Slashdot Mirror


Death Knell For DDoS Extortion?

Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"

32 of 101 comments

  1. Still potent by the+code+is+09+F9+11 · · Score: 2, Insightful

    this just relegates the Spammer to having to attack smaller sites, who cannot afford to bear the brunt of the assault as long as a large site can

    DDoS will be around for a while still

    --
    0x09F911029D74E35BD84156C5635688C0
  2. Somebody please think of the Zombies! by HaeMaker · · Score: 2, Funny

    What will come of the 0x09F911029D74E35BD84156C5635688C0 zombie machines out there? Converted to spam remailers? /yea, I know, -1 redundant, but it is still funny.

  3. No extortion ever, then! by The_Wilschon · · Score: 2, Insightful

    By this logic, nobody would ever engage in any kind of extortion. Clearly, people do, so either people are just acting illogically, or there is some flaw. I'm guessing some of both.

    --
    SIGSEGV caught, terminating

    wait... not that kind of sig.
    1. Re:No extortion ever, then! by idesofmarch · · Score: 4, Informative

      That is not entirely true. In the present scenario the potential extortionist has a choice - spam or extort. Spamming is currently more profitable, or so the argument goes, and therefore, there are fewer extortions. In the world outside of botnets, extortionists may not have such easily available alternatives, so they stick to extortion.

    2. Re:No extortion ever, then! by R3d+M3rcury · · Score: 4, Insightful

      It's sort of like kidnapping.

      Way back when, kidnapping was a pretty good way to make some quick cash. Grab somebody's significant other and tell them to deliver money to see them again. The automobile was pretty new and you could grab somebody and get them far enough away in a short amount of time that local law enforcement couldn't deal with it.

      Thus, the feds were immediately brought in to any kidnapping case. Because the FBI had kidnapping specialists who knew all the angles, kidnapping for ransom became very unsuccessful. Nowadays, you rarely hear of a kidnapping case with a ransom demand here in the United States. It's just not worth it.

    3. Re:No extortion ever, then! by Anonymous Coward · · Score: 2, Funny

      Actually, it sounds more like someone kidnapping someone's wife, only to have the ransom demands met with "keep her!"

    4. Re:No extortion ever, then! by __aailrp9629 · · Score: 3, Informative

      South America, the Philippines (well, less Luzon than the other islands), southern Asia... lots of places. Probably because a lot of those places have weak central governments so "The Feds" aren't around to bring massive resources to bear on every single kidnap case. If they were, I'm sure the US solution would work fine.

      If.

    5. Re:No extortion ever, then! by Reaperducer · · Score: 2, Funny

      the US solution would work fine.
      Never thought I'd see that phrase on Slashdot.
      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    6. Re:No extortion ever, then! by fermion · · Score: 2, Interesting
      No, by this logic it means that few would conduct such attacks for money. However we know that people conduct attacks for many other reasons. The assumption that attacks occur only for direct cash rewards results in miscalculations that cause significant holes in security systems and can even start wars.

      On the relatively benign side we know that people crack security just to see if it can be done, to test their wits against a verified expert. On the less benign side, fanatics might attack because they think the act will give them some other reward. For instance, if we take a purely hypothetical example, religious fanatics might be told by their Pastor to attack the web site of some godless politician so the preferred candidate might have a better chance of winning and installing other fanatics in traditionally secular positions. Such attacks would have a defined timeframe, and therefore predictable costs and risk, and win or lose, would at least have a terroristic effect. Such an attack would be clearly logical, profitable, and effective.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    7. Re:No extortion ever, then! by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      In the present scenario the potential extortionist has a choice - spam or extort. Spamming is currently more profitable, or so the argument goes, and therefore, there are fewer extortions.

      That's a nice theory, but I don't think that is what happens in practice. From what I've seen no one runs a botnet that is constantly sending spam or performing attacks. They spend most of their time idle. If you know the right places to look there are some nice Web interfaces where you can transfer money from PayPal to rent out control of a botnet for a set amount of time. The operator doesn't care if you're spamming or DDoSing people, only that he got paid. Thus, while people may find spamming more profitable, others will see a good extortion opportunity and take that as well, and still others will DDoS their competitors, or former employer, or government they dislike, or anyone else they are mad at.

  4. The payment risk has also prolly risen as well. by Penguinisto · · Score: 4, Interesting
    The author, if I read this correctly, assumes that the risk is constant... but compare the profit from spammers (who can make payments more directly, as noted), and extortionists (who stand a good --not perfect, but good-- chance of having that payment traced/tracked). Sure, it'll go to some money-handling service in Russia or whatnot, but that wouldn't put it completely out of the realm of trackability.

    They still want the money somehow, and getting it bears higher risk with extortion than by simply grabbing dough under-the-table from spammers.

