Tuesday, November 25, 2008

Filthy Rotten Scriptkiddies - Blackmailing Siteowners

A friend of mine owns a site which has very little traffic and sells a niche product. Because he gets so little traffic, alarm bells immediately sound when there is suddenly a spike.

If there were a spike he would probably be rich, but the chances of that happening are very slim.

Anyway, last night the guy called me up at 3:30 saying he had received an email from some Hotmail address that said something like:

I understand how much revenue you bring in each month, I can bring that down to 0 if I wish. Think I'm kidding? Think this is a joke?


And then his demands.

So, thinking this was indeed a joke, I asked why he )(@#%()#@% woke me. But it wasn't a joke. The site was down, and had been for 1.5 hours already, costing my friend money.

Still groggy from sleep, I could not imagine this being anything other than some lame DoS attack: one or a few computers hammering away at port 80.

Unfortunately that was not the case at all.

This was a fairly heavy DDoS (for this kind of lame threat / blackmail). After a few minutes I had already collected (and blocked) over 200 unique IPs, mostly from different address classes.

In this blog I have more than once shown some ideas for catching and blocking DDoS attacks from within Linux, and this one was a rather simple one that could be blocked using the tricks described here:

List of Linux tricks

A few notes: Apache (or whatever you might use) queues all those incoming connections and leaves them connected even after the source IPs are blocked. Because of this, during the attack I ran the following from cron: */10 * * * * service httpd restart. This makes Apache immediately kill off those bad connections while finishing the real ones with a proper response. At least you'll have service for most people using this method.
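To make the "collect and block" step above concrete, here is an added example script (my own, not the author's and not one of the linked Linux tricks). It assumes the classic netstat output format and iptables on the box, counts connections to local port 80 per remote IP, and inserts one DROP rule for each IP at or above a threshold, skipping IPs that are already in the INPUT chain so it can be run from cron every minute without piling up duplicates. The threshold of 20, the constructed netstat sample, the DRY_RUN switch and the logger tag are all my choices for illustration; IPv4 only.

```shell
#!/bin/sh
# Added example: block IPs holding an unusual number of connections to port 80.
# Assumptions (mine, not the post's): netstat -ntu output layout, iptables,
# IPv4 addresses only. THRESHOLD is an illustrative default.

THRESHOLD=${THRESHOLD:-20}

# Constructed sample of `netstat -ntu` output, standing in for a live server.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       TIME_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.9:40003       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.50:55000      ESTABLISHED'

# Read netstat-style text on stdin; print (sorted) the remote IPs that hold
# THRESHOLD or more connections to local port 80. Connections to other local
# ports are ignored so an admin's SSH session is never counted.
find_flooders() {
    awk -v thr="$THRESHOLD" '
        $1 ~ /^tcp/ && $4 ~ /:80$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' | sort
}

# Already have a rule for this IP in INPUT? (column 4 of `iptables -nL` is
# the source address; avoids iptables -C, which older releases lack.)
already_blocked() {
    iptables -nL INPUT 2>/dev/null | awk '{print $4}' | grep -qx "$1"
}

# Read one IP per line on stdin and insert a DROP rule for each new one.
# DRY_RUN=1 prints the commands instead of running them.
block_ips() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP"
        elif ! already_blocked "$ip"; then
            iptables -I INPUT -s "$ip" -p tcp --dport 80 -j DROP
            logger -t ddos-guard "blocked $ip"
        fi
    done
}

# Only act on the live netstat when explicitly asked: `ddos-guard.sh run`
case "${1:-}" in
    run) netstat -ntu | find_flooders | block_ips ;;
esac
```

Run it from cron (for example, every minute as `* * * * * /usr/local/sbin/ddos-guard.sh run`) next to the author's restart line. Note that the count includes connections Apache is still holding from IPs that were blocked on an earlier pass, which is exactly why the restart is needed; also, `service httpd restart` on most distributions is a hard stop/start that drops in-flight real requests, whereas `apachectl graceful` lets them complete before the workers are recycled, so it is worth trying graceful first.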

Of course it required a bunch of tweaking, as the attacker changed his strategy quite often to make things more difficult.

I don't get people who do this, and I certainly don't understand how they can mount such a huge attack with so many different IPs.

Edit: the attack has been going on for 9 hours now... site doing fine.