Death Knell For DDoS Extortion?
Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"
this just relegates the Spammer to having to attack smaller sites, who cannot afford to bear the brunt of the assault as long as a large site can
DDoS will be around for a while still
0x09F911029D74E35BD84156C5635688C0
What will come of the 0x09F911029D74E35BD84156C5635688C0 zombie machines out there? Converted to spam remailers? /yea, I know, -1 redundant, but it is still funny.
By this logic, nobody would ever engage in any kind of extortion. Clearly, people do, so either people are just acting illogically, or there is some flaw. I'm guessing some of both.
SIGSEGV caught, terminating
wait... not that kind of sig.
Tell that to this guy... http://www.microsoft.com/presspass/exec/billg/default.mspx
Under the influence of Post-Cyberpunk Gonzo Journalism
They still want the money somehow, and getting it bears higher risk with extortion than by simply grabbing dough under-the-table from spammers.
I suspect (okay, hope?) that spamming will begin to lose its profit motive as well, as users become computer-literate enough en masse to ignore emailed pitches... making the reward not really worth the effort. Even the dumbest user can get ripped off only so many times before they either a) go broke, or b) figure out that maybe they should stop buying stuff from spammers.
Quo usque tandem abutere, Nimbus, patientia nostra?
These people will surely find some other way to fill their day.
It's just calling their bluff. Can they handle a DOS? If so, bring it on. Otherwise, they may end up financially better off to just pay them. Assuming you can trust that they'll not do it anyway.
The extortion part is difficult though, since the target must decide whether to comply with your demands (i.e. payment) or else just give you a good thrashing.
Karma police, arrest this man. He talks in math. He buzzes like a fridge. He's like a detuned radio.
I mean, what better place (from an objective POV) to park warez and illicit data (e.g. certain types of illegal pr0n), than on some unsuspecting schlep's machinery?
The mobsters then charge admittance by way of proxies (conceptual term, not 'w.x.y.z:8080') and advertise by way of spam?
Quo usque tandem abutere, Nimbus, patientia nostra?
Got some nuclear research you'd like to do but don't have the resources to create a super computer? rent a botnet!
Perhaps we could make them into a self-aware AI one day, imagine that. an AI running on poorly secured Windows boxes
“Common sense is not so common.” — Voltaire
DDoS attacks were profitable for years. The author is citing challenges that have always been a part of the practice as the reason they turned to an older technique - as if the idea hadn't panned out. As far as the risk involved, everything I've heard about people responding to botnets was pretty much about people watching to see how big a problem it was. The only thing I've ever heard about someone fighting back was this guy, and unless there were a lot more like him over the following year than I heard, the only explanation that makes sense to me is that spam just got that much easier and more lucrative. Not that I expect Symantec to talk about how anti-virus and anti-spam software like the products they sell fails to stop millions of people from getting infected with malware that makes their computer send spam that isn't filtered out.
Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
That all DDoS attacks are for the purpose of extortion. Does nobody do these things simply because they just want to blackball someone anymore? No, this isn't the death of the DDoS.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
Even if the victim doesn't pony up to stop the DoS, they still pay in lost service and opportunity. In this regard, a DoS against a big moneymaking site means a huge loss of revenue. How long until an ethically-challenged company DoS's their competition?
Rule #1 -- Politics always trumps technology.
At the least the idea that an extortionist has to carry out the DoS after being denied payment doesn't make much sense. Since I assume they (the extortionist) are essentially remaining anonymous, there really isn't any need to prove anything, particularly after you know you aren't getting any money from the person you're attacking. As long as there are others still carrying out the attacks, so that they remain a believable threat, there's no reason for you personally to get involved.
So while I think that part is specious, the author is probably right about it coming down to simple terms of risk and profitability. Even if the extortion was marginally more profitable, committing crime completely anonymously, a la pump and dump spam, I suspect is very very appealing and now that the concept has worked its way through the black hat community, many are changing their game. Whether that's ultimately a good thing, in the sense of whether it's better to have many people bled than a few people shot, I don't know.
