Ransom DDoS attack - need help!

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Wed Dec 9 15:31:33 UTC 2015

hi jean-f

On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote:
> Since the OP mentioned a "ransom" demand (aka: extortion), should law
> enforcement be contacted in such cases ?

simply saying "these bozo's are attempting to extort $100 from me"
with their email demands probably will not get the law enforcements attention

yes ... only after you have done everything you can and ready to take
the attackers to court but need law enforcement to haul them into court
and/or seize their computers for evidence

- (ntpdate/ntpd) sync your clock so that your logs have accurate time 

- check the ip# of the email servers and routers it came thru

  you may or may not need to worry about spoof'ed ip# since they 
  want you to get hold of them to give um the $$

- contact the abuse at -the-ISP  for each of those routers and servers
	- traceroute the IP# of the mail servers 
	- "whois IP#" and contact each of the ISPs

- contact the ISPs that provide connectivity to your "drop off point"
  of where you "supposed to pay up" ... we're assuming that the
  dropoff point is NOT controlled/owned by the ddos attackers

- since you know what time/date/etc that they threaten to attack,
  you should verify your data on the backup systems
  ( build a clone and keep it offline )

  everybody ( you, the ISP, cops, etc ) can all be watching the 
  DDoS attacks and tracing it back to the originating script kiddie
  or the entire extortion network

  you should also get secondary connectivity to watch the DDoS attacks
  in progress and trace it back to the originating source

  let them attack ( the honeypot ) so you can trace it back...

  tarpit all the tcp-based services so that you have 2minutes to 
  trace the attacks back to them ... they cannot "hang up" until 
  the tcp connection attempts times out

- when everything is setup ... tell the DDoS attackers the $$$
  is ready for pickup and watch the DDoS attackers attempt to
  collect the $$$ that doesn't really exist

> Is there any experience doing this ? 


> Are they any help ?

nope if you don't have the info they want see .. 

you should make it easy for them to take action to get court orders 
to haul them in

yup ... if the cops are trying to collect evidence "on the DDoS attackers"
you'd be in luck

yup ... if the DDoS attackers are large enough and/or if they're attacking 
the high profile victims

> In North america, would that mean FBI in USA and RCMP in Canada, or
> local police force which then escalates to proper law enforcement agency ?

escalation starts with you to provide all the necessary info ...
nobody else will be doing that work for you

get hold of the security dept of your ISP  and any other ISP
along the traceroute and whois iP# way back to the DDoS attackers 

ISPs probably have their favorite agents they like to work with
to chase down the xxx-most-wanted DDoS attackers

magic pixie dust
# DDoS-Mitigator.net

More information about the NANOG mailing list