As network resources become more readily available, it's perhaps unsurprising that distributed denial of service attacks have increased in strength and frequency. For example, the recent campaign waged against CloudFlare topped out at more than 400 Gb/s, shattering the record set during an attack on Spamhaus last year. At the same time, tactics have shifted, with many cybercriminals opting to exploit the previously obscure Network Time Protocol as an alternative to classic DNS reflection techniques.
DDoS perpetrators and security professionals are now locked in a game of cat-and-mouse as new attack vectors are discovered and addressed. The stakes for protecting websites from DDoS are higher than ever, with business continuity and enormous amounts of money at risk. Some attackers have even taken up extortion tactics, giving organizations the option of paying a fee to prevent their domains from being assaulted.
The abundance of DDoS resources means that targets need not be high-profile political or commercial institutions, but can be chosen from a much broader pool. Random companies may find themselves in the cross-hairs of a DDoS campaign and face the dilemma of either battling against massive amounts of bandwidth or paying a would-be attacker for what may amount to only a quasi-guarantee of safety.
On top of that, with online commerce rapidly evolving thanks to Bitcoin, commercial organizations have to face the prospect of safely managing transactions and navigating the volatile politics that sometimes surround the cryptocurrency. The recent takedown of Mt. Gox, the world's most prominent Bitcoin exchange, featured a flurry of DDoS attacks, and it likely won't be the last Bitcoin platform to go down as cybercriminals scramble for a greater share of a tightly limited global supply.
Keeping up with the mounting pressures of DDoS won't be easy, but organizations have to be aware of the challenge and work with vendors to harden their networks and assets against attacks. Some steps, such as removing reliance on NTP, are straightforward, while others – having enough capacity to withstand a huge attack – are less so and will require more long-term planning.
DDoS extortion becomes an issue as attacks become easier to conduct
Meetup, a social networking site focused on group activities, spent several days in early March 2014 fending off DDoS attacks. It eventually got services back up and running, but not before receiving a peculiar offer – for $300, the attackers would simply not carry out their plans.
The amount was oddly small, in light of how much venture funding the 12-year-old company had raised. Meetup's executives refused to pay, noting that the offer was likely low-balled to see if the company would pay at all; if it had agreed, the requested fee might have risen, and other would-be attackers might have noticed and decided to try a similar tack with Meetup.
Meetup made the right decision, but will other organizations follow its lead? Perhaps the better question is: Will they be confident enough in their resources and operations to withstand similar extortion tactics?
Companies face a hard road ahead in this regard. The DDoS landscape has changed a lot just in the past year or two. An Akamai study estimated that the number of DDoS attacks rose by one-third between 2012 and 2013. Similarly, the average number of gigabits per second that attackers could throw at victims nearly quadrupled between the first quarters of 2013 and 2014, rising to 179 Gb/s.
The Meetup extortion attempt wasn't the first of its kind, and it made waves mostly because the company took the incident public, an unusual step. In 2013, two Polish programmers were jailed for attempting to extort money from casino owners. They demanded half of all the casino's profits, and when the request was refused, they carried out a 5-hour attack on the organization's IT infrastructure. Casinos and e-commerce sites continue to be among the most common targets of DDoS, if only because of the amount of money that passes through them, but the Meetup incident shows that companies in other sectors are also at risk.
Addressing the rising prevalence of DDoS is a tall task, especially for sites that sell items and provide services to users. Notably, e-commerce site Endless Wardrobe used services from CloudFlare – later the victim of the largest DDoS attack ever – to mitigate the impact of a 2012 extortion attempt, in which attackers requested $3,500.
"We were sent an extortion email from Russia demanding money from our business. If we did not send the money, they threatened to DDoS our site," said Andrew Burman, co-founder and director at Endless Wardrobe. "We started working with our Web host who implemented security measures to stop the attack, but that also meant real visitors and customers could not access our site either."
DDoS, Bitcoin and e-commerce
A growing number of e-commerce sites are accepting Bitcoin. Overstock recently added support, joining the ranks of OKCupid, Reddit and Zynga. It's too early to tell how extensive Bitcoin's impact will be on online commerce, but merchants should be wary of the various risks that Bitcoin invites, including the prospect of DDoS attacks to distract operators and steal currency.
The recently shuttered Mt. Gox Bitcoin exchange faced roughly 150,000 DDoS attacks per second as cybercriminals tried to steal funds. Ultimately, about 800,000 bitcoins were lost for good, underscoring both the need for firmer security at any institution that deals in Bitcoin and the fact that cybercriminals will resort to DDoS. The anonymity and growing popularity of Bitcoin make it a lucrative commodity, and DDoS is a highly effective way to harvest it. Its efficacy could result in incidents similar to what happened at Mt. Gox.
"DDoS attacks can be done without high-level hacking techniques," Ritsumeikan University professor Tetsutaro Uehara stated, according to The Register. "It is possible that copycats turned their eyes on other exchanges after weaknesses in Mt. Gox's system were found."
Bitcoin's growing role in e-commerce could complicate organizations' risk mitigation strategies. To fend off DDoS attacks, companies should refuse to be extorted and instead invest in software solutions and infrastructure upgrades to improve their security postures.