Fighting Back Against DDoS

The hacktivist collective, Anonymous, has been targeting government, religious and corporate websites with distributed denial of service (DDoS) attacks left, right and centre – and all in the name of protest.

For example, in November last year, it took down an Islamic State-supporting website in the wake of the attacks in Paris. While the Anonymous group is using DDoS attacks to publicise the wrongdoings of the world, the criminal gang DD4BC – which is short for DDoS for Bitcoin – is using DDoS attacks to demand ransom money in the form of bitcoins.

In the last year, DD4BC shifted its focus away from targeting online gambling companies and towards other lucrative operations: financial institutions. In its most recent attack, DD4BC homed in on its target and triggered a DDoS attack in the 25-35 Gbps range. Victims received a ‘ransom note’ demanding 30 to 40 bitcoins – which equates to around £8,000 to £10,000 – as insurance against a second, stronger attack.

Despite a multi-national law enforcement team led by Europol arresting a key player believed to be behind the 2015 DD4BC attacks, DDoS attacks will continue as long as targeted organizations pay the ransom. Previous extortion attempts show few reasons to pay up, not least because the larger secondary attack rarely occurs. Paying an attacker could also invite additional attacks.

In 2015, Swiss company ProtonMail paid a ransom as part of a DDoS extortion attack and went public with its actions. The result? Other DDoS attackers zeroed in and demanded payoffs. Fortunately, most organizations can defend themselves against DDoS attacks such as these and should take note of the following guidelines:

Manage what’s coming in and what’s going out

Institute strong external network-facing Access Control Lists (ACLs) to keep all out-of-profile traffic off servers. For example, on a web server, only allow TCP port 80 and/or 443. Block all other traffic and aggressively time out ‘half-open’ connections, which are designed to fill up connection tables. High-risk organizations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks.
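As an added illustration of the two controls above (a default-deny ACL that admits only TCP 80/443, and an aggressive timeout for half-open connections), the following Python model is not code from the article; the packets are constructed sample data, and the 5-second timeout and 3-entry table capacity are assumed values chosen to make the sample trip both checks:

```python
"""Default-deny ingress ACL for a web server plus an aggressive half-open
(SYN_RECV) reaper. Added example, not from the article; all packets are
constructed sample data and HALF_OPEN_TIMEOUT / MAX_HALF_OPEN are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    proto: str      # "tcp", "udp", "icmp"
    dport: int
    flags: str      # TCP flags: "S" = SYN, "A" = ACK; "" for non-TCP
    ts: float       # seconds since start of capture


ALLOWED_TCP_PORTS = frozenset({80, 443})   # web-server profile from the article
HALF_OPEN_TIMEOUT = 5.0                     # assumed; far shorter than a default SYN_RECV lifetime
MAX_HALF_OPEN = 3                           # assumed; tiny on purpose so the sample fills it


def acl_decision(pkt):
    """Stateless edge ACL: only TCP to the allowed ports is in profile."""
    if pkt.proto != "tcp" or pkt.dport not in ALLOWED_TCP_PORTS:
        return "drop"
    return "accept"


class ConnTable:
    """Tracks embryonic connections and evicts those that never complete."""

    def __init__(self, timeout=HALF_OPEN_TIMEOUT, capacity=MAX_HALF_OPEN):
        self.timeout, self.capacity = timeout, capacity
        self.half_open = {}        # (src, sport, dport) -> time the SYN was seen
        self.established = set()
        self.counts = {"accept": 0, "drop": 0, "reaped": 0}

    def reap(self, now):
        """Evict half-open entries older than the timeout."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]
        self.counts["reaped"] += len(stale)

    def handle(self, pkt):
        verdict = acl_decision(pkt)
        if verdict == "accept":
            self.reap(pkt.ts)
            key = (pkt.src, pkt.sport, pkt.dport)
            if pkt.flags == "S":
                if len(self.half_open) >= self.capacity and key not in self.half_open:
                    verdict = "drop"       # table full: refuse new embryonic connections
                else:
                    self.half_open.setdefault(key, pkt.ts)
            elif pkt.flags == "A" and key in self.half_open:
                del self.half_open[key]    # handshake completed
                self.established.add(key)
        self.counts[verdict] += 1
        return verdict


# Constructed sample traffic: one legitimate handshake, out-of-profile UDP and
# SSH probes, a burst of SYNs that never complete, and a later legitimate SYN.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", 40001, "tcp", 443, "S", 0.0),
    Packet("203.0.113.5", 40001, "tcp", 443, "A", 0.1),
    Packet("198.51.100.7", 5000, "udp", 53, "", 0.2),
    Packet("198.51.100.7", 5001, "tcp", 22, "S", 0.3),
    Packet("198.51.100.9", 6000, "tcp", 80, "S", 1.0),
    Packet("198.51.100.9", 6001, "tcp", 80, "S", 1.0),
    Packet("198.51.100.9", 6002, "tcp", 80, "S", 1.0),
    Packet("198.51.100.9", 6003, "tcp", 80, "S", 1.5),   # table already full
    Packet("203.0.113.6", 40002, "tcp", 80, "S", 7.0),   # stale entries reaped first
]


def simulate(packets=SAMPLE_TRAFFIC):
    """Run the packets through the ACL and connection table; return both results."""
    table = ConnTable()
    verdicts = [table.handle(p) for p in packets]
    return table, verdicts


if __name__ == "__main__":
    table, verdicts = simulate()
    print(verdicts)
    print(table.counts, "half-open:", len(table.half_open), "established:", len(table.established))
```

The stateless check runs first so that out-of-profile traffic never touches the connection table at all; the capacity check and the reaper together are what keep a burst of never-completed SYNs from crowding out the later legitimate connection.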

Monitor, monitor, monitor

Companies should set up robust monitoring to identify tell-tale signs during the early stages of an attack. The upstream ISP should be notified so that it can place mitigations on its connected devices to protect the network. Commercial DDoS mitigation products are also an option, but organizations can take several other proactive steps to help minimise the impact of these attacks.
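To show what "tell-tale signs during the early stages of an attack" can look like in monitoring logic, here is an added Python example that is not from the article. It reads per-second edge counters in a constructed key=value log format (a hypothetical format chosen for the example; a real deployment would consume NetFlow/sFlow exports or interface counters), builds a rolling median baseline and raises an alert for a volumetric spike or for a SYN rate that runs far ahead of the SYN-ACKs being returned:

```python
"""Early-warning DDoS detector over per-second edge counters.
Added example, not code from the article. SAMPLE_LOG is constructed sample
data in a hypothetical format; thresholds are assumed starting points."""
import statistics

# Constructed sample: ~100 Mbps of normal traffic, then a 25 Gbps spike,
# then a SYN flood that the byte counters alone would not show.
SAMPLE_LOG = """\
2016-01-20T10:00:00Z bps=95000000 pps=80000 syn=900 synack=880
2016-01-20T10:00:01Z bps=101000000 pps=84000 syn=950 synack=930
2016-01-20T10:00:02Z bps=98000000 pps=82000 syn=910 synack=900
2016-01-20T10:00:03Z bps=99000000 pps=83000 syn=940 synack=925
2016-01-20T10:00:04Z bps=102000000 pps=85000 syn=960 synack=940
2016-01-20T10:00:05Z bps=104000000 pps=86000 syn=980 synack=950
2016-01-20T10:00:06Z bps=25000000000 pps=20000000 syn=1200 synack=1180
2016-01-20T10:00:07Z bps=110000000 pps=90000 syn=48000 synack=1000
"""

BASELINE_WINDOW = 5        # seconds of history behind each sample
BPS_FACTOR = 10.0          # alert when bits/s exceed 10x the baseline median
SYN_FACTOR = 10.0          # alert when SYN/s exceed 10x the baseline median ...
SYN_ACK_RATIO = 5.0        # ... and SYNs outnumber SYN-ACKs by this factor


def parse_line(line):
    """'2016-01-20T10:00:00Z bps=1 pps=2 syn=3 synack=4' -> dict with int counters."""
    ts, *kvs = line.split()
    rec = {"ts": ts}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = int(value)
    return rec


def detect(log_text, window=BASELINE_WINDOW):
    """Return (timestamp, kind, value) alerts; value is Gbps or SYN/s."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, rec in enumerate(records):
        history = records[max(0, i - window):i]
        if len(history) < window:
            continue                       # not enough history for a baseline yet
        base_bps = statistics.median(r["bps"] for r in history)
        base_syn = statistics.median(r["syn"] for r in history)
        if rec["bps"] > BPS_FACTOR * base_bps:
            alerts.append((rec["ts"], "volumetric", rec["bps"] / 1e9))
        syn_heavy = rec["syn"] > SYN_ACK_RATIO * max(rec["synack"], 1)
        if rec["syn"] > SYN_FACTOR * base_syn and syn_heavy:
            alerts.append((rec["ts"], "syn_flood", rec["syn"]))
    return alerts


if __name__ == "__main__":
    for ts, kind, value in detect(SAMPLE_LOG):
        print(f"{ts} {kind}: {value}")
```

A median baseline is used rather than a mean so that the spike itself does not drag the baseline up and mask the following second; the SYN check also requires a skewed SYN:SYN-ACK ratio, since a legitimate traffic surge raises both counters together.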

Collect, store and share information with the law

While the exact number of victims targeted by DD4BC is unknown, best estimates are in the thousands. Therefore, collecting and sharing information with law enforcement is absolutely critical. Unfortunately, however, many organizations fail to report extortion attacks. To assist investigators, organizations should provide several key pieces of information to law enforcement and/or their security vendors.

For example, an e-mail threatening DDoS should be preserved with its full headers, along with the timestamps of the attack, the victim’s IP address, the size of the attack, and a profile of the type of DDoS attack (with packet captures if possible). Collection should not be limited to these items; any data that can be shared can be helpful in tracing these attacks back to their originator and bringing cyber criminals to justice.
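The following added Python example, not from the article, packages exactly the items listed above into one evidence record: the ransom e-mail kept byte-for-byte with every header (including each Received: hop) and a SHA-256 of the untouched original, plus the attack window, victim IP, size, vector and hashes of any packet captures. The e-mail, addresses, IPs and pcap bytes are constructed sample data, and the record layout is an assumption for the example, not any agency's or vendor's intake format:

```python
"""Evidence preservation for a DDoS extortion incident.
Added example, not from the article. RAW_EMAIL and the attack details are
constructed sample data; the record layout is an assumed format."""
import email
import email.policy
import hashlib
import json

# Constructed sample ransom e-mail, kept as raw bytes so headers survive intact.
RAW_EMAIL = b"""\
Received: from mail.example.invalid ([192.0.2.10]) by mx.victim.example
Received: from [198.51.100.23] by mail.example.invalid
From: "Extortion Sender" <sender@example.invalid>
To: noc@victim.example
Date: Tue, 19 Jan 2016 09:12:44 +0000
Message-ID: <constructed-id-0001@example.invalid>
Subject: DDoS warning

Pay 30 BTC or the next attack will be stronger.
"""


def sha256_hex(data):
    """Hex SHA-256 so that the untouched original can later be verified."""
    return hashlib.sha256(data).hexdigest()


def preserve_email(raw):
    """Keep every header verbatim (duplicates included) plus a hash of the raw bytes."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return {
        "raw_sha256": sha256_hex(raw),
        "headers": [(name, str(value)) for name, value in msg.items()],
        "body": msg.get_body(preferencelist=("plain",)).get_content(),
    }


def attack_record(victim_ip, start_utc, end_utc, peak_gbps, vector, pcaps):
    """One observed attack; pcaps is a list of (filename, bytes) to hash."""
    return {
        "victim_ip": victim_ip,
        "start_utc": start_utc,
        "end_utc": end_utc,
        "peak_gbps": peak_gbps,
        "vector": vector,
        "pcaps": [{"file": name, "sha256": sha256_hex(data)} for name, data in pcaps],
    }


def build_report(raw_email, attacks):
    """Combine the preserved threat e-mail and the attack records."""
    return {"threat_email": preserve_email(raw_email), "attacks": list(attacks)}


def to_json(report):
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed pcap stand-in: just the libpcap magic bytes.
    fake_pcap = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20
    attack = attack_record("203.0.113.10", "2016-01-20T10:00:06Z", "2016-01-20T10:14:00Z",
                           25.0, "SYN flood + UDP amplification", [("attack1.pcap", fake_pcap)])
    print(to_json(build_report(RAW_EMAIL, [attack])))
```

Keeping the raw bytes and hashing them before any parsing matters more than the parsed view: a forwarded or re-saved copy loses the Received: chain that investigators use, and the hash lets a recipient confirm the message they received is the one that was preserved.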

Ultimately, DDoS attacks are becoming increasingly common, so it won’t be long until the next hacker strikes. Companies must ensure they are prepared: keep tabs on the network, set up robust monitoring and communicate with law enforcement agencies. The fact that big financial institutions such as HSBC can be hit by a DDoS attack is not only proof that no-one is safe from these kinds of attacks, but also, given that the company ‘successfully defended’ itself, that such an attack can be thwarted.

To put it simply, if we are going to bring down the hacktivists, we must be prepared to use the tools at our fingertips to push back against them.
