Preventing a DDoS By Redirecting Your Attacker

I just spent the last few hours trying to fight a DDoS attacker who was trying to take down Tailrank. Not fun.

It wasn’t a DoS attack in true form as he was simply trying to use Tailrank as an open proxy for evil. I had enabled an open proxy server for an hour or so last night while testing something and forgot to close it back up. In only a few hours they had found the open proxy and deployed it to a few thousand bots.

Closing the proxy didn’t fix the problem as Apache just started telling my backend servers to handle the requests (which DoSd them too).

An easy fix was just to add:

RewriteCond %{SERVER_NAME} !^[a-z.]+.tailrank.com$
RewriteRule .* http://tailrank.com [F,L]

This will then quickly return a forbidden when the request isn’t for Tailrank. Easy enough.

This made me think of a nefarious counter attack. I was really mad at this guy at the time and I was thinking about revenge (which is bad karma of course).

What if I just returned an HTTP 302 redirect for these guys and pointed them to a few people who wouldn’t necessarily have a sense of humor about these kind of things. Any US government entity would work just fine. Of course this would be bad karma as well considering I don’t want to take down government servers (even though they could probably handle the load).

Anyway. For obvious reasons I didn’t take this course of action. Not only would it be a crime it would also be bad karma (so that’s not good).

Then I had an even better idea. This would be a great and easy way to report a DDoS attacker to the FBI.

What they would do is setup a report.fbi.gov server which all it did was handle bad packets. Then I could just redirect my DDoS traffic back to report.fbi.gov. They should be able to handle the traffic and investigate the incident without getting me involved. Basically, you’re just dumping evidence on their doorstep.

This would be a trivial implementation of course. It would be simple for an attacker to just wait for all of their bots to start redirecting or just disable redirects altogether. You could still just use report.fbi.gov as a proxy server to send them all the traffic directly and the attacker would never know.

Would be good all around. I get to offload a DDoS attack, hurt the bad guys (the attacker) and help the good guys (the FBI in this situation).


  1. Kevin,

    I think you would most likely just be sending reports to the FBI of other compromised machines and infected hosts/clients. You would not likely have any more information about the organizer or owner of the botnet or malware or scam itself. The best way is to open up a new proxy and determine who the first person to detect is, before the flood of abuse comes in. That’s the person to go after. Check your logs and see who found it first. :-)

    ps: Outside of the web2.0 bubble :-) I’ve done a lot of DDoS mitigation and am friends with lots of folks in the Anti-DDoS world.

  2. It’s highly unlikely that sending them a redirect would have worked. If they’re trying to use something as a proxy, invalid results would be ignored rather than followed. You don’t expect raw redirections to come back from a proxy if you’re trying to use it as a proxy, so you probably wouldn’t follow them.






%d bloggers like this: