Cyber criminals have come a long way from the stereotype of a teenager in a parent's basement.
Today they command some of the most capable attack infrastructure ever built, and one of the things they use it for is DDoS attacks.
The criminal pattern this article covers is simple: flood the target (or threaten to), then demand a ransom to stop.
This is known as DDoS extortion.
It is sometimes lumped together with ransomware, but the two are different: ransomware encrypts a victim's files after a malware infection, while DDoS extortion usually involves no compromise of the victim at all, only traffic aimed at it.
DDoS extortion is not new.
Cyber criminals have used similar methods in the past as well.
The attacker community keeps improving its tooling and finding new ways into individuals and organizations.
Rented botnets and amplification techniques mean an attacker can hit more targets, faster, than ever before.
Collecting the ransom has been made easier by cryptocurrencies such as Bitcoin.
Bitcoin is pseudonymous rather than anonymous: every payment is recorded on a public ledger, but addresses are not tied to names, so an attacker can receive funds without a bank account that can be frozen.
Most DDoS extortion campaigns so far have been crude: a demonstration flood, a demand, and a larger flood if the victim does not pay.
That is the law of the jungle as far as these attackers are concerned.
DDoS is not a new weapon, but it has become one of the most popular in the criminal arsenal.
Attackers like it for obvious reasons: it needs no foothold on the victim, it earns money quickly, and the traffic is hard to attribute.
What does a DDoS attack do?
As far as end users are concerned, it makes a website or online service unreachable, or too slow to use, for as long as the attack lasts.
Even very large sites such as Twitter and Reddit have been knocked offline this way.
Attackers have many motives for launching a DDoS attack, so we cannot know for sure what they want every time.
Sometimes it is just cyber hooliganism.
Sometimes it is a cold business decision to sweep out a competitor.
And sometimes it is extortion.
DDoS extortion has become an industry.
And a multi-layered one.
Let’s list out the people who are now involved in modern DDoS attacks.
- People who commission these attacks
- Creators who develop the botnet and bring in the resources
- Intermediates who arrange the actual attacks
- People who talk to the newly acquired clients
- People who make sure that all payments get to where they are supposed to go
- And there are those who provide all the necessary auxiliary services
The internet has become a dangerous place.
Any unguarded network node can be exploited, and with the right incentive an attacker will go after anything and anyone.
It does not matter whether the target is a specific server or a network device; even idle addresses in a victim's subnet can be taken over and put to use.
The game has changed.
Two Common Scenarios
Attackers have preferences when it comes to DDoS attacks.
They do not attack just anyone, and not by just any method.
Most of the time they send traffic to the victim directly from a large number of compromised devices, or bots.
The other common method is an amplification attack, carried out through publicly reachable servers.
Those servers are not necessarily vulnerable in the software sense; more often they are simply misconfigured, for example open DNS resolvers or NTP servers that answer anyone's queries with far more data than they receive.
The First Scenario
Attackers compromise a multitude of machines and devices and turn them into zombies that they control remotely.
On command, all of the zombies send requests to the victim's systems at the same time.
This is what we mean when we say the attack is distributed.
There is a variant that needs no compromise at all.
Attackers recruit a group of willing users and give them special software built to take part in a DDoS attack, then direct the group at a specific target.
The Second Scenario
This is where attackers use amplification (also called reflection).
Instead of a botnet, they often rent a handful of servers with fast uplinks from hosting providers.
They then need a list of public servers that will reflect and enlarge traffic: open DNS resolvers, NTP servers that answer the monlist command, SSDP devices and so on.
The attack works because IP does not verify the source address of a packet.
The attacker writes the victim's address into the source field of a small request and sends it to each reflector.
The reflector answers with a response many times larger than the request and sends it to the address in the source field, which is the victim.
A few megabits of requests can become gigabits of responses, all arriving at the victim from servers that never see the attacker's real address.
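The defender's view of the scenario above is a stream of flow records in which one address suddenly receives large UDP replies from many servers it never queried. The script below is an added example, not code from the original article: it parses a few constructed flow records (the column layout is an assumption modelled loosely on NetFlow exports) and flags destinations that match the three amplification signals at once: reflector source port, high bytes per packet, many distinct sources.

```python
"""Spot UDP amplification floods in flow records.

Added example for this article, not code from the original page.  The flow
records are constructed; the column layout (ts, src, sport, dst, dport,
proto, packets, bytes) is an assumption modelled loosely on NetFlow exports.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the port the reflector
# answers *from*; at the victim this shows up as the source port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "chargen"}

# Constructed sample: 203.0.113.10 receives large NTP/DNS/SSDP responses
# from many reflectors it never queried, mixed with ordinary traffic.
SAMPLE_FLOWS = """\
1,198.51.100.1,123,203.0.113.10,41000,17,100,48200
1,198.51.100.2,123,203.0.113.10,41000,17,100,48200
1,198.51.100.3,123,203.0.113.10,41000,17,100,48200
1,198.51.100.4,53,203.0.113.10,41000,17,50,150000
1,198.51.100.5,53,203.0.113.10,41000,17,50,150000
1,198.51.100.6,1900,203.0.113.10,41000,17,80,40000
1,192.0.2.7,443,203.0.113.10,52100,6,12,9000
1,192.0.2.8,53,203.0.113.20,55555,17,1,120
"""


def parse_flows(text):
    """Parse the CSV-style records above into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        rows.append({"ts": int(ts), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "proto": int(proto),
                     "packets": int(pkts), "bytes": int(nbytes)})
    return rows


def find_amplification_victims(flows, min_reflectors=3, min_avg_pkt=400):
    """Return {victim: summary} for hosts receiving large UDP packets *from*
    reflector service ports, sent by many distinct sources.

    A normal client sends small queries *to* port 53 or 123 and gets a few
    replies back; an amplification victim sees big replies it never asked
    for, from many reflectors at once.  Those three signals together
    (reflector source port, high bytes per packet, many sources) are what
    the filter keys on.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0,
                                      "services": set()})
    for f in flows:
        if f["proto"] != 17 or f["sport"] not in REFLECTOR_PORTS:
            continue                      # not UDP, or not a reflector port
        if f["bytes"] / f["packets"] < min_avg_pkt:
            continue                      # small replies: ordinary lookups
        v = per_victim[f["dst"]]
        v["reflectors"].add(f["src"])
        v["bytes"] += f["bytes"]
        v["services"].add(REFLECTOR_PORTS[f["sport"]])
    return {ip: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"],
                 "services": sorted(v["services"])}
            for ip, v in per_victim.items()
            if len(v["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    for victim, info in find_amplification_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(victim, info)
```

The thresholds are starting points, not tuned values: a busy recursive resolver legitimately receives large replies from port 53, so in practice you would whitelist your own resolvers and NTP clients before alerting on the rest.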
Other Factors In DDoS Extortion
DDoS extortion is already dangerous, but some factors make it more so.
One is the sheer number of attackers.
There is more malware on the internet than ever, and there are plenty of botnets to go around.
Because of that, today anyone can launch a DDoS attack without learning to write a line of code.
Attack services are openly advertised.
For example, an operator may offer to take down any requested website for as little as $50 per day.
Payment is usually requested in a cryptocurrency, and at present that means Bitcoin.
Bitcoin is often described as untraceable, but that is not quite right.
Every transaction is recorded on a public ledger; what is missing is any link between an address and a person, and by routing funds through many addresses the operator makes sure there is no easy way to follow a payment back to its originator.
Service operators also keep their prices low, which gives them a bigger market: the cheaper the service, the more people will consider using it against a business.
DDoS Extortion Effects Go Beyond The Internet As Well
The damage does not stop at the technical outage.
A business that goes offline loses money for every minute it is down, and the attacker never needs to touch anything inside the company to cause that.
Attackers target organizations big and small.
Large organizations have better defenses, but with enough effort an attacker can still get to them, and when a big online service goes down the damage grows with every minute of downtime.
A company under attack also loses business opportunities.
If it sells electronics, it cannot sell them while its website is down and nobody can order.
Regulators can fine the company, and customers and partners can claim damages, if the outage causes it to default on legal or contractual obligations.
Protecting against DDoS extortion costs extra money, which raises costs further.
And a company's public image takes a hit when it is attacked, which can cost it existing and future customers.
How Much Money Do Companies Lose As A Result Of DDoS Extortion Attacks?
The amount varies.
Generally speaking, the total cost of an attack depends less on the attacker than on the business itself:
- The industry the business serves
- The type of service it offers to users
IDC, an analyst firm, has calculated that a single hour of downtime for an online service can cost the company between $10,000 and $50,000.
Types Of DDoS Extortion Attacks
Basically, we can divide DDoS Extortion attacks into five categories.
They are as follows,
Network Device Level DDoS Extortion Attacks
These attacks exploit bugs in a device's software or exhaust the hardware resources the device provides to the network.
A classic example is a buffer overrun in a router's password-checking routine.
An attacker opens a telnet connection to the router and supplies an extremely long password; the routine copies it into a fixed-size buffer, overruns it and crashes the router.
Operating System Level DDoS Extortion Attacks
Operating systems implement many network protocols, and an attacker can exploit a flaw in how a particular OS implements one of them.
The textbook example is the ping of death.
The attacker sends an ICMP echo request split into fragments whose offsets and sizes add up to more than 65,535 bytes, the maximum an IPv4 datagram may hold.
A vulnerable OS reassembles the fragments into a fixed-size buffer, overruns it and crashes.
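The fix for the ping of death is a bounds check in the reassembly path, performed before any fragment is copied. The following is an added example (not code from the article) of that check, working on constructed fragment descriptors of the form (offset in 8-byte units, payload length, more-fragments flag), the same three fields the IPv4 header carries:

```python
"""Reject IP fragment sets that would reassemble past the 65,535-byte limit.

Added example, not code from the article.  A 'ping of death' is an ICMP echo
whose fragments add up to more than an IPv4 datagram may hold; a stack that
trusts the fragment offsets and copies into a fixed buffer overruns it.  The
check below is the one a hardened reassembly path performs before copying.
"""
IPV4_MAX_DATAGRAM = 65535   # total-length field is 16 bits
IPV4_HEADER_LEN = 20        # assumption for this example: no IP options


def check_fragments(fragments):
    """fragments: list of (offset_in_8_byte_units, payload_len, more_fragments).

    Returns (ok, reason).  The fragment offset is a 13-bit field counted in
    8-byte units, so offset*8 + payload must fit within the 65,515 bytes of
    payload an IPv4 datagram can carry after its header.
    """
    max_payload = IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN
    end = 0
    for off8, length, more in fragments:
        if off8 < 0 or off8 > 0x1FFF:
            return False, "fragment offset outside 13-bit range"
        if more and length % 8 != 0:
            return False, "non-final fragment length is not a multiple of 8"
        frag_end = off8 * 8 + length
        if frag_end > max_payload:
            return False, "fragment would end at byte %d, past %d" % (frag_end, max_payload)
        end = max(end, frag_end)
    return True, "reassembled payload of %d bytes" % end


def ping_of_death_fragments():
    """Constructed fragment set in the classic shape: eight 8,184-byte
    fragments that fill 65,472 bytes, plus a final fragment that pushes the
    total to 65,536 bytes of payload, one byte more than a datagram can hold."""
    frags = [(i * 1023, 8184, True) for i in range(8)]   # 8 * 1023 * 8 = 65472
    frags.append((8 * 1023, 64, False))                 # ends at 65536
    return frags


if __name__ == "__main__":
    print(check_fragments([(0, 56, False)]))             # ordinary 56-byte ping
    print(check_fragments(ping_of_death_fragments()))    # rejected before copy
```

Note that the check is on the fragment's end position, not on each fragment's size: every individual fragment in the malicious set is perfectly legal on its own, which is exactly why early stacks missed it.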
Application Based DDoS Extortion Attacks
In these attacks the attacker puts a machine or service out of order by exploiting bugs in a network application running on the victim, or by driving the application into work that consumes all of the host's resources.
Often this means finding an operation with high algorithmic complexity and triggering it repeatedly until the remote host has nothing left.
An old example is the finger bomb.
The finger protocol allowed a request to be forwarded through a chain of hosts (user@hostA@hostB).
A request naming the victim many times over, such as user@victim@victim@victim..., makes the finger daemon forward the request to itself again and again, and when that happens enough times the host's resources are drained.
Data Flood DDoS Extortion Attacks
Here the attacker simply consumes all the bandwidth available to a network, a host or a device by sending it enormous quantities of data.
The victim does not necessarily crash; it just cannot get legitimate traffic through the saturated link.
Flood pinging is one example.
Plain UDP floods, the most common form in extortion campaigns, are another; we come back to them later in the article.
Protocol Features Dependent DDoS Extortion Attacks
These attacks exploit features of the standard protocols themselves rather than bugs in an implementation.
The most important one is that IP does not verify source addresses, so an attacker can spoof them; amplification attacks depend entirely on this.
Another is the way DNS caches work, which lets an attacker poison the cache of a victim's name server.
Here is how that goes.
The attacker first sets up a name server authoritative for a domain they control.
They then make the victim's name server look up a name in the attacker's domain, so that the victim's server queries the attacker's server.
The attacker's reply carries, alongside the legitimate answer, additional records for names outside the attacker's domain, for example a bogus address for a bank.
A vulnerable resolver caches those extra records too, and from then on hands out the attacker's answers for the bank.
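The resolver-side defense against the poisoning just described is the bailiwick rule: only cache a record whose owner name falls inside the zone the queried server is authoritative for. The following is an added example, not code from the article; it works on already-parsed record tuples (wire-format parsing is assumed to have happened), and the zone names and addresses are constructed:

```python
"""Drop out-of-bailiwick records from a DNS response before caching.

Added example, not from the article.  The poisoning described above works
when a resolver caches whatever the attacker's name server puts in the
additional/authority sections.  The bailiwick rule caches a record only if
its owner name lies in the zone the queried server is authoritative for.
Record tuples are constructed; wire-format parsing is assumed done already.
"""


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or is a subdomain of it.
    Comparison is case-insensitive and ignores trailing dots."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(zone, answers, additional):
    """zone: the zone the queried server is authoritative for.
    answers / additional: lists of (owner_name, rtype, rdata).
    Returns (kept, dropped): records safe to cache, and the rest."""
    kept, dropped = [], []
    for section in (answers, additional):
        for rr in section:
            (kept if in_bailiwick(rr[0], zone) else dropped).append(rr)
    return kept, dropped


# Constructed scenario: the victim's resolver asks the attacker's server for
# www.attacker.example; the reply smuggles a bogus A record for a bank and a
# bogus NS record for the victim's own domain into the additional section.
ATTACKER_ZONE = "attacker.example"
ANSWERS = [("www.attacker.example.", "A", "198.51.100.5")]
ADDITIONAL = [
    ("ns1.attacker.example.", "A", "198.51.100.2"),          # legitimate glue
    ("www.bank.example.", "A", "198.51.100.66"),             # poison attempt
    ("ns.victim.example.", "NS", "ns1.attacker.example."),   # poison attempt
]


if __name__ == "__main__":
    kept, dropped = filter_response(ATTACKER_ZONE, ANSWERS, ADDITIONAL)
    print("cache:  ", kept)
    print("discard:", dropped)
```

The suffix check uses a leading dot on purpose: without it, `notattacker.example` would wrongly count as inside `attacker.example`.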
Hacker Groups And Other Cyber Criminals Behind DDoS Extortion Attacks
You may have heard of a group called DD4BC.
DD4BC stands for "DDoS for Bitcoin", and the name says it all: the group floods its victims and demands payment in Bitcoin.
Most of the time DD4BC steered clear of big corporations and went after smaller targets such as online gaming and gambling sites, and payment processors, especially those dealing in Bitcoin.
Given the nature of the business, DD4BC plans its campaigns rather than just launching an attack, and they follow a common pattern.
In a DD4BC-style extortion the attacker:
- First, launches an initial DDoS attack lasting anywhere from minutes to several hours.
The point is to show that the attacker can take the victim's site offline at will and keep it down.
- Secondly, demands payment in Bitcoin.
In the same message the attacker tries to present himself as a service rather than a threat: the attack exposed a weakness, so the victim should be grateful for the warning. Or so the pitch goes.
- Thirdly, threatens the victim with larger attacks in the near future.
- Fourthly, warns that the ransom will go up if the victim does not pay in time, and that much bigger attacks are waiting in the pipeline if the victim refuses.
The victim can either pay less now or pay more later.
Weak Sites Get Whacked
Attackers are ruthless and do not let go of weak sites easily.
Arbor Networks studied DD4BC's attacks and found that most of them used UDP amplification, abusing reflection-prone UDP services such as SSDP and NTP.
For an attacker with a botnet, a plain UDP flood is trivial: a blunt attack that drowns the victim's network in unwanted UDP traffic.
These attacks are neither difficult nor technically advanced, especially now that scripts, booters and botnets can simply be rented.
DDoS Extortion Example
The following is a chat between an attacker using the screen name DD4BC and one of its victims, a site using the name Nitrogen Sports, which had the nerve to make the extortion attempt public.
DD4BC floods Nitrogen Sports and then hands over a Bitcoin address into which, needless to say, DD4BC wants the ransom paid.
As far as the gender of the two participants goes, we do not know.
The majority of hackers are male, but there are certainly female hackers, and their numbers have grown in the last few years.
If MIT hackathon figures are anything to go by, women made up about 15 percent of participants; other studies put male hackers at over 90 percent.
With the data available, the likeliest assumption is that DD4BC is male, although the chat itself gives little away.
From the conversation we know that DD4BC refers to himself as "me" rather than "we", which suggests a single operator rather than a group.
His grammar is poor and he misspells words often, which suggests he is not a native English speaker and most likely learned English at school, and so has had some formal education.
DD4BC also uses smiley-face emoticons during the conversation.
To some that reads as immaturity; the general levity suggests the operator does not fully register that he is committing a crime and treats the exchange as a game.
DD4BC uses a two-pronged extortion technique.
First he threatens the victim with a DDoS attack; then he says he will report the site to an authority (name redacted), implying there is something irregular about the way the site operates.
This shows the attacker is familiar with the gaming business, its platforms and its competitors.
He also understands how payments work in that industry; his focus is on Bitcoin operators and payment processors tied to gaming.
That is not to say other industries are safe: recently there has been an upward tick in DDoS attacks on the financial industry as well.
The Arbor Networks report tracked the ransom payments, which is possible precisely because the Bitcoin ledger is public.
They found the money flowing into a wallet associated with SatoshiBONES, an online Bitcoin gambling platform, which suggests the operator gambles with the proceeds.
DDoS extortion now hits targets all over the world, but that was not always so.
Early DD4BC targets were mostly European sites, and the group's "working hours" pointed to Europe as well.
DDoS Extortion Attack Assessment of The Conversation
The attacker in the conversation is probably a gambler or gamer himself, which fits both his choice of targets and his insistence on Bitcoin.
Bitcoin gives its users a degree of anonymity, and attackers want anonymity for obvious reasons.
We also think the attacker is most likely a young man between 20 and 27 years of age.
DD4BC may simply be topping up his own Bitcoin balance.
How To Guard Yourself Against DDoS Extortion Attacks
Right now there are many companies that promise to guard yours against DDoS extortion attacks.
Only a few of them are worth it.
These companies use different methods to thwart DDoS extortion attempts:
- Some use ISP-provided capabilities
- Others use appliances that sit inside the client's own infrastructure
- A few require clients to route all their traffic through the company's dedicated scrubbing centers
Regardless of the method, all of them aim to do the same thing: identify the junk traffic and discard it.
As mentioned before, a DDoS attack is nothing but a huge amount of traffic.
If the junk can be filtered out before it reaches the client, the attack has no effect.
Before we talk about the methods that work, let's talk about the ones that don't.
Methods That Don't Work
Some providers install filtering equipment on the client's premises.
This is not useless, but it is much less effective than the alternatives.
The equipment needs trained staff to operate it, service it and retune it as attacks change, all of which adds to the cost.
More importantly, an on-premises appliance can only protect the service behind it.
It does nothing when the attacker saturates the company's internet link itself.
Even if the server stays up, what use is it if nobody can reach it from the internet?
Amplified attacks are becoming more popular precisely because it is so much easier to fill a link than to crash a server.
If a company wants real protection it should have its provider filter incoming traffic upstream, before it reaches the company's own link.
This is more reliable because the provider has far more bandwidth than any single client, so the attacker cannot clog it as easily.
But there is another problem.
Some providers are not really specialists and only filter the junk traffic that is obvious.
Attackers use much subtler traffic than that, and against it these providers fail.
A provider that wants to analyze an attack and come up with the right filters quickly needs experienced, trained people.
There is also the matter of dependence: once a client routes everything through a provider, it cannot switch providers quickly, and routing all traffic through a third party can complicate other uses of the link, such as off-site backups.
Consequently, the best option is a specialized scrubbing center.
Such centers combine several kinds of traffic filter with other methods that raise the effectiveness of those filters, and so neutralize and block DDoS extortion attacks.
Methods That Work
Blackholing
Blackholing is where the provider discards all traffic destined for the attacked address, as far upstream as is practical, by routing it to a null interface (the black hole).
This protects the provider's network and the client's other systems, which is why ISPs offer it, often as a remotely triggered black hole (RTBH) the client can switch on itself.
It is not a real solution for the victim, though: it discards legitimate packets along with the malicious ones.
In effect the client loses all of its traffic to that address, which is exactly the outcome the attacker wanted.
First, let's clear up a big misconception before describing the actual solution.
Just because a router has access control lists (ACLs) that filter junk traffic does not mean it defends against DDoS extortion attacks.
It does not.
ACLs only protect against simple, well-known attacks, such as ping floods, by dropping protocols the client does not need.
Modern DDoS attacks are different: they can use, and generally do use, valid protocols.
Those protocols are fundamental to having an internet presence at all, so filtering by protocol is no longer a very effective defense.
Routers can do a couple more things, though.
They can drop packets whose source address is in address space that should never appear on the internet (bogons and private ranges).
But, as mentioned before, attackers spoof valid addresses as easily as invalid ones, and a bogon filter does not catch those.
In short, routers provide a basic first line of defense, but that is all.
They are not built to safeguard a client against the more complex attacks described next.
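Here is what the two useful router checks look like, as an added example that is not the article's code. Ingress filtering drops bogon sources; egress filtering per BCP 38 drops packets leaving your network with a source address that is not yours, so your hosts cannot be used to send spoofed traffic. The prefixes and packets are constructed, and the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public address space:

```python
"""Two address-based checks a router can apply at the network edge.

Added example, not the article's code.  (1) Ingress: drop packets whose
source is a bogon (never-routable) address; this is the 'block invalid
address space' step the article mentions.  (2) Egress, per BCP 38: drop
packets leaving your network whose source is not one of your own prefixes.
Neither check stops an attacker elsewhere who spoofs a *valid* address;
that is the caveat in the text.  Prefixes and sample packets are
constructed: 198.51.100.0/24 and 203.0.113.0/24 stand in for public space
here, so they are deliberately left out of the bogon list.
"""
import ipaddress

BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]

OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed allocation


def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)


def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def ingress_verdict(src):
    """Packet arriving from the internet."""
    if is_bogon(src):
        return "drop: bogon source"
    if is_ours(src):
        return "drop: our own prefix arriving from outside (spoofed)"
    return "accept"


def egress_verdict(src):
    """Packet leaving our network for the internet (BCP 38)."""
    if is_ours(src):
        return "accept"
    return "drop: source is not ours (anti-spoofing)"


def filter_packets(packets):
    """packets: iterable of (direction, src, dst); returns a verdict per packet."""
    verdicts = []
    for direction, src, dst in packets:
        check = ingress_verdict if direction == "in" else egress_verdict
        verdicts.append((direction, src, dst, check(src)))
    return verdicts


if __name__ == "__main__":
    sample = [("in", "10.1.2.3", "203.0.113.10"),         # private source from outside
              ("in", "203.0.113.9", "203.0.113.10"),      # our address from outside
              ("in", "198.51.100.7", "203.0.113.10"),     # ordinary remote client
              ("out", "203.0.113.9", "198.51.100.7"),     # our host, fine
              ("out", "198.51.100.200", "198.51.100.7")]  # spoofed egress
    for row in filter_packets(sample):
        print(row)
```

The egress rule is the one that matters for the internet as a whole: it costs the network that deploys it almost nothing and removes that network as a source of spoofed amplification requests. On real routers the same idea is usually configured as unicast reverse-path forwarding (uRPF) rather than as an explicit prefix list.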
Types Of Advanced DDoS Extortion Attacks
SYN, ACK, RST and FIN Floods
As indicated earlier, ACLs cannot do much against DDoS attacks.
They cannot defend against floods from random, spoofed sources, such as SYN, ACK and RST floods aimed at port 80 of a web server.
In these attacks the spoofed source address changes constantly.
To identify the individual sources an operator would have to trace each one by hand, which is impossible at flood rates.
The only option an ACL leaves is to block traffic to the web server altogether, which is exactly what the attacker wanted.
There is another problem with ACLs.
They cannot distinguish malicious SYNs from legitimate ones when both arrive from the same source IP or proxy.
So to stop an attack focused from one address, the ACL's only option is to block every one of the victim's legitimate clients behind that address as well.
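What actually defends a server against a spoofed SYN flood is not a filter but the removal of per-connection state: SYN cookies. The server answers every SYN with a SYN-ACK whose initial sequence number is a keyed hash of the 4-tuple and a coarse time counter, keeps nothing, and reconstructs the connection only when a real client (one that received the SYN-ACK) echoes that number back. The following is an added example, not from the article; the bit layout is a simplified version of the Linux/BSD scheme and the secret is a constructed placeholder:

```python
"""Stateless SYN handling with SYN cookies (simplified).

Added example, not from the article.  Against a spoofed SYN flood the real
problem is state: every half-open connection costs memory, and an ACL cannot
tell a spoofed SYN from a genuine one.  With SYN cookies the server answers
every SYN with a SYN-ACK whose initial sequence number (ISN) is a keyed hash
of the connection 4-tuple plus a coarse time counter, and stores nothing.
Only a client that really received the SYN-ACK can send ACK = ISN + 1, and
the server rebuilds the connection from that number.  The bit layout is a
simplified version of the Linux/BSD scheme; the secret is a constructed
placeholder and must be rotated on a real system.
"""
import hashlib
import hmac

SECRET = b"constructed-example-secret"   # assumption: per-host, rotated
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values the cookie can encode
COUNTER_PERIOD = 64                     # seconds per counter tick


def _hash24(src, sport, dst, dport, count):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = "%s:%d>%s:%d|%d" % (src, sport, dst, dport, count)
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now):
    """ISN for the SYN-ACK: [5 bits counter][3 bits MSS index][24 bits hash]."""
    count = int(now) // COUNTER_PERIOD
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):     # largest table entry <= client's MSS
        if m <= mss:
            mss_idx = i
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, count)


def check_cookie(src, sport, dst, dport, ack, now):
    """Validate the ACK of the third handshake segment.  Returns the MSS to
    use for the connection, or None if the cookie is forged or too old."""
    isn = (ack - 1) & 0xFFFFFFFF
    count_lo = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    h = isn & 0xFFFFFF
    current = int(now) // COUNTER_PERIOD
    for cand in (current, current - 1):   # accept the previous tick as well
        if (cand & 0x1F) == count_lo and _hash24(src, sport, dst, dport, cand) == h:
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1460, 1000)
    print("SYN-ACK ISN %08x" % isn)
    print("genuine ACK ->", check_cookie("198.51.100.7", 40000, "203.0.113.10", 80, isn + 1, 1010))
    print("spoofed src ->", check_cookie("198.51.100.8", 40000, "203.0.113.10", 80, isn + 1, 1010))
```

A spoofed source never sees the SYN-ACK, so it cannot produce a valid ACK, and the server has spent no memory on it. The cost is that TCP options negotiated in the SYN (window scaling, SACK) are lost unless they are squeezed into the cookie, which is why Linux only switches to cookies once the SYN backlog overflows.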
DNS and/or Border Gateway Protocol
Spoofed floods are also aimed at DNS servers and at the BGP routers that hold the network together.
ACLs fail here for the same reason they fail against SYN floods: they cannot keep up with randomly spoofed traffic whose volume changes rapidly.
Nor can an ACL tell which addresses are spoofed, and hence which are genuine.
Application Level Client Side Cyber Attacks
In theory ACLs can block client-side application attacks.
These include HTTP half-open connection attacks, in which a client opens many connections and never finishes sending its request, and HTTP error attacks, which flood the server with requests for pages that do not exist.
Because these need a completed TCP handshake, the sources are not spoofed, so an ACL could in principle identify and block each one.
The problem is scale: it would take thousands of ACL entries per victim, updated as the attacking sources change.
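Since the sources of a half-open HTTP attack are real, the practical approach is to derive the block list from the server's own connection table instead of maintaining it by hand. The following is an added example (not from the article) that counts, per source, connections that have sat for too long without a complete request; the connection table is constructed and the thresholds are assumptions:

```python
"""Find 'HTTP half-open' (slow header) attackers from a connection table.

Added example, not from the article.  In a slow-header attack each client
opens many connections and trickles request headers a byte at a time, so the
server keeps every connection open waiting for the end of the request.  The
sources are not spoofed (a TCP handshake completed), so they can be found;
what does not scale is a hand-maintained ACL, so the block list is derived
from the live connection table instead.  The table below is constructed.
"""
from collections import Counter

HEADER_TIMEOUT = 30        # seconds a connection may wait for a full request
MAX_PENDING_PER_SRC = 20   # ordinary browsers keep a handful of connections


def find_slow_header_sources(conns, now, timeout=HEADER_TIMEOUT,
                             limit=MAX_PENDING_PER_SRC):
    """conns: list of dicts with keys src, opened (epoch seconds) and
    headers_complete.  Returns {src: stale_count} for sources holding more
    than `limit` connections that are still headerless after `timeout`."""
    stale = Counter()
    for c in conns:
        if not c["headers_complete"] and now - c["opened"] > timeout:
            stale[c["src"]] += 1
    return {src: n for src, n in stale.items() if n > limit}


def build_sample_table(now):
    """Constructed connection table: one attacker, one slow but honest
    client, and a handful of normal clients."""
    conns = []
    for _ in range(200):     # attacker: 200 connections, 90 s old, no request yet
        conns.append({"src": "198.51.100.66", "opened": now - 90,
                      "headers_complete": False})
    for _ in range(3):       # slow mobile client: 3 stale connections, under the limit
        conns.append({"src": "192.0.2.5", "opened": now - 45,
                      "headers_complete": False})
    for i in range(50):      # normal clients: requests completed promptly
        conns.append({"src": "192.0.2.%d" % (10 + i % 5), "opened": now - 5,
                      "headers_complete": True})
    return conns


if __name__ == "__main__":
    now = 1_700_000_000
    print(find_slow_header_sources(build_sample_table(now), now))
```

The per-source limit is what keeps a genuinely slow client off the block list; the same counting works for proxies and NAT gateways only if the limit is raised for addresses known to front many users, which is the trade-off the article's ACL discussion points at.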
Firewalls always play a critical role in an organization's defenses.
But, as with the solutions above, firewalls are not purpose-built to stop DDoS attacks.
By their nature they have properties that stop them from providing comprehensive protection, and today's attacks need much more than a simple firewall.
The first problem is location.
A firewall sits too far downstream in the data path to protect the critical components in front of it.
That leaves the access link between the provider and the enterprise's edge router exposed.
In fact, attackers like firewalls precisely because they sit inline and keep state: flooding the firewall's session table with connections exhausts it, and the firewall fails.
Firewalls are also poor at anomaly detection, because that is not what they are built for.
They are built to control access to private networks, and they are good at that job.
Firewalls can still help against one class of attack.
Call the inside network the clean side and the outside the dirty side.
A stateful firewall tracks every session initiated from the clean side to an outside service, and accepts only the replies that session expects, from the source it was sent to.
The expected sources live on the dirty side, so this tracking has to be exact for it to work.
It Is Not A Fail-safe Solution
This approach does not work for services that must accept unsolicited requests from the public, such as:
- DNS services
- Web services
- Any other service that has to stay open to the general public
For those, a firewall can only open a conduit: allow, say, HTTP traffic through to the web server's IP address.
That offers some protection, since only specific protocols reach a particular address.
But it does not stop DDoS extortion attacks, because the attacker simply uses the approved protocol, in this case HTTP.
So firewalls cannot defend against these attacks either.
They lack the detection capability to recognize an attack that rides on a valid protocol.