DDoS Extortion

Cases of DDoS Extortions are incrementing daily

Cases of DDoS Extortions are incrementing daily

DDoS extortion is certainly not a new trick by the cyber criminal or the hacker community, but there have been several new developments to phenomenon recently. Notable among them is the use of Bitcoin as a method of payment.

There have been several organizations who have recently fallen victim to crude extortion plots using DDoS as punishment for not paying a ransom. A Distributed Denial of Service (DDoS) attack is one of the most popular weapons in the cybercriminals’ arsenal.

It aims to make information systems such as websites or databases impossible for regular users to access normally. There can be different motives behind launching DDoS attacks, ranging from cyber-hooliganism to dirty competition practices or even extortion.

The modern DDoS industry is a multi-layered structure. It includes people who commission attacks, the botnet creators who make their resources available, intermediaries who arrange the attacks and talk to the clients; and the people who arrange for payments for all the services provided. Any network node available on the Internet may become a target, be it a specific server, a network device or a disused address in the victim sub-network.

There are two common scenarios for conducting DDoS attacks: sending requests directly to the attacked resource from a large number of bots or launching a DDoS amplification attack through publicly available servers containing software vulnerabilities. In the first scenario, cybercriminals turn a multitude of computers into remotely controlled “zombies” which then follow the master’s command and simultaneously send requests to the victim computing system (conduct a “distributed attack”).

Sometimes, a group of users is recruited by hacktivists, provided with special software designed to conduct DDoS attacks and given orders to attack a target.

Under the second scenario involving an amplification attack, servers leased out from a data center can be used instead of bots. Public servers with vulnerable software are typically used for enhancement. Today, either DNS (domain name system) servers or NTP (network time protocol) servers can be used. An attack is amplified by spoofing return IP addresses and sending a short request to a server that requires a much longer response. The received response is sent to the spoofed IP address which belongs to the victim.

There is another factor that makes the situation even more dangerous. Because there is so much malware out there, and cybercriminals have created so many botnets, almost anybody can launch this kind of attack. Cybercriminals advertise their services saying that anybody can take down a specified site for just $50 a day. The payments are typically made in cryptocurrency, so it is almost impossible to track down the orders through cash flows.

Affordable prices mean that any online resource can be targeted in a DDoS attack. It’s not something limited to the Internet resources of large and famous organizations. It is more difficult to cause damage to web-resources owned by large companies, but if they are made unavailable, the cost of that downtime will be much greater.

Apart from the direct losses resulting from missed business opportunities (such as electronic sales), companies can face fines for defaulting on their obligations or expenses relating to extra measures to protect themselves from further attack. Last but not least, company’s reputation may be damaged, causing it to lose existing or future clients.

Apart from the direct losses resulting from missed business opportunities (such as electronic sales), companies can face fines for defaulting on their obligations or expenses relating to extra measures to protect themselves from further attack. Last but not least, company’s reputation may be damaged, causing it to lose existing or future clients.

The total cost depends on the size of the business, the industry segment it serves and the type of service under attack. According to calculations by the analytical company IDC, one-hour downtime of an online service can cost a company $10,000 – $50,000.

Types of DDoS attacks

Types of DDoS attacks

DDoS attacks can be divided into five categories:

  1. DDoS attacks at the network device level include attacks that might be caused either by taking advantage of bugs or weaknesses in software or by exhausting the hardware resources of network devices. One example is caused by a buffer overrun error in the password checking routine. Using this, certain routers could crash if the connection to the router is performed via telnet and extremely long passwords are entered.
  1. At the operating system (OS) level DDoS attacks take advantage of the ways protocols are implemented by OSs. One example in this category is the ping of death attack . In this attack, Internet Control Message Protocol (ICMP) echo requests having data sizes greater than the maximum Internet Protocol (IP) standard size are sent to the victim. This attack often has the effect of crashing the victim’s machine.
  1. Application-based attacks try to settle a machine or a service out of order either by exploiting bugs in network applications that are running on the target host or by using such applications to drain the resources of their victim. It is also possible that the attacker may have found points of high algorithmic complexity and exploits them in order to consume all available resources on a remote host. One example of an application-based attack is the finger bomb. A malicious user could cause the finger routine to be recursively executed on the victim in order to drain its resources.
  1. In data flooding attacks, an attacker attempts to use the bandwidth available to a network, host, or device to its greatest extent by sending it massive quantities of data to process. An example is ‘flood pinging’. Simple flooding is commonly seen in the form of DDoS attacks, which will be discussed later.
  1. DDoS attacks based on protocol features take advantage of certain standard protocol features. For example, several attacks exploit the fact that IP source addresses can be spoofed. Moreover, several types of DoS attacks attempt to attack the domain name system (DNS) cache on name servers. A simple example of attacks exploiting DNS is when an attacker owning a name server traps a victim name server into caching false records by querying the victim about the attacker’s own site. A vulnerable victim name server would then refer to the malicious server and cache the answer.

