Infosec: The threat from cyber extortion
And the weapon of choice is the DDoS attack.
By Jose Nazario, Arbor Networks | Techworld | Published: 22:00, 29 March 2006
Criminal gangs are increasingly using the Internet as a tool to extort money from businesses. Thousands of Distributed Denial of Service attacks are occurring globally every day and it is vital that senior management wakes up to the very real risk of such an assault.
The rise of the Internet carries a number of threats in the form of viruses, hackers, worms, and malware. Most companies are aware of these risks and have the appropriate processes and technology in place to mitigate them. But in the last few years these internet based threats have taken on a more malevolent and sophisticated nature; virus writing is no longer the pastime of teenagers with too much time on their hands - instead, viruses are now being written for organised cyber criminals motivated only by money.
Extortion A growing problem
These criminals are increasingly using a method known as Distributed Denial of Service (DDoS) attacks. DDoS attacks are launched with the sole aim of crashing a companys website or server by bombarding them with packets of data, usually in the form of web requests or emails. Unlike single source attacks (which can be stopped relatively easily), the attacker compromises a number of host computers which, in turn, infect thousands of other computers that then operate as agents for the assault. These infected host computers, known as zombies or bots, then start flooding the victims website with requests for information creating a vast and continuous stream of data that overwhelms the target website, thus preventing it from providing any service.
Every business is at risk
The cost of a DDoS attack can be substantial and it has been estimated that as many as 10,000 occur world-wide everyday. DDoS extortion attacks were originally used against online gambling sites. Criminal gangs would initiate attacks that would bring the website down just before a major sporting event, inflicting maximum financial damage. Now, however, DDoS attacks are increasingly being used to extort money from all sorts of businesses.
There are numerous examples of DDoS attacks that can be cited. One of the most well known DDoS attacks occurred early last year: MyDoom infected hundreds of thousands of computers before launching an attack on SCO (a Utah based Unix vendor) that took the company out of business for several weeks. The motivation for the attack has never truly been established.
DDoS attacks are a truly global threat as the extortionists are not restrained by traditional borders. Even the Greater Manchester Police have fallen victim to an assault; recently its chief constable was subjected to 2000 emails an hour in an attempt to crash the forces computer systems. DDoS attacks are also being used for increasingly political purposes. On Valentines day this year animal activists set up a chat-room and encouraged people to log on and chat at the same time. For every word typed an email would be sent to the target organisations in the vivisection and fur industries in an effort to crash their websites.
The reality is that no company is safe. The problem is exacerbated by the fact that DDoS attacks do not simply effect the organisations they are targeted at, but can in fact bring down the Internet Service Provider (ISP).
Lack of awareness is making businesses vulnerable
Despite the substantial damage DDoS attacks can cause, research released by IT Company IntY earlier this year has revealed an alarming lack of awareness amongst businesses about the threat posed. According to IntY, more than half of UK companies are at risk because this lack of understanding has resulted in a widespread failure to implement the necessary preventative technology. It is vital that senior decision makers wake up to the very real threat posed by DDoS attacks. A failure to do so could have far reaching consequences.
All businesses with an online arm should implement the necessary preventative measures to mitigate the threat of a DDoS attack. Many companies rely on reactive measures such as blackholing, router filters and firewalls, but all these methods are either inefficient, not sophisticated enough to protect against cyber criminals or can only be configured to specific external sources.
A multi-layered approach to defence
While all these tools do possess crucial security features, they fail to offer sufficient protection against the ever evolving and sophisticated nature of these assaults. If companies are to successfully combat a DDoS attack a truly multi-layered approach to defence must be adopted. Thus it is vital to establish a solid relationship with your service provider to ensure that you are aware of the measures that are available to protect your network and online business. Recent research by Arbor Networks revealed that DDoS attacks are the most crippling threat facing ISPs today, yet only 29% of ISPs surveyed offer security and DDoS service levels agreements to their customers.
Because DDoS attacks are launched from thousands of computers around the world it is essential that companies share information about the attacks if they are to be stopped. Such assaults cannot be fought alone and a collaborative effort is vital. A number of ISPs including Belgacomm, Cable & Wireless and COLT have signed up to Arbor Networks Fingerprint Sharing Alliance which enables them to share detailed attack information in real time and block attacks closer to the source. Once an attack has been identified by one company, the other ISPs in the Alliance are automatically sent the fingerprint enabling them to quickly identify and remove infected hosts from the network. This enables businesses and their ISPs to stay abreast of security threats as they arise. The Alliance is helping to break down communication barriers and its rapid growth marks a significant step forward in the fight against cyber criminals.
The threat of being blackmailed by organised criminals using DDoS attacks is very real and businesses cannot afford to be complacent. Such attacks are capable of bringing even the largest companies to their knees. However, stand alone defences are insufficient to combat these attacks and a comprehensive approach to security must be implemented. Not only should a multi-layered security strategy be instilled at enterprise level, but companies must also work with their ISPs to ensure that they too have taken preventative measures.
Arbor Networks is exhibiting at Infosecurity Europe 2006.