The anatomy of a DDoS extortion attempt

Learn how a company successfully repelled a DDoS attack by hackers seeking a payoff.

As summer rolls along, those of us in IT find the pace of work nevertheless remains steady. After all, applications, systems, and networks don't go on vacation. Neither do hackers, of course.

The threat

I recently caught up with a friend who is the head of Security for a financial organization. I'll call him Jeremy. Jeremy's company depends on solid and reliable internet connectivity in order to serve its customers on a 24x7x365 basis. He received an email several weeks back that at first glance appeared to be a practical joke or part of a shoddy movie script. (Note: Specific identifiers are blocked out with [***].)

Subject: DDOS ATTACK!

Hello,

To introduce ourselves first:

http://www.coindesk.com/bitcoin-extortion-dd4bc-new-zealand-ddos-attacks

http://bitcoinbountyhunter.com/bitalo.html

http://cointelegraph.com/news/113499/notorious-hacker-group-involved-in-excoin-theft-owner-accuses-ccedk-of-withholding-info

So, it's your turn!

Your sites are going under attack unless you pay 40 Bitcoin.

Pay to [***]

Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don't even bother. Or at least not with cheap protection like CloudFlare or Incapsula. But OK, you can try.

Right now we are running small demonstrative attack on one of your IPs.

Don't worry, it will not be hard and will stop in 1 hour. It's just to prove that we are serious.

We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours to get it and pay us.

You can pay directly through exchanger to our BTC address, you don't even need to have BTC wallet.

Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase.

IMPORTANT: You don't even have to reply. Just pay 40 BTC to the identifier provided - we will know it's you and you will never hear from us again.

We say it because for big companies it's usually the problem as they don't want that there is proof that they cooperated. If you need to contact us, feel free to use some free email service. Or contact us via Bitmessage: [***]

But if you ignore us, and don't pay within 24 hours, long term attack will start, price to stop will go to 100 BTC and will keep increasing for every hour of attack.

IMPORTANT: It's a one-time payment. Pay and you will not hear from us ever again!

We do bad things, but we keep our word.

Thank you.

At first glance, Jeremy's reaction was a bemused "Yeah, right." Then he checked with his network team and the "small demonstrative attack" described in the email was indeed occurring, and did in fact stop shortly thereafter. Uh-oh.

By way of background, a DDoS (distributed denial of service) attack is one in which malicious individuals overload systems or networks with traffic sent from many origins at once. According to Akamai, a network service provider, this particular hacker group "appears to use Google IP address ranges, and in some cases AppEngine instances, in its attacks. It appears to use common UDP reflection DDoS attack techniques, as well as SYN floods that spoof Google crawler IP addresses, to mask the malicious traffic." In layman's terms, the goal is to make the target incapable of responding to legitimate traffic, much like an audience yelling hundreds of questions at a public speaker. Sony's PlayStation Network was hit by a DDoS attack in December 2014.
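The two traffic patterns Akamai attributes to this group, UDP reflection and half-open SYN floods, each leave a recognisable shape in flow records at the victim's edge. The following Python is an added illustration, not code from the article or from Akamai: it classifies a constructed set of flow records (the `Flow` layout, the reflector port list, the thresholds and the sample addresses from the RFC 5737 documentation ranges are all assumptions chosen for the example) and reports which pattern is present.

```python
"""Classify flow records for two DDoS signatures seen from the victim's side:
UDP reflection (large replies arriving from well-known reflector service ports
on many sources) and spoofed SYN floods (TCP flows whose cumulative flag set is
only SYN, i.e. the handshake never completes).
Added example; the record layout and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP services commonly abused as amplifiers; the *source* port as the victim sees it.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    flags: str   # cumulative TCP flags over the flow's life (e.g. "S", "SAPF"); "" for UDP
    bytes: int


def detect_udp_reflection(flows, min_sources=3, min_bytes=20_000):
    """Return {service: (distinct reflector count, total bytes)} for reflector
    ports that delivered a lot of data from many distinct sources."""
    by_port = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            by_port[f.sport][0].add(f.src)
            by_port[f.sport][1] += f.bytes
    return {REFLECTOR_PORTS[p]: (len(srcs), total)
            for p, (srcs, total) in by_port.items()
            if len(srcs) >= min_sources and total >= min_bytes}


def detect_syn_flood(flows, min_flows=50, min_syn_only_ratio=0.8):
    """Return {destination: half-open flow count} for destinations where most
    inbound TCP flows only ever carried a SYN. Spoofed sources never answer the
    SYN-ACK, so the flow never accumulates an ACK flag."""
    total, syn_only = Counter(), Counter()
    for f in flows:
        if f.proto != "tcp":
            continue
        total[f.dst] += 1
        if set(f.flags) == {"S"}:
            syn_only[f.dst] += 1
    return {d: syn_only[d] for d in total
            if total[d] >= min_flows and syn_only[d] / total[d] >= min_syn_only_ratio}


def build_sample_flows():
    """Constructed sample, not a real capture: one victim address receiving an
    NTP reflection burst, one ordinary DNS answer, 60 spoofed SYNs and 10 real sessions."""
    victim = "203.0.113.10"
    flows = []
    for i in range(5):   # five reflectors, each sending a large reply to an ephemeral port
        flows.append(Flow(f"198.51.100.{i + 1}", 123, victim, 40_000 + i, "udp", "", 4_800))
    flows.append(Flow("198.51.100.53", 53, victim, 51_234, "udp", "", 200))  # benign DNS reply
    for i in range(60):  # spoofed SYNs from distinct sources; none completes a handshake
        flows.append(Flow(f"192.0.2.{i + 1}", 1_024 + i, victim, 443, "tcp", "S", 60))
    for i in range(10):  # legitimate sessions: SYN, ACK, data, FIN all observed
        flows.append(Flow(f"198.51.100.{100 + i}", 2_000 + i, victim, 443, "tcp", "SAPF", 12_000))
    return flows


def analyze(flows):
    """Run both detectors and return one report dict."""
    return {"udp_reflection": detect_udp_reflection(flows),
            "syn_flood": detect_syn_flood(flows)}


if __name__ == "__main__":
    print(analyze(build_sample_flows()))
```

The SYN-flood check keys on the ratio of half-open flows rather than the raw SYN count, so a busy but healthy service (many SYNs, nearly all completing) is not flagged; the reflection check requires both many distinct reflectors and a byte volume, so a single chatty resolver is not.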

While the price tag here seemed cheap -- $9,200 to get the hackers to go bother someone else -- paying extortion demands is always a bad idea. It just encourages the bad guys, and there is no guarantee they won't up the ante and threaten another attack next week unless they receive more money.

"Science fiction concepts are never too far away when you work with technology, so my first thought was of the 'Star Trek' films and how the captain would order 'Shields up!' when threatened by an enemy vessel," Jeremy stated.

Too bad there's no similar concept in real life, right? Well, in Jeremy's case, that's exactly what they did.

The remedy

The size of Jeremy's company was the reason it was an attractive target to this hacker group. However, that size also meant it had the budget to afford protection services against DDoS attacks. Jeremy's company is an Akamai customer and utilizes its Prolexic service as needed to thwart malicious traffic.

"Basically, we activate Prolexic by routing our traffic through Akamai's networks. They use BGP, or Border Gateway Protocol, to distribute our incoming data and check for signs of DDoS attacks. It's pretty easy for them to tell which constitutes good traffic and which are just bogus packets, so they shut down the data streams from the illegitimate sources and allow only the valid data to reach our own networks. It's a temporary measure only, since we don't need them to scrub our traffic unless there's an active issue," Jeremy explained.

Akamai offers a DDoS Hotline for Emergency DDoS Protection to get those shields up fast. Akamai claims it has "2.8 Tbps of DDoS protection capacity" and blocks "40-50 DDoS attacks every week." Jeremy's company activated the service before the threatened deadline, then monitored its incoming network traffic to see if anything unusual occurred.

The result? "It was a pretty quiet evening," Jeremy said. "My network team and I monitored data levels and server/application response times and found no anomalies. Akamai reported to us that the DDoS attempt occurred, but they cut it off at the knees. We turned off Prolexic the next day."
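The "no anomalies" verdict above rests on comparing each minute's traffic level and response time with a baseline. As an added example (not the article's, Jeremy's or Akamai's code), the following Python flags minutes where a metric jumps well above the median of the preceding window, using the median absolute deviation so that an attack already inside the window does not drag the baseline up. The per-minute request and p95 latency series are constructed for the example; the window size and the threshold factor `k` are assumptions.

```python
"""Robust baseline check over per-minute metrics: flag a sample when it exceeds
the median of the preceding `window` samples by more than k scaled MADs.
Added example with constructed data; window and k are assumptions."""
import statistics

MAD_SCALE = 1.4826  # scales MAD to the standard deviation of a normal distribution


def robust_anomalies(samples, window=20, k=5.0, floor=1.0):
    """Return the indices of samples that sit far above their trailing baseline.
    Median/MAD rather than mean/stdev keeps a spike that has already entered
    the window from masking the minutes that follow it."""
    flagged = []
    for i in range(window, len(samples)):
        base = samples[i - window:i]
        med = statistics.median(base)
        mad = statistics.median(abs(x - med) for x in base) * MAD_SCALE
        if samples[i] > med + k * max(mad, floor):   # floor avoids a zero MAD on flat data
            flagged.append(i)
    return flagged


def correlated_anomalies(requests_per_min, p95_latency_ms, **kw):
    """Minutes where both volume and latency are anomalous: a volume spike alone
    could be a marketing campaign, latency alone could be a slow database, but
    both together is what a flood that is getting through looks like."""
    volume = set(robust_anomalies(requests_per_min, **kw))
    latency = set(robust_anomalies(p95_latency_ms, **kw))
    return sorted(volume & latency)


def build_sample_minutes():
    """Constructed per-minute metrics: 30 quiet minutes with mild periodic
    variation, then six minutes of flood (not real measurements)."""
    quiet_rpm = [1_000 + 10 * (i % 5) for i in range(30)]
    quiet_p95 = [180 + 5 * (i % 5) for i in range(30)]
    flood_rpm = [18_000, 22_000, 25_000, 24_000, 23_000, 21_000]
    flood_p95 = [2_500, 3_100, 3_400, 3_300, 3_200, 2_900]
    return quiet_rpm + flood_rpm, quiet_p95 + flood_p95


if __name__ == "__main__":
    rpm, p95 = build_sample_minutes()
    print("volume anomalies:", robust_anomalies(rpm))
    print("latency anomalies:", robust_anomalies(p95))
    print("both:", correlated_anomalies(rpm, p95))
```

Feeding the real per-minute counters from the edge routers and the application's response-time histogram into `robust_anomalies` gives a simple, explainable first-pass alert; a scrubbing service upstream should make the volume series stay flat even while the provider reports the attack on its side.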

"Aren't you worried they're just going to try to hit you again at a later date, this time without warning?" I inquired.

"Doesn't matter if they do, and they probably know that," Jeremy stated. "We'll just switch Prolexic back on again. These guys were interested in money, which they didn't get. They might also be motivated by revenge, but revenge doesn't pay their bills."

Akamai's Prolexic isn't free. While Jeremy couldn't provide me the cost of the service, it's budgeted like any other security solution and viewed as an operational necessity like antivirus or server redundancy. "I can say the yearly fees for Prolexic are more than what the hackers demanded -- this time," he told me. "However, had we paid them the tribute they demanded, I have no doubt word would have gotten out, and there'd be a line of hackers at our door stretching around the block, figuratively speaking. And then there's the threat of the reputation damage we would suffer if word got out that we paid off hackers."

"Did you ever try to contact them, even to say 'too bad, so sad'?" I inquired.

"No, there's no point engaging these types. They didn't get their money, so they'll go bug someone else. It'd be nice to think that they might give up and get actual jobs, but there are plenty of people out to get something for nothing, so they're obviously lured by that ideal. They probably figure if they can get 25% of their demands met that's a nice living. Me, I'd rather give my money to the good guys."

"How about trying to catch them and bring them to justice?" I asked.

"Well, they're an anonymous group like any other bunch of cowards," Jeremy replied. "They sent me that email through an anonymous remailing service. They send traffic through hacked or compromised systems. They operate in shady parts of the world where law enforcement is lax or disinterested in computer crime. My job is to protect my company, not play policeman. Besides, when it comes to busting hackers, if you cut one head off another just takes its place. Any imbecile who can download hacker scripts from the internet can threaten a DDoS attack. It won't stop until we kill off their revenue gains."

Unfortunately, hacker groups will continue to flourish as long as they feel there's a potential payoff in their activities. Utilizing DDoS protection services can mean the vital difference between smooth business operations and catastrophic human-engineered system and network failures. Those of us whose jobs involve maintaining order in technology must accept these necessities as a way of life if we're to keep on keeping on.
