DDoS: The Real Extortion. It’s Not What You Think…

I am not normally a big fan of conspiracy theories, but when I start to connect the dots on the evolution of DDoS, I can really only come to one conclusion that makes sense and holds together. You may be surprised at what I have found.

But first, my observations about DDoS.

We have all heard the stories about businesses getting hacked, bank accounts compromised, or credit cards stolen. These breaches happen quietly and discreetly, often only discovered long after the fact. I can clearly understand the motivation of a perpetrator behind this type of break-in. They are looking to steal some information and sell it on the dark web.

On the other hand, a DDoS attack does not pose any security threat to a business’ data, or their bank accounts. It is used as a jamming tool to effectively cut off their communication by paralyzing their network. I have read vanilla articles detailing how extortion was the motivation. They generally assume the motive is money and DDoS attacks are monetized through extortion. You get attacked, your web site is down, and some dark figure contacts you via a back channel and offers to stop the attack for a ransom. Perhaps some DDoS attacks are motivated by this kind of extortion, but let’s dig a little deeper to see if there is a more plausible explanation.

Through my dealings with hundreds of IT people managing networks, almost all have experienced some sort of DDoS attack in the past 5 or 6 years.

To my knowledge, none of my contacts were ever approached by somebody attempting to extort money. When you think about this, taking a payment via extortion is a very risky endeavor for a criminal. The FBI could easily set up a sting at any time to track the payment. You would have to be very, very clever to extort and take payment and not get caught.

Another explanation is that many of these were revenge attacks from disgruntled employees or foreign agents. Maybe a few, but based on my sample and projecting it out, these DDoS attacks are widespread, and not just limited to key political targets. Businesses of all sizes have been affected, reaching into the millions. I can’t imagine that there are that many disgruntled customers or employees who all decided to settle their grievances with anonymous attacks in such a short time span. And what foreign agent would spend energy bringing down the Internet at a regional real estate office in Moline, Illinois? But it was happening and it was happening everywhere.

The real AHA moment came to me one day when I was having a beer with an IT reseller that sold high-end networking equipment. He reminisced about his 15-year run selling networking equipment with nice margins: switches, routers, access points.

But revenue was getting squeezed and had started to dry up by 2010. Instead of making $100K sales with $30K commission, many customers dumped their channel connection and started buying their equipment as a commodity on-line at much lower margins. There was very little incentive to work the sales channels with these diminishing returns. So what was a channel sales person going to do now to replace that lost income? The answer was this new market selling $200K integrated security systems and clearing $30K commission per sale.

I also learned after talking to several security consultants that it was rare to get a new customer willing to proactively purchase services unless they were required to by law. For example, the banking and financial industry had established some standards. But for large and medium private companies it is hard to extract $200K for a security system as a proactive purchase to protect against an event that had never happened.

I think you might be able to see where I am going with this, but it gets better!

I also noticed that, post-purchase of these rather pricey security systems, attacks would cease. The simple answer to this is that an on-site DDoS prevention tool generally has no chance of stopping a dedicated attack. A DDoS attack is done by thousands of hijacked home computers all hitting a business network from the outside. I have simulated them on my own network by having 100 virtual computers hitting our website over and over as fast as they can go, and it cripples my web server.

The only way to stop the DDoS attack is at the source. In a real attack the victim must hunt down the source machine all the way back to their local ISP and have the ISP block the attacker at the source. Now imagine an attack coming from 1000 different sources located all over the world. For example, your home computer, if compromised by a hacker, could be taking part in an attack and you would never know it. Professional hackers have thousands of hijacked computers under their control (this is also how spammers work). The hacker turns your computer into a slave at its beck and call. And the hijacker is untraceable. When they initiate an attack they tell your computer to bombard a website of their choosing, along with the thousands of other computers in their control, and BAM! the website goes down.

So why do the attacks cease once a customer has purchased a security system? If the attacks continued after the purchase of the tool the customer would not be very happy with their purchase. My hypothesis: basically, somebody is calling off the dogs once they get their money.

Let me know if you agree or disagree with my analysis and hypothesis.  What do you think is happening?

The DDoS Industrial Complex Just Keeps on Growing

DARPA (Defense Advanced Research Projects Agency) is now awarding projects to vendors so they can proliferate the security industry with next-generation tools to mitigate DDoS attacks.

The article’s main points are:

DARPA says the XD3 program looks to develop technologies that:

  • Thwart DDoS attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting
  • Disguise the characteristics and behaviors of those assets to confuse or deceive the adversary
  • Blunt the effects of attacks that succeed in penetrating other defensive measures by using adaptive mitigation techniques on endpoints such as mission‐critical servers.

