
Does anyone actually pay?

It was actually on Freenode when a botnet operator sent a message to me to pay up or suffer the consequences.

I can't remember, but he asked for an insane amount of Bitcoins (800 I think, ~$8400) which wasn't even remotely close to our operating costs.

No way I would pay. Our site was down 2 days but we moved to Heroku afterwards. No problems since; it probably scared him away.

YMMV with bigger botnets.

Would it be reasonable to think of these expletive redacted botnets as a force of nature? As something useful to harden resources against, or just disasters that you hope don't hit? (I'm thinking of this in terms of sour grapes, not poor planning.)

Most hosts (Linode, SoftLayer) will null-route you in a heartbeat when you get a massive influx of traffic that affects their network.

DDoS protection is expensive. Unless it is economically feasible for you to pay for the protection, most sites don't have it until they're a high target.

Isn't this the situation that Cloudflare was designed to protect against? Their service is free as well.

CloudFlare will protect you from DDoS attacks to an extent.

There are 2 kinds of DDoS attacks I know of (there are more but they're similar): bandwidth exhaustion and computer resource exhaustion.

Bandwidth exhaustion DDoS mitigation is difficult, because it requires you to have a fat inbound pipe to let all the bogus traffic through. Fat pipes are _expensive_; there are few hosting providers that allow you to have a dedicated line of more than 1 Gbps.

Supposedly their Business plan ($200/month) protects against this, and their free plans protect against much smaller amounts of traffic.

You can protect against some common resource exhaustion attacks (SYN floods) by having a proper firewall setup.

CloudFlare has been known to let the attack traffic route to your server if it's big enough.

With CloudFlare spreading the load over loads of sites, you need more than 1000GB/s to bring them down under a pure DDoS bandwidth exhaustion. They have loads of sites spread all over the world.

Computer resource exhaustion is more likely to work than bandwidth exhaustion on CloudFlare.

If nobody paid then the botnet operators wouldn't continue to try extorting.

Like spam, botnet operating costs may be so low that hardly anyone at all may need to succumb to make the operation pay off. Someone's likely to cheat and pay to make the pain go away eventually.

I believe that most people pay. It is perceived to be cheaper to pay off the extortionists than to mitigate the DoS attack.

I've been put into a similar situation before, but I couldn't find any convincing evidence that I wouldn't be extorted in the future, even if I did pay.

What's the logic behind this? After all, DDoSers probably aren't upstanding citizens.

Paying an extortionist is the one way in which you guarantee that you'll be extorted in the future.

Think of it as entering into a subscription arrangement.
