The Next Online Crime: DDoS Extortion
Imagine you work at a company that does all of its business on the phone. Now imagine you receive a letter that says, “Pay us a bunch of money or we will overload your phone system so that you can’t get any calls.”
Since your company has a policy not to negotiate with “cyber terrorists,” you decide not to pay the extortion money. As a result, your phone bank is bombarded with robocalls that tie up your phone lines and prevent you from doing business.
The equivalent of this extortion process is happening online, with hackers using Distributed Denial of Service (DDoS) attacks as a means of bringing online companies to their knees.
Two high profile companies recently hit by DDoS extortion are Basecamp and Meetup.com. Both companies refused to negotiate with the extortionists and, as a consequence, were crippled by DDoS attacks that prevented customers from accessing the companies’ services for several hours.
The need to prevent or slow down DDoS attacks is particularly important to Software-as-a-Service (SaaS) companies like Basecamp or Meetup.com. These SaaS companies don’t have physical products, so service failures mean a loss of revenue for the companies, not to mention very unhappy customers.
What Is a DDoS Attack?
There is a distinction between a Denial of Service (DoS), which typically comes from a single computer, person or bot, and a Distributed Denial of Service (DDoS), which comes from several computers, people or bots.
There are many different ways that DDoS attacks happen. The most common is when the remote attackers overload a web server or infrastructure with a series of requests. To go back to the example at the beginning of this article, think of the phone line being so overloaded with inbound phone calls that legitimate customers get nothing but busy signals.
Denying various critical resources is a primary characteristic of a DDoS attack. They can manifest in various ways, including the following:
- Consuming bandwidth, memory, processor resources or hard-drive space
- Disrupting routing or other configuration information
- Overloading physical network resources
- Resetting TCP sessions
Some common methods include the following:
- Internet Control Message Protocol (ICMP) floods, otherwise known as the “ping of death” or a “ping flood”
- SYN flood, in which fake connection requests create half-open connections, causing the server to wait for the remaining part of the request
- Teardrop attacks, in which oversized and fragmented requests can crash operating systems
- Peer-to-peer attacks, in which peer-to-peer sharing hubs are redirected against a particular websites
The scary thing is, the sophistication of DDoS attacks is increasing, making it more difficult to mitigate, thwart and overcome new attacks.
What Happened to Basecamp and Meetup.com?
At the beginning of this year, Basecamp and Meetup.com, as well as some other web properties, received an email threatening a DDoS attack if the hackers did not receive a $300 payment. According to the meetup.com blog, the email stated:
Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning
A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.
A DDoS attack started around the same time, bringing down Meetup.com. The site helps local groups organize via a variety of online services, such as online meeting invites and event planning.
Meetup.com’s services were offline for a period of 24 hours while employees worked to recover from the attack. As recovery was under way, Meetup.com was hit with another attack a few days later; a third attack occurred shortly thereafter.
As stated in a blog post, Scott Heiferman, co-founder and CEO of Meetup.com, decided not to pay the “ransom,” because his company does not negotiate with criminals. And although the dollar amount was low, the attack itself was fairly sophisticated.
Heiferman believed that paying the ransom would set a standard for future extortion of other companies in the space, and he thought Meetup.com could recover from future attacks of this nature. The service outage was carefully updated and documented on the Meetup.com blog.
Basecamp experienced a similar DDoS extortion. Basecamp is a project-management tool that is delivered as an online service. As explained by David Heinemeier Hansson, Basecamp founder and CTO, the site was flooded by bogus requests, preventing legitimate traffic from getting through. The company received an email, just as Meetup.com had, asking for payment to stop the attack.
Hansson says that the attack was up to 20 GBps, which saturated the Basecamp network. As is typical with recovery from these types of attacks, network issues remained after the attack was thwarted, which involved manually blocking the IP addresses of the attack’s sources.
How Can You Prevent DDoS Attacks?
As mentioned, DDoS attacks are evolving and becoming more sophisticated. While there is no 100 percent foolproof way to prevent your site or business from being victimized, there are several actions you can take to lessen the possibility of being fully shut down by an attack.
Some things to consider:
- Set up firewalls to block or drop incoming traffic from attackers.
- Use “stateful firewalls” that validate traffic requests instead of letting everything through.
- Use attack detection and mitigation services.
- Use properly configured switches and routers for rate limiting, which can slow down attacks to the network.
- Talk to your hosting provider about the DDoS prevention and mitigation services they offer.
If your company does receive a DDoS extortion email, be prepared for a subsequent attack. It’s important not to negotiate with the extortionist, because it sets a precedent for other hackers or cybercriminals.
Remember, under most circumstances, your company can recover from a DDoS attack. It can take quite a bit of work, so it may be helpful to have a technical partner to guide you through an incident.
Unfortunately, these types of issues are a part of doing business on the Internet, so be sure to plan for the unexpected.
[image: daoleduc/iStock/ThinkStockPhotos ]