How about instead of creating infinite complexity, just stopping them? I wrote how this could be done back in December 2015.

Or better yet, how about stinging and arresting the people who initiate them? Perhaps we don’t have the police powers to do so. Maybe the FBI has the manpower to do this. Hopefully it will not get to the point where we need to just cut off those countries from the Internet.

Am I just stupid? Or am I missing something? What would be the cost to the security industry if we actually found a non-labor-intensive way to put an end to this nonsense?

By Art Reisman
CTO www.netequalizer.com



The 1/4 Million DDoS Extortion

In Christian Sager’s June 2014 article “Why do people perform DDoS attacks”, he does an excellent job in outlining the possible motivations for DDoS attackers. I especially like the DDoS attack map site he references. Here is a snapshot from today’s attacks:
DDoS attacks around the world

Christian covers a range of excellent points behind DDoS attacks, and yes, he does address direct monetary extortion in the following excerpt.

Feedly’s claim that their DDoS attack was the result of extortionists isn’t that unbelievable. There have been several cases where a DDoS is followed by a ransom note. Once the site is down, the attackers demand money in exchange for stopping their attacks. Some even make the threat before the attack. In both cases their rate of success is usually low.

A DDoS attack with a ransom note is a bit crude when compared to the much more insidious indirect extortion going on in the world of DDoS attacks. One half million dollars is the base price for a firewall capable of mitigating a DDoS attack on a 10 gig network (with limited success at that). Vendors are selling thousands of them a year. Let me state, I do not have evidence of any link between the sale of a firewall product and a deliberate DDoS attack, but I wonder why the DDoS attacks are so widespread and cannot help but speculate. With equipment sales in infrastructure struggling in a flat IT infrastructure economy, the prevalence of widespread DDoS attacks is picking up.

Why Are DDoS attacks so hard to block?

I started off this post thinking about whether or not moving your infrastructure to a cloud would give organizations better protection against DDoS attackers, and the short answer is: not really.

The issue with a coordinated DDoS attack is that it is usually orchestrated from a wide range of attacking computers, which are typically hijacked and retrofitted with undetected scripts that can be turned on to send out a flood of data at a target when directed by the hijacker.

When the attack is commenced all these disparate computers start sending data to your organization in unison. In order to stop just one of these attacking computers from flooding your network you have to cut it off upstream at the source.

Blocking the attacker’s incoming IP at your local firewall doesn’t do any good because the main pipe coming from your upstream provider is still flooded with garbage, and most likely unusable. So you have to follow the trail of the attacking computer farther upstream. Your provider should be able to help if you can work with them, but that may or may not be effective, because the DDoS attack, if large enough, can also torment your provider. And even if you do manage to work upstream and block the IPs where the attack is coming from, some DDoS attackers can just keep coming at you from a new wave of IP addresses. One person acting alone can hijack millions of computers from around the world and use them in waves of recurring attacks, with little effort.

How does a hijacker have the time to take over a million computers?

I’ll cover that in my next post.

As for the cloud offering protection, a cloud-hosted IT infrastructure cannot provide any immunity; the cloud can be attacked too. However, the cloud providers might have the resources to detect and more easily block an attacker farther upstream, and a bit more quickly, so there is some benefit.


See also

Regulate DDOS like pollution

DD4BC Group Targets Companies with Ransom-Driven DDoS Attacks




Regulate DDoS Like Pollution

I just read another article on DDoS attacks and how companies are being extorted. As usual I am thinking way out of the box again.

Background on the mechanics of a DDoS attack

The raw tools of a DDoS attacker are made possible by the billions of computing devices sitting around the world attached to the Internet. A DDoS attacker probes constantly for computers to hack, and then once they have several hundred or more in their control, they can point them at any business, sending a storm of data requests that jams its Internet links from the outside. Think of a million people trying to cram into the door of your apartment all at once; you would be trapped inside.

I know first hand this can happen. I put some vulnerable, poorly written HTML code on a home computer I was testing with, and somebody found it, exploited the HTML code and turned it into an attacking computer.

The best and perhaps the only reliable way to stop a DDoS attack is to stop it at the source computers. The problem here is that these are privately owned and are maintained by people who usually have no idea that their computer has been hijacked. The larger providers do have fairly sophisticated software to detect attacks coming from home users, but obviously this is not working very well.

