OcUK DDoS attack - £10,000 reward

Jez · 21 Jan 2009 at 21:03

Garp said:
That you know of. It's easy to spot the bad malware, you start getting problems. The decent stuff, like the ones behind Storm, are completely invisible to users. You won't even know its there.

I would notice the activity on my network...

Glaucus · 21 Jan 2009 at 21:04

bigredshark said:
I'll be shocked if anyone gets caught, you can count the number of people who get successfully prosecuted for these attacks on your fingers. So long as you're not criminally stupid you'll get away with it...

of course, but what does that have to do with anything?

krooton · 21 Jan 2009 at 21:05

Maccy said:
No, suspended.

They'll never make it stick

Trifid · 21 Jan 2009 at 21:05

Out of interest, could the malware be placed in a image? I noticed at work I was getting block notifications from a JPG hosted on members.lycos?

Strife212 · 21 Jan 2009 at 21:07

I'm going to have to say a prosecution for a DDOS attack is unlikely to happen.

Unless OcUK have suspicions that its someone in the UK it isn't happening full stop, and even if it is, its very hard to gather enough evidence for serious action to be taken.

rz30 · 21 Jan 2009 at 21:10

ahhh, i was going to make a post today complaing why the forums are always down!

Strife212 · 21 Jan 2009 at 21:10

I've found info stating that it is a lot of sites that are being hit, its not specific to OcUK apparently.

Edit: False alarm, old news from a previous attack :/

icey_haj · 21 Jan 2009 at 21:12

Strife212 said:
I've found info stating that it is a lot of sites that are being hit, its not specific to OcUK apparently.

Edit: False alarm, old news from a previous attack :/

lol yeh, I read that and then I realised it's from like 2004 or something

JimAroo · 21 Jan 2009 at 21:12

Trifid said:
Out of interest, could the malware be placed in a image? I noticed at work I was getting block notifications from a JPG hosted on members.lycos?

Think you are referring to Iframe DDoS attacks, yes DDoS attacks can be carried out through images too, by using an iframe and a meta refresh.

There are hundreds of different ways.

bigredshark · 21 Jan 2009 at 21:13

Garp said:
These days it takes a lot more than a single PC, plus if the attack is coming from a single PC it's easier to track, even with a fake address. Networks guys at ISPs despise DoS attacks and actively track unusual traffic patterns, working in conjunction with colleagues at other ISPs.

Filtering out the attack traffic is difficult to achieve as it looks exactly like any normal handshake transaction. Most anti-DoS systems, such as the ones produced by Riverhead Networks (now part of Cisco) analyse the traffic headed to the targetted server and look for unusual patterns and filter out those bits. The cost for such solutions can often be rather prohibitive, and is only useful if it has an idea of what a 'normal' traffic pattern looks like. Typically you'd want to run one for 24 hours watching a server during normal load for it to be able to filter out attack traffic effectively.

Not these days, our edge IDP is exceptionally effective at filtering out DDOS attacks, even without a prior snapshot of traffic levels. A few years ago TopLayer led the market for these sort of products (and they were much as you say - expensive and limited in usefulness) but it's come on leaps and bounds now the big boys have products out there.

We've started about three months ago offering DDOS protection as standard on all hosting solutions and it's glanced off a few attacks without breaking a sweat, very impressive stuff.

One of those attacks was opening close on 100k new sessions every second and the server response time stayed consistent with it's normal levels. I was surprised it was so effective!

I am mildly surprised that OCUKs hosts don't have some protection in place to be honest.

Trifid · 21 Jan 2009 at 21:13

JimAroo said:
Think you are referring to Iframe DDoS attacks, yes DDoS attacks can be carried out through images too, by using an iframe and a meta refresh.

There are hundreds of different ways.

I meant the malware to infect unsuspecting clients to participate in the attack.

asim18 · 21 Jan 2009 at 21:14

Mr^B said:
Yes, unfortunately to "learn stuff" requires one to "read stuff".

There is no other generally accepted way of getting information into one's brain.

Err, ok captain obvious.

Also, just for your information; I'm not an ignorant idiot that doesn't know squat about anything.

Infact, today, I was shocked when a 17 year old girl in my IT class didn't know what a g-spot and ovaries were.

Pilky01 · 21 Jan 2009 at 21:15

asim18 said:
Infact, today, I was shocked when a 17 year old girl in my IT class didn't know what a g-spot and ovaries were.

Show her your little brown fella and she will be really confused.

bigredshark · 21 Jan 2009 at 21:17

AcidHell2 said:
of course, but what does that have to do with anything?

Well, I'm just saying, it's not like anybody will be punished (so what harm offering a reward) and given it's an easy attack these days and pretty safe to be behind it, you could say it's a little dumb having no protection.

I'd liken it to being mugged for your mobile, sure it's a serious crime but there's little risk of being caught for the criminal, as a result you tend to be careful about taking your phone out in dodgy areas. It's being careful.

Or put another way, £10k would have been better spent on protection against these sort of attacks up front.

JimAroo · 21 Jan 2009 at 21:17

Trifid said:
I meant the malware to infect unsuspecting clients to participate in the attack.

don't even take malware can be something as simple as an image from ocuk hidden on some compromised web page, every user who enters this web page will then be unknowingly refreshing this hidden image which is sat in an iframe. don't sound like much but it all adds up.

AtlanticP · 21 Jan 2009 at 21:19

Pilky01 said:
Show her your little brown fella and she will be really confused.

hehe

keyvan · 21 Jan 2009 at 21:21

As a network security guy, have you considered getting a CISCO firewall?
They are now call ASA5000 Security Appliance.

They cost about 2 to 3 thousand pounds but are well worth it.

They can automatically detect a DDoS attack before the packets reach the server and let them fall into a "black hole" while the legitimate packets (me building my dream system over and over again) get through.

Had many of these over the years and the Cisco firewalls can easily deal with DDoS attacks. There is a reason why some hardware firewalls cost £200 and some cost £2000.

If you're interested in finding these guys send me a private mail and I can tell you how to set-up some stuff on your end to catch them red handed.

asim18 · 21 Jan 2009 at 21:23

keyvan said:
If you're interested in finding these guys send me a private mail and I can tell you how to set-up some stuff on your end to catch them red handed.

Can i have 10% of your winnings please?

paradigm · 21 Jan 2009 at 21:24

keyvan said:
As a network security guy, have you considered getting a CISCO firewall?

As a "network security guy" (seriously, network security guy? is that a job role?), surely you realise that "hosted in a datacentre" means that OcUK aren't directly responsible for the leading edge firewall.

keyvan said:
They are now call ASA5000 Security Appliance.

No, they aren't all called ASA5000's, the ASA5000 is called the ASA5000.

PistolPete · 21 Jan 2009 at 21:27

10K is a very good incentive for someone to cough - I just hope it works.