Slashdot Mirror


Death Knell For DDoS Extortion?

Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"

7 of 101 comments

  1. The payment risk has also prolly risen as well. by Penguinisto · · Score: 4, Interesting
    The author, if I read this correctly, assumes that the risk is constant... but compare the profit from spammers (who can make payments more directly, as noted), and extortionists (who stand a good --not perfect, but good-- chance of having that payment traced/tracked). Sure, it'll go to some money-handling service in Russia or whatnot, but that wouldn't put it completely out of the realm of trackability.

    They still want the money somehow, and getting it bears higher risk with extortion than by simply grabbing dough under-the-table from spammers.

    I suspect (okay, hope?) that spamming will begin to lose its profit motive as well, as users become computer-literate enough en masse to ignore emailed pitches... making the reward not really worth the effort. Even the dumbest user can get ripped off only so many times before they either a) go broke, or b) figure out that maybe they should stop buying stuff from spammers.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Maybe not even spam so much... there is worse: by Penguinisto · · Score: 5, Interesting
    Could be that someday, somebody is going to cobble together a P2P-style redundant agent that could convert a botnet into a big-assed torrent server.

    I mean, what better place (from an objective POV) to park warez and illicit data (e.g. certain types of illegal pr0n), than on some unsuspecting schlep's machinery?

    The mobsters then charge admittance by way of proxies (conceptual term, not 'w.x.y.z:8080') and advertise by way of spam?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  3. Re:botnet for personal projects? by MoxFulder · · Score: 2, Interesting

    Got some nuclear research you'd like to do but don't have the resources to create a super computer? rent a botnet!

    Funny, but unlikely I think.

    Botnets wouldn't be all that good for supercomputing, except maybe of highly parallelizable problems (voluntary networks like SETI@home already work on those). Botnets don't have the fast communication links between nodes which are vital to the performance of most supercomputers... which often incorporate fancy network technologies like Infiniband or Fibre Channel or even just good ol' 100/1000-MBit ethernet.

    As I see it, the main advantage of botnets is their massive outgoing network bandwidth: ten thousand desktops with broadband, averaging conservatively 5 kB/s outbound, gives a whopping 50 MB/s. A commodity computer can EASILY spit out 50 MB of email per second with some intelligent software... but *paying for* the bandwidth to actually send it that fast would be absolutely prohibitive. That's the real reason spammers use botnets.

    (Of course, there's also the fact that botnets are a lot harder to isolate and blacklist than a single server.)
  4. Re:No extortion ever, then! by fermion · · Score: 2, Interesting
    No, by this logic it means that few would conduct such attacks for money. However we know that people conduct attacks for many other reasons. The assumption that attacks occur only for direct cash rewards results in miscalculations that cause significant holes in security systems and can even start wars.

    On the relatively benign side we know that people crack security just to see if it can be done, to test their wits against a verified expert. On the less benign side, fanatics might attack because they think the act will give them some other reward. For instance, if we take a purely hypothetical example, religious fanatics might be told by their Pastor to attack the web site of some godless politician so the preferred candidate might have a better chance of winning and installing other fanatics in traditionally secular positions. Such attacks would have a defined timeframe, and therefore predictable costs and risk, and win or lose, would at least have a terroristic effect. Such an attack would be clearly logical, profitable, and effective.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  5. People are better at security by eraser.cpp · · Score: 2, Interesting

    I'm of the opinion that the software industry has just wised up a bit to security threats. IT too has become better at reducing their surface area of attack and patching products; Windows automatic updates probably did a world of good. Many ISPs filter the majority (all?) of ports open by default on Windows as well. I help run a fairly large IRC network and we have seen the frequency of botnet activity and DDoS attacks drop dramatically over the last couple years. It's good and bad, I personally found things a little more exciting when a major hole would come out and chaos would ensue for the next week. Remember when blaster came out and the Internet ground to a halt?

  6. more DDoS prevention today as well by linenoise · · Score: 4, Interesting

    Another factor why the DDoS extortion of today is less profitable than a few years back is the existence of mechanisms to mitigate attacks more effectively. Companies like Arbor Networks and Cisco make products that let enterprises and Service Providers quickly flip a switch to redirect and protect legitimate customer traffic. I helped design the Sprint IP Defender solution, providing Sprint customers both quick notification of a security event AND the option to circumvent the issue. This takes all the control away from the extortionists.

    Naturally, being employed in the managed security space, I have a dichotomy of interests that should not be forgotten - yes I want to see DDoS incidents being eliminated BUT yes I work for a company where fear of an incident leads companies to buy services from us which in turn drives up my 401k. There is big business in fear, but hey, if you lose $100k in revenue every 10 minutes your network is down, it only makes sense that you protect that income stream. Anyways, for every one extortionist, there are three script-kiddies hanging out in #l33tddos on EFnet wanting to see the level of damage he/she can impose.......

    G'night all.
  7. Re:No extortion ever, then! by 99BottlesOfBeerInMyF · · Score: 2, Interesting

    In the present scenario the potential extortionist has a choice - spam or extort. Spamming is currently more profitable, or so the argument goes, and therefore, there are fewer extortions.

    That's a nice theory, but I don't think that is what happens in practice. From what I've seen no one runs a botnet that is constantly sending spam or performing attacks. They spend most of their time idle. If you know the right places to look there are some nice Web interfaces where you can transfer money from PayPal to rent out control of a botnet for a set amount of time. The operator doesn't care if you're spamming or DDoSing people, only that he got paid. Thus, while people may find spamming more profitable, others will see a good extortion opportunity and take that as well, and still others will DDoS their competitors, or former employer, or government they dislike, or anyone else they are mad at.