How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

According to Richardson and Lyon, the NHTCU encouraged Richardson to wire two extortion payments of a few thousand dollars each to separate Western Union offices in Eastern Europe. The NHTCU wanted to nab anyone who showed up to take the cash. (NHTCU won't confirm this; the spokeswoman said the unit does not discuss investigative tactics.) Richardson agreed, but for a different reason: He wanted his site back up. "I knew another person [in the industry] who was successful getting back online by sending three or four small payments like this," Richardson says, "and those guys didn't even have a solution to the problem when they paid. I knew Barrett was getting closer and closer to a solution. So I sent the payments, thinking maybe I can get a good week out of this."

But no one took the bait. After about two weeks, Richardson pulled the money back.

Wednesday, Nov. 26, 2003: Barrett's Big Bet

From Sacramento, Lyon instructed the PureGig engineers who would turn on his system 630 miles southeast, in Phoenix. Another 2,400 miles southeast from Phoenix, everyone at BetCris waited impatiently.

Lyon's system intercepted traffic headed for BetCris's servers in Costa Rica, diverted it to his creation in Phoenix, scrubbed off the attack traffic and delivered legitimate traffic back to Costa Rica. It was designed to bar DDoS traffic from touching BetCris. If the system failed, it couldn't defend BetCris, and it wouldn't be able to send legitimate traffic to Costa Rica. But BetCris itself wasn't getting attacked. The system did a lot of other stuff too: monitoring, capacity planning, logging and analysis.

It wasn't perfect. After it was installed, Lyon had to tweak routers on the network, install new versions of software and add capacity to his system. The extortionists kept changing attack vectors, and Lyon and his team kept tweaking. It was a constant battle, but Lyon was confident that the system would enable BetCris.com to stay online. Wilson at PureGig called Lyon's system "ingenious" not because it was unique—it was monitoring and filtering at a proxy location—but because Lyon's monitoring and filtering seemed to stop attacks better than any other effort he'd seen.

But when it was first turned on, the extortionists stuffed too much traffic down its throat. Wilson recalls the math: "We had 100MB links to the DNS servers. We went from handling under 2MB per link to, all of a sudden, 600MB." That's six times a full load. Imagine Fenway Park, which holds about 35,000 people. Now imagine 200,000 people trying to get inside Fenway Park at one time.