[olug] DoDNS extortion

Patrick McNeil pmcneil at dragool.com
Wed Sep 8 14:09:25 UTC 2004


Well, you are correct that this is a crime (extortion) and should be
reported to the FBI or at least local authorities.  Let me know if you
would like a contact at the local FBI office.

As for protecting against a DDOS attack there are several options:
1.  Host your DNS with different providers / connections.  But this isn't
really complete protection because if you host with N providers with a
DS-3 for example, it will just take more DOS zombies to bring you down. 
But if you are hosting with a co-location provider, they most likely
already have countermeasures in place (or could put them in place at your
request) to help limit the damage.  Also, most co-location providers have
security people that are trained in detecting and countering these types
of attacks.

2.  There are IDS options you can look at, but with DNS being UDP there
is no three-way handshake for the connection that needs to be initiated,
and therefore it is easier to spoof addresses.  The IDS could easily
generate the list of attacking hosts and alter the firewall to block the
attacking hosts (assuming the connections aren't from spoofed addresses).

3.  Depending upon what is actually happening (i.e. does the server go
down, or is just DNS unavailable), you can try implementing limits on the
number of connections allowed, but this will only help if the servers
actually go down; it will not help if the DNS is just unresponsive or
unavailable.

Other options that really don't work (unless you have a stupid attacker):
1.  Looking at the source addresses and blocking them at the router. 
This doesn't work during most DDOS attacks because there are generally
1,000s of hosts (again, unless the attacker is stupid in which case there
may only be a few hosts or a few subnets which can be easily blocked (and
tracked back)).
2.  Multiple Internet connections to the same servers.  This really
doesn't work unless you have large pipes (read: greater than DS3) because
multiple T1s don't really help things too much because they are easy to
overrun.  The only exception is when the DDOS zombie army that is
attacking you is very small or all coming from the same subnets.

I would really recommend getting the local authorities or the FBI involved
in this.  Although they are legally limited on what they can do without a
warrant, they could point you in the right direction and help track down
information you don't have access to (i.e. agree to pay them and find out
where to send the check to).

Patrick

Eric Penne said:
> A friend of mine just had her company attacked by a Denial of DNS
> (DoDNS).  Apparently the attackers emailed the bosses demanding $10,000
> or they would launch this DoDNS for the next month.  If they paid the
> money they would "protect" them for a year.  Is this straight out of the
> movies?
>
> Has anybody else had this issue?
>
> What are the best ways or other ways to protect yourself against this
> type of attack?
> Multiple DNS servers on different connections is one thing I was
> thinking of.  Manually blacklisting the IP addresses at the router seems
> like a slow and painful way of doing this.
>
> I assume this is a crime that probably should be reported to the FBI
> because it almost certainly crosses state lines.  Any thoughts?
>
> Later
> Eric Penne
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
>
>
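Patrick's second option (an IDS that lists the attacking hosts and alters the firewall) and his caveat that this fails against spoofed sources can both be shown with a small detector run over DNS query logs. The following Python is an added illustration, not code from this thread or from any product the posters mention; it assumes BIND 9 style `querylog` lines, the sample log lines are constructed, and the thresholds and window size are made-up values a site would tune for its own traffic.

```python
"""Per-source and aggregate DNS query-rate detection over BIND-style query logs.

Added example (not from the OLUG thread). Assumptions: BIND 9 'querylog' line
format, constructed sample lines, arbitrary thresholds.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# One BIND 9 query log line looks like (assumed format):
# 08-Sep-2004 14:09:25.123 client 192.0.2.10#53000: query: example.com IN A +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype) or None for a non-query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("src"), m.group("name"), m.group("qtype")


def bucket_queries(lines, window_seconds=10):
    """Group queries into fixed windows: {window_start_seconds: Counter(source)}."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _, _ = parsed
        secs = int((ts - EPOCH).total_seconds())
        windows[secs - secs % window_seconds][src] += 1
    return windows


def detect(lines, window_seconds=10, per_source_limit=50, aggregate_limit=500):
    """Return (noisy_sources, flood_windows).

    noisy_sources: sources sending more than per_source_limit queries in a
      window; candidates for a firewall rule IF they are not spoofed.
    flood_windows: (start, total, distinct_sources) for windows whose total
      exceeds aggregate_limit while no single source is noisy. That is what a
      spoofed or widely distributed flood looks like, and per-source blocking
      does nothing for it; the right response is upstream help, not more rules.
    """
    noisy, flood = set(), []
    for start, counter in sorted(bucket_queries(lines, window_seconds).items()):
        total = sum(counter.values())
        over = {s for s, n in counter.items() if n > per_source_limit}
        noisy |= over
        if total > aggregate_limit and not over:
            flood.append((start, total, len(counter)))
    return noisy, flood


def firewall_rules(noisy_sources):
    """Render iptables rules dropping UDP/53 from each noisy source."""
    return [f"iptables -I INPUT -p udp --dport 53 -s {src} -j DROP"
            for src in sorted(noisy_sources)]


def constructed_log():
    """Constructed sample: normal traffic, then one noisy source, then a spoofed flood."""
    lines = []

    def q(sec, src, name="example.com"):
        lines.append(f"08-Sep-2004 14:09:{sec:02d}.000 client {src}#53000: "
                     f"query: {name} IN A +")

    for i in range(20):            # 14:09:00-09: five ordinary resolvers
        q(i % 10, f"192.0.2.{i % 5 + 1}")
    for i in range(80):            # 14:09:10-19: one host hammering the server
        q(10 + i % 10, "198.51.100.7")
    for i in range(600):           # 14:09:20-29: 600 distinct (spoofed) sources, one query each
        q(20 + i % 10, f"198.18.{i // 256}.{i % 256}")
    return lines


if __name__ == "__main__":
    noisy, flood = detect(constructed_log())
    print("noisy sources:", sorted(noisy))
    for rule in firewall_rules(noisy):
        print(rule)
    for start, total, distinct in flood:
        print(f"flood window at {start}: {total} queries from {distinct} sources; "
              "no single source to block")
```

Running it flags `198.51.100.7` (80 queries in ten seconds) and emits a rule for it, but the third window, with 600 queries spread over 600 addresses, produces no rule at all. That second outcome is the point of Patrick's caveat: once the attacker spoofs or spreads the sources, per-host blocking at the router stops working and the aggregate rate is the only signal left, which is where the upstream provider's countermeasures come in.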