‘Pay up or we’ll take your Web site down’, so goes the adage that usually accompanies ransom-based cyber-attacks. At the top of the news feed on a regular basis, we witness well-known names such as Feedly and Evernote falling victim to extortion-based DDoS attacks. But these attacks are just the tip of the iceberg when it comes to this very lucrative criminal activity. While digital ransom attacks come in all sorts of types and forms, Distributed Denial of Service (DDoS) attacks top the list of methods used by attackers to force money from targeted companies.
According to Arbor’s 10th annual Worldwide Infrastructure Security Report, DDoS extortion attacks account for 20 percent of all DDoS attacks. While it may seem like a relatively small percentage, one must consider that as many as 10,000 DDoS attacks occur worldwide every day, and that the potential cost in damages and reputation can have a significant impact on an organization. DDoS extortion attacks are generally volumetric, high bandwidth attacks that are launched with the aim of crashing a company’s website or server by bombarding it with packets from geographically dispersed botnets. The size of volumetric DDoS attacks continues to increase year over year, and they remain a major threat to enterprises and Internet Service Providers (ISPs) alike. In fact, the size of DDoS attacks globally has grown 4,900 percent in past 10 years, peaking at 400 Gbps in 2014.
Traditionally, DDoS extortion attacks were used against online gambling sites and around major sporting events. Criminal gangs would initiate attacks that would bring the website down just before the event was to start, thus forcing the companies to choose between suffering a major loss in monetary and reputational terms or paying up. Increasingly, however, DDoS attacks are being used to extort money from all sorts of businesses, and the reality is that no company should feel safe. Any business operating online—which means just about any type and size of organization, can become a target, because of who they are, what they sell or with whom they partner. Companies that are especially vulnerable to this type of attacks are those with no or limited DDoS protection, or ones that lack the resources to deal with either volumetric or application-layer based DDoS attacks.
Once the criminals choose a target, the attack usually follows one of two scenarios. Attackers either show off their skills by conducting a ‘sample’ DDoS attack on an organization, which lasts for a short period of time and is followed by a threat of further attacks if ransom isn’t paid, or simply skip the display of power and proceed straight to the ransom request. The targeted company then faces two obvious choices—either pay up or brace itself for further attacks.
So what is the right response when it comes to extortion demands? The answer is simple and always the same—do not give in. Under no circumstances should an organization agree to pay the ransom—it can set a dangerous precedent and encourage more attacks in the future, and while it might make the pain go away in the short term, the long term results are generally not worth it. Declining to pay can come, of course, with severe consequences—as we saw from recent attacks on Feedly, which suffered from three separate waves of DDoS attacks. It has been praised for its brave decision by the security community and even its own customers.
Yet, instead of reacting to an extortion attempt and dealing with the consequences, companies that rely on Internet availability to conduct business should be looking to invest in appropriate protection. Many companies still rely on reactive measures such as router filters and firewalls, which are inefficient and not sophisticated enough to protect against organized cybercrime. Instead, organizations should consider investing in DDoS protection, preferably, multi-layered mitigation which includes on-premise and cloud protection, as well as allowing for cooperation with its ISP or hosting company. Putting a mitigation strategy in place is of crucial importance—especially as only 17 percent of organizations globally feel that they are fully prepared for a security incident.
By building defenses, implementing plans ahead of time and refusing to give in, businesses need not feel threatened anymore—attackers wanting to make easy money will have to look elsewhere.
The post The Science Behind DDoS Extortion appeared first on Arbor Insights - Our People, Products and Perspective.