Ransom DDoS attack - need help!
All,

I've been a NANOG member for many years but I'm emailing from an anonymous account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from a very well known group that has been in the news lately. Recently they've threatened to carry out a major DDoS attack if they are not paid by a deadline which is approaching. They've performed an attack of a smaller magnitude to prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude of the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons). If you email me off-list with a name/email that you've previously used on-list, I will reply from my real email.

Alternatively, if you can post your experiences on-list with large scale high profile ransom DDoS attacks, I'd really appreciate it!

Thanks
Sounds like lizardSquad may be at it again

On Dec 3, 2015 8:53 AM, "halp us" <throwaway1958251@gmail.com> wrote:
Can you provide some additional details? Is it someone claiming association with a known group like DD4BC or the Armada Collective or unbranded?

Cheers,
CBaker

On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds <josh@kyneticwifi.com> wrote:
None of those names you just mentioned have made the international news.

On Dec 3, 2015 8:59 AM, "Chris Baker" <cbaker@dyn.com> wrote:
OSINT has a plethora of detail available:

http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130
http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin...
http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demand...

On Thu, Dec 3, 2015 at 10:04 AM, Josh Reynolds <josh@kyneticwifi.com> wrote:
On 3 Dec 2015, at 15:15, halp us wrote:
Based on certain details that I can't reveal here, we believe the magnitude of the upcoming attack may be in the several hundred Gbps.
They lie. The largest attacks we've seen from these threat actors are in the ~60gb/sec range - which is nothing to shake a stick at, mind. Many times, they don't follow through. But you're right to be prepared.

See these two presos:

<https://app.box.com/s/2kpbqfdl1ko3qhfhe4y8ekd1rvj24vfd>
<https://app.box.com/s/r7an1moswtc7ce58f8gg>

I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons).

All this super-secret squirrel stuff doesn't help, it's actually a hindrance. The short answer is 'upstream ACLs'.

Nevertheless, contact me 1:1 and I'll work to hook you up with the right folks.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
The last I spoke with NTT they said the largest they ever saw was > 300GB and most of the time they don't follow through. They threaten 100 networks and hope that x% will pay them off 'just in case'

On Thu, Dec 3, 2015 at 10:20 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos protection. Don't pay up, use ddos protection.

Clay

On Thu, Dec 3, 2015 at 3:11 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 4 Dec 2015, at 2:38, Dovid Bender wrote:
The last I spoke with NTT they said the largest they ever saw was > 300GB
That wasn't DD4BC or Armada Collective.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On 03/12/2015 08:15, halp us wrote:
a very well known group that has been in the news lately. Recently they've threatened to carry out a major DDoS attack if they are not paid by a deadline which is approaching. They've performed an attack of a smaller magnitude to prove that they're serious.
bear in mind that if you pay a ransom like this:

1. you're opening up a bank account for them to dip into whenever they feel they need more money.
2. you're perpetuating the problem of ddos-or-ransom by turning it into a viable business.

If you believe that someone who issues a ransom threat will stop if you pay them off, you're smoking crack.

Nick
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:
If you believe that someone who issues a ransom threat will stop if you pay them off, you're smoking crack.
+1

These attacks aren't rocket-science to defend against. OP, ping me 1:1.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On Dec 3, 2015, at 10:26 AM, Nick Hilliard <nick@foobar.org> wrote:
On 03/12/2015 08:15, halp us wrote:
a very well known group that has been in the news lately. Recently they've threatened to carry out a major DDoS attack if they are not paid by a deadline which is approaching. They've performed an attack of a smaller magnitude to prove that they're serious.
bear in mind that if you pay a ransom like this:
1. you're opening up a bank account for them to dip into whenever they feel they need more money.
Most of these types of service ransom deals are conducted via bitcoin. So I don’t see how this could be the case unless you mean to say that appeasing your attackers is a bad idea because they might just be emboldened enough to try and extort you again whenever the piggy bank is beginning to run dry.
I believe that is what he meant, yeah. Figurative opening of the bank account - showing them that you're willing to pay makes you a target for future payments as well.

On Thu, 03 Dec 2015, Daniel Corbe wrote:
Talk to your upstream provider. They may already have mitigation in place (e.g. Arbor devices). If not, then if you know much about this anticipated attack (and you seem to have some details) they can certainly implement ACLs and other moderating tools.

Regardless, contact the FBI or similar LEA and get them involved: extortion and threats for now, and if they follow through then you have civil and very possibly criminal proceedings to look forward to.

I also highly recommend you contact EFF. Start at eff.org

--patrick darden

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of halp us
Sent: Thursday, December 03, 2015 2:15 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Ransom DDoS attack - need help!
On Thu, 3 Dec 2015 03:15:04 -0500 halp us <throwaway1958251@gmail.com> wrote:
I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons). If you email me off-list with a name/email that you've previously used on-list, I will reply from my real email.
Hello,

Sorry for your troubles. I'm happy to try to put you in touch with people we know or specific providers that may be particularly important for you, given the path attack traffic may follow to you. Generally, however, you need to be working with your upstream providers or peers. Those are your best friends that are best able to mitigate traffic from reaching you or to help trace back where it is coming from.

We also operate a free community service called UTRS, which is essentially just a community remote triggered black hole (RTBH) service. Depending on the attack and where it is coming from, it may be of some help. It is another tool in the tool box that is relatively easy to get going. Technical details and sign up form here:

<https://www.cymru.com/jtk/misc/utrs.html>
<http://www.team-cymru.org/UTRS/>

In case an attack does come, you must be able to provide some profile of the attack traffic for others to help. A sample of the attack traffic (e.g. a pcap, flow data, logs), including any characteristics that might help others help you mitigate is important. This includes source network, IP address(es) (but they may be spoofed), protocol, port, packet size, payload, etc... anything that may uniquely identify the traffic. Keep track of the time an attack starts and let people know what time zone you're working in, or convert to UTC (preferred).
Alternatively, if you can post your experiences on-list with large scale high profile ransom DDoS attacks, I'd really appreciate it!
You should consider engaging your local federal law enforcement office. Don't expect miracles, but at least have that ball rolling. They will probably tell you not to pay, and generally you shouldn't. Keep a good evidence trail. Be vigilant, but don't panic.

John
On Thu, Dec 3, 2015 at 3:15 AM, halp us <throwaway1958251@gmail.com> wrote:
A company that shall remain anonymous has received a ransom DDoS note from a very well known group that has been in the news lately. Recently they've threatened to carry out a major DDoS attack if they are not paid by a deadline which is approaching. They've performed an attack of a smaller magnitude to prove that they're serious.
Hello,

Are you announcing your IP addresses via BGP or does your ISP manage routing for you?

If BGP, contract with a DDOS mitigator now. During an attack, you reroute the /24 containing the attacked destination to the mitigator and let them scrub the bad traffic for you. I have no idea who to recommend but I believe there was a recent discussion on nanog about just that subject.

Make sure your ISP provides you with a small block of its addresses so that you can anchor the tunnel from the DDOS mitigator no matter which of your announced address blocks is attacked. And test to make sure your addresses really do reroute to the mitigator at need: your ISP can do a number of things to foul up your BGP announcement which you won't notice until you try to reroute.

If not BGP, this is your ISP's problem. Notify them of the threat so that they can get ready to mitigate it.

As others have said, don't pay the ransom. Even if the current thieves honor the bargain, it'll become known that you paid. That paints a great big target on your back for every other thief out there.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
hi "need help"

On 12/03/15 at 03:15am, halp us wrote:
A company that shall remain anonymous has received a ransom DDoS note from a very well known group that has been in the news lately.
use an email reader that allows you to see all the received email headers to see which SMTP routers they came thru to reach your smtp servers

contact each of the ISPs that own those IP# ranges to forewarn them of your upcoming DDoS attacks .. if you're/we're lucky, the actual DDoS attacks would pass thru the same ISPs again
Recently they've threatened to carry out a major DDoS attack if they are not paid by a deadline which is approaching. They've performed an attack of a smaller magnitude to prove that they're serious.
cool .. more proof that they can carry out an attack allows you ( law enforcement and the ISP ) to track down who they are, where they come from, etc, etc, etc

since you also kinda know what time/date they will be attacking, the ISP and law enforcement can be watching for the incoming attacks

reverse track the originating and probably cracked routers ... and hopefully, one-in-a-million chance to find the ddos-extorter's computers

if the extorter is in the same city ( your local bully ) using the same ISP, finding the extorter should be trivial

you can also catch the extorter by "pretending" to have put up the $$$$ and tell the FBI/interpol/ISPs/PayPal/etc to watch the non-existent account for incoming connections from the extorter ... and keep telling the extorter the $$$ is there even if they can't seem to get their $$$
I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons).
most folks would like to see that you have done your "homework" too trying to stop incoming DDoS attacks ... aka, you need to be able to provide them the necessary info for them to help you ...

run tcpdump and/or ethereal to capture the DDoS attacks

==========

---------------------------------------------------------------------------
ALL servers are under kinda harmless script kiddie attacks every second ...
- defend against those ( free ) ddos attacks scenarios
#
# if you cannot figure out how to stop these harmless probes, you're
# gonna be in trouble when the DDoS attacks are intent on their attacks
#
---------------------------------------------------------------------------

Simple things you should do BEFORE getting outside DDoS mitigation help, because they will probably ask and probably perform the same thing:

- prepare a ( time, $$$, technical expertise ) budget to stop that DDoS attacks
- get the received headers from the extorter's emails
-----------------------------------------------------
- get the ph# and email contacts of your ISP's security dept and their peers/uplinks .. similarly for the ph# of your local FBI/police dept
- at a minimum, update patch all servers to today's patch releases
------------------------------------------------------------------
- "confirm" means use the FREE online test tools to test your servers
- confirm your DNS servers are NOT open resolvers
- confirm your SMTP servers are NOT open relays
- use the NTP servers from your ISP if you're not sure if your NTPd is secure
---------------------------------------------------------------------------
- install IPtables + tarpit to defend against almost all TCP-based attacks
- imho, it is pointless to run iptables without tarpit support
- http://NetworkNightmare.net/Tarpits/#Install
---------------------------------------------------------------------------
- defending against UDP attacks requires you get help from your ISP
  - usually against DNS, NTP, NFS, SNMP, X11, etc
- defending against ICMP attacks requires you get help from your ISP
#
# you cannot stop, block, prevent, mitigate UDP-based or ICMP-based
# ddos attacks at your servers ..
#
# the ddos attack damage ( wasting your time, $$$ and bandwidth )
# is already done if it reaches your servers
#
- backup your user ( /home, /etc ) data ...
- build a brand new server from latest distro and restore your data from backup
- if you don't have time for all this DDoS stuff.... and willing to do only 1 thing, install and learn iptables with tarpits on all your servers exposed to the internet
  - it's trivial or NOT trivial depending on your abilities
  - it is trivial ( few minutes/hours work ) for those folks familiar with IPtables http://IPtables-BlackList.net
- if you do decide to go with outside DDoS scrubbers, you definitely will need $$$
  if you don't have the time but have the $$$, hire a couple different DDoS mitigators to help protect your boxes during the DDoS attacks
  # sample list of DDoS mitigator appliances
  http://DDoS-Mitigator.net/Competitors
- few dozen other things to do to protect your servers from DDoS attacks
- follow up with those nanog contacts that have offered to help ...
- sit back and watch for new attacks that you haven't addressed

magic pixie dust
alvin
http://DDoS-Mitigator.net/Mitigation-Howto
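The "get the received headers from the extorter's emails" step above can be done mechanically. This is an added example, not code from the thread or from alvin: it walks the Received: chain of a constructed message, lists each relay's address in delivery order, and marks which hops can actually be trusted, since only the lines added by your own mail servers are reliable and everything below them is under the sender's control. OUR_MTAS and the sample message are assumptions.

```python
"""Walk the Received: chain of an extortion e-mail, list the relay IPs in
delivery order, and mark which hops can be trusted.

Added example, not from the thread. The message is constructed; the
hostnames and addresses are documentation values.
"""
import re
from email import message_from_string
from ipaddress import ip_address

# Our own MTAs (assumed): Received lines written ("by") these hosts are
# ours and can be trusted. Everything below the first foreign hop is
# under the sender's control and may be fabricated.
OUR_MTAS = {"mail.example.com", "mx1.example.com"}

# Constructed message. The bottom Received line is a fake one the sender
# inserted to make the mail look as if it came from somewhere else.
RAW_MAIL = """\
Received: from mx1.example.com (mx1.example.com [203.0.113.25])
\tby mail.example.com (Postfix) with ESMTP id 4B1C3;
\tThu, 3 Dec 2015 07:15:04 +0000
Received: from relay.example.net (relay.example.net [198.51.100.77])
\tby mx1.example.com (Postfix) with ESMTPS id 3F2A9;
\tThu, 3 Dec 2015 07:15:03 +0000
Received: from [192.0.2.200] (unknown [192.0.2.200])
\tby relay.example.net (Postfix) with ESMTPA id 19D2C;
\tThu, 3 Dec 2015 07:14:59 +0000
Received: from bank.example (bank.example [203.0.113.250])
\tby smtp.example.org with SMTP; Thu, 3 Dec 2015 07:14:00 +0000
From: extortion <someone@example.invalid>
To: ops@example.com
Subject: pay up

pay or we attack
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")


def walk_received(raw, our_mtas=OUR_MTAS):
    """Return one dict per Received header, top (most recent) first."""
    msg = message_from_string(raw)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        by = BY_RE.search(value)
        by_host = by.group(1).lower() if by else None
        # Once a header claims to be written by a host that is not ours,
        # it and every header below it are unverifiable.
        if by_host not in our_mtas:
            trusted = False
        ip = None
        for cand in IP_RE.findall(value):
            try:
                ip = str(ip_address(cand))
                break
            except ValueError:
                continue
        hops.append({"from_ip": ip, "by": by_host, "trusted": trusted})
    return hops


def first_external_peer(raw, our_mtas=OUR_MTAS):
    """The address that actually connected to our edge MTA: the 'from' IP
    of the lowest trusted hop. That is the IP whose whois/abuse contact is
    worth chasing; anything further down the chain may be forged."""
    trusted = [h for h in walk_received(raw, our_mtas) if h["trusted"]]
    return trusted[-1]["from_ip"] if trusted else None


if __name__ == "__main__":
    for hop in walk_received(RAW_MAIL):
        print(hop)
    print("reliable peer:", first_external_peer(RAW_MAIL))
```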
hi lyndon

On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
On Dec 3, 2015, at 5:00 PM, alvin nanog <nanogml@Mail.DDoS-Mitigator.net> wrote:
run tcpdump and/or ethereal to capture the DDoS attacks
<face palm> Of course! If we had only thought of this sooner! </face palm> :-)
yupperz.. the problem is, capturing is nice, you have all this data ... now what ,, all that tcpdump gibberish needs to be converted and presented in a format suitable for the bean counters to allocate $$$ to mitigate and minimize the effects of the "free n hopefully relatively harmless" DDoS attacks occurring every second

lets assume required services are properly configured and excluded
- acl's only for your own dns queries
- ssh only from specific ip#
- ntp to/from your isp

lets assume you allow incoming ssh only from w.x.y.z ... all other connections are DoS attacks

    tcpdump -n -l ! host w.x.y.z and port 22

lets assume mail is your mail server .. all traffic NOT on port 25 are DoS attacks

    tcpdump -n -l host mail.example.com and ! port 25

lets assume www is your web server .. all traffic NOT on port 80 are DoS attacks

    tcpdump -n -l host www.example.com and ! port 80

if you are running all the services ( mail + apache + mysql ) on one server the remaining tcp connections are DoS attacks

    tcpdump -n -l host mail.example.com and \( ! port 25 and ! port 80 and ! port 3306 \)

lets assume dns is your dns server .. i consider all tcp traffic from outside as DoS attacks

    tcpdump -n -l tcp and host dns.example.com

to see possible udp attacks .. don't forget to exclude your own DNS and NTP queries

    tcpdump -n -l udp

to see possible icmp attacks

    tcpdump -n -l icmp

too many gazillions options makes the world go round n round ...
- where does it end :-) ... it doesn't ...
- if you get a screenful of data flying by of stuff you don't recognize, you're probably under light DDoS attacks

magic pixie dust
alvin
http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl
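Added example, not code from the thread: the same allow-list idea as the tcpdump filters above, applied to flow records instead of packet captures, and reduced to the attack profile John Kristoff asks for earlier in the thread (start time in UTC, protocol and port, packet size, sources, with the caveat that sources may be spoofed). The policy table, the management address, the reflector port list and the flow lines are all constructed.

```python
"""Turn flow records into the attack profile an upstream or mitigation
provider will ask for, keeping only traffic that falls outside each
host's expected services.

Added example, not from the thread. Records are constructed and use the
format: start_epoch proto src dst sport dport packets bytes.
"""
from collections import Counter
from datetime import datetime, timezone

# Hypothetical service policy in the spirit of the tcpdump filters above:
# per destination host, the (proto, dst port) pairs that are expected.
# Anything else is treated as unexpected/attack traffic.
POLICY = {
    "203.0.113.10": {("tcp", 25)},                # mail
    "203.0.113.20": {("tcp", 80), ("tcp", 443)},  # www
    "203.0.113.30": {("udp", 53)},                # dns: no tcp from outside
}
MGMT_SRC = "198.51.100.5"  # the one address allowed to ssh in (w.x.y.z above)

# UDP source ports typical of reflection traffic (assumed list); useful for
# telling the upstream what kind of filter to put in place.
REFLECTOR_SRC_PORTS = {19, 53, 123, 161, 1900}

# Constructed sample: three legitimate flows, four unexpected ones.
FLOWS = """\
1449128100 tcp 198.51.100.5 203.0.113.10 51000 22 10 1200
1449128101 tcp 192.0.2.44 203.0.113.10 40001 25 12 2000
1449128105 udp 192.0.2.7 203.0.113.20 123 80 9000 4200000
1449128105 udp 192.0.2.8 203.0.113.20 123 80 9000 4200000
1449128106 udp 192.0.2.9 203.0.113.20 53 80 5000 2100000
1449128107 tcp 192.0.2.10 203.0.113.30 55555 53 3 180
1449128110 tcp 192.0.2.11 203.0.113.20 55556 80 20 3000
""".splitlines()


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    f = line.split()
    if len(f) != 8:
        raise ValueError("malformed flow record: %r" % line)
    return {
        "start": int(f[0]), "proto": f[1], "src": f[2], "dst": f[3],
        "sport": int(f[4]), "dport": int(f[5]),
        "packets": int(f[6]), "bytes": int(f[7]),
    }


def is_expected(flow):
    """True if the flow matches the destination's service policy."""
    if (flow["proto"], flow["dport"]) in POLICY.get(flow["dst"], set()):
        return True
    # Management ssh is only expected from the single admin source.
    return (flow["proto"] == "tcp" and flow["dport"] == 22
            and flow["src"] == MGMT_SRC)


def attack_profile(lines):
    """Summarise the unexpected flows into what a provider needs to filter.

    Returns None when every flow is expected.
    """
    bad = [f for f in map(parse_flow, lines) if not is_expected(f)]
    if not bad:
        return None
    packets = sum(f["packets"] for f in bad)
    nbytes = sum(f["bytes"] for f in bad)
    return {
        # UTC, as the thread recommends, so the upstream can correlate.
        "start_utc": datetime.fromtimestamp(
            min(f["start"] for f in bad), timezone.utc).isoformat(),
        "flows": len(bad),
        "packets": packets,
        "bytes": nbytes,
        "avg_packet_bytes": nbytes / packets,
        "targets": Counter(f["dst"] for f in bad),
        "by_proto_port": Counter((f["proto"], f["dport"]) for f in bad),
        # Sources may be spoofed; report them, but also how many there are.
        "top_sources": Counter(f["src"] for f in bad).most_common(5),
        "distinct_sources": len({f["src"] for f in bad}),
        "reflection_like_flows": sum(
            1 for f in bad
            if f["proto"] == "udp" and f["sport"] in REFLECTOR_SRC_PORTS),
    }


if __name__ == "__main__":
    for k, v in attack_profile(FLOWS).items():
        print("%-22s %s" % (k, v))
```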
On 4 Dec 2015, at 9:34, alvin nanog wrote:
all that tcpdump gibberish
Is entirely unnecessary, as well as being completely impractical on a network of any size.

Reasonable network access policies for the entities under attack plus flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good start, along with this:

<http://www.merit.edu/mail.archives/nanog/msg03776.html>

This business of attempting to use packet captures for everything is the equivalent of your doctor attempting to diagnose the reason you're running a fever by using an electron microscope.

Start with the BCPs, then move to the macroanalytical. Only dip into the microanalytical when required, and even then, do so very selectively.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
hi ya roland

On 12/04/15 at 11:09am, Roland Dobbins wrote:
On 4 Dec 2015, at 9:34, alvin nanog wrote:
all that tcpdump gibberish
Is entirely unnecessary, as well as being completely impractical on a network of any size.
up to a point, probing around at the packet level is unnecessary depending on what one is looking for as the end result
Reasonable network access policies for the entities under attack plus flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good start, along with this:
flows may address some of the DDoS issues but might not cover all the various DDoS attacks and mitigation options and still stay within the victim's possibly non-existent DDoS mitigation budgets
This business of attempting to use packet captures for everything is the equivalent of your doctor attempting to diagnose the reason you're running a fever by using an electron microscope.
sometimes, one does need to be able to crawl, before walking, before running track vs running marathons or find someone that can run for you

in the case of ddos mitigation, no one solution can mitigate against all the possible various attacks... mitigation is a multi-layered solution

- who-what-when-where-how-why-etc:

- one does need to know what servers, ports and hw is being attacked
  it makes DDoS mitigation a lot easier if you know what is under attack and orders of magnitude less expensive to mitigate

- one does need to know who is attacking
  if one cannot defend against low level script kiddie ddos attacks, it's unlikely one will survive a ddos attack from a more skilled attacker determined to take out a server or break in etc
  if you can and have defended against all the basic script kiddie ddos attacks, then it might make it easier to find the next set of the various ddos mitigation options you need to take

- one does need to know how often, what time, they are attacking
  if they are attacking after hours, some folks might not care compared to them attacking during regular business hours

- one does need to know how much traffic the attacks are costing you in terms of time and loss of productivity due to wasted bandwidth
  even at 10% of your bandwidth used up by useless DDoS traffic is still noticeably annoying if you were looking to increase network performance

- nobody can really say why they are attacking, other than are you a low level fruit for easy picking or a target'd victim for many reasons ( paid ransom before, high profile servers, a bank, govt servers, etc ) .. pay once and all the other DDoS ransom attackers will come knocking to collect their share
Start with the BCPs, then move to the macroanalytical. Only dip into the microanalytical when required, and even then, do so very selectively.
yup... selective and escalate the mitigation process and procedure

magic pixie dust
alvin
Side question: Since the OP mentioned a "ransom" demand (aka: extortion), should law enforcement be contacted in such cases? Is there any experience doing this? Are they any help? In North America, would that mean FBI in USA and RCMP in Canada, or local police force which then escalates to proper law enforcement agency?
On 9 Dec 2015, at 11:46, Jean-Francois Mezei wrote:
Since the OP mentioned a "ransom" demand (aka: extortion), should law enforcement be contacted in such cases?
Yes.
Is there any experience doing this?
Yes.
Are they any help?
Operationally, no. Investigatively, possibly.
In North America, would that mean FBI in USA and RCMP in Canada
Yes.
or local police force which then escalates to proper law enforcement agency?
If you're asking about US and/or Canada, the relevant national LEA generally applies. In other jurisdictions, it's situationally-specific.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
hi jean-f

On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote:
Since the OP mentioned a "ransom" demand (aka: extortion), should law enforcement be contacted in such cases?
simply saying "these bozos are attempting to extort $100 from me" with their email demands probably will not get law enforcement's attention

yes ... only after you have done everything you can and ready to take the attackers to court but need law enforcement to haul them into court and/or seize their computers for evidence

- (ntpdate/ntpd) sync your clock so that your logs have accurate time
- check the ip# of the email servers and routers it came thru
  you may or may not need to worry about spoof'ed ip# since they want you to get hold of them to give um the $$
- contact the abuse@-the-ISP for each of those routers and servers
- traceroute the IP# of the mail servers
- "whois IP#" and contact each of the ISPs
- contact the ISPs that provide connectivity to your "drop off point" of where you "supposed to pay up" ... we're assuming that the dropoff point is NOT controlled/owned by the ddos attackers
- since you know what time/date/etc that they threaten to attack, you should verify your data on the backup systems ( build a clone and keep it offline )
  everybody ( you, the ISP, cops, etc ) can all be watching the DDoS attacks and tracing it back to the originating script kiddie or the entire extortion network
  you should also get secondary connectivity to watch the DDoS attacks in progress and trace it back to the originating source
  let them attack ( the honeypot ) so you can trace it back...
  tarpit all the tcp-based services so that you have 2 minutes to trace the attacks back to them ... they cannot "hang up" until the tcp connection attempts time out
- when everything is setup ... tell the DDoS attackers the $$$ is ready for pickup and watch the DDoS attackers attempt to collect the $$$ that doesn't really exist
Is there any experience doing this?
yup...
Are they any help?
nope if you don't have the info they want
see .. you should make it easy for them to take action to get court orders to haul them in

yup ... if the cops are trying to collect evidence "on the DDoS attackers" you'd be in luck

yup ... if the DDoS attackers are large enough and/or if they're attacking the high profile victims
In North America, would that mean FBI in USA and RCMP in Canada, or local police force which then escalates to proper law enforcement agency?
escalation starts with you to provide all the necessary info ... nobody else will be doing that work for you

get hold of the security dept of your ISP and any other ISP along the traceroute and whois IP# way back to the DDoS attackers

ISPs probably have their favorite agents they like to work with to chase down the xxx-most-wanted DDoS attackers

magic pixie dust
alvin
# DDoS-Mitigator.net
participants (16)
- A.L.M.Buxey@lboro.ac.uk
- alvin nanog
- Chris Baker
- Clay Curtis
- Daniel Corbe
- Darden, Patrick
- Dovid Bender
- halp us
- Jean-Francois Mezei
- John Kristoff
- Josh Reynolds
- Lyndon Nerenberg
- Nick Hilliard
- Roland Dobbins
- Stephen
- William Herrin