Held to ransom
After a spate of DDoS attacks on UK e-tailers, Jack Gilbert investigates what the best responses are and asks whether there's an opportunity here for the channel
"The perception previously was that [DDoS attacks] were someone else's problem, but following the events of last week, we have started to realise that it's becoming everybody's problem." That's according to Chris Walsh, director of security distributor Alpha Generation, who reflected on a week of DDoS attacks that took place last month.
First, CRN revealed that a number of UK e-tailers - including Novatech, Overclockers and Aria Technology - saw their websites go down after being hit by DDoS attacks. The latter revealed it had received an email from hackers demanding the payment of 16.66 bitcoins (£2,871.43), otherwise they would bring the website down again. Then TalkTalk admitted that its customers' bank account numbers and sort codes "may have been accessed", after it suffered what many reports claim was a DDoS attack.
The events demonstrated that cyber attacks - and in this instance, DDoS attacks - are becoming everyday occurrences, with very real consequences. DDoS attacks were up 90 per cent year on year for Q4 2014, according to global research from cloud services provider Akamai. The report also found that increasingly, organisations are being threatened with DDoS attacks if they fail to pay monetary ransoms, with small and medium-sized businesses targeted for "quick profit".
With DDoS, locating the attackers is incredibly difficult, and it's hard to decipher whether an attack is being orchestrated by a vast criminal syndicate or by a solitary teenage boy in his bedroom, as it emerged may have been the case with TalkTalk. The e-tailers affected last month deployed a variety of responses, prompting debate over who the likely suspects are, what companies should do to stop these attacks and what the opportunities are for resellers.
Bounty hunters
In response to the DDoS attacks and bitcoin demands, Aria Technology's owner, Aria Taheri, took a bold approach, refusing to pay any ransom, saying this would only "encourage others to come to us and blackmail us more". Instead he posted a bounty of £15,000 for any information regarding the hackers.
He said the decision to post the bounty has had a great response.
"There has been a lot of positive stuff coming out since we put the bounty up," he said. "We have had a lot of support from customers and support from different organisations around the world, in Europe, America and Canada."
He said since the website was brought down, the attackers have changed their strategy and have started targeting the site in short spurts, instead of longer attacks. But he said that after upping the firm's defences, the attackers have not been able to bring the website down again.
Following the bounty (pictured below), Taheri has received a number of tips about who the culprits are, and said he is confident the offenders can be uncovered.
"I have quite a few leads, [but] following those leads and investigating the nature of the attack, that will take some time," Taheri said. "I've had some experts contacting me and offering their assistance. It's going to be a complex process to find out who it is, but it's possible through looking at the bitcoin accounts, where there is a trail that you can follow. Given the number of leads, I am fairly confident [we can find the attackers]."
While Taheri is happy with his decision to post a bounty, this response has prompted a mixed reaction from industry figures.
Wild goose chase?
Chris Boyd, intelligence analyst at malware-detection vendor Malwarebytes, said Taheri's bounty was perhaps not the best strategy to employ. "They're right to refuse paying the ransom, but asking random netizens to go on what could amount to a wild goose chase could be asking for trouble," he said. "They'd be better off focusing on using the best tech they can afford to ward off DDoS and see if they can ride out the storm."
David Fernandez, principal technical programme manager at Akamai, said using bounties is not an "effective strategy for mitigating this type of threat".
But others have praised Taheri's decision, with John Gunn, vice president of corporate communications at two-factor authentication vendor Vasco, saying it was a positive reaction.
"It is a smart approach," Gunn said. "As with any ransom or blackmail, the perpetrator can continue to come back again and again unless the opportunity for exploitation is removed or the attacker is eliminated in one way or another. Bounty actions will not eliminate DDoS attacks, but they can make some targets less attractive than other organisations."
Gunn conceded it was unlikely that the bounty would lead to the attackers being caught, but said it sends out the right signal.
The bitcoin-based DDoS attacks on UK e-tailers last month were not isolated incidents, and one group in particular is known for these tactics.
DDoS for Bitcoin (Distributed Denial of Service for Bitcoin) - or DD4BC - is a group that has been "responsible for a large number of bitcoin extortion campaigns dating back to 2014", according to Akamai.
The cloud services provider monitored DD4BC and claimed it discovered 114 DD4BC attacks since April 2015.
"In the past year, the group expanded its extortion and DDoS campaigns to target a wider array of business sectors - including financial services, media and entertainment, online gaming and retailers," a statement from Akamai said.
One source, who wished to remain anonymous, said the attack is similar to those launched by DD4BC, and could be from one of the groups which have emerged that try to emulate it.
But proving the identity of the attackers is a difficult task, as Boyd of Malwarebytes pointed out.
"In theory it could be someone dissatisfied with Aria's service in some way, though without detailed information released from Aria on the specifics of the attack it's difficult to say for sure," he said. "Even with said data, it's very difficult to work out who is behind a DDoS attack given that we could be talking about thousands of compromised PCs used to launch the attack."
And Gunn at Vasco said unless they are "rank amateurs", the attackers will never be discovered.
Channel opportunity
With these DDoS attacks on the increase, Dave Larson, chief technology officer at DDoS mitigation vendor Corero Network Security, said organisations that hold infected servers should be highlighted so they are encouraged to get proper protection.
"We would like to see a community effort to begin shaming unwitting participants," he said. "Even those people who didn't intend to attack you, but leave themselves vulnerable to be utilised in the attack should share some responsibility. The internet community is very good at shining a light on someone and getting them to behave better and I think we should see some more of that here."
He said DDoS attacks are becoming "more frequent, more sophisticated" and are now focused more on the theft of companies' data, as we have seen with the TalkTalk hack.
Walsh at Alpha Generation (pictured below) said the perception has now changed from DDoS being regarded as a distant threat, to one that everyone is concerned about.
Walsh said that many large enterprise clients have now put suitable perimeter protection in place, and that today it is mid-size organisations that are becoming increasingly vulnerable to these DDoS stings. He added that these organisations present a good opportunity for resellers to ensure they are educated and properly protected.
"The opportunity for the resellers is really to go out there and educate end users that this DDoS threat is not going away and they need to make a stand before they become the next DDoS target."