Webmaster General Forum

DDos Blackmail. Pay or your server goes down.
I didn't pay and in the afternoon the attack started.
jecasc




msg:4218279
 3:51 pm on Oct 18, 2010 (gmt 0)

This morning I received an email. Somebody threatened to take my server down with a DDos Attack if I don't pay a certain amount of money. I thought it was a simple SPAM Scaremail and didn't think much about it. In the afternoon however traffic to my website suddenly spiked until it was not available anymore. Luckily my hosting company offers a pretty good service and automatically transferred my whole website to a high performance server. So after half an hour my website was available again, though slower. The DDos attack continues however. Website is quite slow.

Any ideas what to do in such a situation? Besides the obvious - like contacting the police.

My hosting company says the high performance server is pretty much the best they can offer, this would be about all they can do in such an event.

What would you do? Pay the money? Prepare yourself for the next wave?

Any ideas how to prepare for the worst case? Get a second hoster so I can reroute traffic? Block certain IP ranges? I am a little at a loss here. Don't have much experience with such cases.

 

tangor




msg:4218286
 4:01 pm on Oct 18, 2010 (gmt 0)

I have no quick answers as I do not know how your site is hosted or whether you have access to the tools or not, however, an interesting article by Steve Gibson [crime-research.org...] (PDF) documents some of the difficulties in dealing with this (dated 2001... things have changed since then). Posted for info on the nature of DDoS attacks only.

rocknbil




msg:4218301
 4:14 pm on Oct 18, 2010 (gmt 0)

Memorable article from 2003 [csoonline.com]

Not a lot of help, I know, but could give you some ideas on where to look.

jecasc




msg:4218371
 5:57 pm on Oct 18, 2010 (gmt 0)

Thanks for your input. Interesting read. One piece of advice to all: If you do get such an email contact your server admin immediately and don't dismiss it as a hoax or spam. Could have saved me the downtime if I had contacted my webhoster immediately so he could have moved my website to a high performance server before the attack started.

Anybody know where I can find lists with foreign IP ranges? Since I sell 99% in Europe I thought it would perhaps be a good idea to block the rest of the world for some time to limit the scale of the attack. On the other hand - what happens if I accidentally block Google and other search engines...

kaled




msg:4218777
 10:36 am on Oct 19, 2010 (gmt 0)

Reply to the email as follows...

Thank you for persuading my host to upgrade my server. When you get bored and give up my website will absolutely fly.

Cheers!

If you're not going to pay, you may as well wind them up a bit. Incidentally, I doubt that your host would have moved your website to another server before the attack started - they would simply have waited to see if it was the real thing like you did.

Kaled.

jecasc




msg:4218807
 12:16 pm on Oct 19, 2010 (gmt 0)

I doubt that your host would have moved your website to another server before the attack started


I guess they would - the upgrade is not free, I have to pay for the high performance server. Also the upgrade is only temporary.

At least I had an all-time high in hits yesterday.
1,4 million hits instead of the normal 35,000
40,000 MB of traffic instead of the normal 200 MB

Today I received another email. They would continue the attacks until I paid. The next wave hit a few hours ago, so far everything is working fine. Since the amount they want is relatively low I am probably not the only one they are targeting. Seems to me like routine bulk business.

LifeinAsia




msg:4218881
 3:23 pm on Oct 19, 2010 (gmt 0)

If you're not going to pay, you may as well wind them up a bit.

Say you'll pay, get their bank information, then forward it to the next Nigerian scammer e-mail you get.

jdMorgan




msg:4218888
 3:52 pm on Oct 19, 2010 (gmt 0)

Can your host provide a firewall to discard these requests?

Do all or most of the requests have anything in common -- User-agent? Page requested? HTTP-Referer headers? Missing or incorrect headers for the claimed user-agents?

Based on the above, you can often mitigate the effects of DOS attacks by refusing connections if something about the requests is identifiable or identifiably wrong. And in addition, if the requests are always for the same page or pages, you can temporarily replace those pages with smaller and/or static versions in order to reduce wasted bandwidth and server load due to script execution and database lookups.

Collect and use all of the information you can get from your raw server access and error logs. Consider adding code to the pages they hit to collect and record the additional HTTP headers sent by clients but not usually recorded in standard log files.

There are indeed lists of country-to-IP address mappings (search for "geoip" and "ip to country"). But these lists are very long because IP address ranges are assigned in often-small blocks on an as-requested basis; no attempt is made to assign and organize IP address ranges by country. Therefore, any access-control code based on IP addresses may very well be thousands of lines long, and processing that large number of directives for each request will likely only make your problem worse.

However, there's actually quite a bit you can do to reduce the effects of a DDOS attack, you just have to collect the necessary information first.

Jim
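The log triage Jim describes above, as an added example that is not from any post in this thread: parse raw access-log lines in Apache's "combined" format, build per-field frequency tables, and flag any single user-agent, path, referer or source IP that accounts for most of the traffic. The six log lines are constructed for the example (RFC 5737 documentation addresses, no real traffic); the field names and the 50% threshold are this example's own choices.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not real traffic): four near-identical hits on one page
# from an old MSIE 6 user-agent with no referer, plus two ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2010:14:02:11 +0000] "GET /shop/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [18/Oct/2010:14:02:11 +0000] "GET /shop/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.77 - - [18/Oct/2010:14:02:12 +0000] "GET /shop/index.php HTTP/1.0" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.33 - - [18/Oct/2010:14:02:12 +0000] "GET /shop/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.12 - - [18/Oct/2010:14:02:13 +0000] "GET /shop/product.php?id=42 HTTP/1.1" 200 8830 "http://shop.example/shop/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
198.51.100.12 - - [18/Oct/2010:14:02:14 +0000] "GET /static/logo.png HTTP/1.1" 200 3201 "http://shop.example/shop/product.php?id=42" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
"""

# The request attributes worth tabulating when looking for what a flood has in common.
FIELDS = ("ua", "path", "referer", "ip")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def field_counts(records):
    """Frequency table per field: the raw material for spotting a shared pattern."""
    return {f: Counter(r[f] for r in records) for f in FIELDS}


def dominant_values(records, threshold=0.5):
    """Return (field, value, count) for every field whose single most common value
    covers at least `threshold` of all requests. A real audience is spread out over
    many user-agents, pages and addresses; a flood usually is not."""
    total = len(records)
    hits = []
    for field, counter in field_counts(records).items():
        if not counter:
            continue
        value, count = counter.most_common(1)[0]
        if count / total >= threshold:
            hits.append((field, value, count))
    return hits


def no_referer_share(records):
    """Fraction of requests that carry no Referer ("-"); bots hitting one URL
    directly rarely send one, ordinary page navigation usually does."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["referer"] == "-") / len(records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for field, value, count in dominant_values(recs):
        print(f"{field}: {count}/{len(recs)} requests share {value!r}")
    print(f"requests without referer: {no_referer_share(recs):.0%}")
```

Run it against a real log with `parse_log(open(path).read())`; whatever `dominant_values` reports (here the MSIE 6 user-agent, the `/shop/index.php` path and the empty referer) is the candidate for a deny rule, while the source IPs are spread out and so would not be a useful block key.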

SirGraham




msg:4219304
 3:19 pm on Oct 20, 2010 (gmt 0)

How about hosting all images on a service like Amazon Cloud or another content delivery network provider? This would not reduce the requests of course but probably get some load off your own webserver? And I am sure they won't get those providers down.
Price/GB is not too expensive.

tangor




msg:4219352
 4:50 pm on Oct 20, 2010 (gmt 0)

Spreading the pain, and paying additional broadband charges, too, does not seem like a solution. Harden the site, investigate the attack, deny those, and get on with business. This, of course, does require that one either owns the site/hardware, or is working with a host willing to partner in dealing with the attack(s).

expat123




msg:4219368
 5:41 pm on Oct 20, 2010 (gmt 0)


I would hire gigenet. It works.

[gigenet.com...]

wheel




msg:4219369
 5:43 pm on Oct 20, 2010 (gmt 0)

What would you do? Pay the money? Prepare yourself for the next wave?

Pay money? Holy cow, not ever.

As tangor says, harden up and move on. You should be ready for this stuff anyway. Then you can email them back and say 'kiss my monkey butt'. Well, don't do that either. But you can ignore it and move on.

I'm running in a small local election right now, and some ding dong grabbed every email of every candidate and emailed us an extensive 'you are going to die unless you pay' email. Actually made the local papers here. Spammers are funny.

jkovar




msg:4219371
 5:45 pm on Oct 20, 2010 (gmt 0)

If you pay it once, you'll pay it again, and again, and again...

incrediBILL




msg:4219373
 5:50 pm on Oct 20, 2010 (gmt 0)

What would you do?


I've been DDOS'd more than a few times so this is old hat ;)

First, I'd find a better host that can mitigate a DDOS instead of just moving you to the "high performance server". Any host worth their salt should be able to put a stop to this unless it's using a very large botnet without repeating IPs, and even then it may not be that complicated depending on the nature of the attack. Why I say move to a better host isn't because of your attack, imagine they attack someone else on your shared server or on the network. If these guys can't mitigate your attack then you'll suffer when some other site is attacked as well.

Second, I'd report it to the FBI cyber crime unit [ic3.gov] as an extortion attempt.

Lastly, ignore them. They'll get bored and move on.

You might lose a few dollars but it's cheaper than caving to extortion because extortionists might return to milk you again, and again, and...

[edited by: incrediBILL at 5:55 pm (utc) on Oct 20, 2010]

CenSin




msg:4219374
 5:50 pm on Oct 20, 2010 (gmt 0)

I thought that it's the hosting provider's responsibility to deal with this attack. They have all the network monitoring tools and hardware (firewall, router, switch, etc.) level access to block them.

At least, my hosting provider does that.

expat123




msg:4219376
 5:56 pm on Oct 20, 2010 (gmt 0)

At least, my hosting provider does that.


Who is your hosting provider? Most hosting providers will null route you.

expat123




msg:4219378
 6:00 pm on Oct 20, 2010 (gmt 0)

Any host worth their salt should be able to put a stop to this unless it's using a very large botnet without repeating IPs, and even then it may not be that complicated depending on the nature of the attack.


I'd like to know which providers you are talking about. I have one of the best hosting providers and they can't provide this kind of protection.

CenSin




msg:4219381
 6:12 pm on Oct 20, 2010 (gmt 0)

@ expat123

I don't know if I am allowed to post the name here, but a simple whois on my name plus .com will give you some clue.

I have no deep technical experience. So every time my free site monitoring emails me that my site is down, I just simply email/inform my provider that my site/DB is down and ask them to help me resolve the issue.

Usually not long after that, a response email arrives notifying me that my site is already online. I remember they mentioned once that my site had experienced a DDOS attack.

expat123




msg:4219394
 6:32 pm on Oct 20, 2010 (gmt 0)

@CenSin

Your hosting provider does, in fact, claim to handle DDOS attacks. That could be a solution if it really works.

zeus




msg:4219395
 6:32 pm on Oct 20, 2010 (gmt 0)

Don't pay, and set up the firewall so that a single user can only access so and so many times. I have to deal with DDoS attacks almost every day.

CenSin




msg:4219396
 6:42 pm on Oct 20, 2010 (gmt 0)

Your hosting provider does, in fact, claim to handle DDOS attacks. That could be a solution if it really works.

Well, at least that's what they said once in a response email when I couldn't access my site.

I have been hosting there since 2004 (I can't remember exactly); they already know that I am not capable of handling serious technical issues.

With only raw log files to analyze, don't expect to troubleshoot that issue in a short period. Better to leave it to the datacenter guys at your provider.

incrediBILL




msg:4219403
 7:06 pm on Oct 20, 2010 (gmt 0)

Most hosting providers will null route you.


Nothing wrong with that if they fix the problem while you're null routed and restore service quickly.

If they just null route you and go back to drinking coffee, you need a new host.

CenSin




msg:4219405
 7:15 pm on Oct 20, 2010 (gmt 0)

If they just null route you and go back to drinking coffee, you need a new host.

Am I the only one who thinks that this is a very funny comment? :D

Karma




msg:4219407
 7:20 pm on Oct 20, 2010 (gmt 0)

Just wondering, from a spammer's pov - how much effort is involved to perform a DDoS attack on a website?

What, if anything, would make their lives harder and possibly force them to move on to someone else?

If you're not going to pay, you may as well wind them up a bit.


Bad advice: if you're not going to pay, you'll be wanting them to move on, not getting them mad so they come back when they have more resources.

iThink




msg:4219408
 7:21 pm on Oct 20, 2010 (gmt 0)

If you pay it once, you'll pay it again, and again, and again...


These criminals operate as groups and typically share lists of soft targets, the so called low hanging fruits. There are several "security" forums out there that are in this type of business. So once one gang has extorted money from you, others will make even higher demands.

Your best bet is to hope that they will just get bored/tired and leave for other low hanging fruits. Chances are that you will receive a few more threatening emails. Don't answer any such emails, instead prepare for bigger DDOS attacks and hope for the best.

expat123




msg:4219414
 7:31 pm on Oct 20, 2010 (gmt 0)

Nothing wrong with that if they fix the problem while you're null routed and restore service quickly.

If they just null route you and go back to drinking coffee, you need a new host.


Most hosting providers are not equipped to handle DDOS attacks. They can't stop a sophisticated DDOS attack. It requires special infrastructure and skills.

In my experience, they null route and suggest you wait it out.

maximillianos




msg:4219424
 7:40 pm on Oct 20, 2010 (gmt 0)

We have had a few attacks over the years. The most recent was last winter. Fortunately the attacker was using a pattern in the user-agent that we could program apache to ignore.

We then took it a step further and blocked all international traffic, as the bulk seemed to come from outside the US. We have an indexed flat file country-ip mapping that seems to work very fast. It helped eliminate the problem. We have not had any trouble since (knock on wood!). We did upgrade to a monster server (Dual quad-core processors and 10 GB of RAM). Not much slows the server down nowadays. Plus we put many of our pages in RAM (using memcache) which also helps alleviate spikes.
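The three request-level controls discussed in this thread, as one added example that is not code from any poster: a user-agent pattern block like the Apache rule maximillianos describes, a country lookup over a sorted flat range table that is searched by bisection (so per-request cost stays logarithmic even when the table has the thousands of rows jdMorgan warns about), and the per-source rate limit zeus suggests. The regex, the three-row range table (RFC 5737 documentation prefixes), the allowed-country set and the limits are all constructed for the example; a real deployment would take the pattern from its own logs and the ranges from a geoip feed.

```python
import bisect
import ipaddress
import re
import time
from collections import deque

# 1. User-agent pattern block. Constructed pattern: the flood in this example
#    announces itself as an MSIE 6 build; derive a real rule from your own logs.
UA_DENY_RE = re.compile(r"MSIE 6\.0")

# 2. Country lookup. Constructed table of (first, last, country) with addresses
#    held as integers, sorted by first address and non-overlapping.
COUNTRY_RANGES = sorted(
    (int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)), cc)
    for a, b, cc in [
        ("192.0.2.0", "192.0.2.255", "DE"),
        ("198.51.100.0", "198.51.100.255", "US"),
        ("203.0.113.0", "203.0.113.255", "CN"),
    ]
)
RANGE_STARTS = [r[0] for r in COUNTRY_RANGES]

# Constructed policy: the original poster sells almost entirely in Europe.
ALLOWED_COUNTRIES = {"DE", "US"}


def country_of(ip):
    """Binary-search the range table: O(log n) per request instead of walking
    thousands of deny directives. Returns None for addresses outside every range."""
    n = int(ipaddress.ip_address(ip))
    i = bisect.bisect_right(RANGE_STARTS, n) - 1
    if i >= 0 and COUNTRY_RANGES[i][0] <= n <= COUNTRY_RANGES[i][1]:
        return COUNTRY_RANGES[i][2]
    return None


# 3. Per-source sliding-window rate limit ("a single user can only access so many times").
class RateLimiter:
    def __init__(self, max_requests, window_seconds):
        self.max = max_requests
        self.window = window_seconds
        self.hits = {}  # source ip -> deque of request timestamps inside the window

    def allow(self, ip, now=None):
        """True if this source is still under the limit; records the request if so."""
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(ip, deque())
        while q and now - q[0] >= self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(max_requests=20, window_seconds=10)


def decide(ip, user_agent, now=None):
    """Return (allowed, reason). Cheapest checks run first so that during a flood
    most requests are rejected before the more expensive lookups."""
    if UA_DENY_RE.search(user_agent):
        return False, "user-agent pattern"
    cc = country_of(ip)
    if cc not in ALLOWED_COUNTRIES:
        return False, f"country {cc or 'unknown'} not served"
    if not LIMITER.allow(ip, now):
        return False, "rate limit"
    return True, "ok"


if __name__ == "__main__":
    sample = [  # constructed requests
        ("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
        ("203.0.113.9", "Mozilla/5.0 (X11; Linux x86_64; rv:3.6) Gecko/20100101 Firefox/3.6"),
        ("192.0.2.33", "Mozilla/5.0 (X11; Linux x86_64; rv:3.6) Gecko/20100101 Firefox/3.6"),
    ]
    for ip, ua in sample:
        print(ip, decide(ip, ua))
```

The country check is the coarsest of the three and carries the cost jecasc raised earlier in the thread: a range table that is wrong or stale will also turn away search-engine crawlers and legitimate visitors, so it belongs behind the two cheaper, more specific checks and should be the first rule removed once the flood stops.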

CenSin




msg:4219427
 7:44 pm on Oct 20, 2010 (gmt 0)

In my experience, they null route and suggest you wait it out.

And they claimed that they are one of the best hosting providers?

expat123




msg:4219428
 7:48 pm on Oct 20, 2010 (gmt 0)

And they claimed that they are one of the best hosting providers?


I use Rackspace. They are one of the best.

Yes, there are some basic things they can do like improving server performance but that is not the same as DDoS protection.

CenSin




msg:4219436
 8:02 pm on Oct 20, 2010 (gmt 0)

Yes, there are some basic things they can do like improving server performance

I will remember your provider, if I need them later on.

In my case, I remember I once emailed my provider to ask why my page was so slow to load [it's probably my internet access that sucks].
They investigated, and it turned out that the DB server was slow, so they offered to migrate to another, faster DB server. I said as long as it's free, they keep downtime to a minimum and pick a quiet period of activity, then feel free to do it. The next morning my DBs (15 of them) had moved to the other server.

Things like this are very useful for someone like me who doesn't want to be bothered by any deep technical and infrastructure problems.

[edited by: CenSin at 8:24 pm (utc) on Oct 20, 2010]

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved