Although I think DDoS extortion is declining as the more lucrative ransomware and scareware tactics rise, DDoS extortion remains interesting to me because of its sheer supervillainy (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today, and after hearing the story he asked, “How do I survive a DDoS Extortion Attack?” So here is how:
Businesses hit with these attacks have almost no means of fighting back, and they even have a disincentive to alert the authorities who could work to defend against them.
DDoS (distributed denial of service) extortion occurs when an attacker threatens to use a vast botnet of infected computers to bombard a single target online. Because the target’s resources are consumed serving the botnet traffic, legitimate traffic cannot reach the site, causing a denial of service. This prevents the business from using its website, which may be integral to its operations.
Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment. If the payment is not made by the given date, then the attack begins and the price usually increases.
Companies have three ways to respond: pay the attacker, use DDoS protection, or go to the authorities. Unfortunately, most companies choose to simply pay the attacker, since it is the easiest and least expensive way to make the problem go away. This only emboldens these kinds of attacks, leading to more extortion of other companies.
It is possible to use DDoS protection to filter out botnet traffic, but the extortionist will warn that if such an attempt is made, they will simply increase the number of bots attacking the website, making it much more expensive to deal with.
Going to the authorities can be so ineffective that extortionists will not even discourage their target from doing so. Extortion attacks usually originate in other countries, often Eastern Europe, where the FBI has little recourse. Furthermore, businesses are afraid to report the crime because it could damage their brand if it got out that they were helpless against extortionists. This makes it harder for any countermeasures to be developed, since it is impossible to tell how often extortion occurs, how much money is extorted, and who the targets are. According to experts, every online gambling site is paying extortion, usually around $40,000.
For these reasons, too often companies simply remain quiet about the extortion and pay the fee. The ransom is much less than the cost of a denial of service attack. Sometimes the extortionist even gives the victim the opportunity to pay for an attack on a competitor. Why not? It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.
The best way to combat attacks like these is for businesses to put aside competitive differences and share their information regarding security and cyberattacks with industry peers and law enforcement authorities. But that’s never going to happen and businesses are likely to continue to fight an every-man-for-themselves battle.
Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business you can always contact me and I can see how I can help!
Mike,
A couple of things:
1. I fully agree businesses should not only share the attack data but also learn from the very guys who have been dealing with this for a long time – Eastern European hosting providers. It’s very safe to say that many of the DDoS toolkits are being tested in EU on a smaller scale at least before they are being employed elsewhere. There’s just a lot of info on DDoS mitigation from the trenches. Businesses susceptible to DDoS (as you mentioned, gaming, etc.) should be advised to use their OSINT capabilities in DDoS research and not only rely on appliances. DDoS mitigation is a process and for them it should be on par with their DR capabilities ready to kick in.
2. Not all DDoS is created equal. I think the element of fear and helplessness upon facing the unknown plays a huge role in this setup when methods of attack are not understood. I 100% believe that businesses should invest in their staff for DDoS mitigation before they invest in specific technology. Log monitoring, nginx setup feeding into decent scripting, kernel buffer modification and iptables rules should fend off 90% of most medium-size bots. The game is most likely won in the first 24-72 hours when the attacker pays enough money while renting the botnet and should ROI on that, or move on to another target.
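As an added illustration of the "log monitoring feeding into scripting and iptables rules" approach in point 2 (example code written for this page, not the commenter's or the author's own tooling): it parses nginx combined-format access log lines, finds client IPs that exceed a request threshold within a sliding time window, and emits iptables drop rules as strings for an operator to review before applying. The sample log lines, the thresholds and the rule shape are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format: client IP, then [timestamp], then "request", then status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real traffic): one host hammering "/", one normal client,
# and one malformed line to show that unparsable input is skipped rather than crashing.
SAMPLE_LINES = [
    f'203.0.113.7 - - [10/Oct/2011:12:00:0{i // 5} +0000] "GET / HTTP/1.1" 200 612 "-" "bot/1.0"'
    for i in range(25)
] + [
    '198.51.100.5 - - [10/Oct/2011:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Oct/2011:12:00:07 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "this line is not an access log entry",
]

def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def find_offenders(lines, window_seconds=10, max_requests=20):
    """Map each IP whose peak request count in any sliding window exceeds max_requests to that peak."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            events[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            offenders[ip] = peak
    return offenders

def block_rules(offenders):
    """Render one iptables DROP rule per offending IP; returned for review, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in sorted(offenders)]
```

In production the thresholds would be tuned per site and the rules applied through an allowlist-aware wrapper so that shared NATs and monitoring probes are not cut off.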