DDoS: platform for cyberextortion

February 12, 2008 - 2:29am | Articles | Fraud

On January 3rd, 2008, LibertyReserve published a message it had received from patrkell@fastem.com. The senders described themselves as an anonymous group of hackers and claimed to have received a payment of $7,000 from v-money.com to DDoS (distributed denial of service) the site, but offered a way out: "if you desire for $8,000 we stop this attack, e-gold is only accepted...Today our team is started with DDoS in intermittent way, if we won't receive the answer and e-gold payment today the attack will be increased on time to time basis".

The subsequent degradation of network performance confirmed that the site had become the victim of a DDoS attack. Lately, account holders of Pecunix have also voiced worries about the state of that payment system's network. They were neither able to log in at http://www.pecunix.com/ nor to carry out any transactions, with their assets locked in their accounts. Some bloggers suggested logging in through http://www.secure.pecunix.com/ instead. Meanwhile, various opinions were expressed as to the real reason for the shutdown of the site. The first, of course, was a massive DDoS attack. Another version held that the system had money problems that left it unable to pay its account holders back; this is unproven, however, and we may assume there is a strong possibility that Pecunix staged the whole situation in order to gain time to use its account holders' assets for its own purposes, hiding "dirty intentions" behind the mask of a DDoS victim. As if in support of this idea, we have found that some Pecunix users claimed compensation for losses, calculated as lost profit over the period during which their funds were not accessible. Strangely, the site has experienced trouble since September 2, 2007, and to this day users cannot log in the regular way. One more thing to add: recently two leading HYIP web sites, Offshores.us and Expert Traders, were hit by DDoS attacks that shut them down for two days. The frequency and severity of DDoS attacks against high-risk sites, and the leaks of personal databases they cause, add still more risk to investments that are obviously not covered by the high interest rates.

So what is a DDoS attack, who are the main targets, how can one determine that a site is under DDoS attack, and how can it be prevented?

1. General

According to Wikipedia, a DDoS attack is mainly an attempt to make a computer resource unavailable to its users. It generally consists of the concerted, malevolent efforts of a person or organized group to prevent an Internet site or service from functioning properly, or to shut it down, temporarily or indefinitely. In other words, a DDoS occurs when a hacker injects malware into machines across the Internet and uses them to send a flood of requests to a server until it becomes overwhelmed and stops functioning.

There is a significant difference between DoS and DDoS attacks. In the first case the attacker launches the attack (a smurf attack, for example) from a single host; in general, any attack aimed at availability is classified as DoS. If, by contrast, the attackers use thousands of zombie computers to direct malicious traffic at the remote host simultaneously, it is classified as DDoS (distributed denial of service).

2. Major signs

According to the US Computer Emergency Readiness Team, several signs distinguish a DDoS attack:

- abnormally slow network performance (when logging in or opening files);

- unavailability of a particular web site, temporarily or indefinitely;

- inability to access any web site;

- a sharp increase in the number of spam e-mails received.

3. Implementation and distributive methods

Attackers use different methods to flood the bandwidth or resources of the victim's web site or server:

- flooding the network with traffic that chokes off the flow of legitimate traffic;

- disrupting the server by sending more requests than it can possibly handle, thereby preventing access to the service.

Common ways of launching a DDoS attack are as follows:

- forcing the computer to reset, or consuming its resources so that it can no longer provide its service;

- obstructing the communication media between the intended users and the victim so that they are no longer able to communicate adequately.

As to the methods of distributing the malware, there are several ways it can be done:

- malware can carry DDoS attack mechanisms (MyDoom, for example) that are triggered at a particular time and date;

- a system can also be compromised with a Trojan that downloads a zombie agent;

- a system can be broken into with an automated tool that exploits flaws in programs that listen for connections from remote hosts;

- Stacheldraht is a telling example of a DDoS tool that uses a layered structure: the attacker uses a client program to connect to handlers, which issue commands to the zombie agents that later carry out the DDoS attack. Each handler can control up to a thousand agents.

However, within the last year experts in the anti-DDoS sector have noticed a new trend in launching DDoS attacks. Attackers can now control any number of PCs without infecting them with sophisticated malware. Instead, they use popular servers in P2P (peer-to-peer) networks, or web servers, to embed browser malware in JavaScript or Flash. Based on the latest studies by Prolexic, we may predict that future DDoS attackers will focus on the APIs of Web 2.0 sites as the easiest way to distribute new browser malware.

4. Global cyberspace is under attack

Every day a tremendous number of sites are under DDoS attack, which locally can cause appreciable data loss and damage; but in October 2002 cyberspace analysts were shocked by the first attack to disrupt service at 9 of the 13 root servers that serve all Internet users. The DDoS attempt against these servers was therefore regarded as an attempt to shut down the entire Internet. The second global attack occurred in February 2007 and disrupted 2 root servers. As Ted Julian, co-founder of Arbor Networks (a vendor of anti-DDoS monitoring systems), later declared: "It changes from a local attack of actual Web sites to a global attack". During the root server attack, the hackers sent fake ping requests (usually via ICMP), the queries one host sends another to determine whether a communication path between the two is available. Within an hour the root servers were flooded with ICMP requests, causing several of them to become unavailable to regular Internet traffic. We have been told that "limiting the amount of ICMP traffic acceptable to root servers might prevent the attack". Earlier, in April and then in May 2007, the cyberworld witnessed the launch of DDoS attacks by 200,000 attacking computers. Each computer sent a small amount of data on its own, but at a given moment over 80,000 connections were open. The damage from the flood was unprecedented.

5. Main targets

Generalizing the categories of victims that have experienced DDoS attacks, we would split them into the following groups:

- sites or services hosted on high-profile web servers, such as banks, credit card payment gateways and DNS root servers;

- web-centric companies with an extended distribution or branch network that hold an immense database;

- companies with small-to-medium IT and security budgets; there is an exception, however: a web site that claims to have the strongest anti-DDoS protection may become a victim of DDoS attackers just like any other company. The severity of the attack in that case depends on the ego and ambition of the attackers;

- networks whose owners don't have the bandwidth or a mitigation solution in place against DDoS attacks, so that attackers regard them as suitable targets.

The preferred and most easily broken networks are those of online gambling sites. Note that attackers usually probe the anti-DDoS system with a DoS before launching the DDoS attack, to see how the server responds.

6. Price

The price of a DDoS attack may vary from $300 to $13 million per person per incident, depending on the client, its budget, the level of DDoS protection and, of course, the appetite of the hacker. The market offers a great variety of tools for sale or lease that facilitate the development of different types of malware, viruses, scams and botnets, including DDoS platforms that make launching an attack easier. For example, we have found the Black Energy botnet, considered the bestseller of the hackers' holiday shopping, offered on short-term lease for only $80/hour. Low-cost options start from $10 for 1 million bots, suitable for conveniently distributing smaller spam loads or malware.

7. The most popular types of DDoS

Based on the main type of distribution, there are several main forms of DDoS that can serve as a basis for classification:

- Smurf attack: a type of flooding DoS using an amplification network, in which ICMP packets are sent to all hosts on a particular network via the network's broadcast address;

- Ping flood: an overwhelming number of ICMP packets are sent directly to the victim, for example with the "ping -f" command;

- SYN flood: the attacker sends initial SYN packets; the server answers each with a TCP SYN/ACK to the sender address and waits for the reply, but because the sender's address is forged the reply never comes. Since each such packet is held as a half-open connection request, they saturate the number of connections the server is able to accept, keeping it from responding to legitimate requests until the end of the attack.

- Land: spoofed SYN packets with both source and destination addresses set to the victim site. This causes the system to crash as it attempts to respond to its own packet.

- Teardrop: the attack consists of fragmented IP packets with overlapping, oversized payloads sent to the victim. While trying to reassemble them, the system creates an invalid UDP packet, causing a system error, crash or reboot.

- Peer-to-peer attack: as we mentioned above, hackers have found a way to carry out a DoS attack without the use of botnets. The attacker instructs clients of large peer-to-peer file-sharing hubs to disconnect from their P2P network and connect to the target web site instead. A regular site can handle a few hundred connections, compared to the over 750,000 connections opened in short order during a moderate P2P attack.
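A defender's-side check for the SYN flood sign described above, added here as an example and not part of the original article or any product it mentions: it counts half-open (SYN_RECV) connections in constructed "netstat -ant"-style output and, using the DoS/DDoS distinction from section 1, reports whether the half-open load comes from a single source or from many. The listen-backlog size and the alert ratio are assumptions.

```python
# Added example: SYN-flood indicator check over netstat-style connection rows.
# Not code from the article; backlog size and alert ratio below are assumed values.
from collections import Counter

# Constructed sample rows in "netstat -ant" layout: proto recv-q send-q local remote state
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 203.0.113.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.21:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.22:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.23:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.24:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.25:40005 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.26:40006 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:51300 ESTABLISHED
tcp 0 0 10.0.0.5:443 192.0.2.44:55000 SYN_RECV
"""


def parse_half_open(netstat_text):
    """Return a Counter of remote IPs that hold half-open (SYN_RECV) connections."""
    half_open = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers and non-TCP rows; a TCP row has at least six columns.
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        remote, state = fields[4], fields[5]
        if state == "SYN_RECV":
            half_open[remote.rsplit(":", 1)[0]] += 1   # strip the remote port
    return half_open


def assess(netstat_text, backlog=8, warn_ratio=0.5):
    """Classify the half-open load as 'normal', 'dos' or 'ddos'.

    backlog: assumed size of the listen queue that half-open entries can fill.
    warn_ratio: assumed fraction of the backlog at which an alert is raised.
    Returns (verdict, number_of_half_open_connections).
    """
    half_open = parse_half_open(netstat_text)
    total = sum(half_open.values())
    if total == 0 or total < backlog * warn_ratio:
        return "normal", total
    # One source holding most half-open slots looks like a single-host DoS;
    # spread across many (often forged) sources looks like a distributed flood.
    top_share = half_open.most_common(1)[0][1] / total
    return ("dos" if top_share > 0.8 else "ddos"), total
```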

8. Prevention

As with any type of attack or injection of malware into a victim's system, there are preventive methods that help avoid the potential losses and damage related to degraded network performance, which in some cases means a shutdown of the site. This matters especially in such sensitive cases as payment systems, HYIPs, independent exchangers, banks and so on. The best preventive method is to be prepared for a possible attack. Another simple solution is to keep the sensitive database isolated. A separate emergency block of IP addresses for critical servers, with a separate route, can be a solution as well. As far as bloggers are concerned, filtering and firewalls can hardly protect a network from DDoS: first of all, the route to the filter may itself be swamped, so that only a trickle of traffic survives; as for firewalls, they are unable to separate legitimate traffic from malicious DoS flood traffic, since they simply allow or deny protocols, ports and IP addresses.

Over 10,000 DDoS attack incidents are registered on the Internet daily. Some web sites deny being under massive DDoS attack, fearing the loss of customers' trust, business reputation or brand name. Some victims face cyberextortion, and every time the network owners ask themselves the same question: whether to pay the cybercriminals or not. The respective authorities, such as FBI officials, usually advise against paying, as it may provoke further DDoS attacks of increased frequency and severity. Don't forget that the hackers communicate over the same Internet channels as we do, meeting at conferences to discuss the development of the cybercriminal world and to perfect their methods of collecting "easy money", including via DDoS.

And a last remark: note that e-gold.com has never experienced trouble with DDoS attacks. Whether that is because of advanced anti-DDoS protection or because the hackers don't want to harm the payment system they use to extort money remains an unrevealed mystery.

Natalia, reporter of Ecommerce Journal
