How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

Page 3 of 4

But for the next week, the attack stayed steady at around 1Gb. BetCris, Lyon and PureGig had entered a war of attrition. The extortionists would find a way to kick Lyon's system, Lyon and Lebumfacil would tweak it and get back up. Cat and mouse. "Attack, counterattack, back and forth," Lebumfacil says. "It was 24-by-7 monitoring for two weeks." Wilson and PureGig stopped noticing any of this because the attacks had been segregated from PureGig's other traffic.

And then, suddenly, the attacks stopped.

At 8:46 a.m. on Friday, Dec. 12, two weeks after the assault that nearly put him out of business and three weeks after he first read the words "Your site is under attack," Richardson received an e-mail: "Dear Mickey, I tried getting to your site today and I could not. I thought with all the money you spent you would not have these problems anymore. I guess you wasted your money instead of keeping your word. Good luck. P.S. I bet you feel real stupid that you did not keep your word. I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked."

Richardson knew this was an admission of defeat, even if it was disguised as braggadocio. His site was up. The extortionists couldn't get to it because they were blocked. He hadn't paid them a dime. They made no more threats. They couldn't because they couldn't back them up with action. The extortionists had lost.

And yet, the e-mail was not far off. Richardson figures it cost him a million dollars in lost revenue and IT investments to win this war. "It was worth it," he says. "I just didn't know it would take a couple years off my life."

"It was amazing we made that system work against that attack," Lyon says. "It was a wake-up call on how good the bad guys had gotten."

And Lyon knows the bad guys have gotten even better since. They've built zombie networks of 35,000 machines, capable of delivering a steady stream of 3Gb traffic. Peter Rendell, CEO of Top Layer Networks, which makes intrusion prevention and anti-DDoS hardware, says he expects botnets to pass 50,000 machines (and 4Gb to 5Gb) by the end of this year. It's an arms race, as defenses scale, then offenses scale, though Lyon is convinced the defenses have far outpaced what extortionists can throw at them.

But the bad guys have a response. Extortionists have encrypted DoS attack scripts and have put them on peer-to-peer networks, making criminals who use them nearly impossible to track or contain. They're registering domains and then attacking those domains, except that the domains are redirected to other targets. "The only way to stop that is to delete the domain," Lyon says, "and that's not something you can just do." Lyon stopped an attack but certainly didn't stop the problem.

Still, he wouldn't learn of all this until later, after he decided to start a business and, as he did with Don Best, track down the BetCris extortionists. At that moment, though, after the extortionists admitted defeat, he was ready to relax. He booked a vacation in San Jose, Costa Rica, for New Year's. Finally, he'd meet the people he saved and celebrate with them.

New Year's, 2004: Visit to an Online Gaming Hotbed

Costa Rica is about the size of West Virginia, bookended by Nicaragua to the northwest and Panama to the southeast on the Central American isthmus. With coastlines on both the Pacific Ocean and Caribbean Sea, and mountainous terrain inland, Costa Rica sits along the Ring of Fire, so volcanoes and earthquakes are native. Political strife is not. The CIA calls Costa Rica a "Central American success story."

Lured by its stability, BetCris located there in 1993. Richardson joined as a "utility man" in 1996. Back then, the business wasn't online, it was a call center. BetCris's call center once employed more than 500 operators at peak hours, but the number dwindled as the business moved online. Today, maybe 30 operators will man a call center at peak hours, or during an extortion crisis.

As the Internet took off, so did San Jose as an offshore gaming mecca, for several reasons. The government encouraged the industry to expand its economy. (BetCris supports an industry group to lobby local politicians.) Also, the people are educated, with an excellent work ethic, Richardson says. Costa Rica has a 96 percent literacy rate. More high-level employees at gaming companies are Costa Ricans, including all of BetCris's accounting staff and 90 percent of its managers.

