Death Knell For DDoS Extortion?
Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"
This just relegates the Spammer to having to attack smaller sites, who cannot afford to bear the brunt of the assault as long as a large site can
DDoS will be around for a while still
0x09F911029D74E35BD84156C5635688C0
By this logic, nobody would ever engage in any kind of extortion. Clearly, people do, so either people are just acting illogically, or there is some flaw. I'm guessing some of both.
SIGSEGV caught, terminating
wait... not that kind of sig.
He also doesn't seem to get that sometimes people DoS sites out of spite or out of malice.
You can't put a price tag on being an asshole to the internet community.
That all DDoS attacks are for the purpose of extortion. Does nobody do these things simply because they just want to blackball someone anymore? No, this isn't the death of the DDoS.
We're all hypocrites. We all have hidden parts, it's the contrast between them that makes us more a hypocrite than others
Even if the victim doesn't pony up to stop the DoS, they still pay in lost service and opportunity. In this regard, a DoS against a big moneymaking site means a huge loss of revenue. How long until an ethically-challenged company DoS's their competition?
Rule #1 -- Politics always trumps technology.
They already do that. See: the entire movie bootlegging scene.
Newslily: Social News. No lolcats allowed.
...and Skynet was born
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
If someone refuses to pay, just don't DDoS them and move on. It's not like your reputation for following through on threats is on the line, you're a secretive criminal.
There will always be kiddies. But Symantec should be focused on the CTO and the SMB/Enterprise customer. The kinds of places they've targeted these kinds of products at.
Suggesting that DDOS attacks will go away would be silly, but as a business concern which security companies have whipped up to a somewhat feverish pitch, this is a sign that these concerns are changing. Anyway, DDOS solutions were probably nowhere near as lucrative as other more trendy areas of network protection (spam/worms/malicious web-content filtering/ids/data retention etc).
Quack, quack.
If you can choose two ventures, one of which will almost certainly generate revenue with very little risk to you, and the other of which often generates no revenue at all but poses a high risk to your liberty and your resources, which do you choose?
Meta will eat itself
Most businesses who refuse to pay up get someone in quickly to prevent their internet tubes getting clogged. Either that or (if it's cheaper) just let it happen, and find a way around it or ride it out. Either way, they won't actually publicise the proposed extortion as it's bad PR for them. Similarly, if they do pay up, nobody ever finds out about it - so there's no PR again. (Obviously there are exceptions in both cases, but for every exception you can guarantee there will be a few that meet this pattern).
To piggy-back the analogy; if nobody ever found out about the murders or the threats thereof, it would be all effort and no PR return for the dealer.
Meta will eat itself