Relax I just want some peanuts.
Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers.
Surely he meant it was because their super efficient Windoze clients had secured the world and saved us all from this and other dastardly threats! No? Oh well.
Friends don't help friends install M$ junk.
Believe me when I say, Yazan doesn't care whether or not people are running Norton's products.
http://www.skullsecurity.org/blog/
If someone refuses to pay, just don't DDoS them and move on. It's not like your reputation for following through on threats is on the line, you're a secretive criminal.
It isn't enough for DOS to stop. I want them to pay for what they have done to my beautiful internet. I want them to bleed and to suffer greatly for crime of extorting moneys from innocent web administrators.
I suggest you read Slashdot
..at least not directly. A DoS attack, whilst it may not win money, is a very useful thing indeed if you are taking down competition, or trying to affect the share price of a company, or taking on a political enemy.
We may be seeing the fall of random attacks, but attackers will still be busy doing jobs for money.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
These guys have hit us up before. From what I have seen it is a
-give us $ or we shut you down.
-a small quick ddos to show you they can.
-you say "no thanks", so now they ask for $$$.
-a little bit longer ddos because you pissed them off.
-now they ask for $$$$$. which you certainly are not going to pay.
-another little ddos, more email threats of looming death and destruction, they are "leet" after all.
at this point you begin to factor outages and lost revenues into the business plan, you call ISPs, you consider calling the FBI.
they eventually go away. The best advice we got was from someone who has a "relationship" (pronounced cashcow) with a ddos'r. The scam is that they are looking for regular clients that they know can/will pay, and that they can hit up when they need cash. The word has gotten around that if you pay once, you'll pay twice. At least in the business of online casinos everyone has begun to understand that you just don't pay, ever.
"Pay me money or I'll.....post a link on Slashdot!"
"Oh God...anything but that! I'll Pay!"
" i r 1337. j00 a l0z3r "
That talk kinda makes you cry, doesn't it?
That's right..cry those nerdly tears
There will always be kiddie. But Symantec should be focused on the CTO and the SMB/Enterprise customer. The kinds of places they've targeted these kinds of products at.
Suggesting that DDOS attacks will go away would be silly, but as a business concern which security companies have whipped up to a somewhat feverish pitch this is a sign that these concerns are changing. Anyway, DDOS solutions were probably nowhere near as lucrative as other more trendy areas of network protection (spam/worms/malicious web-content filtering/ids/data retention etc).
Quack, quack.
I think it's a bit stupid to assume because the attacks have gone down are a result of not paying up. IMO it would be more of an indication of companies paying up.
Think about it. If you run a large corporation that downtime means losses that can run into the millions of dollars even for a short duration, add to this the cost of untangling any sort of mess associated with this downtime and that's a hefty bill. It would be stupid to risk the possibility of losing money (and possibly clients) due to downtime when it can be easily avoided by paying a fraction of the cost to some monkey with a botnet.
The last thing any corporation is going to do is admit to this. On top of that, any extortionist that knows you don't over extort organisations.
Seriously, saying that DoS attacks are down due to people not paying up is just stupid.
Do we expect anything less from Symantec though?
What, we now have Gundam characters working for Symantec?
Hmm...it makes sense that Symantec is now a front for the Titans.
Didn't see in the article any mention of the fact that spammers are using Denial of Service attacks on anti-spam related infrastructure too - can't see those falling by the wayside any time soon. re: Blue Security - http://it.slashdot.org/article.pl?sid=06/05/08/142229
Believe me when I say, Yazan doesn't care whether or not people are running Norton's products.
Oh, I can believe that and I'm sure Yazan is good at what he does. That's not what amused me.
Friends don't help friends install M$ junk.
We got DDoS'ed by some script kiddie who apparently didn't like the grade that his teacher gave him (the kid had a botnet). He DDoS'ed us, but we put a stop to it and did (thank goodness!) track him down. Thankfully, our WAN link is big enough that it didn't cripple us; his botnet apparently isn't one of the mondo-huge ones. The kid got expelled.
