How to Deal with Blackmail — Security through Obscurity

The first blackmail letter that I ever received.

I received tons of blackmail emails threatening to DDoS my game business over the past few years. Some were just threats, some were actual attacks.

If you run an online business, whether it’s e-commerce or especially a gaming business, it attracts a lot of attention, including from people with malicious intent. Their motives can be:

  • They can be mad at your customer service and attack you.
  • They can be a petty competitor of the same niche.
  • They attack you to blackmail for money.
  • They simply like to attack and have bragging rights (that’s how the internet works).

The attack that I’m talking about is DDoS:

DDoS = Distributed Denial of Service attack = the “hackers” send a large amount of junk traffic to your server’s network, overloading the network and server so that they cannot handle legitimate traffic from legitimate people.

While some DDoS attacks are state-sponsored (China) or come from professional hackers, most of the common DDoS attacks you might receive are from teenagers buying DDoS services on hacking forums. All they have to do is enter the target’s IP address and press the attack button. This is mostly true in the gaming industry.

I know from experience that DDoS is a major issue in gaming communities, and something that can destroy servers and destroy businesses. It isn’t right that twelve-year-olds can take your server down for a whole day for only a few dollars, perhaps causing you hundreds of dollars of lost revenue and angry players.

It also isn’t right that in order to stop them you must pay hundreds or even thousands of dollars each month for basic DDoS protection. It is annoying that when you build a community, aside from being the good guy, you also have to deal with bad guys when you don’t even know where they are from.

And for a so-called “enterprise-grade DDoS protection service”, you shouldn’t have to pay this amount of money for something you might not even use. I used to have to pay thousands to cease and block the attack. Most of the DDoS mitigation services out there don’t even work if you are not willing to pay.

That brings me to “Security through Obscurity”, a method where you know something that the attacker doesn’t know, and use it to your advantage. It saves money when you are starting out or simply don’t want to pay for expensive DDoS protection.

Ignore the Blackmailer

  • This is a psychological response for when you receive a DDoS threat via email, chat, or any other channel through which the attacker can tell you directly that they are going to attack you.
  • If you receive such a message, simply ignore it. Don’t even think about responding.
  • Better yet, conduct your business in a normal fashion.
  • When you ignore the blackmailer and don’t respond, you buy yourself time to prepare for mitigation if needed. It varies from hours to days. Sometimes, there is no attack.
  • In this situation, the blackmailer usually waits for your response because it gives them satisfaction. Most noob “hackers” don’t set a timeframe for an attack; it’s usually random, depending on their mood that day.

Respond with Force

  • This basically means attack the attacker at the same time he attacks you.
  • This method is not recommended. You should know what you are doing and what you are getting into.
  • If you know you are being attacked by a petty competitor or you know the person’s IP address (via various ways), you know where to direct the attack to.
  • This only works if you know who is attacking you, which requires threat, timing and, if it is a competitor, that he has his business to lose. So that’s good.
  • After a few rounds of back and forth, his attack will cease, and you cease yours.
  • There is no need to communicate further with the blackmailer. He knows, and you are no longer being attacked.

Masked Address

  • Mask your website’s real IP address by using services like Cloudflare.
  • For game servers, mask it via an SRV record. I was one of the first in the game server industry to implement SRV records.
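
An added example, not from the original post: an SRV record only points clients at a target hostname and port, and that target's address record is still public, so the masking holds only if no record in your own zone leads back to the real server. The audit below runs over a constructed zone; the zone data, the `_game._tcp` service label, `ORIGIN_IPS` and all function names are assumptions, and the addresses are documentation-range placeholders.

```python
# Added example: constructed zone data; addresses are RFC 5737 documentation ranges.
# 203.0.113.10 stands for the proxy/filtered address, 198.51.100.7 for the real server.
ZONE = """\
example.com.             A     203.0.113.10
www.example.com.         CNAME example.com.
mail.example.com.        A     198.51.100.7
example.com.             MX    10 mail.example.com.
_game._tcp.example.com.  SRV   0 5 27015 node1.example.com.
node1.example.com.       A     198.51.100.7
"""
ORIGIN_IPS = {"198.51.100.7"}  # assumed real server address (constructed)

def parse_zone(text):
    """Return (name, type, rdata-fields) tuples from simple 'name type rdata' lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            records.append((parts[0].lower(), parts[1].upper(), parts[2:]))
    return records

def resolve(name, records, seen=None):
    """Follow CNAMEs inside the zone and return the A-record addresses for name."""
    seen = seen or set()
    if name in seen:  # guard against CNAME loops
        return set()
    seen.add(name)
    ips = set()
    for rname, rtype, rdata in records:
        if rname == name and rtype == "A":
            ips.add(rdata[0])
        elif rname == name and rtype == "CNAME":
            ips |= resolve(rdata[0].lower(), records, seen)
    return ips

def find_origin_leaks(text, origin_ips):
    """List (name, type, target, ip) for every record that leads to an origin IP."""
    records = parse_zone(text)
    leaks = []
    for name, rtype, rdata in records:
        if rtype == "A":
            target, ips = name, {rdata[0]}
        elif rtype in ("CNAME", "MX", "SRV"):
            target = rdata[-1].lower()  # the hostname is the last rdata field
            ips = resolve(target, records)
        else:
            continue
        leaks += [(name, rtype, target, ip) for ip in sorted(ips & origin_ips)]
    return leaks
```

On the constructed zone this reports four records, including the SRV and MX entries whose targets resolve to the real server; an empty list means nothing in the zone points at the origin.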

(to be continued)