Death Knell For DDoS Extortion?

Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"

Still potent

[the code is 09 F9 11]

this just relegates the Spammer to having to attack smaller sites, who cannot afford to bear the brunt of the assult as long as a large site can

DDoS will be around for a while still

No extortion ever, then!

[The_Wilschon]

By this logic, nobody would ever engage in any kind of extortion. Clearly, people do, so either people are just acting illogically, or there is some flaw. I'm guessing some of both.

Re:The payment risk has also prolly risen as well.

[tmarthal]

He also doesn't seem to get that sometimes people DoS sites out of spite [slashdot.org] or out of malice [vitalsecurity.org].

You can't put a pricetag on being an asshole to the internet community.

One assumption though...

[Chabil Ha']

That all DDoS attacks are for the purpose of extortion. Does nobody do these things simply because they just want to blackball someone [wikipedia.org] anymore? No, this isn't the death of the DDoS.

The victim still pays indirectly

[southpolesammy]

Even if the victim doesn't pony up to stop the DoS, they still pay in lost service and opportunity. In this regard, a DoS against a big moneymaking site means a huge loss of revenue. How long until an ethically-challenged company DoS's their competition?

Re:No extortion ever, then!

[R3d M3rcury]

It's sort of like kidnapping.

Way back when, kidnapping was a pretty good way to make some quick cash. Grab somebody's significant other and tell them to deliver money to see them again. The automobile was pretty new and you could grab somebody and get them far enough away in a short amount of time that local law enforcement couldn't deal with it.

Thus, the feds were immediately brought in to any kidnapping case. Because the FBI had kidnapping specialists who knew all the angles, kidnapping for ransom became very unsuccessful. Nowadays, you rarely hear of a kidnapping case with a ransom demand here in the United States. It's just not worh it.

Re:Maybe not even spam so much... there is worse:

[blhack]

They already do that. See: the entire movie bootlegging scene.

Re:botnet for personal projects?

[element-o.p.]

...and Skynet was born <shudder>

Why even bother to make good on your threat?

[seaturnip]

If someone refuses to pay, just don't DDoS them and move on. It's not like your reputation for following through on threats is on the line, you're a secretive criminal.

I don't think that's his concern..

[msimm]

There will always be kiddie. But Symantec should be focused on the CTO and the SMB/Enterprise customer. The kinds of places they've targeted these [symantec.com] kinds products at.

Suggesting that DDOS attacks will go away would be silly, but as a business concern which security companies have whipped up to a somewhat feverish pitch this is a sign that these concerns are changing. Anyway, DDOS solutions where probably nowhere near as lucrative as other more trendy areas of network protection (spam/worms/malicious web-content filtering/ids/data retention etc).

Not the point

[tygerstripes]

While that's certainly true, I think you're missing the point of the article - that DDoS attacks simply aren't worth the effort and risk when compared to the perfectly viable alternative of spamming.

If you can choose two ventures, one of which will almost certainly generate revenue with very little risk to you, and the other of which often generates no revenue at all but poses a high risk to your liberty and your resources, which do you choose?

Doesn't work?

[tygerstripes]

I don't think this would hold true in the corporate world.

Most businesses who refuse to pay up get someone in quickly to prevent their internet tubes getting clogged. Either that or (if it's cheaper) just let it happen, and find a way around it or ride it out. Either way, they won't actually publicise the proposed extortion as it's bad PR for them. Similarly, if they do pay up, nobody ever finds out about it - so there's no PR again. (Obviously there are exceptions in both cases, but for every exception you can guarantee there will be a few that meet this pattern).

To piggy-back the analogy; if nobody ever found out about the murders or the threats thereof, it would be all effort and no PR return for the dealer.