installed sp2 because i know five people who have installed it and three have had bad experiences and two have had positive experiences.

so...i wait until there's more info on how to fix the problems...meantime, i have an unpatched machine guarded only by zone-alarm and my common sense (which obviously isn't that great because i'm still using ms).

if ms made these patches better and safer (which i'm not even sure if that's possible), we probably wouldn't be having this discussion.

Money laundering services (5, Informative)

Animats (122034) | more than 9 years ago | (#10632800)

Extortion scams like that require a money laundering service to process the payments. e-Gold is apparently popular.

Another is WebMoney [wmtransfer.com], mentioned on the spammer board SpamForum.biz [spamforum.biz]. It's an anonymous money transfer service in Moscow. Elaborate crypto. Special downloaded applications. Schemes for transferring money between customers, and finally out into the banking system. Accounts can be in euros, dollars, rubles, or hryvnias. Address is supposedly 71 Sadovnicheskaya Street, Moscow, Russia, 115035. Same address as the "Three Monkeys", which is a gay nightclub.

There are a number of services like this. They come and go. There's Gold-Cash [gold-cash.biz], in Latvia. There's EvoCash [evocash.com], at an undisclosed "offshore" location. (Well, there was EvoCash; they ceased operations on October 19th.) They even have a trade association [gdcaonline.org], which rates services as "Platinum", "Gold", "Silver", "Copper", "Carbon", or "Chlorine", which gives a hint of the problems in this area.

Then there are brokers who transfer money between these services. These can be used to perform the "rinse cycle" in money laundering. But that's another story.

I wish (0)

Anonymous Coward | more than 9 years ago | (#10632868)

Man I wish someone would DDOS this site... That way people might turn to kuro5hin, which in my opinion is much better and not run by nerds with penis envy who have to have their little kingdom to control.....

DDoS Heart Attack (2, Interesting)

Grokko (193875) | more than 9 years ago | (#10632954)

If one were to know the irc channel that a DDoSer uses to communicate with the zombie machines, is it possible to spam the channel with commands that will physically shut down the zombies, like a poweroff command in Linux, thus mitigating the effect?

It could be a Denial of Denial of Service Attack, or DoDos. I confess I might be simplifying the issue too much.

In this case, you'd have to:

1. Identify a DDoS is in progress.
2. Pick one of the zombie IP addresses.
3. Identify the type of DDoS it is performing, by trying all known ones (if it is out there in quantity, it is likely known).
4. Find its IRC channel and spam it with poweroff commands.
5. DDoS stops happening.