I got a DDoS threat. Here’s what happened.

The other day, I got a DDoS threat for one of my domains. I was told to pay them a little over $100 in Bitcoins within 24 hours, or else they’d overload my server with traffic. If I didn’t give in to their demands and they attacked, the price would go up daily until I gave in and paid them in Bitcoin. The email contact information was forged, and about the only useful info I had was their Bitcoin address.

I found the threat pretty funny, since the domain wasn’t in use, there wasn’t a server associated with that domain, and it didn’t even have DNS service configured! It’s really unclear what they thought they were going to attack, and they obviously hadn’t done any due diligence.

I’ve never experienced a full-blown DDoS attack, so I thought this could be educational. What kind of traffic do they send? How many IP addresses might be involved? What protection do some basic anti-DDoS practices provide? How long would they keep it up?

I figured that they should at least have a target. As the domain wasn’t in use, I needed to configure something for them to attack. I booted up an Amazon Web Services t1.micro instance and installed Apache. I didn’t really need any content, so I created a trivial ‘index.html’ page so there was something minimal to serve.

If an attack were forthcoming, I needed to be a little more prepared. Cloudflare not only provides DNS service, but also caching services to reduce the load on your web server for static content. You can also let Cloudflare know you’re under “attack” and take advantage of the DDoS mitigation services they provide. I configured the domain and name servers to use Cloudflare’s “Free” service level, and added A records pointing to my newly minted Amazon web server. Now if the attack occurred, I had some sort of protection.

Should traffic get too bad, I could shut down the Amazon instance, or redirect the traffic somewhere else via Cloudflare. The domain wasn’t in use, so there was really no damage that could be done.

I got another email stating the attack was still planned for the coming hours, as indicated by the first email. Again, the demand for the paltry funds via Bitcoin. I was prepared. I was excited. And I waited for the appointed hour to arrive.

The hour arrived. I monitored the logs in anxious excitement to see what would happen. Nothing. Not a single web request. Two hours passed, and absolutely no traffic at all. Not. One. Single. Hit. I queried the server with curl to make sure it worked. Yup, there it was:

xxx.xxx.xxx.xxx - - [dd/mmm/YYYY:HH:MM:SS +0000] "GET / HTTP/1.0" 200 71
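Watching the access log by eye works for one curl request, but not for a flood. As an added example (not part of the original post), here is a small Python script that parses Apache common-log lines in the format above, tallies hits and distinct client addresses per minute, and flags minutes over a per-minute threshold; the threshold value and the sample log lines are constructed assumptions.

```python
# Added example: summarise an Apache common-log access log per minute to spot
# a traffic spike and how many distinct source addresses are behind it.
# The log lines below are constructed samples, not real traffic.
import re
from collections import defaultdict

# ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "dd/Mon/YYYY:HH:MM" is the first 17 chars of the timestamp; drop seconds and zone.
    rec["minute"] = rec["ts"][:17]
    return rec


def summarise(lines, per_minute_threshold=100):
    """Group lines by minute; return {minute: (hits, distinct_ips, flagged)}.

    A minute is flagged when its hit count reaches the threshold (an assumed
    value; tune it to the server's normal traffic). A high distinct-IP count
    in a flagged minute indicates a distributed source rather than one client.
    """
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec["minute"]] += 1
        ips[rec["minute"]].add(rec["ip"])
    return {m: (hits[m], len(ips[m]), hits[m] >= per_minute_threshold)
            for m in sorted(hits)}


# Constructed sample: one quiet minute (the curl check) followed by one minute
# in which 120 different addresses all request "/".
SAMPLE = ['203.0.113.7 - - [01/Jan/2015:12:00:05 +0000] "GET / HTTP/1.0" 200 71'] + [
    f'198.51.100.{i} - - [01/Jan/2015:12:01:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 71'
    for i in range(120)
]

if __name__ == "__main__":
    for minute, (n, uniq, flagged) in summarise(SAMPLE).items():
        print(f"{minute}  hits={n:4d}  distinct_ips={uniq:4d}  {'SPIKE' if flagged else ''}")
```

To run it against a live server, feed it `open("/var/log/apache2/access.log")` instead of SAMPLE; the quiet minute shows (1, 1, False) and the busy one (120, 120, True).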

There have been some articles suggesting that these low-dollar DDoS threats are just empty words: email script kiddies hoping that the low ransom will be paid quickly to avoid a minor discomfort, but who really don’t have the resources to do anything. Considering they didn’t even look to see if the domain was being used for anything, this very likely fell into that category. Threaten a bunch of domain holders, and see if anything shows up in the Bitcoin wallet. If so, the threats worked. If not, well, it didn’t really cost them anything to send out the emails.

This appears to be the case here: a script kiddie with an email blast tool, a random list of domains, and a Bitcoin address, hoping to scare a few people. Three hours after the presumed attack and nothing. I did have one Chinese hit on the web site, but it’s probably from a random scan.

However, that doesn’t mean these threats shouldn’t be taken seriously. You should prepare for these attacks now, before you get a threat. Make sure your server is hardened and has decent capacity. Make sure your provider has some sort of contingency to help you mitigate an attack, possibly together with their upstream provider. Look at services, like Cloudflare, that can help protect your web site in case of an attack. If you have vendors or customers to whom you need to provide a certain service level, plan how notifications should be sent to alert them of an impending or current attack.