Despite how Orwellian this might sound, I am thinking that perhaps some government standard built into the line cards that connect to the Internet is where we will find a solution. Okay, I can hear the groans and feel the tomatoes hitting my face, but before you pass judgment, remember these attacks are terroristic in nature. We debate heavily over gun control and the second amendment, and yet we sort of sit idly by and take trillions of dollars in economic hits from internet terrorists.

A technical solution is quite feasible and here is how it would work. 

Most of the devices that connect computers to the Internet have mini computers built into them. These computers, which handle the lowest level of communication, are basically factory sealed at the time of manufacture. For example, the chips inside the wireless LAN cards that connect you to the outside world run little factory-sealed programs.

The footprint of an outgoing DDoS attack is much different from normal usage patterns and could easily be spotted and detected by the chip sets in these line cards.

The EPA regulates the smoke stacks on coal power plants and the emissions on cars to keep our air clean. The same precedent could be used to regulate any device that connects to the Internet. It is absurd how easily a few people can bring down entire multi-billion dollar corporations. By inserting simple logic in the chip sets of consumer devices we could detect and disable DDoS attack attempts before they get going. In essence we would remove the criminals’ tool set, perhaps entirely in a matter of a few years. The beauty of this proposal is that it would have no effect on the operating systems that computers use. IOS, Linux, Windows would not require any updates, only the platforms that they run on.

I am likely about 10 years ahead of my time with this writing, but I suspect given the rise of DDoS attacks this may be a very viable solution. We’ll see when the dust settles.



NetEqualizer DDoS Firewall: Simple and Effective without the Bloat

One of the challenges when creating a security tool is validating that it works when the S$%^ hits the fan. We have heard (via anonymous sources) that many of the high-dollar solutions out there create bloated, rotting piles of information, whose only purpose is to look impressive due to their voluminous output. A typical $100K buys you a CYA report: a tool that covers everything, leaving the customer to decide what to do, which is usually nothing or some misguided “make work”. These non-specific tools are about as useful as a weather forecast that predicts everything all the time. Rain, snow, wind, hot, cold, for every day of the year. If you predict everything you can’t be wrong?

On the other hand, the reports from the field coming in for our DDoS tool are:

Yes, it works.

Yes, it is simple to use.

Yes, it takes action when appropriate.

We have confirmation that our DDoS tool, combined with our shaping algorithms, has kept some very large institutions up and running while under very heavy, sophisticated DDoS attacks. The reasons are simple. We look at the pattern of incoming packets in a normal situation. When the pattern reaches a watermark that is clearly beyond normal, we block those incoming circuits. If needed, we can also take a softer approach, so the attacker is not aware we are throttling them. This is needed because in some situations outright blocking will alert the attacker you are on to them and cause the attacker to double-down.

When under DDoS attack you don’t need reports; you need immediate action. If you would like to discuss our solution in more detail feel free to contact us.

DDoS Attacker Caught in the Act

Before the telescope, planets and stars were just dots of light to the human eye. Before the invention of X-rays, and the MRI, doctors often could not determine the cause of a problem until a person was in an autopsy room.

Today, there is no reason to remain blind to DDoS and hacking intrusions.

This morning I got a text message from our training engineer at a customer site. “Just stopped a Chinese DDoS attack at the #### school.”

Our training engineer was not even doing a security audit. He was simply walking through the features of our product. He had scrolled over to our DDoS monitoring tool, and right away this attack popped out. It was as clear as a large cancerous tumor in an MRI. He noticed an outside entity was bombarding the customer link with all kinds of queries.

The attacker stood out because our DDoS tool identifies uninvited queries, as well as gives you a count of how often they are hitting your enterprise. Our engineer then checked the source of the incoming IP, and thus removed any lingering doubt that this was a hostile attack. The requests were originating from China, which was not an expected source of traffic on this school’s network.

This wasn’t yet a full-scale DDoS attack, but the warning signs were clear. The attacker happened to be hitting port 22, probing for login vulnerability on all the servers inside the school. From the frequency of the incoming requests, it was obviously a bot. Combining the frequency of hits with the fact that it was an uninvited outside IP address, it stood out like a sore thumb in our DDoS monitor (easily flagged). Once identified, the IT administrator at the school was then able to block the IP, averting any further shenanigans from this hacker.

In everyday life, we’re able to identify warning signs and act accordingly for our own protection. For example, if a person showed up at your front door wearing a ski mask with an AK-47, you would likely not let them in, right? The threat would be obvious. The point is it should not be expensive or impractical for the average layman to also easily spot a security risk on a network. You just need a tool that exposes them.

