In a recent survey by Carnegie Mellon University researchers, 17 out of 100 small and mid-size businesses reported being targeted by cyber-extortionists.
I recently stumbled upon a news article about one such extortionist who threatened an online gaming website in 2003: “Your site is under attack… You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months,” or, “if you choose not to pay… you will be under attack each weekend for the next 20 weeks, or until you close your doors.”
The website owner, Mickey Richardson, asked his network admin if they should be concerned. The reply he received was “We should be safe. I think our network is nice and tight.” When the attack finally came, the website crashed hard. Standard DoS (Denial of Service) attack prevention software failed after 10 minutes. The website crashed. His ISP crashed. His ISP’s ISP then crashed. Another e-mail arrived. “I guess you have decided to fight instead of making a deal. We thought you were smart… You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday.”
The site stayed down during most of the respite that followed, and could only be brought up for short periods of time. At some point, the downtime was the result of his ISP deciding to null-route the site’s traffic. Null-routing means the ISP collects all of the traffic going to a site and drives it into the ground. This frees up the ISP’s pipes when a site it hosts is receiving massive amounts of DoS attack traffic; even if the extortionists stopped attacking, the site would stay down.
A consultant they hired had an interesting plan: build a system that would absorb huge DoS attacks. An ISP in Phoenix with a 10Gbps (ten gigabits per second) pipe eventually reluctantly agreed to host it. The system intercepted traffic intended for the website, diverted it to the ISP in Phoenix, null-routed the bad traffic, and sent legitimate traffic to the website. The system did a lot of other stuff too: monitoring, capacity planning, logging and analysis. But when it was first turned on, the extortionists stuffed too much traffic down its throat. The servers were overloaded. The website owner’s decision not to pay the extortionists was affecting other websites that shared the same ISP and were also experiencing network problems. He started getting calls from friendly competitors saying, “We paid. Just pay. We’re going down because of you.”
Another email arrived. “I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me.” The extortionist demanded $75,000, but then seemed to disregard the money: “I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then fûçk around with us…. Let the games begin.”
A DoS attack is most effective using zombies, exposed and unprotected computers hacked without their owner’s knowledge. With a zombie network in place, the only issue left is scale. The more zombies there are in a network, and the more aggregate upstream bandwidth they have, the swifter and more severe havoc they can wreak. A zombie network with several hundred computers can generate hundreds of megabytes of traffic per second, enough to knock a small network offline. It turns out the extortionists had more than 20,000 zombies.
After days of severe battling, suddenly the attacks stopped. Another email: “I tried getting to your site today and I could not. I thought with all the money you spent you would not have these problems anymore. I guess you wasted your money instead of keeping your word. Good luck. P.S. I bet you feel real stupid that you did not keep your word. I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked.” It was a bluff. The website was up. The extortionists couldn’t get to it because they were blocked. The website owner hadn’t paid them a dime. They made no more threats. They couldn’t because they couldn’t back them up with action. The extortionists had lost. And yet, the e-mail was not far off. Mickey figures it cost him a million dollars in lost revenue and IT investments to win the war.
Update
Three guys in Russia were caught and charged in connection with the DDoS assault on Mickey’s betting site, including Ivan Maksakov, a 22-year-old student at the Balakov Institute of Engineering, Technology, and Management. According to the Russian newspaper Kommersant, Ivan was sentenced to eight years behind bars and ordered to pay a fine of 100,000 рубле (just under USD$4,000)
Recent Comments