Case Study
How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack
Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.
By Scott Berinato
The DNS servers that had overloaded in Phoenix were brought back online in a couple of hours, after Lyon and Wilson adapted some filtering scripts and increased the size of their network pipes.
Lyon then spent Thanksgiving and Friday eating leftover turkey his girlfriend delivered and tweaking his system to absorb bigger DDoS attacks. On Friday, he believed it could handle a 1Gb attack, and he felt good about that. He assured a frayed Richardson that he'd never see an attack that big. It would take tens of thousands of zombie computers.
Which is exactly what happened. It turns out the extortionists had more than 20,000 zombies. PureGig's data center suffered badly, which affected several of its ISP customers. PureGig decided to take Lyon's system offline to fix it.
"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."
Richardson recalls the attack: "So I have Barrett on the line, who I think is the second coming, and he says, 'Let me think about this. Give me some time.' And I say, 'OK, I don't want to pressure you. I have faith. But if you don't fix it, I'm out of business.'"
Why Online Extortion Works
It was never supposed to have gotten to this point; Richardson was supposed to have paid long ago. The extortionists had expertly optimized the chances that he would.
To ensure a quick, quiet transaction, the extortionists did what all extortionists (in the physical or online world) do: They exploited the problem of the commons. An ecological principle, the problem of the commons states that people will act in self-interest if it profits them in the short term, even if that act will hurt everyone, including themselves, in the long term. Every act, every threat, every negotiation tactic, every single move extortionists make is designed to make paying the protection fee not only appealing, but in fact, the smartest business decision you can make in the short term, even if you know in the long run that you haven't stopped the problem at all.
Thus, extortionists attack when it hurts the target the most; they ask for $10,000 to $100,000, depending on the size of the victim company (generally considered the sweet spot of extortionist profitability versus victim willingness to pay).