You Also Might Like

Firewall Recipe for DDoS Attack Prevention and Mitigation


Network Provider Outages and DDoS Attacks Dwarf Local Hardware Failure Problems

My Internet Service went down yesterday and I had to revert to my backup provider.

Network Outages due to upstream provider failure are endless…

Comcast Outage for North Denver Fiber cut

Comcast hit with massive Internet outage

Forum discussion about wide spread Internet outage Des Moines Iowa

Spokane Washington 10,000 customers without Internet service

Wide spread Internet outage London , Virgin Media

And even if your provider is not to blame, there are endless hackers out there instigating DDoS attacks, some with an ax to grind, others just for random entertainment.

DDoS attack brings down Web Drive Client New Zealand

DDoS attack brings down Dutch government

DDoS attack interrupts tournament.

Although this sampling of news stories is not very scientific, I could literally spend a month clipping these articles. There are new ones every day, and that is just the major ones that get reported. If I informally poll our customers, almost every single one of them has seen a DDoS attack of some kind in the past year, and all have had some sort of upstream Internet outages within the last couple of years.

Now if I ask how many have had critical network equipment go down due to hardware failure, that list shrinks to maybe 1 or 2 percent of our customers. Basically, what this tells me is you have a 100 percent chance of a network outage for some period of time every year due to a problem upstream with your provider. You have a 2 percent chance due to a hardware failure with your local core router/firewall/bandwidth/switches.

To put that another way, for every 50 outages caused by external events at your provider beyond your control, you have 1 event due to internal hardware failure.

The solution is to have multiple distinct Internet Providers on hand at all times, so if one goes down you can switch over to the other. As I said there is nothing wrong with the idea of sourcing redundant local equipment, but statistically it is much more important to get a second Internet provider sourced before investing in redundant equipment.

Here is another article highlighting the prevalence of network outages.

Note: Although DDoS attacks are provider-independent, your chances of stopping or mitigating the attack are enhanced by having multiple providers.

Other causes of failures:
Yes, wireless topologies are notoriously unstable, and so are applications running on web servers, both of which can cause service outages to local users. These types of outages are usually not on the same order as catastrophic hardware failure problems or upstream failures. Outages with wireless equipment and service are usually related to these products getting into a bad state, and are not associated with a complete loss of communication to the outside world. You’ll still need to re-boot these systems to get them back into a good state.

Related Articles: 

The Top Five Causes of Disruption of Internet Service

Five Tips for Defending Against a DDoS Attack




Firewall Recipe for DDoS Attack Prevention and Mitigation

Although you cannot “technically” stop a DDoS attack, there are ways to detect and automatically mitigate the debilitating effects on your public facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDoS attack is the result of the overhead incurred on your servers from the large volume of fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth that is the issue, but the slow response time due to the overhead on your servers. For a detailed discussion of how a DDoS attack is initiated please visit http://computer.howstuffworks.com/zombie-computer3.htm

We assume in our recipe below, that you have some sort of firewall device on your edge that can actually count hits into your network from an outside IP, and also that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line. As of our 8.2 software update, we also provide this in our NetEqualizer line of products.

Step 1
Calculate your base-line incoming activity. This should be a running average of unique hits per minute or perhaps per second. The important thing is that you have an idea of what is normal. Remember we are only concerned with un-initiated hits into your network, meaning outside clients that contact you without being contacted first.

Step 2
Once you have your base hit rate of incoming queries, set a flag to take action (step 3 below) should this hit rate exceed more than 1.5 standard deviations above your base line. In other words, act if your hit rate jumps by a statistically large amount compared to your base line for no apparent reason, i.e. you did not mail out a newsletter.

Step 3
You are at step 3 because you have noticed a much larger than average hit rate of un-initiated requests into your web site. Now you need to look for a hit count by external IP. We assume that the average human will only generate at most a hit every 10 seconds or so, and also that on average they will likely not generate more than 5 or 6 hits over a period of a few minutes. Whereas a hijacked client attacking your site as part of a DDoS attack is likely to hit you at a much higher rate. Identify these incoming IPs and go to Step 4.

Step 4
Block these IPs on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients, and also if they are coming from behind a NAT’d community (like a university) you would be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watchdog on your firewall to mitigate the effects of any DDoS attack.

For further consulting on DDoS or other security related issues feel free to contact us at admin@apconnections.net.

Related Articles:

Defend your Web Server against DDoS Attacks – techrecipes.com

How DDoS Attacks Work, and Why They’re Hard to Stop

How to Launch a 65 gbps DDoS Attack – and How to Stop It
