Death Knell For DDoS Extortion?

← Back to Stories (view on slashdot.org)

Death Knell For DDoS Extortion?

Posted by kdawson on Tuesday May 1, 2007 @11:17AM from the greener-pastures dept.

Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"

5 of 101 comments (clear)

Min score:

Reason:

Sort:

Re:No extortion ever, then! by idesofmarch · 2007-05-01 11:32 · Score: 4, Informative

That is not entirely true. In the present scenario the potential extortionist has a choice - spam or extort. Spamming is currently more profitable, or so the argument goes, and therefore, there are fewer extortions. In the world outside of botnets, extortionists may not have such easily available alternatives, so they stick to extortion.
Re:Maybe not even spam so much... there is worse: by HeroreV · 2007-05-01 12:25 · Score: 2, Informative

To learn more, see XDCC at Wikipedia.
From my experience by jbossvi · 2007-05-01 12:57 · Score: 5, Informative

These guys have hit us up before. From what I have seen it is a
-give us $ or we shut you down.
-a small quick ddos to show you they can.
-you say "no thanks", so now they ask for $$$.
-a little bit longer ddos because you pissed them off.
-now they ask for $$$$$. which you certainly are not going to pay.
-another little ddos, more email threats of looming death and destruction, they are "leet" after all.

at this point you begin to factor outages and lost revenues into the business plan, you call ISP's, you consider calling the FBI.

they eventually go away. The best advice we got was from someone who has a "relationship" (pronounced cashcow) with a ddos'r. The scam is that they are looking for regular clients that they know can/will pay, and that they can hit up when they need cash. The word has gotten around that if you pay once, you'll pay twice. At least in the business of online casino's everyone has begun to understand that you just dont pay, ever.
Re:Why even bother to make good on your threat? by MoxFulder · 2007-05-01 13:21 · Score: 5, Informative

This is sort of a game theory problem.

No individual extortionist wants to actually expend the resources to make good on his threat... but all extortionists recognize that if NO ONE carries out their threats, they will have no power over the victims.

--
My bicyles
Re:No extortion ever, then! by __aailrp9629 · 2007-05-01 13:28 · Score: 3, Informative

South America, the Philippines (well, less Luzon than the other islands), southern Asia... lots of places. Probably because a lot of those places have weak central governments so "The Feds" aren't around to bring massive resources to bear on every single kidnap case. If they were, I'm sure the US solution would work fine.

If.