Ransom DDoS attack - need help!

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Fri Dec 4 01:00:16 UTC 2015

hi "need help"

On 12/03/15 at 03:15am, halp us wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. 

use an email reader that allows you to see all the received email headers
to see which STMP routers they came thru to reach your smtp servers

contact each of the ISP that owns those IP# ranges to forewarn them of
your upcoming DDoS attacks .. if you're/we're lucky, the actual DDoS
attacks would pass thru the same ISPs again

> Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

cool .. more proof that they can carry out an attacks allows you ( law enforcement
and the ISP ) to track down who they are, where they come from, etc, etc, etc

since you also kinda know what time/date they will be attacking, the ISP and
law enforcement can be watching for the incoming attacks reverse track the
originating and probably cracked routers ... and hopefully, one-in-a-million
chance to find the ddos-extorter's computers

if the extorter is in the same city ( your local bully ) using the same ISP, 
finding the extorter should be trivial

you can also catch the extorter by "pretending" to have put up the $$$$
and tell the FBI/interpol/ISPs/PayPal/etc to watch the non-existent account
for incoming connections from the extorter ... and keep telling the
extorter the $$$ is there even if they can't seem to get their $$$

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons).

most folks would like to see that you have done your "homework" too 
trying to stop incoming DDoS attacks ... aka, you need to able to provide 
them the necessary info for them to help you ...

run tcpdump and/or etherreal to capture the DDoS attacks


ALL servers are under kinda harmless script kiddie attacks every second ...
- defend against those ( free ) ddos attacks scenarios
	# if you cannot figure out how to stop these harmless probes, you're
	# gonna be in trouble when the DDoS attacks are intent on their attacks

Simple things you should do BEFORE getting outside DDoS mitigation help, 
because they will probably ask and probably perform the same thing:

	- prepare a ( time, $$$, technical expertise ) budget to stop that DDoS attacks

	- get the received headers from the extorter's emails

	- get the ph# and email contacts of your ISP's security dept and 
	their peers/uplinks  .. similarly for the ph# of your local FBI/police dept

	- at a minimum, update patch all servers to today's patch releases

	- "confirm" means use the FREE online test tools to test your servers
	- confirm your DNS servers are NOT open resolvers
	- confirm your SMTP servers are NOT open relays

	- use the NTP servers from your ISP if you're not sure if your NTPd is secure

	- install IPtables + tarpit to defend against almost all TCP-based attacks
	-	imho, it is pointless to run iptables without tarpit support
	-	http://NetworkNightmare.net/Tarpits/#Install

	- defending against UDP attacks requires you get help from your ISP
		- usually against DNS, NTP, NFS, SNMP, X11, etc

	- defending against ICMP attacks requires you get help from your ISP
	# you cannot stop, block, prevent, mitigate UDP-based or ICMP-based
	# ddos attacks at your servers .. 
	# the ddos attack damage ( wasting your time, $$$ and bandwidth ) 
	# is already done if it reaches your servers

	- backup your user ( /home, /etc ) data ...
	- build a brand new server from latest distro and restore your data from backup

- if you don't have time for all this DDoS stuff.... and willing to do only 1 thing,
  install and learn iptables with tarpits on all your servers exposed to the internet

	- it's trivial or NOT trivial depending on your abilities
	- it is trivial ( few minutes/hours work ) for those folks familiar with IPtables


- if you do decide to go with outside DDoS scrubbers, you definitely will need $$$

if you don't have the time but have the $$$, hire a couple different DDoS mitigators
to help protect your boxes during the DDoS attacks

	# sample list of DDoS mitigator appliances

- few dozen other things to do to protect your servers from DDoS attacks

- follow up with those nanog contacts that have offered to help ...

- sit back and watch for new attacks that you haven't addressed

magic pixie dust

More information about the NANOG mailing list