Offline Extortion…
Stumbled upon a news article about an extortionist who threatened an online gaming website, saying “Your site is under attack… You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months,” or, “if you choose not to pay… you will be under attack each weekend for the next 20 weeks, or until you close your doors.”
Ðámn! Having experienced my own versions of cyber-crazies, I found that opening paragraph very interesting.
The guy asked his network admin if they should be concerned. The reply he received was “We should be safe. I think our network is nice and tight.” When the attack finally came, the standard DoS (Denial of Service) prevention software held for 10 minutes and then failed. The website crashed hard. His ISP crashed. His ISP’s ISP then crashed. Another e-mail arrived. “I guess you have decided to fight instead of making a deal. We thought you were smart… You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday.”
The site stayed down during most of the respite that followed, and could only be brought up for short periods of time. At some point, the downtime was the result of his ISP deciding to null-route the site’s traffic. Null-routing (blackholing) means the ISP installs a route that discards every packet destined for the site’s address instead of delivering it. This frees up the ISP’s pipes when a site it hosts is receiving massive amounts of DoS attack traffic, but it also finishes the attacker’s job for him: even if the extortionists stopped attacking, the site would stay down until the ISP withdrew the route.
A consultant they hired had an interesting plan: build a system that would absorb huge DoS attacks. An ISP in Phoenix with a 10Gbps (ten gigabits per second) pipe eventually, and reluctantly, agreed to host it. The system intercepted traffic intended for the website, diverted it to the ISP in Phoenix, null-routed the attack traffic there, and forwarded only the legitimate traffic on to the website. The system did a lot of other stuff too: monitoring, capacity planning, logging and analysis. But when it was first turned on, the extortionists stuffed too much traffic down its throat and the servers were overloaded. The website owner’s decision not to pay the extortionists was now hurting other websites that shared the same ISP, which were also experiencing network problems from the overflow. He started getting calls from friendly competitors saying, “We paid. Just pay. We’re going down because of you.”
Another email arrived. “I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me.” The extortionists demanded $75,000, but then seemed to disregard the money: “I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then fûçk around with us…. Let the games begin.”
A DoS attack is most effective when launched from zombies: exposed, unprotected computers compromised without their owners’ knowledge. With a zombie network in place, the only issue left is scale. The more zombies on the network, and the more aggregate upstream bandwidth they have, the swifter and more severe the havoc they can wreak. Several hundred computers could generate roughly 100 Mbps of traffic, enough to knock a small network offline. It turns out the extortionists had more than 20,000 zombies.
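The two mitigation choices in the story (the ISP’s destination null route, which takes the whole site dark, versus the consultant’s scrubbing system, which drops attack traffic and forwards the rest) and the zombie-scale arithmetic above, as an added example in Python. This is not the article’s system or any code from it; the addresses, packet sizes, per-source rates and the per-source rate threshold are all assumptions chosen so the numbers are easy to follow.

```python
"""Toy model of two DDoS mitigations: a destination null route versus a
scrubber that blackholes only the flooding sources.

Constructed example, not the article's system. Addresses (RFC 5737 and
RFC 1918 ranges), packet sizes, rates and the per-source threshold are
assumptions chosen to keep the arithmetic visible.
"""
from collections import defaultdict

VICTIM = "203.0.113.10"    # assumed victim address
WINDOW_S = 1.0             # we model one second of traffic
LEGIT_PREFIX = "192.0.2."  # constructed legitimate users live here
ZOMBIE_PREFIX = "10."      # constructed zombies live here


def synth_traffic(n_zombies, zombie_pps, zombie_bytes,
                  n_users=20, user_pps=2, user_bytes=500):
    """One second of constructed packets as (src, dst, size_bytes) tuples."""
    pkts = []
    for i in range(n_zombies):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        pkts.extend([(src, VICTIM, zombie_bytes)] * int(zombie_pps * WINDOW_S))
    for i in range(n_users):
        pkts.extend([(f"{LEGIT_PREFIX}{i + 1}", VICTIM, user_bytes)]
                    * int(user_pps * WINDOW_S))
    return pkts


def mbps(pkts):
    """Aggregate rate of a packet list in megabits per second."""
    return sum(size for _, _, size in pkts) * 8 / WINDOW_S / 1e6


def per_source_bps(pkts):
    """Bits per second sent by each source address over the window."""
    acc = defaultdict(int)
    for src, _, size in pkts:
        acc[src] += size
    return {src: b * 8 / WINDOW_S for src, b in acc.items()}


def destination_null_route(pkts, victim=VICTIM):
    """What the ISP did: a blackhole route discards every packet addressed
    to the victim, attack and legitimate alike. The site goes dark."""
    forwarded = [p for p in pkts if p[1] != victim]
    dropped = [p for p in pkts if p[1] == victim]
    return forwarded, dropped


def scrub(pkts, max_src_bps):
    """Selective mitigation: blackhole only sources whose rate exceeds a
    per-source threshold (one illustrative heuristic, an assumption here)
    and forward everything else on to the victim."""
    blackholed = {s for s, r in per_source_bps(pkts).items() if r > max_src_bps}
    forwarded = [p for p in pkts if p[0] not in blackholed]
    dropped = [p for p in pkts if p[0] in blackholed]
    return forwarded, dropped, blackholed


def run_scenario(n_zombies, zombie_pps, zombie_bytes=1500, max_src_bps=100_000):
    """Compare both mitigations on one constructed attack; returns counts."""
    pkts = synth_traffic(n_zombies, zombie_pps, zombie_bytes)
    attack = [p for p in pkts if p[0].startswith(ZOMBIE_PREFIX)]
    nr_fwd, _ = destination_null_route(pkts)
    sc_fwd, _, blackholed = scrub(pkts, max_src_bps)
    return {
        "attack_mbps": mbps(attack),
        "null_route_legit_delivered": sum(p[0].startswith(LEGIT_PREFIX) for p in nr_fwd),
        "scrub_legit_delivered": sum(p[0].startswith(LEGIT_PREFIX) for p in sc_fwd),
        "scrub_attack_leaked": sum(p[0].startswith(ZOMBIE_PREFIX) for p in sc_fwd),
        "blackholed_sources": len(blackholed),
    }


if __name__ == "__main__":
    # Several hundred zombies at a modest rate each: ~100 Mbps, as in the post.
    print("300 zombies @ 30 pps:", run_scenario(300, 30))
    # 20,000 zombies each staying under the per-source threshold: the same
    # heuristic blackholes nothing and passes the whole flood.
    print("20,000 zombies @ 3 pps:", run_scenario(20_000, 3))
```

The first scenario is the "several hundred computers" case: 300 zombies at 30 packets per second of 1500 bytes each add up to 108 Mbps, the null route delivers nothing to the site, and the scrubber drops all 300 sources while delivering every legitimate packet. The second scenario is the caveat: at the 20,000-zombie scale in the story, each source can stay below any sensible per-source threshold, so the same heuristic blackholes nothing and forwards a 720 Mbps flood; a real scrubber needs other signals (protocol conformance, connection state, traffic shape) and must also reckon with spoofed source addresses, which this model ignores.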
After days of hard fighting, the attacks suddenly stopped. Another email: “I tried getting to your site today and I could not. I thought with all the money you spent you would not have these problems anymore. I guess you wasted your money instead of keeping your word. Good luck. P.S. I bet you feel real stupid that you did not keep your word. I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked.” It was a bluff. The website was up. The extortionists couldn’t get to it because they were blocked. The website owner hadn’t paid them a dime. They made no more threats; they couldn’t, because they could no longer back them up with action. The extortionists had lost. And yet the e-mail was not far off: he figures it cost him a million dollars in lost revenue and IT investments to win the war.
Ouch!
The end result was that three guys in Russia were caught and charged with the DoS assault.