The other reason gaming companies swarmed here is, of course, because it's not the United States, where gambling laws are difficult to negotiate. Today, hundreds of offshore gaming companies, most of them online ventures, operate from San Jose. In BetCris's seven-story headquarters alone, Richardson says, there are 10 such enterprises, two software companies and a telecom company—pretty much offering everything you need to get started in the online gambling business in one building. The competition is mostly friendly. Richardson says it's not unusual to bump into competitors at a restaurant and join them for dinner.

The valley that makes up the San Jose metropolitan area holds almost half the country's 4 million people. Richardson says the valley gets blistering hot, and downtown San Jose is "undesirable." But BetCris, and most of the gaming and tourism industries, are above all that, nestled in the higher elevations of the valley's surrounding mountains, where Richardson compares the weather—and the lifestyle—favorably to San Diego.

When Lyon arrived here, he felt a sense of pride for helping. He saw "this beautiful building with this top-notch data center," he recalls. "And I met all the people who work there, and I kept thinking, I protected all of this. Me and my keyboard helped all these people keep their jobs. It was so neat to see how good a thing it was that we did."

Richardson and Lyon bonded immediately. There was a party with professional-grade fireworks launched from Richardson's front lawn. They went to dinner, talked about life and the attacks. Lyon had developed antipathy to the extortionists; he wanted to nail them. He told Richardson and Lebumfacil he was going to start a business, a service whereby people could subscribe to his anti-DDoS attack infrastructure. Lyon recruited Lebumfacil to help him start DigiDefense. BetCris was his first customer. Richardson gave them office space to start.

That business talk, though, was in the background. Lyon relaxed, went deep-sea fishing and zip-lining through the rain forest.

Jan. 12, 2004, Phoenix: A Defensive Arms Buildup

On Jan. 12, Lyon met Lebumfacil in Phoenix. They drove to PureGig to rip out and replace the system that saved BetCris. Lyon knew it was already a relic. He had to build something that could support 10, 20, 50 customers or more without one customer's traffic interfering with another's, and without his customers affecting the rest of PureGig's customers too. He also planned to hone his traffic logging and analysis. His new system would not include commercial products.

The Super Bowl—a significant moment for betting sites that extortionists would exploit—was just weeks away. Some gaming sites had heard about Lyon's exploits with BetCris and wanted to sign up. Lyon had customers before he had a product.

Lyon and Lebumfacil "went on a rampage" of building and testing, and three days later, Lyon says most of the system was online. Over the coming months, as more customers signed on, Lyon flew to Phoenix more than 20 times to build up the infrastructure. A routine developed. Dozens of hardware boxes would arrive. Wilson from PureGig would sign for the equipment and store it until Lyon showed up to get it. "He'd live here for a couple of days installing everything," Wilson remembers. Once, Lyon slept in the data center.

But even as Lyon's business grew, the extortionists' business did too. That fall, after CanBet and a site called eHorse were attacked, BetCris was attacked, and then the extortionists hit other sites across the industry: BoDog Sportsbook, BetWWTS, WagerWeb, William Hill, BetFair and Blue Square. And those are only the cases that became public, usually through postings on online industry discussion boards or in gaming industry newsletters. Just how many sites either paid or never reported their cases will never be known, but it's certain many fall into this category.

Usually, the extortionists followed the attack methodology they used against BetCris. (In Blue Square's case, they demanded 7,000 euros, or else they would send out child pornography in the company's name.) Many ended up calling Lyon for help.

"It became a personal vendetta to track these guys down," Lyon says. "I wanted them stopped. So I asked some law enforcement people, 'Is this illegal, for me to talk to them?' And they'd tell me, 'No, but we can't help you or tell you what to say. However, if you did want to say something along these lines, that would be very interesting to us.'"

January and February: Online Chats with Extortionists

By this time, Lyon and Lebumfacil had recruited Dayton Turner, an engineer from eHorse, an extorted gaming site that operated out of the same building as BetCris. Like Lyon, Turner wanted to exact a certain justice, having lived through an extortion. He agreed to go undercover. Turner and Lyon spent the next several months chatting with the extortionists while they also monitored and logged the extortionists' activities. They shared what they learned with law enforcement, mainly the NHTCU but also the FBI.