    I suspect (okay, hope?) that spamming will begin to lose its profit motive as well, as users become computer-literate enough en masse to ignore emailed pitches... making the reward not really worth the effort. Even the dumbest user can get ripped off only so many times before they either a) go broke, or b) figure out that maybe they should stop buying stuff from spammers.

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:The payment risk has also prolly risen as well. by tmarthal · · Score: 5, Insightful

      He also doesn't seem to get that sometimes people DoS sites out of spite or out of malice.

      You can't put a pricetag on being an asshole to the internet community.

  5. Bot network? by psaunders · · Score: 3, Funny

    For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all.

    You don't need a bot network to be a DoS extortionist. Unplugging your target's modem is just as effective, and has the virtue of simplicity.

    The extortion part is difficult though, since the target must decide whether to comply with your demands (i.e. payment) or else just give you a good thrashing.

    --
    Karma police, arrest this man. He talks in math. He buzzes like a fridge. He's like a detuned radio.
    1. Re:Bot network? by myowntrueself · · Score: 5, Funny

      You don't need a bot network to be a DoS extortionist. Unplugging your target's modem is just as effective, and has the virtue of simplicity.

      I think I see where you are coming from; my ISP is some kind of DoS extortionist... if I stop paying them they DoS me.

      Help, I am being exploited! :(

      --
      In the free world the media isn't government run; the government is media run.
  6. Maybe not even spam so much... there is worse: by Penguinisto · · Score: 5, Interesting
    Could be that someday, somebody is going to cobble together a P2P-style redundant agent that could convert a botnet into a big-assed torrent server.

    I mean, what better place (from an objective POV) to park warez and illicit data (e.g. certain types of illegal pr0n), than on some unsuspecting schlep's machinery?

    The mobsters then charge admittance by way of proxies (conceptual term, not 'w.x.y.z:8080') and advertise by way of spam?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Maybe not even spam so much... there is worse: by blhack · · Score: 2, Insightful

      They already do that. See: the entire movie bootlegging scene.

      --
      NewslilySocial News. No lolcats allowed.
    2. Re:Maybe not even spam so much... there is worse: by HeroreV · · Score: 2, Informative

      To learn more, see XDCC at Wikipedia.

  7. botnet for personal projects? by OrangeTide · · Score: 3, Funny

    Got some nuclear research you'd like to do but don't have the resources to create a super computer? rent a botnet!

    Perhaps we could make them into a self-aware AI one day, imagine that. an AI running on poorly secured Windows boxes

    --
    “Common sense is not so common.” — Voltaire
    1. Re:botnet for personal projects? by element-o.p. · · Score: 2, Insightful

      ...and Skynet was born

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    2. Re:botnet for personal projects? by MoxFulder · · Score: 2, Interesting

      Got some nuclear research you'd like to do but don't have the resources to create a super computer? rent a botnet!

      Funny, but unlikely I think.

      Botnets wouldn't be all that good for supercomputing, except maybe of highly parallelizable problems (voluntary networks like SETI@home already work on those). Botnets don't have the fast communication links between nodes which are vital to the performance of most supercomputers... which often incorporate fancy network technologies like Infiniband or Fiber Channel or even just good ol' 100/1000-MBit ethernet.

      As I see it, the main advantage of botnets is their massive outgoing network bandwidth: ten thousand desktops with broadband, averaging conservatively 5 kB/s outbound, gives a whopping 50 MB/s. A commodity computer can EASILY spit out 50 MB of email per second with some intelligent software... but *paying for* the bandwidth to actually send it that fast would be absolutely prohibitive. That's the real reason spammers use botnets.

      (Of course, there's also the fact that botnets are a lot harder to isolate and blacklist than a single server.)
  8. One assumption though... by Chabil+Ha' · · Score: 4, Insightful

    That all DDoS attacks are for the purpose of extortion. Does nobody do these things simply because they just want to blackball someone anymore? No, this isn't the death of the DDoS.

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
  9. The victim still pays indirectly by southpolesammy · · Score: 3, Insightful

    Even if the victim doesn't pony up to stop the DoS, they still pay in lost service and opportunity. In this regard, a DoS against a big moneymaking site means a huge loss of revenue. How long until an ethically-challenged company DoS's their competition?

    --
    Rule #1 -- Politics always trumps technology.
  10. Why even bother to make good on your threat? by seaturnip · · Score: 3, Insightful

    If someone refuses to pay, just don't DDoS them and move on. It's not like your reputation for following through on threats is on the line, you're a secretive criminal.

    1. Re:Why even bother to make good on your threat? by MoxFulder · · Score: 5, Informative

      This is sort of a game theory problem.

      No individual extortionist wants to actually expend the resources to make good on his threat... but all extortionists recognize that if NO ONE carries out their threats, they will have no power over the victims.

