The modern Internet offers four hundred relatively honest ways of making money. Unfortunately, not all greedy characters are limited to them. Fortunately, only some of them are qualified to cause serious harm. Nevertheless, their actions for unprepared people can be quite destructive. Under the cut you will find a heart-rending story with threats, blackmail, a treacherous attack and a traditional movie happy ending.

One of our customers has an online store selling computer equipment. On the morning of Friday, November 25th, he received a threatening letter:

Hello!

You need to pay $ 200 (the equivalent in Ukrainian hryvnias is 1600 hryvnias). You need to go to the terminal (you can find them in any super market) and choose WebMoney payment. We draw your attention to the fact that it is not necessary to directly transfer funds to the wallet, but to buy vouchers (vm-cards) for the required amount. In the terminal, select WebMoney payment and buy vouchers, then on the check there will be numbers and codes of vouchers that you must send in a letter. Please note that not all terminals allow you to buy vouchers vm, but most. Payment must be made within 24 hours, otherwise your site will be attacked by a powerful DDoS attack, due to which your site will cease to be available for a long time, up to several weeks or even more. The attack will not stop.

- spelling and punctuation saved.

The attackers did not bother to send a separate letter to each victim, so the addresses of several unrelated online stores were listed in the recipient field.

His natural reaction was not quite a polite refusal. Having considered the incident settled, he safely forgot it ... Until the evening.

In the evening at 17:09 a DDoS attack began, small but sufficient to cause disruptions to the site. Within a quarter of an hour, your humble servant was informed that something was happening.

A quick look at the Apache logs immediately revealed a pattern in the actions of attackers:

X.X.X.X - - [25/Nov/2011:17:19:17 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
Y.Y.Y.Y - - [25/Nov/2011:17:19:18 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
Z.Z.Z.Z - - [25/Nov/2011:17:19:17 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"

I think people who are familiar with setting up a web server already know what will happen next. But I will take the liberty to continue, what if a ready-made recipe comes in handy for someone.

It is immediately evident that despite the fact that the attack was carried out from several IP addresses, the attacked URL and User-Agent of the browser were used the same. It begs to use this data to screen out pests. Since we want to protect ordinary users as much as possible from our small conflict, we will use only the User-Agent, fortunately, it was copied from a fairly old version of the opera.

In order to amuse the pride of the attackers, a stub file out-of-order.html was created in the root of the site with simple content:

Our site is temporarily unavailable

And in .htaccess five lines are added:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Opera/9.80\s\(Windows\sNT\s5\.1\;\sU\;\sru\)\sPresto/2\.6\.30\sVersion/10\.63$
RewriteRule ^(.*)$ out-of-order.html

After that, a small static file began to be given to all requests with the specified User-Agent. From that moment, the attack ceased to have any significant effect on the server.

But our struggle is not over yet! One of the attackers IP addresses was selected and whois was determined using whois. The administrator who answered the call kindly agreed to check whether the attack from this address was actually carried out. Making sure, he called the subscriber and informed him of the outrages taking place. According to the administrator, the subscriber strongly denied his guilt but promised to change the password for his Wi-Fi, "which the villains must have broken." After a couple of minutes, the attack stopped not only from this IP, but from all the others, including other cities. (We still remember that the subscriber has nothing to do with it!)

In high spirits, we sent out a prescription for protection to everyone who received the threatened letter, and the satisfied went home.