DDoS Extortion: Easy and Lucrative

Distributed denial-of-service (DDoS) attacks are nothing new, nor is the fact that they’re being used to create a profit. But the fact that DoS has become a lucrative criminal enterprise is something likely to become even more popular. “Send us 100 bitcoins and we’ll go away” is a common message in the inbox of chief financial officers and IT managers around the world.

Sometimes organizations pay up, but there’s no guarantee the attackers won’t be back next month or another criminal group won’t send the same message with the same demands. Criminals communicate in the background about who’s a vulnerable target, so once you’ve paid, expect the vultures to start circling.

Attacks Past and Present

DoS and DDoS attacks have been around nearly as long as the Internet itself. Back in the early days, users would go after each other using tools like smurf attacks and the Ping of Death, or simply knock the victim off the Internet with SYN and ICMP floods. These were the days when a dial-up connection was the standard, and if you happened to have access to a higher-bandwidth pipe, knocking your enemy offline was easy.

It wasn’t until teenage cybercriminal MafiaBoy attacked Yahoo, Amazon and other major websites in 2000 that DDoS became part of the public lexicon. Even then, it wasn’t much more than an annoyance until late 2010, when the hacktivist group Anonymous created the Low Orbit Ion Cannon (LOIC) tool and started a long series of virtual sit-ins. It was these Anonymous attacks that made organizations, both legal and criminal, realize that DDoS is still an issue — one that can affect every businesses, no matter how big or small.

The most recent threats have been from a group calling itself DDoS for Bitcoins (DD4BC). DD4BC usually starts by performing a short-duration attack against a site, then tells the operator to send a number of bitcoins to an account or risk another strike. If the organization pays, DD4BC theoretically goes away for good, but there are no guarantees. If no payment is sent, then a second attack is performed against the target, potentially lasting for days and consisting of various types of traffic and attack patterns. DD4BC has been operating since mid-2014, with no sign of abating in the near future.

Types of DDos Attacks

DDoS comes in three basic flavors: volumetric, application-layer and protocol attacks.

Volumetric Attacks

Most people are familiar with volumetric attacks, which send so much traffic to a data center that it fills the data center’s circuits and prevents any of the legitimate traffic from connecting to a website. Volumetric attacks can be further subdivided into direct traffic and reflected traffic.

Direct traffic usually comes from a botnet of compromised systems, with a command-and-control (C&C) structure informing systems where to send their traffic. Often, the compromised systems are those of home users who’ve downloaded malware that makes them part of the botnet, but compromised WordPress and Joomla servers are increasingly becoming part of the botnets, as well. With home Internet connection speeds over 100 Mbps becoming increasingly common, compromised home systems are a big enough threat on their own. But servers sitting in a data center with much bigger pipes can pump out gigabits of traffic before anyone notices or responds.

The second type of volumetric attack is called a reflection attack. It’s easy to forge a request in any protocol and have the response directed at the targeted system. For every packet sent by the attacking servers, the reflecting server sends a larger amount of traffic to the target server. For example, while a Domain Name Services (DNS) request is fairly small, the response can contain several hundred name records. DNS reflection attacks have an average of 30 to 50 times the amplification of the traffic sent from the reflection server to the target server. Currently, the main protocols used for reflection attacks are DNS, Network Time Protocol (NTP) and Simple Services Discovery Protocol (SSDP), with others like the routing protocol RIPv1 also in use. A large pipe helps against these volumetric attacks, but with some strikes now topping 300 Gbps in size, all but the very largest of data centers are going to fail.

