Friday, September 16, 2005
“We wouldn't want anything ta happen ta da network, now would we”
“I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me.” The extortionists demanded $75,000, but then seemed to disregard the money. “I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then f*** around with us … Let the games begin.”
Richardson would soon learn they were not bluffing. They could destroy his business, and they were going to try. For BetCris to survive, Lyon's slapdash system in Phoenix, which was just starting to find its purchase, would have to stand up to the biggest DDoS attack any of them had ever seen.
The DNS servers that had overloaded in Phoenix were brought back online in a couple of hours, after Lyon and Wilson adapted some filtering scripts and increased the size of their network pipes.
Lyon then spent Thanksgiving and Friday eating leftover turkey his girlfriend delivered and tweaking his system to absorb bigger DDoS attacks. On Friday, he believed it could handle a 1Gb attack, and he felt good about that. He assured a frayed Richardson that he'd never see an attack that big. It would take tens of thousands of zombie computers.
Which is exactly what happened. It turns out the extortionists had more than 20,000 zombies. PureGig's data center suffered badly, which affected several of its ISP customers. PureGig decided to take Lyon's system offline to fix it.
“The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else,” says Lyon. “They threw everything they had at us. I was just in shock.”
How a Bookmaker and a Whiz Kid Took On an Extortionist
I've dealt with this type of attack before, but not to this extent. It's scary to think that not only are these attacks getting more sophisticated, but larger in scope, with twenty, thirty, forty thousand zombie machines (machines the crackers control) sending bogus traffic to a target site.
Smirk is having me do more network-related jobs here at The Company with an eye to preventing such attacks (or surviving such attacks), but it looks like it takes a huge infrastructure to fend off these things. G has mentioned that Cisco has configuration options in their routers to help fend off this stuff, and I suspect it's within the several feet of documentation he left behind. Looks like I'll be spending quite a bit of time reading up on this.