Death Knell For DDoS Extortion?
Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"
Still potent (Score:2, Insightful)
DDoS will be around for a while still
No extortion ever, then! (Score:3, Insightful)
Re:The payment risk has also prolly risen as well. (Score:5, Insightful)
You can't put a pricetag on being an asshole to the internet community.
One assumption though... (Score:5, Insightful)
The victim still pays indirectly (Score:4, Insightful)
Re:No extortion ever, then! (Score:5, Insightful)
Way back when, kidnapping was a pretty good way to make some quick cash. Grab somebody's significant other and tell them to deliver money to see them again. The automobile was pretty new and you could grab somebody and get them far enough away in a short amount of time that local law enforcement couldn't deal with it.
Thus, the feds were immediately brought in to any kidnapping case. Because the FBI had kidnapping specialists who knew all the angles, kidnapping for ransom became very unsuccessful. Nowadays, you rarely hear of a kidnapping case with a ransom demand here in the United States. It's just not worth it.
Re:Maybe not even spam so much... there is worse: (Score:2, Insightful)
Re:botnet for personal projects? (Score:3, Insightful)
Why even bother to make good on your threat? (Score:3, Insightful)
I don't think that's his concern.. (Score:3, Insightful)
Suggesting that DDOS attacks will go away would be silly, but as a business concern which security companies have whipped up to a somewhat feverish pitch this is a sign that these concerns are changing. Anyway, DDOS solutions were probably nowhere near as lucrative as other more trendy areas of network protection (spam/worms/malicious web-content filtering/ids/data retention etc).
Not the point (Score:4, Insightful)
If you can choose two ventures, one of which will almost certainly generate revenue with very little risk to you, and the other of which often generates no revenue at all but poses a high risk to your liberty and your resources, which do you choose?
Doesn't work? (Score:3, Insightful)
Most businesses who refuse to pay up get someone in quickly to prevent their internet tubes getting clogged. Either that or (if it's cheaper) just let it happen, and find a way around it or ride it out. Either way, they won't actually publicise the proposed extortion as it's bad PR for them. Similarly, if they do pay up, nobody ever finds out about it - so there's no PR again. (Obviously there are exceptions in both cases, but for every exception you can guarantee there will be a few that meet this pattern).
To piggy-back the analogy; if nobody ever found out about the murders or the threats thereof, it would be all effort and no PR return for the dealer.