Cyber criminals and hacker group:

DD4BC (DDoS for Bitcoin) is a hacker (or hacker group) who has been found to extort victims with DDoS, demanding payment via Bitcoin. DD4BC seems to focus on the gaming and payment processing industries that use Bitcoin. The plots have several common characteristics. During these extortion acts, the hacker:

  • Launches an initial DDoS attack (ranging from a few minutes to a few hours) to prove the hacker is able to compromise the victim’s website
  • Demands payment via Bitcoin while suggesting they’re actually helping the site by pointing out their vulnerability to DDoS
  • Threatens more virulent attacks in the future
  • Threatens a higher ransom as the attacks progress (pay up now or pay more later)

Unprotected sites can be taken down by these attacks. A recent study by Arbor Networks concluded that a vast majority of DD4BCs actual attacks have been UDP Amplification attacks, exploiting vulnerable UDP Protocols such as NTP and SSDP. In the spectrum of cyber-attacks, UDP flooding via botnet is a  relatively simple, blunt attack that simply overwhelms a network with unwanted UDP traffic. These attacks are not technically complex and are made easier with rentable botnets, booters, and scripts.

Example of a DDoS Extortion Attempt

Following is an example of a chat exchange between the hacker (screenname “DD4BC”) and the victim who has made the extortion plot public (screenname “Nitrogen Sports”). The following screenshot (Figure 1) was taken from bitcointalk.org.

DDoS Extortion - bitcointalk.org

DDoS Extortion – bitcointalk.org

Profile of the Extorting Hacker

The hacker goes by the name DD4BC (DDoS for Bitcoin) and provides a Bitcoin account address for the transfer of funds. As for the hacker’s gender, evidence suggests that most hackers tend to be male, although female hackers seem to be growing in number.

At a recent MIT hackathon, only 15% of the participants were female. An earlier study concluded that around 91% of hackers were male.

Based on the available data, it’s a solid assumption that DD4BC is a male, but it’s not sure from the communications. An earlier study concluded that around 91% of hackers were male.

The hacker refers to himself in the singular (“me”) rather than in the plural (“we”), indicating a lone-wolf actor. His poor grammar and misspelled words suggest that English is not his first language. If true, the hacker has probably learned English in school, suggesting some formal education.

He also demonstrates a level of immaturity with a smiley face emoticon. The levity suggests that the hacker does not fully comprehend the seriousness of the crime being committed, but rather considers this a game.

The hacker’s extortion is two-fold. He threatens not only a DDoS attack but also to report the site for alleged illegality to some redacted authority. He’s familiar with the gaming platform and its competitors.

He’s also familiar with the payment processors that serve the industry. He seems focused on Bitcoin gaming operators and payment processors, although recent attacks have expanded into the financial industry at large.

The Arbor Networks report traced DD4BC Bitcoin payments back to an online wallet for a gaming/ gambling platform called SatoshiBONES. This online wallet is compatible with other Bitcoin and gaming platforms. Although the attacks target clients around the world, the initial attacks were mainly against European sites and during hours that would indicate a European actor.

Overall Assessment of the Extortion – The cyber criminals and hackers are most likely a gamer or online gamblers who uses Bitcoin as the preferred payment method because of its inherent anonymity. The hackers are most likely under 20 – 27 years of age. The extortion may be an attempt to replenish their Bitcoin accounts.

Methods of countering DDoS attacks

There are dozens of companies on the market that provide services to protect against DDoS attacks. Some install appliances in the client’s information infrastructure, some use capabilities within ISP providers and other channel traffic through dedicated cleaning centers. However, all these approaches follow the same principle: junk traffic, i.e. traffic created by cyber criminals, is filtered out.

