One day, for no apparent reason, the web servers of a small organisation slow to a crawl for about an hour, or perhaps even fall over altogether. After a while the server returns to normal but the technical staff are mystified by the traffic patterns and contact the ISP or hosting provider. Eventually they pass on the bad news – the server was hit by a DDoS attack.
But by whom and for what reason? Serious DDoS attacks had never been a problem for the organisation before. The next day the answer turns up in the email, usually addressed to the managing director or head of IT.
“So, it’s your turn! All your servers are going under attack unless you pay 40 Bitcoin. Pay to [identifier]. Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps,” it begins.
“Right now we are running a small demonstrative attack on 1 of your IPs. Don’t worry, it will not be hard, since we do not want to crash your server at this moment, and will stop in 60 minutes. It’s just to prove that we are serious.
“We are aware that you probably don’t have 40 BTC at the moment, so we are giving you 24 hours to get BTC and pay us,” it implores before offering links and instructions on how to find the digital currency.
We took this message from an example published by a security firm, but every instance we’ve seen is written in an almost identical way.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are nothing new, but the scale of the campaign executed by a single mysterious group calling itself ‘DD4BC’ represents something pretty extraordinary even by the pessimistic standards of the security industry.
DD4BC stands for ‘DDoS for Bitcoins’, a reference to the sector that first received extortion threats from the group in June 2014. Since then attacks have spread in a methodical way to other industries such as finance and to numerous countries. More recently, smaller businesses have come into the crosshairs, with reports of Silicon Valley startups being targeted.
There are plenty of documented attacks by DD4BC, most recently by Akamai, one of the main DDoS mitigation service providers, which mentions 141 cases among its customers in the year to August 2015.
As for the UK, it’s still guesswork. Techworld talked to an IT head at one sizable financial services firm in the City that admitted it was worried enough about this group to be paying for a daily intelligence feed to track it. Companies further down the scale, including startups, have also been targeted, although none will go on the record. It's a silence that probably plays into the group’s hands.
The recent history of DDoS attacks against UK firms was already pretty grim before DD4BC's extortion began taking its toll.
UK startups and SMEs and DD4BC - how attacks unfold
The modus operandi (MO) used against SMEs is well thought through. The ransom notes will mention several, often competing, companies in the same sector, usually in the same country, offering not only to cease attacks if a Bitcoin ransom (equivalent to between $1,000 and $6,000) is paid but also to direct fire at one or more of those rivals. Anecdotes abound of SMEs and startups that look at the cost of mitigation and decide to pay the ransom in the hope that the attacks will go away, although the exact number of paying targets remains pure guesswork even for experts.
It’s not that DD4BC is the only group in this shady business, but it is probably the first to realise that effective marketing and branding of its work boosts its notoriety. This has risks because it attracts more attention from the police, but the plus is that victims will be frightened by the group's reputation and mystique. A sting in the tail is that the group also publicises its handiwork using social media, the better to undermine a company’s brand reputation. If you don't pay, the world will still know you have been attacked.
Unfortunately, even writing this article contributes to that brand awareness, but things have gone far beyond the point where downplaying the group will make any difference.
“Every day startups in the Valley are being attacked,” confirms Marc Gaffan, co-founder of anti-DDoS business Incapsula, now part of security company Imperva. “It’s like the old Al Capone movie where the gangsters threatened to close a shop down.”
Almost any smaller or medium-sized business with an online channel – the sort of businesses that today rarely have DDoS defences – can be hit.
“We got called by three online pet stores on one weekend saying they were being threatened. We asked ourselves, who is going to attack this space?”
The attacks are not always proportional to the target – attacks can be from 1Gbps to 2Gbps, just enough to overwhelm the capacity feeding into a target. But they can be far bigger even when that doesn’t seem necessary, sometimes between 13Gbps and 50Gbps according to Akamai. The DD4BC group just throws what it has at its targets.
In the old days, this sort of DDoS attack would have used botnets of compromised PCs, but the attackers have long since moved on to the cloud and its armies of vulnerable servers to fuel traffic.
“The volume of DDoS infrastructure is ten times what it was a year ago because the amount of cloud computing out there is growing. If that capacity falls into the wrong hands they can use that to launch DDoS against anyone they want,” says Gaffan.
The involvement of the cloud underlines where the DDoS extortion industry is going – towards bigger and bigger attacks targeting just about anyone and everyone. Until SMBs start using anti-DDoS mitigation they will be vulnerable, he argues.
It sounds like a self-serving argument, but the point is valid. The evidence strongly suggests that the one thing that will put off DD4BC and other extortion groups copycatting its operation is effective defence. There is a simple reason for that: attempting to overwhelm DDoS defences takes time and costs money. Attackers can use hijacked cloud infrastructure, but they are still paying someone for that service.
UK startups and SMEs and DD4BC - attacks aren't going away
“In a DDoS attack a second feels like hours, hours like days, days like weeks,” muses Roland Dobbins, a principal engineer and DDoS expert at anti-DDoS appliance and services firm Arbor Networks.
“They only seem to attack a single target at a time, or concentrate on a single geography at a time. They don’t seem to hop around. They have gained notoriety beyond ISPs and security researchers.”
The attacks on financial firms might have been partly a ploy to feed their notoriety, he suggests. DD4BC is disciplined enough to move on to new targets if defences are raised.
One interesting marker of the group’s tactics is the low ratio of ransom threats to actual attacks, anything from 1:1 to 1:100 – an important detail if victims are to be convinced that they really will be hit if they don’t pay up. Dobbins is clear that paying DD4BC will at best buy some time: the group will return at a later date for more ransom money, because that’s how all extortion rackets work.
“The reality is that they came back again and again. Organisations should understand that you can’t trust what they say.”
The short-term solution to this kind of extortion is better defences, even if that starts an arms race between defenders and attackers. A recent Swiss national CERT warning suggested as much, cautioning that DD4BC could eventually corral reflection DDoS attacks of up to a staggering 500Gbps, and that it could bypass conventional ISP protection services by hitting applications directly at Layer 7.
One disgruntled Bitcoin firm even took matters into its own hands last March by offering a bounty of $25,000 for information leading police to the identity of the DD4BC group. The fact that this got nowhere convinced many that the group is very small, making it harder to find. That small size, however, is also where DD4BC is most likely to founder when the authorities do eventually catch up with it. But the history of cybercrime offers little comfort that this will be the end of such attacks. More likely, the path blazed by DD4BC in DDoS extortion will be picked up by others who will learn from its successes and failures.
UK startups and SMEs and DD4BC - coping with DDoS extortion
- It’s extremely important to have a plan worked out in advance for this type of incident. That will save valuable time, particularly if a threat is received out of hours or at the weekend.
- The attackers will typically threaten to increase the price if no reply is received within a given time period. This is a psychological ploy. The best advice is NEVER to contact the extortionists or attempt to negotiate with them.
- Don’t rely on in-house equipment such as firewalls – this is a paper wall to a DDoS attack.
- Contact your ISP or hosting provider first and inform them of the threat and that it involves a named group. They won't always have mitigation, but they will need to be informed.
- Contact the police through one of the UK’s regional cyber crime units.
- Contact anti-DDoS service providers and consider ongoing protection. The cost will always be lower than the cost of downtime from a series of DDoS attacks.