Extortion – the hidden crime fueled by DDoS

One of the primary functions of DDoS is to extort the victim. In her paper on DDoS, Molly Sauter draws a distinction between hacktivist DDoS (for civil disobedience) and criminal DDoS (for financial gain). Now Corero Network Security is warning of growth in the latter, and predicting an increase in DDoS aimed at online gaming and particularly gambling sites over a summer of sport.

The standard methodology, Corero's CEO Ashley Stephenson told Infosecurity, is to preface the threat with some minor incursion on the network. Then follows the warning message: check your logs; we did that – and unless you pay us a very large amount of money we'll bring your network down.

The threat is real and the consequences severe. In reality, most large companies refuse to pay, said Stephenson. Slush funds are increasingly difficult to maintain and disguise, not least in the UK following the Bribery Act. Any payment would usually need to be routed via some third-party 'services' company, and the criminals would want payment in something like bitcoins or PayPal (and one of the largest clearing houses for illegal money, Liberty Reserve, was shut down by the FBI in May). A secret payment is not easy to organize.

But refusing to pay has its own problems: the fulfillment of the threat. "These attacks go beyond simple annoyance," said Stephenson, "with an average cost of over £150,000 per DDoS attack." The evolution of 'reflection' attacks, where an attacker can increase the attack bandwidth eightfold by using open resolvers, means that small groups can now deliver major DDoS attacks – up to and beyond 100 Gbps.
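Reflection traffic of the kind described above is visible at the victim's border as DNS answers that dwarf, or have no matching, outbound queries. This added example (not from the article or from Corero) runs that check over constructed flow records; the addresses, byte counts and the 8x threshold taken from the article's figure are assumptions for illustration.

```python
"""Flag DNS reflection/amplification traffic in border flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample: 198.51.100.10 is the victim's own resolver,
# 203.0.113.x are open resolvers on the internet (RFC 5737 test ranges).
FLOWS = [
    # Legitimate lookup: 80-byte query out, 200-byte answer back.
    Flow("198.51.100.10", 40001, "203.0.113.1", 53, "udp", 80),
    Flow("203.0.113.1", 53, "198.51.100.10", 40001, "udp", 200),
    # Reflection: large answers arrive although the victim never queried.
    Flow("203.0.113.7", 53, "198.51.100.10", 40002, "udp", 3200),
    Flow("203.0.113.8", 53, "198.51.100.10", 40002, "udp", 3100),
    Flow("203.0.113.9", 53, "198.51.100.10", 40002, "udp", 3300),
]


def dns_reflection_report(flows, victim, ratio_limit=8.0):
    """Return {resolver: (bytes_in, bytes_out, ratio)} for suspect resolvers.

    A resolver is suspect when its DNS answers to the victim exceed the
    victim's queries to it by more than ratio_limit, or when no query
    was sent at all (ratio is reported as infinity in that case).
    """
    bytes_in = defaultdict(int)   # answers: resolver -> victim
    bytes_out = defaultdict(int)  # queries: victim -> resolver
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53 and f.dst == victim:
            bytes_in[f.src] += f.nbytes
        elif f.dport == 53 and f.src == victim:
            bytes_out[f.dst] += f.nbytes
    report = {}
    for resolver, inbound in bytes_in.items():
        outbound = bytes_out.get(resolver, 0)
        ratio = inbound / outbound if outbound else float("inf")
        if ratio > ratio_limit:
            report[resolver] = (inbound, outbound, ratio)
    return report


if __name__ == "__main__":
    for r, (i, o, ratio) in dns_reflection_report(FLOWS, "198.51.100.10").items():
        print(f"{r}: {i} bytes in, {o} bytes out, ratio {ratio}")
```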

The result is a growing, but hidden, crime. Neither side likes to talk publicly. "More often than not these blackmail threats go unreported," said Stephenson. "We tend to hear about them," he added, "when a threat is received and a decision taken to ignore it." Companies then turn to specialist DDoS mitigators such as Corero to ensure their defenses.

The alternative, paying up, is no solution. "Some companies opt to pay the ransom rather than go public with the attack in the hope that this will satisfy the hackers, though this is rarely the case and may lead to the site continually being targeted." It's a difficult decision for a company that entirely relies on its uptime for its business. Prevention, through DDoS preparation, is far better than cure – and is the only real solution to a summer of hidden DDoS crime.