Golden Disney-versary

We just spent three days in Disneyland in Anaheim. The first day of our visit happened to be on the opening day of Disneyland’s many-month-long celebration of its golden anniversary. The day prior, May 4th, the amusement park was closed to the general public in preparation for the 5th — in reality, that was when the celebrities got their turn at checking out the upgrades.

Photo © Richard D. LeCour

As expected, the lines to get into Disneyland were horrific even at 8:00 in the morning when we arrived. They extended all the way from the gates to the gates at the far end of the open space into the small California Adventure park.

Most of the Fantasyland rides had something painted gold in honor of the 50th anniversary. The Dumbo ride had one of its rideable flying Dumbos decked in gold, while the Peter Pan ride had a flying boat parked outside near the line entrance on which children could climb and have their pictures taken. Likewise, a whirling teacup and one of the merry-go-round horses were painted gold. Even one of the Autopia cars was specially painted. I didn’t notice any differences on the Matterhorn or Mr. Toad’s Wild Ride. Cinderella’s castle was, of course, bedecked in golden accents, unveiled early that first morning.

The biggest disappointment of our trip was that Cinderella’s castle was off-limits the entire time, thanks primarily to news shows and media events surrounding the gala celebration. Was it fair that the Regis and Kelly show was allowed to set up almost 24 hours in advance of their live show, depriving the thousands of visitors access to the symbol of Disneyland? Not at all.

The four-year-new Disney’s California Adventure theme park, while showing off a few creative inspirations, was little more than Santa Cruz Beach Boardwalk meets Frontier Village which is dating MGM Studios — with the Tower of Terror thrown in. Speaking of which, the Orlando-based MGM Studios version of the Tower of Terror was much better.

Even after three days of crowds, lines, and sprinkling rain… even after failed access to the castle, expensive food, and the whiny attitudes of children young and old… even after all that, I’m ready to go back. I miss it already!



DDoS Cyber-Extortion

In a recent survey by Carnegie Mellon University researchers, 17 out of 100 small and mid-size businesses reported being targeted by cyber-extortionists.

I recently stumbled upon a news article about one such extortionist who threatened an online gaming website in 2003: “Your site is under attack… You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months,” or, “if you choose not to pay… you will be under attack each weekend for the next 20 weeks, or until you close your doors.”

The website owner, Mickey Richardson, asked his network admin if they should be concerned. The reply he received was “We should be safe. I think our network is nice and tight.” When the attack finally came, the website crashed hard. Standard DoS (Denial of Service) attack prevention software failed after 10 minutes. The website crashed. His ISP crashed. His ISP’s ISP then crashed. Another e-mail arrived. “I guess you have decided to fight instead of making a deal. We thought you were smart… You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday.”

The site stayed down during most of the respite that followed, and could only be brought up for short periods of time. At some point, the downtime was the result of his ISP deciding to null-route the site’s traffic. Null-routing means the ISP collects all of the traffic going to a site and drives it into the ground. This frees up the ISP’s pipes when a site it hosts is receiving massive amounts of DoS attack traffic; even if the extortionists stopped attacking, the site would stay down.

A consultant they hired had an interesting plan: build a system that would absorb huge DoS attacks. An ISP in Phoenix with a 10Gbps (ten gigabits per second) pipe eventually reluctantly agreed to host it. The system intercepted traffic intended for the website, diverted it to the ISP in Phoenix, null-routed the bad traffic, and sent legitimate traffic to the website. The system did a lot of other stuff too: monitoring, capacity planning, logging and analysis. But when it was first turned on, the extortionists stuffed too much traffic down its throat. The servers were overloaded. The website owner’s decision not to pay the extortionists was affecting other websites that shared the same ISP and were also experiencing network problems. He started getting calls from friendly competitors saying, “We paid. Just pay. We’re going down because of you.”
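The difference between the ISP's null route and the consultant's filtering system, as an added example that is not part of the original article: the addresses, packet counts and the per-source rate threshold used to pick out bad traffic are constructed assumptions, since the article does not say how the real system classified traffic.

```python
from collections import Counter

# Constructed one-second traffic sample as (source, destination) pairs.
# All addresses are documentation ranges, not values from the article.
SITE = "203.0.113.10"    # hypothetical address of the attacked site
OTHER = "203.0.113.99"   # hypothetical neighbour hosted by the same ISP
PACKETS = (
    [("198.51.100.%d" % (i % 4 + 1), SITE) for i in range(4000)]  # 4 zombies, 1000 pkt/s each
    + [("192.0.2.%d" % i, SITE) for i in range(1, 21)] * 3         # 20 customers, 3 pkt/s each
    + [("192.0.2.50", OTHER)] * 5                                  # traffic for the neighbour
)

def null_route(packets, victim):
    """ISP-style null route: discard every packet addressed to the victim."""
    return [p for p in packets if p[1] != victim]

def scrub(packets, protected, max_pps):
    """Filtering system: discard only sources sending the protected site
    more than max_pps packets per second (assumed classifier)."""
    rate = Counter(src for src, dst in packets if dst == protected)
    bad = {src for src, n in rate.items() if n > max_pps}
    kept = [p for p in packets if not (p[1] == protected and p[0] in bad)]
    return kept, bad

def delivered(packets, dst):
    """Number of packets that still reach dst."""
    return sum(1 for p in packets if p[1] == dst)

if __name__ == "__main__":
    routed = null_route(PACKETS, SITE)
    kept, bad = scrub(PACKETS, SITE, max_pps=100)
    print("null route -> site:", delivered(routed, SITE), "neighbour:", delivered(routed, OTHER))
    print("scrubbing  -> site:", delivered(kept, SITE), "neighbour:", delivered(kept, OTHER))
    print("sources dropped by scrubbing:", sorted(bad))
```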

Another email arrived. “I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me.” The extortionist demanded $75,000, but then seemed to disregard the money: “I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then fûçk around with us…. Let the games begin.”

A DoS attack is most effective using zombies, exposed and unprotected computers hacked without their owner’s knowledge. With a zombie network in place, the only issue left is scale. The more zombies there are in a network, and the more aggregate upstream bandwidth they have, the swifter and more severe havoc they can wreak. A zombie network with several hundred computers can generate hundreds of megabytes of traffic per second, enough to knock a small network offline. It turns out the extortionists had more than 20,000 zombies.

After days of severe battling, suddenly the attacks stopped. Another email: “I tried getting to your site today and I could not. I thought with all the money you spent you would not have these problems anymore. I guess you wasted your money instead of keeping your word. Good luck. P.S. I bet you feel real stupid that you did not keep your word. I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked.” It was a bluff. The website was up. The extortionists couldn’t get to it because they were blocked. The website owner hadn’t paid them a dime. They made no more threats. They couldn’t because they couldn’t back them up with action. The extortionists had lost. And yet, the e-mail was not far off. Mickey figures it cost him a million dollars in lost revenue and IT investments to win the war.

Update

Three guys in Russia were caught and charged in connection with the DDoS assault on Mickey’s betting site, including Ivan Maksakov, a 22-year-old student at the Balakov Institute of Engineering, Technology, and Management. According to the Russian newspaper Kommersant, Ivan was sentenced to eight years behind bars and ordered to pay a fine of 100,000 rubles (just under USD $4,000).