Gangs Extort Companies With DDoS Attacks
Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"
which they transfer to one of the hundreds of stolen credit card numbers they have, which they then go off and use to buy something very expensive (in person).
As a side note, I know a network security company that got hit with one of these. End result? The FBI and the local (Eastern European) police arrested and are trying the hackers in question.
When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.
-jon
Commercial rates for security consultants start at $2,000 per day. People in the middle tier charge as much as $5,000. Big-name consultants such as Bruce Schneier can name their price.
And the fact is that none of us can do diddly against a DDoS attack, except advise you on how to configure bigger pipes and how to get in touch with ISPs quickly to stop the traffic from their networks.
Occasionally there is a DDoS that has a flawed mode of attack that can be diverted. There have been a couple of attacks against the White House that were like that. They can divert the attacks because they can get top-rank consulting for free in extremis.
Not paying might be cheaper in the long run, but in the long run we are all dead. The answer is not consultants, it is law enforcement and better infrastructure.
For example, why exactly does anyone need to send a stream of several thousand SYN packets per second from a home computer to the same IP address for several hours at a time? There is simply no reason why a home machine should need to do that, nor should a home machine be sending millions of DNS requests per second to any machine.
There is a pretty easy fix to DDoS attacks: put intelligence into cable modems and router boxes. Even if there is an option that allows the expert user to turn the checking off, the boxes should be shipped in a safe configuration by default, and it should not be possible to disable the safety catch without physical access to the modem.
Congress could encourage ISPs to adopt this type of technology by merely suggesting that ISPs be made liable for attacks mounted from their machines.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
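The egress check the comment above argues for, written out as an added example (this is not the commenter's code and not any vendor's firmware). It models the "intelligence in the cable modem" idea as a sliding-window rate limiter keyed per (source, destination) for TCP SYNs and per source for DNS queries, so a host browsing many sites at once is left alone while a host hammering one address is cut off. The thresholds, the private/documentation IP addresses and the packet log are all constructed assumptions chosen to make the behaviour visible; real limits would be tuned per link.

```python
"""Sliding-window egress rate limiter for a home gateway.

Added example illustrating the comment above. Thresholds, addresses and the
traffic below are constructed for the demo, not measured values.
"""
from collections import defaultdict, deque

# Assumed policy (hypothetical): no home machine needs more than this many
# TCP SYNs per second to a single destination, or this many DNS queries per
# second in total. Exceeding either is treated as a flood and dropped.
SYN_PER_SEC_PER_DST = 100
DNS_QUERIES_PER_SEC = 200
WINDOW_SECONDS = 1.0


class EgressGuard:
    """Per-key sliding-window counters; returns True when a packet should be dropped."""

    def __init__(self, syn_limit=SYN_PER_SEC_PER_DST,
                 dns_limit=DNS_QUERIES_PER_SEC, window=WINDOW_SECONDS):
        self.syn_limit = syn_limit
        self.dns_limit = dns_limit
        self.window = window
        self.syn = defaultdict(deque)   # (src, dst) -> timestamps of recent SYNs
        self.dns = defaultdict(deque)   # src -> timestamps of recent DNS queries
        self.flagged = set()            # (src, reason, dst-or-None)

    def _over_limit(self, q, ts, limit):
        # Record this packet, expire everything older than the window,
        # then compare the remaining count with the limit.
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q) > limit

    def observe(self, pkt):
        """pkt: dict with ts, src, dst, proto and either flags (tcp) or dport (udp)."""
        ts = pkt["ts"]
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            key = (pkt["src"], pkt["dst"])
            if self._over_limit(self.syn[key], ts, self.syn_limit):
                self.flagged.add((pkt["src"], "syn-flood", pkt["dst"]))
                return True
        elif pkt["proto"] == "udp" and pkt.get("dport") == 53:
            if self._over_limit(self.dns[pkt["src"]], ts, self.dns_limit):
                self.flagged.add((pkt["src"], "dns-flood", None))
                return True
        return False


def constructed_traffic():
    """Constructed packet log: one normal host and two flooding hosts."""
    pkts = []
    # 192.168.1.10 browses normally: 20 SYNs/s spread over 10 sites, 30 DNS queries/s.
    for i in range(60):
        pkts.append({"ts": i * 0.05, "src": "192.168.1.10",
                     "dst": f"198.51.100.{i % 10}", "proto": "tcp", "flags": "S"})
    for i in range(90):
        pkts.append({"ts": i / 30, "src": "192.168.1.10",
                     "dst": "198.51.100.53", "proto": "udp", "dport": 53})
    # 192.168.1.20 is a bot: 2000 SYNs/s to one victim for two seconds.
    for i in range(4000):
        pkts.append({"ts": i * 0.0005, "src": "192.168.1.20",
                     "dst": "203.0.113.5", "proto": "tcp", "flags": "S"})
    # 192.168.1.30 is a bot: 5000 DNS queries/s for one second.
    for i in range(5000):
        pkts.append({"ts": i * 0.0002, "src": "192.168.1.30",
                     "dst": "203.0.113.53", "proto": "udp", "dport": 53})
    pkts.sort(key=lambda p: p["ts"])   # interleave as the gateway would see them
    return pkts


def run_demo():
    """Feed the constructed log through the guard; return drops per host and flags."""
    guard = EgressGuard()
    dropped = {}
    for pkt in constructed_traffic():
        dropped.setdefault(pkt["src"], 0)
        if guard.observe(pkt):
            dropped[pkt["src"]] += 1
    return {"dropped": dropped, "flagged": guard.flagged}


if __name__ == "__main__":
    result = run_demo()
    for src, n in sorted(result["dropped"].items()):
        print(f"{src}: {n} packets dropped")
    for src, reason, dst in sorted(result["flagged"], key=str):
        print(f"flagged {src} for {reason}" + (f" against {dst}" if dst else ""))
```

Keying the SYN counter on the (source, destination) pair is what keeps the check from hurting legitimate users: the normal host sends twenty SYNs a second in total but never more than a handful to any one address, so none of its traffic is touched, while the bot's 4,000 SYNs to a single victim lose everything past the first hundred in the window. In a real modem the same logic would sit in the forwarding path with the thresholds locked unless someone has physical access, as the comment proposes.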