Ransom DDoS attack - need help!
alvin nanog
nanogml at Mail.DDoS-Mitigator.net
Wed Dec 9 15:31:33 UTC 2015
hi jean-f
On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote:
> Since the OP mentioned a "ransom" demand (aka: extortion), should law
> enforcement be contacted in such cases ?
simply saying "these bozos are attempting to extort $100 from me"
with their email demands probably will not get law enforcement's attention
yes ... only after you have done everything you can and are ready to take
the attackers to court but need law enforcement to haul them into court
and/or seize their computers for evidence
- (ntpdate/ntpd) sync your clock so that your logs have accurate time
- check the ip# of the email servers and routers it came thru
you may or may not need to worry about spoofed ip# since they
want you to get hold of them to give 'em the $$
- contact the abuse at -the-ISP for each of those routers and servers
- traceroute the IP# of the mail servers
- "whois IP#" and contact each of the ISPs
- contact the ISPs that provide connectivity to your "drop off point"
where you're "supposed to pay up" ... we're assuming that the
dropoff point is NOT controlled/owned by the ddos attackers
- since you know what time/date/etc that they threaten to attack,
you should verify your data on the backup systems
( build a clone and keep it offline )
everybody ( you, the ISP, cops, etc ) can all be watching the
DDoS attacks and tracing it back to the originating script kiddie
or the entire extortion network
you should also get secondary connectivity to watch the DDoS attacks
in progress and trace it back to the originating source
let them attack ( the honeypot ) so you can trace it back...
tarpit all the tcp-based services so that you have 2 minutes to
trace the attacks back to them ... they cannot "hang up" until
the tcp connection attempts time out
- when everything is set up ... tell the DDoS attackers the $$$
is ready for pickup and watch the DDoS attackers attempt to
collect the $$$ that doesn't really exist
> Is there any experience doing this ?
yup...
> Are they any help ?
nope, if you don't have the info they want to see ..
you should make it easy for them to take action to get court orders
to haul them in
yup ... if the cops are trying to collect evidence "on the DDoS attackers"
you'd be in luck
yup ... if the DDoS attackers are large enough and/or if they're attacking
the high profile victims
> In North america, would that mean FBI in USA and RCMP in Canada, or
> local police force which then escalates to proper law enforcement agency ?
escalation starts with you to provide all the necessary info ...
nobody else will be doing that work for you
get hold of the security dept of your ISP and any other ISP
along the traceroute and whois IP# way back to the DDoS attackers
ISPs probably have their favorite agents they like to work with
to chase down the xxx-most-wanted DDoS attackers
magic pixie dust
alvin
# DDoS-Mitigator.net
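The "check the ip# of the email servers and routers it came thru" step above, as an added example that is not part of alvin's post: it unfolds the Received: headers of the extortion mail, lists the relay IPs in origin-first order with each relay's timestamp (which is why your own clock must be right), and filters out addresses that cannot identify an Internet relay, leaving the list to feed to whois / traceroute and the abuse@ contacts. The sample message, hostnames and documentation-range IPs are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (documentation-range IPs; not a real message).
SAMPLE_EMAIL = (
    "Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.7])\n"
    "\tby mail.victim.example (Postfix) with ESMTP id 4F1C2\n"
    "\tfor <noc@victim.example>; Tue, 8 Dec 2015 20:02:11 +0000\n"
    "Received: from relay.example-hoster.org ([198.51.100.23])\n"
    "\tby mx2.example-isp.net with ESMTP; Tue, 8 Dec 2015 20:02:09 +0000\n"
    "Received: from [192.168.1.50] (unknown [192.0.2.99])\n"
    "\tby relay.example-hoster.org (Postfix) with ESMTPA id 9A2B1;\n"
    "\tTue, 8 Dec 2015 20:02:05 +0000\n"
    "From: someone@example.org\nSubject: pay or else\n\npay up\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Ranges that never identify an Internet relay (listed explicitly because
# ipaddress.is_global would also reject the documentation ranges above).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def is_routable(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE)

def relay_hops(raw_message: str) -> list:
    """(ips, timestamp) per hop, origin first. Each relay prepends its own
    Received: line, so the bottom one is nearest the sender; only the lines
    written by your own and your ISP's servers are trustworthy."""
    hops = []
    for hdr in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(hdr.split())            # unfold the header
        head, _, date = flat.rpartition(";")    # the date follows the last ';'
        try:
            stamp = parsedate_to_datetime(date.strip())
        except (TypeError, ValueError):
            stamp = None
        hops.append((IPV4.findall(head or flat), stamp))
    hops.reverse()
    return hops

def abuse_lookup_targets(raw_message: str) -> list:
    """Routable relay IPs, origin first and deduplicated, for whois/abuse@."""
    ips = [ip for hop, _ in relay_hops(raw_message) for ip in hop if is_routable(ip)]
    return list(dict.fromkeys(ips))
```

Run `whois` and `traceroute` on each address that `abuse_lookup_targets` returns, working from the origin end towards your own mail server.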