DDoS Attacks Have Graduated to Extortion


There are things in this world that are far less enjoyable than having your website knocked offline to be certain. That being said, it can have a massive impact to your day or that of a company trying to make a living by selling their wares online. I remember early on one of the first large scale distributed denial of service (DDoS) attacks to launch was aimed at the White House.

This was an attack that was expected at the time to be a withering assault that could reduce the White House website to a pile of molten "cyber" in the guise of what was dubbed a "virtual sit-in". This took place in May 1998. There was concern at the time since this was not something that people had really given a lot of thought to at the time. But, in the end the web server had it's IP address changed.

It was that simple. The attackers had planned to attack not the domain name but, the IP address that was associated with the site. Simple presto change-o and the problem was fixed. These days it isn't that simple to avoid becoming the victim of a distributed denial of service attack.

There are different manner of DDoS attacks that can victimize a website. The vast majority of DDoS attacks are designed to overwhelm a site at the infrastructure level. The idea being to render the website and it's resources unusable to the customers and the company or organization that run the site. This is cyber security equivalent of having a bully sit on your chest and say "stop hitting yourself, stop hitting yourself".

These type of attacks invariably lead to bragging on the part of the instigators. There seems to be an innate inability on the part of these attackers to keep their mouths shut. They seem to be incapable of just launching the attacks and want to be giving recognition for their endeavors. This frequently leads to them getting some press cycles and then a visit from the local constabulary. Assuredly not their desired outcome.

This sort of media whoring plays well with much of the press as it provides a morbidly curious pubic with some level of insight into the instigators. When you drive by an accident on the side of the highway most of will slow down to look. It is human nature. So too is our apparent fascination with these attackers.

What once began as an attacker defacing a website, later graduated to launching DDoS attacks. Now, those very attackers have demonstrated that they are no longer satisfied with press exposure. Now we see evidence of attacks being launched for money.

Case in point is a crew that have been dubbed DD4BC for their pattern of launching attacks in a bid to collect bitcoin. We first saw them in 2014 when they ran trial run attacks against various websites. The curious point at the time was that they demanded a paltry sum from their victims. They were kicking the tires on their new machine.

How this type of extortion attack would work is that they would launch a small burst of traffic against an intended victim and email them to ask them to look at their logs. This was a step to demonstrate that they were serious. The proverbial "look at my gun" approach that has worked for bank robbers for decades. The DD4BC crew would demand money and in the event the website operators failed to cave in to their demands they would launch their attack. As time progressed the cost to stop the attack would rise.

I sincerely hope that no one has in fact paid the ransom that they demanded. This would only encourage them to launch more attacks. Also, for any site that would pay their demands this would provide them no guarantees that the attackers wouldn't return to demand more money.

Attackers have evolved with the times and so to should website operators. The need to have a web site that is designed to fail is clear. If you come under attack today, how will you scale? How will you defend your website? Telling them to go away or you will taunt them again simply won't suffice.

(Image used under CC from redtype)