Is anyone else worried about these DDoS attacks??


New member
Joined
Sep 21, 2004
Messages
3,854
Tokens
I sure am.

1 - I want the sportsbooks who were attacked to state that they've taken steps (or will take steps) to prevent it in the future

2 - I am now wondering if this wasn't the first of a number of days this season where this will happen

3 - the smaller books that were spared should not take comfort - they may inevitably be next

4 - I am concerned if these attacks continue, they will compromise the financial integrity of the books attacked

5 - is extortion the purpose, or is it to harm competitors? I don't buy for a second these were done for the hell of it

This should be THE second major issue behind the pending government bill. This isn't going to be the last time this happens.
 

SportsOptions/Line up with the pros
Joined
Jul 20, 2000
Messages
13,227
Tokens
I agree Jazz I don't think these were done for the hell of it either. I would be more inclined to think it was hackers trying to extort the books rather than competitors though. Lot to risk in hopes your efforts will not only turn business away from these shops but also direct them to your place of business as well. I sort of doubt it is another book doing this to a competitor.
 
Joined
Sep 21, 2004
Messages
214
Tokens
I can't see this having any financial or security of funds impact. Worst thing, I assume, is disgruntled customers and loss of business.

Is this something that can be prevented though? Is there a system out there that can prevent someone just flooding your server with requests? Not a techie or anything like that but from what I understand it's not like a virus or something like that which can be blocked or protected against.

Is this the case or am I way off on the denial of service info I got?

MC
 

Banned
Joined
Sep 21, 2004
Messages
802
Tokens
Question:
Do we know that it was a denial of service by flooding the servers/routers/etc. ?

This is different from a hack where they get control of the computer or access to the data.

The data has value (not so much from selling the customers to another book) but rather from getting identity information and/or credit card info.

A hacker that can log into your system and take control (new Microsoft hole every week) can just log in and make the computer reboot at 4pm on a Sunday. This may be easier than denial of service, because a top-notch ISP can filter out the denial packets if there is a pattern.

So, back to my question: Do we know for sure?

As for Jazz's points:
1) Are the players willing to put up with the downtime of a book having a maintenance schedule and not being 24/7?
2) If there is money to be made, the hackers are likely to continue.
3) The smaller books probably don't even have a security expert, just maintenance. Fortunately, some smaller books may be able to get by with phones or may be deemed unlikely to have enough money.
4) Good point. First, loss/disruption of business will cut into bottom line (clerks, rent still have to get paid). Second, paying cuts into bottom line.
5) No idea, however... Harming competitors implies that another book would hope to get Pinnacle's business. I doubt that players would leave Pinnacle for anything other than a top-ten book. The top-ten books may be greedy, but they are not stupid. They probably already have many of the same players (so no one to steal) and the risk of getting caught would kill them.
 

New member
Joined
Sep 21, 2004
Messages
3,854
Tokens
Thanks for the good response, Java. It wasn't just Pinnacle that was hit, WWTS sent out an email indicating they were specifically hit by the DDoS. I read somewhere that a total of 4 books were hit, though I'm not sure who the other 2 are. I wonder whether we'll see this tomorrow. But specifically targeting sportsbooks, IMO, cannot be without monetary reasons UNLESS we're talking a personal vendetta by a hacker or hackers who are trying to gain revenge for some perceived or real wrong. I don't know.

Patrick, yes, those books hit were already harmed by not being able to book action - how much would be impossible to know. But put yourself right now in the shoes of the managers at a smaller shop like BHB or SBT, knowing at least 2 heavyweights were shut down completely - that can't be a cheerful prospect.
 

Banned
Joined
Sep 21, 2004
Messages
802
Tokens
Jazz-
I hadn't known for sure that it was a DDoS. There are ways to handle those. I talked to a security guy once and he told me that they have special routers or boxes that can handle this. The boxes were developed in conjunction with Ebay when they got attacked. Ebay has more bandwidth/users than all the sportsbooks combined.
Also, the ISP's should be able to do something.

Well, keep us posted and let's all keep our fingers crossed.
 
Joined
Sep 21, 2004
Messages
28,775
Tokens
"1 - I want the sportsbooks who were attacked to state that they've taken steps (or will take steps) to prevent it in the future"

Jazz, the honest ugly truth is that if they know your IP address(es), there is nothing that you can do....just ask Microsoft.
 

New member
Joined
Sep 21, 2004
Messages
3,854
Tokens
Yup, aware of MS's problem this summer - but I thought you could install robust enough defenses against it. Otherwise why haven't they been brought down again?

Just for the hell of it, I've copied Cisco's recommended prevention measures here just so you can see that I have no possible way of understanding what is and isn't possible with DDoS - LOL!!!



The following are suggested methods to prevent distributed denial of service attacks.

Use the ip verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.

This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.

The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (lease and dial-up). This protects your network and customers, as well as the rest of the Internet. To use unicast RPF, enable "CEF switching" or "CEF distributed switching" in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input side function that is enabled on an interface or sub-interface and operates on packets received by the router.

It is very important for CEF to be turned on in the router. RPF will not work without CEF. Unicast RPF is not supported in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that support CEF, including the AS5800. Hence, unicast RPF can be configured on the PSTN/ISDN dial-up interfaces on the AS5800.

Filter all RFC1918 address space using access control lists.

Refer to the following example:

interface xy
ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any

Apply ingress and egress filtering (see RFC 2267) using ACL.

Refer to the following example:

{ ISP Core } -- ISP Edge Router -- Customer Edge Router -- { Customer network }
The ISP edge router should only accept traffic with source addresses belonging to the customer network. The customer network should only accept traffic with source addresses other than the customer network block. The following is a sample ACL for an ISP edge router:

access-list 190 permit ip {customer network} {customer network mask} any
access-list 190 deny ip any any [log]

interface {ingress interface} {interface #}
ip access-group 190 in

The following is a sample ACL for a customer edge router:

access-list 187 deny ip {customer network} {customer network mask} any
access-list 187 permit ip any any

access-list 188 permit ip {customer network} {customer network mask} any
access-list 188 deny ip any any

interface {egress interface} {interface #}
ip access-group 187 in
ip access-group 188 out
If you are able to turn on Cisco Express Forwarding (CEF), the length on the ACLs can be substantially reduced and thus increase performance by enabling unicast reverse path forwarding. In order to support unicast reverse path forwarding, you only need to be able to enable CEF on the router as a whole; the interface on which the feature is enabled does not need to be a CEF switched interface.

Use CAR to rate limit ICMP packets.

Refer to the following example:

interface xy
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply
For more information, refer to IOS Essential Features.

Configure rate limiting for SYN packets.

Refer to the following example:

interface {int}
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established
In the above example, replace:

45000000 with the maximum link bandwidth

1000000 with a value that is between 50% and 30% of the SYN flood rate

burst normal and burst max rates with accurate values

Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
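The three anti-spoofing measures in the Cisco text above (dropping RFC1918 sources with ACL 101, the ISP-edge ingress ACL 190 / customer-edge egress ACL 188 from RFC 2267, and strict unicast RPF) can be simulated in a few lines to see which packets each one catches. This is an added example, not Cisco's code or anything from the original thread; the customer block 203.0.113.0/24, the interface names cust0/core0, the routing table and the packets are all constructed for illustration.

```python
"""Simulation of the anti-spoofing checks quoted from Cisco: RFC1918 source filter,
ingress/egress ACL and strict unicast RPF, run over constructed packets.
Added example; addresses, interfaces, routes and packets are all made up."""
import ipaddress
from dataclasses import dataclass

# Hypothetical customer block (the "{customer network}" placeholder in ACL 190/188).
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")

# The private space ACL 101 denies.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table of the ISP edge router: prefix -> outgoing interface.
# Strict uRPF asks: does the best route back to the packet's SOURCE leave via the
# interface the packet arrived on?  If not, the source is almost certainly spoofed.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "cust0",  # link to the customer
    ipaddress.ip_network("0.0.0.0/0"): "core0",       # default route into the core
}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str


def route_iface(addr):
    """Longest-prefix match, the lookup CEF performs."""
    a = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def passes_rfc1918_filter(pkt):
    """ACL 101: drop anything claiming a private source address."""
    return not any(ipaddress.ip_address(pkt.src) in n for n in RFC1918)


def source_is_customer(pkt):
    """ACL 190 (ISP edge, inbound from customer) and ACL 188 (customer edge,
    outbound) express the same rule: only the customer's own block may be a source."""
    return ipaddress.ip_address(pkt.src) in CUSTOMER_NET


def passes_urpf_strict(pkt):
    return route_iface(pkt.src) == pkt.in_iface


def classify(pkt):
    """Return 'forward' or the name of the first check that drops the packet."""
    if not passes_rfc1918_filter(pkt):
        return "drop:acl101-rfc1918"
    if pkt.in_iface == "cust0" and not source_is_customer(pkt):
        return "drop:acl190-ingress"
    if not passes_urpf_strict(pkt):
        return "drop:urpf"
    return "forward"


def run_demo():
    """Constructed packets covering the cases the Cisco text is about."""
    samples = {
        "legit_from_customer": Packet("203.0.113.10", "198.51.100.1", "cust0"),
        "private_src_from_customer": Packet("10.1.2.3", "198.51.100.1", "cust0"),
        "spoofed_src_from_customer": Packet("198.51.100.7", "203.0.113.1", "cust0"),
        "legit_from_core": Packet("198.51.100.7", "203.0.113.1", "core0"),
        "customer_src_spoofed_from_core": Packet("203.0.113.5", "203.0.113.1", "core0"),
    }
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32s} {verdict}")
```

The last sample is the case only uRPF catches: a packet arriving from the core that claims a customer source address passes the address-range ACLs, but the route back to 203.0.113.5 points at cust0, not core0, so it is dropped. This is why the Cisco text says uRPF lets the ACLs be shortened.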
 
Joined
Sep 21, 2004
Messages
28,775
Tokens
Jazz, there isn't much you can do to prevent a DOS attack.

They flood your circuit & basically shut your site down...usually from 50+ locations. With 4 hours of research, I could probably do it to 10 books at a time.

Bad deal....but they can trace this crap, and if it comes back to a competing book's IP, all hell will break loose.
 

Banned
Joined
Sep 21, 2004
Messages
802
Tokens
Jazz-
Great info. If this was from Cisco's site, do you have the link so I (we) can bookmark it?

I did some firewall and router stuff (not expert, just dabbled a bit). I recognize a few things.

1) Dropping some of the special reserved ip address patterns that cannot correspond to a real ip address.

2) Making sure the ip address you say you come from matches the address of the packets being sent.

3) Checking for too much traffic from one place and then cut off requests from that one place. (I think this is what the "rate-limit" commands are for.) The IP-Tables Firewall software has a feature like that, and I'm guessing this is Cisco's equivalent. So, you only ignore anybody that tried talking to your server too much at once.

4) SYN packets are the first thing we (normal users) send to a webserver to start the communication (SYNchronization, I think). The server sends back an ACK (ACKnowledgement). Once this handshake occurs, your browser can start getting pages. What hackers do is send SYN, but without a proper ip address for the ACK. So, the webserver sends out ACKs for dummy SYNs and hangs.

5) The customer (sportsbook) and the ISP each have routers that are sort of paired. So, anything the ISP router takes care of, the sportsbook never even sees. Ideally, the ISP would configure both routers in the pair so each handled its part of the attack. (At some level, the ISP probably works with AT&T, Sprint or MCI to block attacks.)
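Points 3 and 4 above, together with the "rate-limit ... conform-action transmit exceed-action drop" lines in the Cisco text, describe a token-bucket limiter applied to bare SYN packets. The following added example (not Cisco's or any forum member's code) models that: a bucket refilled at a configured rate, a constructed trace of 40-byte SYNs from spoofed sources plus one real client, and the resulting transmit/drop decisions. The rates and the trace are made up; the point it makes is the caveat from the Cisco note, that once the bucket is drained by the flood a legitimate SYN is dropped too, while already-established traffic (the ACK) is untouched because the ACL only selects SYNs.

```python
"""Token-bucket SYN rate limiting in the spirit of IOS CAR, over a constructed trace.
Added example; rates, addresses and packet timings are made up."""


class TokenBucket:
    """rate = bytes credited per second; burst = bucket capacity in bytes.
    A packet conforms if enough credit is present; otherwise it is dropped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def conform(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


LEGIT_CLIENT = "203.0.113.20"  # constructed: the one real customer in the trace


def make_trace():
    """Constructed packets as (time_s, src, flags, size_bytes): a flood of 40-byte
    SYNs from rotating spoofed sources every millisecond, one legitimate SYN at
    t=0.0105 and, later, an ACK on that client's established connection."""
    trace = [(i * 0.001, f"198.51.100.{i % 250}", "SYN", 40) for i in range(30)]
    trace.append((0.0105, LEGIT_CLIENT, "SYN", 40))
    trace.append((0.0305, LEGIT_CLIENT, "ACK", 40))
    return sorted(trace)


def apply_syn_limit(trace, rate_bps=8000, burst_bytes=400):
    """Only bare SYNs (what ACL 152 matches) pass through the bucket; established
    traffic is forwarded untouched.  Returns (transmitted, dropped) as (time, src)."""
    bucket = TokenBucket(rate_bps / 8.0, burst_bytes)  # bits/s -> bytes/s
    transmitted, dropped = [], []
    for t, src, flags, size in trace:
        if flags == "SYN" and not bucket.conform(size, t):
            dropped.append((t, src))
        else:
            transmitted.append((t, src))
    return transmitted, dropped


def syn_limit_summary(rate_bps=8000, burst_bytes=400):
    """Counts for the constructed trace, plus whether the real client's SYN survived."""
    transmitted, dropped = apply_syn_limit(make_trace(), rate_bps, burst_bytes)
    return {
        "transmitted": len(transmitted),
        "dropped": len(dropped),
        "legit_syn_dropped": any(src == LEGIT_CLIENT for _, src in dropped),
    }


if __name__ == "__main__":
    print(syn_limit_summary())
```

With a 400-byte burst and a 1000 byte/s refill, the first ten flood SYNs drain the bucket, and from then on credit trickles back at one byte per millisecond, far below the 40 bytes a SYN costs, so everything that follows, the real client's SYN included, is dropped until the flood stops. Raising the burst lets the legitimate SYN through at the price of admitting more of the flood, which is the trade-off the Cisco note describes with its "as little as necessary" advice.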
 

New member
Joined
Sep 21, 2004
Messages
3,854
Tokens
Java, yeah, #3 might be the best, but solution #3 is definitely time-consuming if the attacks are coming from hundreds or thousands of hijacked 'zombie' computers. BTW, Java, my expertise was in systems analysis and programming 3GLs and 4GLs on mainframe computers, software, not hardware - but when this stuff is explained well, it's pretty easy to pick up - thanks for the insight.

Here's the link: http://www.cisco.com/warp/public/707/newsflash.html
 

Member
Joined
Sep 20, 2004
Messages
1,941
Tokens
Hello Jazz
Could you explain what exactly happened, in regards to ddos. I'm not quite sure what you're saying.
 

New member
Joined
Sep 21, 2004
Messages
8
Tokens
Hi Guys.

All the tweaks and recommendations found at the CISCO site (and the ones mentioned here that do not come from CISCO) do not address one problem. Resource limitations.

Even if you drop the malicious packets at the router of the sportsbook there might not be enough bandwidth left for the genuine packets to go through. Or the router might become so busy dropping bad packets that there is no processing room left for the real traffic.

Basically it is a battle of resources. If you have 10 Megabits of bandwidth and they send >10 Megabits you're screwed even if the router can drop all the bad stuff. What you have accomplished then is to protect the servers and made them available for real transactions but nobody can reach them.

It then becomes the responsibility of the ISP to block the malicious traffic. By the way, in a distributed attack, there can be 1000s of controlled computers (or zombies) involved. Each of them sending a small stream of packets and the sum simply overwhelms the victim. Each packet is spoofed (which means the origin is faked) so it makes it very difficult to trace and stop all of them since their origin is masked.

I would be surprised if most sportsbooks have more than 2 to 5 Megabits. So it would be quite easy to overwhelm them and the ISP might not believe you because it usually takes a DS3 level attack (near 45 Megabit) to get them interested. Worse than that, the sportsbook is most likely connected to a small scale ISP which in turn is getting bandwidth from a big guy like Sprint, etc. If the ISP does the packet dropping then the attacker has to recruit more zombies to overwhelm their bandwidth. Not necessarily a good move because then the hackers attract the attention of the police.

Some of you in this thread said things like "Sportsbook must tell us what steps they have taken to prevent this from happening again". What chance does a "SportsBetting" company have when the "ISP" which are genuine technical companies have a very hard time stopping these. What should they do, contact the FBI!!!

One network admin friend of mine, who actually is the brightest individual I have ever met told me that whatever is done now to stop them will be obsolete next year.

C'est la vie.

French Canadian Gambler.
 

Banned
Joined
Sep 21, 2004
Messages
802
Tokens
Guys-
The #3 mentioned in my response is a feature of the "rate limit" (if it acts as I suspect). It's not that time consuming, since it's not being done by a human being.

Canadian, yes, it is a battle of resources. However, depending upon the particular packet type being sent (TCP, UDP, ICMP, etc) it may be an easy pattern for the routers to block. There have been enough of these attacks so that ISP's have some good tools for dealing with them.

If the attack is a DISTRIBUTED Denial of Service:
One poster thought 50 machines might be involved in the attack, though Canadian points out that some attacks can involve thousands. Think of it this way... in the cases where thousands of computers are involved, the hacker has to contaminate them with a virus or program under his control. That program waits/checks for instructions from the hacker as to which site(s) to attack.

My point is: the hacker has to get his program onto the machines of the unwitting users, without Norton or other anti-virus catching on.

If the hacker was from another sportsbook (which I think is NOT the case), the attack could be part of the "downloadable" software/casino. Most books do not require download, but a few do, especially for casinos. It would be a simple matter to program that software to attack other sportsbooks any time the player dealt a card.

Of course the BIG problem with this method is that once the software is on the players' computers it would be evidence if someone wanted to prove the book was responsible.

I really hope Pinnacle and the other books are able to track these bastards down.
 

New member
Joined
Sep 21, 2004
Messages
3,854
Tokens
Hollywood is under attack tonight from these assholes - kudos to them for not giving in to extortion demands


Kevin Mitnick??? You assholes can only dream of being Kevin Mitnick
 

New member
Joined
Sep 21, 2004
Messages
852
Tokens
How many people keep mcaffee or norton up to date?

How many computers currently have trojans on them?

How can you serve your customers when you have thousands of trojans banging on your servers?

How many sports books use MS server?

How many MS servers are running on an MS platform? Why is Billy running versions of Unix on his servers?
 

New member
Joined
Sep 20, 2004
Messages
442
Tokens
I was working for DB when they were attacked. It was much more involved than the solutions discussed here. It was like a CIA/KGB movie. We could sense the dos attack and sure enough it would gain in intensity till we were out for the count for that period. It might start again the next day or maybe the next weekend. DB did everything possible to stop and also prevent them. DB hired the very best security people (20 somethings) from LA. It was awesome to watch. They would be on computers in our office fighting the hackers. I actually watched them battle. It took many days of intense battle but these kids did what they did and stopped the attacks. I'm not at DB anymore (they canned me, no use for 61 yr olds that make computer mistakes) but as far as I know they are protected from any more dos attacks.....ScottyS
 