January and February's gumshoeing produced an astonishing 36-page dossier—complete with chat transcripts, log file analysis and other data. Lyon and Turner gave it the hyperbolic title "DDoS Terrorism Report." The following comes from that report.

When they were logging the DDoS attack traffic at BetCris, the team traced some of it back to a chat server. Turner and Lyon called themselves "Hardcore," made sure they masked their real location and hopped onto the chat line. (While Turner did most of the chatting, Lyon was always on the line, "managing" the conversation and chatting with Turner, but it appeared to anyone else that Turner and Lyon were one and the same.)

The leader of the chat room clique went by many names, including eXe, Key, k9, NASA, x3m1st (pronounced "extremist"), x890 and others. For simplicity's sake, we'll always call him "eXe"—even if he was going by another name at the time—and we'll always call Turner and Lyon "Hardcore." (We've also cleaned up some typos for clarity, and skipped extraneous conversation for the sake of space.)

When Turner logged on, he told eXe that he had been out of the game for a while but wanted to get back into DDoS attacks. EXe took the bait and began chatting, cautiously, with Hardcore. The first few chats didn't yield much. At one point a bodyguard-like heavy named "uhdfed" came online and bullied Hardcore, proclaiming, "We have 5,000 bots, and we don't need help." He attacked Turner's chat client. Lyon and Turner were forced to log off, but not before their log showed uhdfed was at the same time trying to attack another site:

In ensuing chats, Turner gathered circumstantial connections to BetCris and the gaming extortion wave. EXe asked Hardcore, "how u know about our work? about bettings & sportsbooks"; at another point, Turner saw a reference to BoDog, a sports book that had been attacked. Another time, eXe inadvertently exposed his real ISP, in Russia.

Chat sessions continued for eight weeks. Often they were jarring and discombobulated. Cyrillic characters mixed with poor English. There was foul language and other noise. Turner watched eXe attack Microsoft and probe But over time, eXe began to chat more freely with Hardcore. In a couple of long chats, they talked shop in detail, Hardcore always deferring to eXe and praising his skill. This seemed to put eXe at ease.

eXe: i shall be happy to see u again. welcome

Hardcore: :) thanks hehe

eXe: i's eat now. =)...maybe i will sleep later=)

Soon enough, eXe pointed Hardcore to a webpage with attack scripts on it, and he gave Hardcore an ICQ chat client user ID that he hacked. (Perhaps as a gesture of friendship, he gave the account the password "hardcore.") The ICQ account allowed Turner to chat directly with eXe, but it also led to eXe's biggest mistake when eXe conducted a file transfer over this ICQ connection. Turner nabbed eXe's real IP address and traced it to a dedicated broadband line in Russia, a cable modem that he determined eXe paid for himself.

March 1, 2004: Finding Ivan

On March 1, Hardcore and eXe chatted on ICQ. EXe had been waiting for some attack code that Hardcore had promised to write for him. It was the most productive conversation Lyon and Turner would conduct.

eXe: hi how are you?

Hardcore: hey man. it's pretty cold here right now, what's russia like? hehe

eXe: i'm good...Russia is like the Russian vodka=)...u give me code?...

Hardcore: I still have just a little bit to do to make it functional. I'll have it for you soon dont worry :)

eXe: ok...i'm relax =)

Hardcore: i noticed you have like 4 different types of bots in there...are you testing new bots?

eXe: yes...

The two talked about zombie networks, and Hardcore pressed eXe to tell him the size of the biggest zombie network he'd ever seen. EXe bragged about a 10,000-bot network, then added, "it's no many, i seen more."

eXe: how old are you?

Hardcore: about you? :)

eXe: i am 21 =) my name is Ivan. i'm from Russia. my nationality is Russian.

Hardcore: My name is Matt :) Ive always lived in canada

eXe: i happy to meet you

Hardcore: nice to meet you too ivan :) you work or go to school or just do this? ive made a lot of money doing this so far :) :)

eXe: school. i'm study. inginier-mechanic. etc=) i'm learn french. my English is very bad.
