DDoS on Demand VS DDoS Extortion

May 08, 2007 / Comments (0) / by Dancho Danchev

There were recent speculations on the decline of DDoS attacks, in respect to the lack of companies actually paying to extortion attacks and that it's supposedly not a cost effective approach for malicious attackers to use their botnets. Think again, as it's always a matter of a vendor's sensor network diversity, one that's also excluding targeting mom-and-pop web properties. Just because DDoS extortion may not be working, and I say may not be working because only a few companies would admit they have paid money given the simple math of losing revenues on an hourly basis and spending more on bandwidth and security consultancy than the money requested, DDoS on demand still remains a well developed underground business model. DDoS attacks may not be profitable for the attacker directly performing them, but remain profitable if he's getting paid to provide the service only. Here's an excerpt from my Future Trends of Malware (January, 2006) publication related to DDoS extortion :

"Now you should ask yourself, would total cost of ownership of the business, the costs of the bandwidth, the DDoS attack protection solution, or the botmaster’s deal with the devil style proposition can solve the situation. If you’re thinking big, each and every time an organization pays, it not only risks a repeated demand, but is also fueling the growth of the practice in itself – so don’t do it!"

I'm aware of an ironic situation where a small-biz client's web server started getting DDoS without any reason whatsoever. The first thing that came to my mind was that it's either a DDoS extortion, or a possible rival, so I asked whether or not they've received any extortion emails. They declined, and here comes the interesting part, two days later, the attacks stopped, and a letter arrived in the form of the following email - "We saw you ignored our first email so we had to demonstrate you the power of our attack, this is your second chance to bla bla bla". What happened, and why did they say no extortion emails were sent? Here comes the irony, in the spam folder of the publicly obtainable email account for the domain was the original extortion email, that got detected as a spam. Time for some cyber intelligence to assess their capacity.. Never comply with such letters, or they'll come back for more. By the way, ever thought of the DDoS extortion bluff?

Here's another excerpt on DDoS on demand :

"There’s a lot of demand for paying to teens to shut down your competitors and hoping they would go under the radar, and while ethics are excluded, given these get busted, they’ll be the first to forward the responsibility to the buyer of the service. There’s also a clear indication of market for such services, and sooner or later these individuals will improve their communication skills, thereby increasing the impact of these attacks. For instance, Jay Echouafni, CEO of TV retailer Orbit Communications, paid a group of botmasters to DDoS his competitors, where the outage costs were estimated at $2 million. Another case of DDoS on demand occurred in March, 2005, when the FBI arrested a 17 year old and a Michigan man for orchestrating a DdoS attack, again causing direct monetary loses. DDoS attacks, and the ease of gaining capability in this field are clearly increasing."

Unethical competitions would favor a service where a third party maintains the infrastructure, launches the attack, and for the safety of both parties, remain as anonymous as possible. Here' a related article at BBC News:

"We are seeing a lot of anti-competitive behaviour," he said. Mr Sop added that many more Asian targets were being hit by DDoS attacks - a region in which Symantec did not historically have a big presence. In Asia, he said, DDoS attacks were proving very popular with unscrupulous firms keen to get ahead of their rivals. "The really frightening thing is you can buy access to a botnet for a small amount of money and you can have you competitor down for a long time," he said."

I never actually enjoyed articles emphasizing on how Russian script kiddies are taking over the world given the idea of "outsourcing malicious services". So next time you see a DDoS attack coming from the Russian IP space against U.S companies, it could still be U.S based rivals that requested the attack on their U.S based competitors -- stereotypes keep you in the twilight zone.

Meanwhile, here's a proof hacktivism is still alive and fully operational as the Estonian Internet infrastructure's been recently under permanent DDoS attacks due to real-life tensions of removing a statue from the Soviet era. It wasn't Chinese Mao-ists that did it for sure, but the recent case is another proof that it's always about the money, as everyone not aware of different malicious attackers' motives is preaching. DDoS extortion isn't dead, it's just happening beneath the radar, as targets are picked up more appropriately balanced with less greed regarding this underground business model only.

UPDATE : More developments on the DDoS attacks in Estonia now combined with defacements, which I think was only a matter of time.

Related posts:
The Underground Economy's Supply of Goods
The War against botnets and DDoS attacks
Emerging DDoS Attack Trends
Korean Zombies Behind the Root Servers Attack
Hacktivism Tensions - Israel vs Palestine Cyberwars