DDoS attack against TinyCert announced

Posted by admin on 28 October 2020 at 06:15 CET. Latest update on 3 November 2020 at 00:37 CET.

Update: November 2nd has come and gone in my time zone and there have been no signs of any DDoS attack and there was no service interruption at TinyCert. Although this, fortunately, means that the threats were bogus, I had to operate under the assumption that they weren't. This page will be left up for others getting similar threats to find. Hopefully they will learn that the threats are mere bluff and that the ransom should not ever be paid.

A greedy bunch of bastards calling themselves "Voodoo Bear" sent an email to my private email address announcing a DDoS attack aimed at TinyCert to take place, starting Monday 2 November 2020. They seem to be under the impression that there is a large company with deep pockets behind TinyCert, which I suppose is flattering. TinyCert is just a pet project of mine that I find useful myself and figured others might find useful too.

Ransom demands

As you can see from the email below, they are demanding a "small" $1000 ransom to call off the attack, increasing their demands by $1000 per day they are not met. TinyCert has been up for 6 years now and costs me about $200 per year to run ($1200 thus far) and the total amount of donations in that time has been $75, as I guess not enough people found it useful enough to consider donating. Thus, even if I could pay the ransom, I would not want to. If the site goes down, so be it; the version I use privately will be unaffected anyway.

What can I do about it?

Realistically, nothing. I could change the IP address by moving to another host or hosting provider, so that the attack goes to the wrong place. That would probably not be effective, at least not for very long. Besides, I would much rather the moronic dipshits waste their time and effort by attacking my little pet project rather than going after somebody who might actually pay them. Heck, if anything, they're saving me money if I have to shut down the site.

Cloudflare?

Using Cloudflare or similar services is not an option. The dumb idiots indicate they will attack the network directly (most likely the IP address of the server TinyCert is running on, rather than the actual network of my hosting provider). Since it is a very lightweight server, as TinyCert requires very little in terms of server resources, it won't hold up against a proper DDoS attack for any significant length of time. If anything, it will be interesting to see how well it holds up. For Cloudflare's protection to be effective, the IP address would first have to be changed (which in itself is easily done - I guess the criminals overestimate how much work it is to migrate a small website), but the Cloudflare SSL proxy is not suitable in the free tier. This is because the free tier does not allow the use of a custom certificate and TinyCert uses HPKP. There is also no way I could afford the higher tier that allows that.
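Why a CDN-issued edge certificate trips HPKP, as an added illustration that is not part of the original post: pins are computed over the server's own SubjectPublicKeyInfo, so a proxy terminating TLS with its own key fails pin validation. The keys and header below are constructed values, not TinyCert's (HPKP has since been dropped by major browsers).

```python
import base64
import hashlib
import re

# Constructed example: HPKP pins (RFC 7469) are base64(SHA-256(DER SubjectPublicKeyInfo)).
# A CDN that terminates TLS with its own certificate serves an SPKI the browser has
# never pinned, so the connection fails pin validation. Keys below are made-up bytes.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")  # RFC 8410 SPKI header
ORIGIN_KEY = bytes(range(32))            # constructed: the origin server's own key
BACKUP_KEY = bytes(range(32, 64))        # constructed: backup pin required by HPKP
PROXY_KEY = bytes([0xAB]) * 32           # constructed: key in a CDN-issued edge cert


def spki_from_ed25519_key(raw_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in a DER SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis, max_age=5184000) -> str:
    """Public-Key-Pins header for the given SPKIs (primary plus backup)."""
    pins = "; ".join(f'pin-sha256="{pin_sha256(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}; includeSubDomains"


def parse_hpkp_header(header: str) -> dict:
    """Extract the pin set and directives a browser would remember."""
    return {
        "pins": set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header)),
        "max_age": int(re.search(r"max-age=(\d+)", header).group(1)),
        "include_subdomains": "includesubdomains" in header.lower(),
    }


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Pin validation: at least one SPKI in the served chain must match a remembered pin."""
    return any(pin_sha256(s) in pins for s in chain_spkis)


def demo() -> dict:
    """Pin the origin key, then validate the origin's chain and a CDN edge cert's chain."""
    origin, backup, proxy = (spki_from_ed25519_key(k) for k in (ORIGIN_KEY, BACKUP_KEY, PROXY_KEY))
    remembered = parse_hpkp_header(build_hpkp_header([origin, backup]))
    return {
        "header": build_hpkp_header([origin, backup]),
        "origin_ok": chain_matches_pins([origin], remembered["pins"]),
        "proxy_ok": chain_matches_pins([proxy], remembered["pins"]),  # False: pin violation
    }
```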

Update: Cloudflare CEO Matthew Prince has offered Cloudflare's assistance at no cost if needed. I hope it will not be necessary, but kudos to him and Cloudflare for their work and the kind offer.

Open source?

It has been suggested that I open-source the TinyCert codebase and allow people to have their own local versions, which of course wouldn't be affected. This too is not an option. Parts of the codebase are licensed to me personally and providing the source to them would be a breach of that license. Swapping that out for open source code would be possible, but time consuming and labour intensive and not something I am willing to do.

The actual email received

Here is a copy of the email, for anybody who is interested.

From: Robert Clark <robertclark@coronaxy.com>
Subject: If www.tinycert.org is important to you, you must read this
Date: Wed, 28 Oct 2020 02:13:37 +0000

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

==========================================

We are the Voodoo Bear and we have chosen www.tinycert.org as target for our next DDoS attack.
Please perform a google search for "Voodoo Bear" to have a look at some of our previous work.

Your network will be subject to a DDoS attack starting at 2020 November 2nd (Monday).

THIS IS NOT A HOAX, and to prove it right now we will start a small attack on www.tinycert.org that will last for 30 minutes.
It will not be a heavy attack, and will not cause you any damage so don't worry, at this moment.

This means that your website, e-mail and other connected services will be unavailable for everyone.

We will refrain from attacking your servers for a small fee.
The current fee is $1000 (USD) in bitcoins (BTC). The fee will increase by 1000 USD for each day after the deadline that passes without payment.

Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve):

[address removed]

You can easily buy bitcoins via several websites or even offline from a Bitcoin ATM. We suggest coinmama.com or https://buy.coingate.com/ for buying bitcoins.

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before the deadline or the attack WILL start!

If you decide not to pay, we will start the attack on the indicated date and uphold it until you do, there's no counter measure to this, you will only end up wasting more money trying to find a solution (Cloudflare, Sucuri, Imperva and similar services are useless, because we will hit your network directly).

We will completely destroy your reputation and make sure your services will remain offline until you pay.
We will also download your database and do as much damage as possible.

Do not reply to this email, don't try to reason or negotiate, we will not read any replies.

Once you have paid we won't start the attack and you will never hear from us again.

Please note that Bitcoin is anonymous and no one will find out that you have complied.

-- Voodoo Bear team

I literally laughed out loud at the first sentence, as it indicates how clueless these numbskulls are. Maybe I'll forward the email to my budgerigars, as they are the only other living beings in here, though I'm not sure they're qualified to make any decisions.

Update: some users have reported receiving similar emails. On the one hand, that is a good thing, as it reduces the likelihood of (persistent) follow-through on the part of these scumbags. On the other hand, the more widespread this is, the more likely it is that somebody will give in and pay up. If you receive a threat like this, do not comply. It will only encourage them by showing that their actions are successful, and mark you as susceptible to caving in to pressure.

So, Mr. "Clark" or "Voodoo Bear", whatever you hilariously pitiable imbeciles call yourselves, you can just fuck off. I have not for a nanosecond considered giving in to your demands, even if I could. You wanna waste your time to take down my pet project? Be my guest. My taking the time and effort to write this page is the only thing you have "achieved", as you're not getting a penny from me. And thank you for thinking TinyCert worthy of extortion - that means I must've done something right in creating it.

Well, there you go. It's been fun while it lasted. This is why we can't have nice things.