DDoS Mitigation

DDoS Mitigation

Installing filtering equipment on the client’s side is considered to be the least effective method. Firstly, it requires specially trained personnel within the company to service the equipment and adjust its operation, creating extra costs. Secondly, it is only effective against attacks on the service and does nothing to prevent attacks choking the Internet channel.

A working service is of no use if it cannot be accessed from the net. As amplified DDoS attacks become more popular it has become much easier to overload a connection channel.

Having the provider filter the traffic is more reliable as there is a broader internet channel and it is much harder to clog it up. On the other hand, providers do not specialize in security services and only filter out the most obvious junk traffic, overlooking subtle attacks. A careful analysis of an attack and a prompt response require the appropriate expertise and experience.

Besides, this kind of protection makes the client dependent on a specific provider and creates difficulties if the client needs to use a backup data channel or to change its provider. As a result, specialized processing centers implementing a combination of various traffic filtration methods should be considered the most effective way to neutralize DDoS-attacks.


Blackholing describes the process of a service provider blocking all traffic destined for a targeted enterprise as far upstream as possible, sending the diverted traffic to a “black hole” where it is discarded in an effort to save the provider’s network and its other customers. Because legitimate packets are discarded along with malicious attack traffic, blackholing is not a solution. Victims lose all their traffic—and the attacker wins.


Many people assume that routers, which use access control lists (ACLs) to filter out “undesirable” traffic, defend against DDoS attacks. And it is true that ACLs can protect against simple and known DDoS attacks, such as ping attacks, by filtering non-essential, unneeded protocols.

However, today’s DDoS attacks generally use valid protocols that are essential for an Internet presence, rendering protocol filtering a less effective defense. Routers can also stop invalid IP address spaces, but attackers typically spoof valid IP addresses to evade detection. In general, although router ACLs do provide the first line of defense against basic attacks, they are not optimized to defend against the following sophisticated types of DDoS attacks:

  • SYN, SYN-ACK, FIN, etc. floods—ACLs cannot block a random, spoofed SYN attack or ACK and RST attacks on port 80 of a Web server, where the spoofed source IP addresses are constantly changing, because manual tracing would be required to identify all the individual spoofed sources—a virtual impossibility. The only option would be to block the entire server, completing the attacker’s goal.
  • Proxy—Because ACLs cannot distinguish between legitimate and malicious SYNs coming from the same source IP or proxy, it would, by definition, have to block all the victim’s clients coming from a certain source IP or proxy when attempting to stop this focused spoofed attack.
  • DNS or Border Gateway Protocol (BGP)When these types of randomly spoofed DNS server or BGP router attacks are launched, ACLs – as with SYN floods—cannot track the rapidly changing volume of random spoofed traffic. In addition, they have no way of identifying which addresses are spoofed and which are valid.
  • Application-level (client) attacks—Although ACLs could theoretically block client attacks such as HTTP error and HTTP half-open connection attacks (provided the attack and individual non-spoofed sources could be accurately detected), it would require users to configure hundreds and sometimes thousands of ACLs per victim.


Although firewalls play a critical role in any organization’s security solution, they are not purpose-built DDoS prevention devices. In fact, firewalls have certain inherent qualities that impede their ability to provide complete protection against today’s most sophisticated DDoS attacks.

First is location. Firewalls reside too far downstream on the data path to provide sufficient protection for the access link extending from the provider to the edge router at the fringe of the enterprise, leaving those components vulnerable to DDoS attacks. In fact, because firewalls reside inline, they are often targeted by attackers who attempt to saturate their session-handling capacity to cause a failure.

Second is a lack of anomaly detection. Firewalls are intended primarily for controlling access to private networks, and they do an excellent job of that. One way this is accomplished is by tracking sessions initiated from inside (the “clean” side) to an outside service and then accepting only specific replies from expected sources on the (“dirty”) outside.

However, this does not work for services such as Web, DNS , and other services, which must be open to the general public to receive requests. In these cases, the firewalls do something called opening a conduit—that is, letting HTTP traffic pass to the IP address of the Web server.

Although such an approach offers some protection by accepting  only specific protocols for specific addresses, it does not work well against DDoS attacks because hackers can simply use the “approved” protocol (HTTP in this case) to carry their attack traffic. The lack of any anomaly detection capabilities means firewalls cannot recognize when valid protocols are being used as an attack vehicle.

Leave a Reply