This month, a multi-national law enforcement team led by Europol arrested a key player believed to be behind the 2015 distributed denial of service (DDoS) extortion attacks by the criminal gang DD4BC (short for Distributed Denial of Service for Bitcoin). The gang formed in 2014 by targeting online gambling interests, and more recently expanded operations to another lucrative target -- financial institutions.
The attack unfolded as DD4BC honed in on their target and triggered a DDoS attack in the 25-35 Gbps range. Victims received a “ransom note” demanding 30 to 40 bitcoins (about $13,000 to $17,000) as insurance against a second, stronger attack as detailed in this threat intelligence report.
While the arrest of the threat actors behind DD4BC is good news, DDoS attacks will continue as targeted organizations pay the ransom fees. However, previous extortion attempts show few reasons to pay up. A larger secondary attack rarely occurs. In fact, paying an attacker could lead to additional attacks. In 2015, Switzerland-based ProtonMail paid a ransom as part of a DDoS extortion attack and went public with its actions. The result? Other DDoS attackers zeroed in and demanded payoffs.
Fortunately, most organizations can defend themselves against DDoS attacks using the following guidelines. First, institute strong external network-facing access control lists (ACLs) to keep all out-of-profile traffic off servers. For example, on a web server, only allow TCP port 80 and/or 443. Block out all other traffic, and aggressively time-out “half-open” network traffic designed to fill up connection tables. High-risk organizations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks.
Most importantly, set up robust monitoring to identify these types of attacks and patterns during the early stages of an attack. The upstream ISP should be notified to place mitigations on their connected devices to protect networks. DDoS commercial products are an option, but organizations can take several proactive steps to help minimize the impact of these attacks.
While the exact numbers of victims targeted by DD4BC are unknown, best estimates place the numbers in the thousands. Collecting and sharing information with law enforcement is crucial. Unfortunately, many organizations fail to report extortion attacks. To assist law enforcement, organizations should provide several key pieces of information to law enforcement and/or their security vendors. An e-mail threatening DDoS should be preserved with full headers, timestamps of the attack with the victim’s IP, size of attack, and a profile of the type of DDoS attack (with packet captures if possible). Collection should not be limited to these items -- basically any data that can be shared can be helpful in tracking these attacks to their originator and bringing cyber criminals to justice.