Application Layer Attacks

Application layer attacks, also called Layer 7 attacks, use a different tact. Rather than overload the pipe that leads into the data center, these assaults tie up the resources of your servers and prevent them from processing legitimate traffic. Nearly every modern website has a database sitting behind it, so one method to tie up your resources is to send a request that has a high computational cost. In other words, if I send a search for a fake product to your shopping site and format it correctly, I can tie up a large amount of memory for a considerable length of time. If I send enough of these requests to your servers, they become so busy processing my fake requests that they have no memory left to handle those from legitimate users. There are similar attacks that tie up resources on the Web server, but the effect is the same: no resources left to handle real user requests. Web application firewalls (WAF) and other on-premises devices are often very helpful against this type of attack, but new or strangely formatted strikes can sometimes bypass these protections.

Protocol Attacks

Protocol attacks are interesting because they assail the underlying procedures that make systems run. The Ping of Death was an example of protocol problems: Early computers expected an Internet Control Message Protocol (ICMP) packet to have a 56-byte payload, so if the actual payload was larger than 65,528 bytes, their network stacks would suffer from buffer overflows and crash.

Modern interpretations include using vulnerabilities in the network stacks of routers or computers, exploiting flaws in HTTPS implementations or taking advantage of the computational cost of SSL. The best defense against protocol attacks is to make sure servers and network equipment are running the latest versions of the software with no known vulnerabilities. Vendors are usually quick to provide patches, though it can take businesses a considerable amount of time to roll out the fixes everywhere.

Volumetric attacks are the weapon of choice for many cybercriminals because it’s hard to deal with the consequences once the traffic has hit the threshold of your data center. But skilled actors will have components of all types of attacks, and they will also use the noise created by an attack to hide other activity. What better time to compromise a server than when all attention is focused on stopping the strange traffic?

Dealing With Attacks

So how do you deal with a DoS attack when you’re the one being targeted? How should you respond? What can you do? There are four basic steps to be taken:

  1. Have a plan. This may sound silly, but it’s really the measure many organizations forget because they haven’t contemplated DDoS as a form of attack that might be used against them. Like most issues in security, though, it’s becoming less of an “if” and more of “when” it will happen to you. So sit down, work through a plan on paper and test your response with exercises or simulations throughout the year. During the attack is no time for planning.
  2. Know how to detect a DDoS attack against your organization. Volumetric attacks are usually fairly easy to spot at the firewalls and routers, but would you be able to recognize a resource exhaustion attack against your SQL back end or a strike against a protocol vulnerability? There are a number of actions that leave very little evidence in your logs, so learning to recognize the problems early can cut critical hours off of your incident response time.
  3. Be prepared to work with your current providers. Many ISPs and data center providers already have some of the tools in place to help mitigate attacks. Know what tools they have, who you need to contact in an emergency and the lead time required to enact these protections. It may be that you can have everything set up well in advance in a standby mode, or you may need to make changes on the day of the attack. In either case, it’s better to know far in advance.
  4. Call in the big guns! Sometimes you aren’t going to be able to deal with the attack yourself, so you have to call in a specialist. On-premises devices have the advantage of being under your control, but they can’t help you against volumetric attacks that fill up your Internet connection before it even gets to the device. Cloud- and data center-based services take some of the control away but usually come with a higher capacity and access to specially trained personnel. Similar to ISP solutions, there is going to be a lead time to implement any of these solutions, and the more research you’ve done before the attack, the sooner relief will be felt.

It’s hard to track a DDoS attack back to the organizer. First you have to find the servers involved in the attack, then you have to trace them back to their C&C structure and finally locate the connection to the origin point. It’s not an easy task, politically or technically, which means there’s little risk to the attackers of getting caught. While the payout to criminals is currently relatively low, expect the ransom to rise as more groups take part. That’s why you need to be planning your response now rather than waiting for the hammer to fall.

Share this Article:
Martin McKeay

Security Advocate

Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. As a member of Akamai's Security Intelligence Team, he is responsible for researching security threats, customer education and industry intelligence. With over fifteen years of experience in the security space and five years of direct Payment Card Industry work, Martin has provided expertise to hundreds of companies. He is also the author of the Network Security Blog and host of the Network Security Podcast.