Lawrence M. Walsh
Published: 01 Dec 2003
Once again the veil of secrecy is working in favor of "hacktortionists" -- hackers who shake down businesses with the threat of digital attacks.
The Financial Times reports several U.K. businesses have fallen victim to this ploy. The scam goes something like this: A hacker contacts a targeted company and demands a payment of up to $50,000. Failure to pay incurs a DDoS attack, which -- if successful -- could cost many multiples of the extortion demand.
DDoS attacks are nothing new and not very sophisticated. Since that day in 2000 when MafiaBoy launched his sweeping attacks against Yahoo, Amazon and CNN, the technique has been used by everyone from activists protesting public policy to organized hacker and crime gangs looking to make a quick buck.
There are a number of examples of how DDoS attacks have impacted the Internet.
In 2001, a massive DDoS attack took out Microsoft's DNS routers, which slowed Internet traffic and denied access to the Microsoft corporate Web site and any site hosted on the MSN network.
Last year, a sustained DDoS attack against DALnet, one of the largest IRC hosts, brought the service to its knees.
And twice this year, hackers launched DDoS attacks against SCO Group to protest the company's allegations that IBM inserted Unix code into its version of Linux.
At any given time, DDoS attackers around the globe are swamping unsuspecting Web sites with SYN packets or requests for legitimate connections. While the most effective defense remains a self-imposed denial of service (or disconnecting until the storm passes), enterprises have become far more adept at responding to DDoS attacks. In many cases, enterprises can either filter the traffic or ask upstream ISPs to stop transmitting.
Why, then, would any self-respecting company cave in to these digital vultures? Even hackers don't have much respect for simple DDoS attackers, mostly because it doesn't take a whole lot of skill to launch one of these assaults.
The answer lies in the difference between the amount of hacktortionists' demands and the probable losses to DDoS attacks. The payoff is usually a fraction of the damage or losses that could result from an extended service outage. One British company that failed to comply reportedly suffered a massive attack that cost it $1.66 million a day.
Some corporate executives may think that a couple of paltry payouts are worth it to avoid millions of dollars in losses. They may also think that capitulating will save their personal and corporate reputations -- after all, boards of directors don't like seeing their company's logo on the 6 o'clock news in a story about a security incident.
This is a gross miscalculation. Just as New York shopkeepers discovered after their first visit from "No-Thumbs Louie" for protection money, one payout will only lead to another -- and another. Caving to a hacker's demand may save a corporate network today, but there's no guarantee that the hacker won't come back tomorrow. Even worse, what happens if your enterprise becomes known as an easy blackmail target? Suddenly, you'll have every hacker from Racine to Romania knocking on your door.
Victimization persists because corporations often rush to contain word of an attack rather than openly speak about the threats. Case in point: Russian hackers Alexey V. Ivanov and Vasiliy Gorshkov blackmailed U.S. banks for a year because banks wouldn't open up and work with authorities. They were eventually caught.
DDoS attacks are much like the common cold or the flu; there's no shame in contracting the illness or being attacked because it can happen to anyone.
Enterprises and their executives need to recognize this and report extortion attacks. Silence is the friend of extortionists. Breaking the silence will rob them of their ability to victimize anyone.
About the author:
Lawrence M. Walsh is managing editor of Information Security.