  11. Revenge by Hao+Wu · · Score: 2, Funny

    It isn't enough for DOS to stop. I want them to pay for what they have done to my beautiful internet. I want them to bleed and to suffer greatly for crime of extorting moneys from innocent web administrators.

    --
    I suggest you read Slashdot
  12. From my experience by jbossvi · · Score: 5, Informative

    These guys have hit us up before. From what I have seen it is a
    -give us $ or we shut you down.
          -a small quick ddos to show you they can.
    -you say "no thanks", so now they ask for $$$.
          -a little bit longer ddos because you pissed them off.
    -now they ask for $$$$$. which you certainly are not going to pay.
          -another little ddos, more email threats of looming death and destruction, they are "leet" after all.

    At this point you begin to factor outages and lost revenues into the business plan, you call ISPs, you consider calling the FBI.

    They eventually go away. The best advice we got was from someone who has a "relationship" (pronounced cashcow) with a ddos'r. The scam is that they are looking for regular clients that they know can/will pay, and that they can hit up when they need cash. The word has gotten around that if you pay once, you'll pay twice. At least in the business of online casinos everyone has begun to understand that you just don't pay, ever.

  13. I don't think that's his concern.. by msimm · · Score: 2, Insightful

    There will always be kiddies. But Symantec should be focused on the CTO and the SMB/Enterprise customer. The kinds of places they've targeted these kinds of products at.

    Suggesting that DDOS attacks will go away would be silly, but as a business concern which security companies have whipped up to a somewhat feverish pitch this is a sign that these concerns are changing. Anyway, DDOS solutions were probably nowhere near as lucrative as other more trendy areas of network protection (spam/worms/malicious web-content filtering/ids/data retention etc).

    --
    Quack, quack.
  14. People are better at security by eraser.cpp · · Score: 2, Interesting

    I'm of the opinion that the software industry has just wised up a bit to security threats. IT too has become better at reducing their surface area of attack and patching products; Windows automatic updates probably did a world of good. Many ISPs filter the majority of (all?) ports open by default on Windows as well. I help run a fairly large IRC network and we have seen the frequency of botnet activity and DDoS attacks drop dramatically over the last couple years. It's good and bad, I personally found things a little more exciting when a major hole would come out and chaos would ensue for the next week. Remember when blaster came out and the Internet ground to a halt?

  15. more DDoS prevention today as well by linenoise · · Score: 4, Interesting

    Another factor why the DDoS extortion of today is less profitable than a few years back is the existence of mechanisms to mitigate attacks more effectively. Companies like Arbor Networks and Cisco make products that let enterprises and Service Providers quickly flip a switch to redirect and protect legitimate customer traffic. I helped design the Sprint IP Defender solution, providing Sprint customers both quick notification of a security event AND the option to circumvent the issue. This takes all the control away from the extortionists.

    Naturally, being employed in the managed security space, I have a dichotomy of interests that should not be forgotten - yes I want to see DDoS incidents being eliminated BUT yes I work for a company where fear of an incident leads companies to buy services from us which in turn drives up my 401k. There is big business in fear, but hey, if you lose $100k in revenue every 10 minutes your network is down, it only makes sense that you protect that income stream. Anyways, for every one extortionist, there are three script-kiddies hanging out in #l33tddos on EFnet wanting to see the level of damage he/she can impose.......

    G'night all.
  16. Not the point by tygerstripes · · Score: 3, Insightful
    While that's certainly true, I think you're missing the point of the article - that DDoS attacks simply aren't worth the effort and risk when compared to the perfectly viable alternative of spamming.

    If you can choose two ventures, one of which will almost certainly generate revenue with very little risk to you, and the other of which often generates no revenue at all but poses a high risk to your liberty and your resources, which do you choose?

    --
    Meta will eat itself
  17. Doesn't work? by tygerstripes · · Score: 2, Insightful
    I don't think this would hold true in the corporate world.

    Most businesses who refuse to pay up get someone in quickly to prevent their internet tubes getting clogged. Either that or (if it's cheaper) just let it happen, and find a way around it or ride it out. Either way, they won't actually publicise the proposed extortion as it's bad PR for them. Similarly, if they do pay up, nobody ever finds out about it - so there's no PR again. (Obviously there are exceptions in both cases, but for every exception you can guarantee there will be a few that meet this pattern).

    To piggy-back the analogy; if nobody ever found out about the murders or the threats thereof, it would be all effort and no PR return for the dealer.

    --
    Meta will eat itself
  18. Virus? by sonictheboom · · Score: 2, Funny

    What happens when it gets a virus? AI goes crazy? What happens when it becomes self aware and finds out that it is made out of Windows? Self loathing and madness. Scary thoughts.