
Ask HN: How do I handle a hacker attempting to extort me by threat of DDoS? - thomasfromcdnjs
Recently, myself and a few other friendly website owners have been messaged by the same hacker, who is asking for BTC or he will take down our sites.

We have no information about him.

Already using Cloudflare; it did seem to detect some of his botnet (~3500 instances) but not enough to stop the load he put on us. (edited)

Cloudflare Rate Limiting is just too expensive, and "I'm under attack" mode just breaks the site in places anyway.

I've reached out to Cloudflare support to try to identify his botnet from the times when he took it down.

Any help would be much appreciated.
======
sigmaprimus
Weather the storm, do not pay the extortion. Most of these guys are shake-down
artists, and when they realize there is not going to be a payout, they will
move on to their next victim. Many of them are using rented botnets and don't
want to waste their own money on a non-payer. Unless, of course, you do pay up:
if you do that, then they will keep at it and share/sell your info to others, and
things will get much worse.

~~~
thomasfromcdnjs
This makes a lot of sense, thanks!

------
codingdave
[https://www.icann.org/news/blog/how-to-report-a-ddos-attack](https://www.icann.org/news/blog/how-to-report-a-ddos-attack)

From that page: "you should contact law enforcement if your organization
received a threat prior to the attack, or received a demand for money in
return for not being attacked"

------
saluki
One of my clients came under DDoS attacks every summer three years in a row; we said
we were going to print up T-shirts for the annual event, but they stopped this
year.

We set up copies of the site so we could quickly rotate it to new IPs during
the attack, and signed up for the Cloudflare business plan for a month or two
during the attacks every year.

This kept the site up for us. We also posted a message on the home page so our
users would know what was going on.

We were able to use under attack mode without it affecting the site too much.

Good luck riding it out.

------
sarcasmatwork
Prolly exploiting a known vulnerability. Have you patched and rebooted all of
your systems? Removed accounts that you don't use? Changed passwords on everything?

Windows or Linux systems?

You can do some mitigation with iptables in linux.

> He has proved that he can by taking our sites offline for a minute.

What did this person take down exactly? The web server, or did he reboot the
system?

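The iptables suggestion above needs a list of offending sources first. The following is an added example (not code from the thread or from Cloudflare): it runs a per-IP sliding-window request counter over constructed web-server log lines in common log format, flags sources whose burst rate is far beyond a normal visitor, and renders iptables DROP rules as strings for an operator to review. The window size, threshold and sample addresses are assumptions.

```python
"""Flag source IPs whose burst request rate exceeds a threshold and render
iptables DROP rules for review. Log lines below are constructed samples."""
from collections import defaultdict, deque
from datetime import datetime
import re

# Common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def flag_flooders(lines, window_s=10, max_hits=20):
    """Per-IP sliding window (assumed 10 s / 20 hits): returns {ip: peak count}
    for every IP whose peak in-window request count exceeds max_hits."""
    recent = defaultdict(deque)   # timestamps still inside the window, per IP
    peak = defaultdict(int)       # highest in-window count seen, per IP
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # malformed line: skip rather than crash
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_hits}

def iptables_rules(flagged):
    """Render DROP rules as strings; nothing is applied to the host here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

# Constructed sample: 203.0.113.7 sends 25 requests inside 5 seconds, a normal
# visitor 198.51.100.5 sends 4 requests a minute apart, plus one garbage line.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [01/Jun/2019:12:00:{i // 5:02d} +0000] "GET / HTTP/1.1" 200 512'
     for i in range(25)]
    + [f'198.51.100.5 - - [01/Jun/2019:12:0{i}:00 +0000] "GET /page HTTP/1.1" 200 2048'
       for i in range(4)]
    + ["garbage line"]
)

if __name__ == "__main__":
    for rule in iptables_rules(flag_flooders(SAMPLE_LOG)):
        print(rule)
```

Real attack traffic arrives from thousands of addresses at once, so per-IP blocking on the origin only helps against small floods; its main use is feeding a reviewed source list to whatever upstream filtering (Cloudflare, the hosting provider) is actually absorbing the volume.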
~~~
sigmaprimus
The fact that Cloudflare was defeated shows it was a DDoS and not a reboot.
Most likely a botnet rented with BTC and nothing more than a fishing
expedition. Unless they are being targeted for some other reason than money,
the problem will go away.

~~~
CloudNetworking
> The fact that Cloudflare was defeated shows it was a DDoS and not a reboot.

How?

~~~
sigmaprimus
It shows that it was a DDoS simply by the fact that that is what Cloudflare does?
Protects against DDoS attacks? IDK, maybe you're right; I suppose they could
have spoofed a DDoS using a small botnet and simultaneously rebooted the
servers. That would require a level of sophistication, but it is certainly possible.

------
thomasfromcdnjs
Update:

Three different people from Cloudflare reached out to resolve the problem.
They are awesome!

