
Meetup fighting against DDOS extortion - hammerbrostime
http://meetupblog.meetup.com/
======
driverdan
When are we going to hold individuals and companies legally responsible for
the hardware they control? We already do this for other types of crimes such
as remailing scams. If you're going to have hardware on the internet you
should be responsible for it. There should be penalties for being
irresponsible. Ignorance is never an excuse.

~~~
HarryHirsch
Indeed. If I understand it right, the recent rash of NTP reflection attacks
could have been prevented through egress filtering.

------
stcredzero
We've been dealing with DDOS attacks affecting mainstream citizens and
businesses of 1st world countries for about a decade now. Why isn't there law
enforcement dedicated to catching people who do this? We're at a point where
CEOs of companies can engage in such behavior and the companies can stay in
business.

If there is someone reading this who works with a US congressman or senator,
this may be a chance to introduce legislation that can make a positive impact,
make it easier to establish Internet-facing companies, and instead of
eliciting dismay from the community of technical people, gain their gratitude
instead.

~~~
eli
It's already illegal -- what law would you have them pass? Also, my assumption
is that most DDoS ransom demands are coming from overseas.

~~~
stcredzero
_It's already illegal -- what law would you have them pass?_

Laws enacting agencies' active enforcement of those laws.

~~~
eli
Setting law enforcement priorities is typically an Executive Branch function,
no? I guess Congress could earmark money specifically to fighting DDoS-based
crime.

~~~
stcredzero
_Congress could earmark money specifically to fighting DDoS-based crime._

This. It would need the resources of a small agency all by itself.

------
chimeracoder
At first I almost laughed when I saw the sum - they're asking $300? For a
company that's been around for almost 15 years?

That said, Meetup's reasons for not paying it are very solid. I'm glad they're
spending far more than $300 of their own resources[0] to fight this attack,
because other websites would be the ones paying the price if they decided to
start this precedent.

Also, somewhat relevant:
[https://en.wikipedia.org/wiki/Danegeld](https://en.wikipedia.org/wiki/Danegeld)

[0] I wonder how much this downtime actually represents to them (plus the
engineering time)

------
codinghorror
Is it really this hard to fend off a DDOS? At the funding and staffing level
Meetup is at, I find this a little hard to understand.

~~~
ceejayoz
CloudFlare recently posted about a 400 Gbps attack they saw. I can't imagine
any reason Meetup would have that sort of bandwidth capacity lying around.

~~~
scurvy
You don't need that kind of bandwidth capacity lying around if you plan ahead
and work with DDoS mitigation services _before_ you're attacked.

It's akin to setting up an IDS/IPS _before_ you get pwnt through sloppy
PHP/MySQL injections.

~~~
stcredzero
_plan ahead and work with DDoS mitigation services before you're attacked_

Where can I find more information about this? I've been thinking about exactly
this issue with regards to running an MMO. Pretty much none of my
functionality can be cached, so I don't think CloudFlare can help me. The best
solution I've come up with is to run my MMO as a few servers on NFO, which
hosts game servers and has a good reputation for "not just nullrouting you."

~~~
jgrahamc
_Pretty much none of my functionality can be cached, so I don't think
CloudFlare can help me._

We have plenty of clients like that. They are using us for a variety of
reasons, DDoS protection is one.

~~~
dllthomas
What does mitigation look like, in that kind of setup?

~~~
sp332
The NTP attack is a simple example. No legitimate NTP traffic would be aimed
at that site, so it can all be blocked at the firewall with no load on your
servers. The problem with that attack was simply the bandwidth. Cloudflare's
network helped to spread the load across many datacenters around the world.
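
As an added example (not from any commenter, and not Cloudflare's or Meetup's code), here is a small Python model of the two defensive checks this thread mentions: the egress filtering HarryHirsch refers to, which drops packets leaving your network whose source address is not one of your own prefixes (the BCP38 idea, so your hosts cannot be used to send spoofed NTP requests), and sp332's point that reflected NTP traffic aimed at a host that never speaks NTP can be dropped statelessly at the firewall. The flow records, the prefix 203.0.113.0/24, the addresses in it and the choice of which host is the legitimate NTP client are all constructed for this example from documentation ranges; the iptables-style rule strings at the end are illustrative output, not rules anyone on the page deployed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for this example (not from the page). One flow per line:
# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets,direction
# "in" means arriving from upstream, "out" means leaving our edge router.
SAMPLE_FLOWS = """\
198.51.100.10,123,203.0.113.5,43210,udp,440000,1000,in
198.51.100.11,123,203.0.113.5,43210,udp,220000,500,in
198.51.100.12,123,203.0.113.2,123,udp,9600,100,in
192.0.2.77,52000,203.0.113.5,443,tcp,38000,60,in
203.0.113.5,443,192.0.2.77,52000,tcp,154000,120,out
192.0.2.99,40000,198.51.100.12,123,udp,640,80,out
203.0.113.2,123,198.51.100.12,123,udp,9600,100,out
"""

# Assumed network facts: the prefix we announce, and the one host that is
# allowed to exchange NTP with the outside world (our own timekeeper).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
NTP_HOSTS = {ipaddress.ip_address("203.0.113.2")}
NTP_PORT = 123


def parse_flows(text):
    """Turn the CSV-style flow export into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes, pkts, direction = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes), "packets": int(pkts),
            "direction": direction,
        })
    return flows


def is_ours(addr):
    return any(addr in net for net in OUR_PREFIXES)


def egress_violations(flows):
    """Egress (BCP38) check: anything leaving our edge must carry one of our
    own source addresses. A flow that fails this is a spoofed packet our
    network would otherwise hand to a reflector on someone else's behalf."""
    return [f for f in flows if f["direction"] == "out" and not is_ours(f["src"])]


def ntp_reflection_bytes(flows):
    """Inbound UDP from source port 123 to a host of ours that never speaks NTP
    has no legitimate origin, so it can be dropped before it touches a server.
    Returns bytes of such traffic per victim host."""
    totals = defaultdict(int)
    for f in flows:
        if (f["direction"] == "in" and f["proto"] == "udp"
                and f["sport"] == NTP_PORT
                and is_ours(f["dst"]) and f["dst"] not in NTP_HOSTS):
            totals[str(f["dst"])] += f["bytes"]
    return dict(totals)


def firewall_rules(flows):
    """Derive stateless drop rules from the two checks. The strings use
    iptables syntax as an illustration; adapt them to your own edge gear."""
    rules = []
    for net in OUR_PREFIXES:
        rules.append(f"iptables -A FORWARD ! -s {net} -o uplink -j DROP")
    for victim in sorted(ntp_reflection_bytes(flows)):
        rules.append(f"iptables -A FORWARD -p udp --sport {NTP_PORT} -d {victim} -j DROP")
    return rules


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in egress_violations(flows):
        print(f"spoofed source leaving our edge: {f['src']} -> {f['dst']}:{f['dport']}")
    for host, nbytes in ntp_reflection_bytes(flows).items():
        print(f"reflected NTP traffic to {host}: {nbytes} bytes")
    print("\n".join(firewall_rules(flows)))
```

The inbound rule costs the firewall nothing beyond a port and address match, which is sp332's point; what it cannot fix is the upstream link filling up, which is why the comment ends with spreading the load across many datacenters. The egress rule addresses the other end of the problem: a network that enforces it cannot be abused as the spoofing source for reflection attacks on others.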

------
snake_plissken
I find it astounding that a competitor of Meetup thinks that DoS'ing Meetup
could drive a notable amount of traffic to their site.

~~~
elwell
Just because a criminal says it's for a competitor does not mean it is. It
might just be a simple ransom in reality.

~~~
dllthomas
In fact, just because Meetup says a criminal says...

------
eloff
So why don't they just use cloudflare? It's cheap compared to the human
resources they've been spending on the problem.

~~~
driverdan
They are using CF or at least they were at one point during the weekend. It's
not going to matter though if the attackers know the IP range the servers are
hosted at. They'll just bypass CF and attack the servers directly.

~~~
toomuchtodo
Origin under attack? Move it. Consider its current IP block poison for the
next 30-60 days.

~~~
eloff
You don't even have to move it, just change the IP. Even budget hosts can do
that for a price.

------
stuntmachine
The problem here isn't whether companies are using DDoS mitigation services,
it's whether they have ISPs null routing them. The weak point here is at the
top-tier ISPs, not necessarily the individual companies being targeted. You can
have the best DDoS mitigation service ever, but if the top-tier ISPs black
hole you, you're in a very bad spot.

~~~
scurvy
Why would a "tier 1" (I hate that outdated term) transit provider ever
null-route an IP that's not in their block nor in a customer's block? I haven't
heard of them doing that. That would be a very shady thing to do.

~~~
toomuchtodo
Transit providers will null route traffic that's inbound to you if you request
it. This lets you stop the traffic at their core, instead of overwhelming your
edge gear.

You _are_ the customer after all; you have a say in what traffic makes it to
your edge from your upstream provider.

~~~
scurvy
He was referring to being nullrouted by transit providers that he's not a
customer of. Short of something like a replay of the Morris worm, I can't see
that happening.

Transit providers get paid to provide transit. They don't filter traffic that
isn't bound for their customers.

~~~
toomuchtodo
They do it all the time. Feel free to check out the NANOG mailing list
archives regarding the recent NTP UDP amplification attacks:
[https://www.nanog.org/list/archives/historical](https://www.nanog.org/list/archives/historical)

~~~
scurvy
No, they don't. Transit providers acting in a pure transit manner do not null
route destination networks that they're not responsible for. Provider B,
providing transit from AS A to AS C, will not block traffic bound for C or
beyond. They might block some things bound for AS B or a customer of AS B, but
they're not acting in a pure transit capacity there.

Content and eyeball networks are free to do whatever they want with regards to
routing and blocking. Transit providers? No, they just provide transit. That's
the business they want to be in. They're not in the blocking business.

Thanks for the NANOG tip though. I'm a member and active participant. See you
in Seattle.

The main NANOG threads are about detecting the NTP traffic and blocking
malicious requests in content and eyeball networks -- not transit. There's
also the OpenNTP project discussion --
[http://openntpproject.org/](http://openntpproject.org/)

------
serverascode
I use meetup.com for several meetups. This is not good. I'm really looking
forward to finding out how they plan to mitigate this kind of issue in the
future, b/c there has to be a way.

