One day, for no apparent reason, the web servers of a small organisation slow to a crawl for about an hour, or perhaps even fall over altogether. After a while the servers return to normal, but the technical staff are mystified by the traffic patterns and contact the ISP or hosting provider. Eventually they pass on the bad news – the servers were hit by a DDoS attack.
But by whom, and for what reason? Serious DDoS attacks have not usually been a problem for organisations like this in the past. The next day the answer turns up in the email, usually addressed to the managing director or head of IT.
“So, it’s your turn! All your servers are going under attack unless you pay 40 Bitcoin. Pay to [identifier]. Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps,” it begins.
“Right now we are running small demonstrative attack on 1 of your IPs. Don’t worry, it will not be hard, since we do not want to crash your server at this moment, and will stop in 60 minutes. It’s just to prove that we are serious.
“We are aware that you probably don’t have 40 BTC at the moment, so we are giving you 24 hours to get BTC and pay us,” it implores before offering links and instructions on how to find the digital currency.
We took this message from an example published by a security firm, but every instance we’ve seen is written in an almost identical way.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are nothing new, but the scale of the campaign executed by a single mysterious group calling itself ‘DD4BC’ represents something pretty extraordinary even by the pessimistic standards of the security industry.
DD4BC stands for ‘DDoS for Bitcoins’, a reference to the sector that first received extortion threats from the group in June 2014, since when attacks have spread in a methodical way to other industries such as finance and to numerous countries. More recently, smaller businesses have come into the crosshairs, with reports of Silicon Valley startups being targeted.
There are plenty of documented attacks by DD4BC, most recently by Akamai, one of the main DDoS mitigation service providers, which mentions 141 cases among its customers in the year to August 2015.
As for the UK, it’s still guesswork. Techworld talked to an IT head at one sizable financial services firm in the City who admitted it was worried enough about this group to be paying for a daily intelligence feed to track it. Companies further down the scale, including startups, have also been targeted, although none will go on the record. It's a silence that probably plays into the group’s hands.
The recent history of DDoS attacks against UK firms is pretty grim, and that was before DD4BC's extortion campaign had taken its toll.
UK startups and SMEs and DD4BC - how attacks unfold
The MO used against SMEs is well thought through. The ransom notes will mention several, often competing, companies in the same sector, usually in the same country, offering not only to cease attacks if a Bitcoin ransom (equivalent to between $1,000 and $6,000) is paid, but also to direct fire at one or more of those rivals. Anecdotes abound of SMEs and startups that look at the cost of mitigation and decide to pay the ransom in the hope that the attacks will go away, although the exact number of paying targets remains pure guesswork even for experts.