It's really difficult to take anything someone says when they go by a pseudonym taken from a Gundam character. No, I haven't RTFA.
"As a consequence, the attacker has to spend time and resources on a lost cause." Kinda like in Iraq?
I'm of the opinion that the software industry has just wised up a bit to security threats. IT too has become better at reducing their surface area of attack and patching products; Windows automatic updates probably did a world of good. Many ISPs filter the majority (all?) ports open by default on Windows as well. I help run a fairly large IRC network and we have seen the frequency of botnet activity and DDoS attacks drop dramatically over the last couple years. It's good and bad, I personally found things a little more exciting when a major hole would come out and chaos would ensue for the next week. Remember when blaster came out and the Internet ground to a halt?
Another factor why the DDoS extortion of today is less profitable than a few years back is the existence of mechanisms to mitigate attacks more effectively. Companies like Arbor Networks and Cisco make products that let enterprises and Service Providers quickly flip a switch to redirect and protect legitimate customer traffic. I helped design the Sprint IP Defender solution, providing Sprint customers both quick notification of a security event AND the option to circumvent the issue. This takes all the control away from the extortionists.
Naturally, being employed in the managed security space, I have a dichotomy of interests that should not be forgotten - yes I want to see DDoS incidents being eliminated BUT yes I work for a company where fear of an incident leads companies to buy services from us which in turn drives up my 401k. There is big business in fear, but hey, if you lose $100k in revenue every 10 minutes your network is down, it only makes sense that you protect that income stream. Anyways, for every one extortionist, there are three script-kiddies hanging out in #l33tddos on EFnet wanting to see the level of damage he/she can impose.......
G'night all.
I'd like to see someone build up a large botnet and then do as much hardware damage (turn on disk encryption, write over the bios flash memory, etc.) as they can to all of the machines in the botnet.
Then end lusers will actually start caring about security and maybe their machines won't be used to send me spam in the future.
I think the real reason is that extortions do not make real sense in an online environment. Why:
There is no real threat. You will never get killed/injured it is just about numbers. And since: If you pay once you will pay twice (and thrice...) is so true it is better/cheaper to never ever pay and just take the pain once. You will just lose cash no fingers!
There is no way to protect a turf. If I pay a) then b) could extort me also or even worse a) could pretend to be b) or c) now to extort even more money. In real life I only pay the guys who own (and protect) the turf. And nobody else. Extortion in real life is either about protection also, or it is life/health threatening.
When you don't pay your drug dealer, him coming and killing you doesn't increase the odds of *you* paying (at all); but it reinforces his reputation, so others will be sure not to fail in their payments. I don't see how this is any different. Yes, if you make a threat, and have to follow through, there is no direct benefit from the effort required in following through; however, there is "P.R." value for your next threat.
Love many, trust a few, do harm to none.
If you can choose two ventures, one of which will almost certainly generate revenue with very little risk to you, and the other of which often generates no revenue at all but poses a high risk to your liberty and your resources, which do you choose?
Meta will eat itself
Most businesses who refuse to pay up get someone in quickly to prevent their internet tubes getting clogged. Either that or (if it's cheaper) just let it happen, and find a way around it or ride it out. Either way, they won't actually publicise the proposed extortion as it's bad PR for them. Similarly, if they do pay up, nobody ever finds out about it - so there's no PR again. (Obviously there are exceptions in both cases, but for every exception you can guarantee there will be a few that meet this pattern).
To piggy-back the analogy; if nobody ever found out about the murders or the threats thereof, it would be all effort and no PR return for the dealer.
Meta will eat itself
What happens when it gets a virus? AI goes crazy? What happens when it becomes self aware and finds out that it is made out of Windows? Self loathing and madness. Scary thoughts.
I've heard that there are some hosting providers out there that are so well connected that any attempt to DDoS them just shuts down one of their upstream links, without any significant effect on global availability of the web sites they host.