
Death Knell For DDoS Extortion?

Ron writes "Symantec security researcher Yazan Gable has put forward an explanation as to why the number of denial of service attacks has been declining (coincident with the rise of spam). His theory is that DoS attacks are no longer profitable to attackers. While spam and phishing attacks directly generate profit, he argues that extortion techniques often used with DoS attacks are far more risky and often make an attacker no profit at all. Gable writes: 'So what happens if the target of the attack refuses to pay? The DoS extortionist is obligated to carry out a prolonged DoS attack against them to follow through on their threats. For a DoS extortionist, this is the worst scenario because they have to risk their bot network for nothing at all. Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has to spend time and resources on a lost cause.'"
  • by Penguinisto ( 415985 ) on Tuesday May 01, 2007 @07:32PM (#18949183) Journal
    The author, if I read this correctly, assumes that the risk is constant... but compare the profit from spammers (who can make payments more directly, as noted), and extortionists (who stand a good --not perfect, but good-- chance of having that payment traced/tracked). Sure, it'll go to some money-handling service in Russia or whatnot, but that wouldn't put it completely out of the realm of trackability.

    They still want the money somehow, and getting it bears higher risk with extortion than by simply grabbing dough under-the-table from spammers.

    I suspect (okay, hope?) that spamming will begin to lose its profit motive as well, as users become computer-literate enough en masse to ignore emailed pitches... making the reward not really worth the effort. Even the dumbest user can get ripped off only so many times before they either a) go broke, or b) figure out that maybe they should stop buying stuff from spammers.

    /P

  • by Penguinisto ( 415985 ) on Tuesday May 01, 2007 @07:39PM (#18949269) Journal
    Could be that someday, somebody is going to cobble together a P2P-style redundant agent that could convert a botnet into a big-assed torrent server.

    I mean, what better place (from an objective POV) to park warez and illicit data (e.g. certain types of illegal pr0n), than on some unsuspecting schlep's machinery?

    The mobsters then charge admittance by way of proxies (conceptual term, not 'w.x.y.z:8080') and advertise by way of spam?

    /P

  • by MoxFulder ( 159829 ) on Tuesday May 01, 2007 @09:10PM (#18949983) Homepage

    Got some nuclear research you'd like to do but don't have the resources to create a super computer? rent a botnet!

    Funny, but unlikely I think.

    Botnets wouldn't be all that good for supercomputing, except maybe of highly parallelizable problems (voluntary networks like SETI@home already work on those). Botnets don't have the fast communication links between nodes which are vital to the performance of most supercomputers... which often incorporate fancy network technologies like Infiniband or Fiber Channel or even just good ol' 100/1000-MBit ethernet.

    As I see it, the main advantage of botnets is their massive outgoing network bandwidth: ten thousand desktops with broadband, averaging conservatively 5 kB/s outbound, gives a whopping 50 MB/s. A commodity computer can EASILY spit out 50 MB of email per second with some intelligent software... but *paying for* the bandwidth to actually send it that fast would be absolutely prohibitive. That's the real reason spammers use botnets.

    (Of course, there's also the fact that botnets are a lot harder to isolate and blacklist than a single server.)
  • Assumptions (Score:1, Interesting)

    by sortius_nod ( 1080919 ) on Tuesday May 01, 2007 @10:06PM (#18950371) Homepage
    I think it's a bit stupid to assume that the attacks having gone down is a result of not paying up. IMO it would be more of an indication of companies paying up.

    Think about it. If you run a large corporation that downtime means losses that can run into the millions of dollars even for a short duration, add to this the cost of untangling any sort of mess associated with this downtime and that's a hefty bill. It would be stupid to risk the possibility of losing money (and possibly clients) due to downtime when it can be easily avoided by paying a fraction of the cost to some monkey with a botnet.

    The last thing any corporation is going to do is admit to this. On top of that, any extortionist that knows you don't over extort organisations.

    Seriously, saying that DoS attacks are down due to people not paying up is just stupid.

    Do we expect anything less from Symantec though?
  • by fermion ( 181285 ) on Tuesday May 01, 2007 @10:39PM (#18950685) Homepage Journal
    No, by this logic it means that few would conduct such attacks for money. However we know that people conduct attacks for many other reasons. The assumption that attacks occur only for direct cash rewards results in miscalculations that cause significant holes in security systems and can even start wars.

    On the relatively benign side we know that people crack security just to see if it can be done, to test their wits against a verified expert. On the less benign side, fanatics might attack because they think the act will give them some other reward. For instance, if we take a purely hypothetical example, religious fanatics might be told by their Pastor to attack the web site of some godless politician so the preferred candidate might have a better chance of winning and installing other fanatics in traditionally secular positions. Such attacks would have a defined timeframe, and therefore predictable costs and risk, and win or lose, would at least have a terroristic effect. Such an attack would be clearly logical, profitable, and effective.

  • by eraser.cpp ( 711313 ) on Wednesday May 02, 2007 @12:59AM (#18952051) Homepage
    I'm of the opinion that the software industry has just wised up a bit to security threats. IT too has become better at reducing their surface area of attack and patching products; Windows automatic updates probably did a world of good. Many ISPs filter the majority (all?) ports open by default on Windows as well. I help run a fairly large IRC network and we have seen the frequency of botnet activity and DDoS attacks drop dramatically over the last couple years. It's good and bad, I personally found things a little more exciting when a major hole would come out and chaos would ensue for the next week. Remember when blaster came out and the Internet ground to a halt?
  • by linenoise ( 34380 ) on Wednesday May 02, 2007 @01:03AM (#18952095)

    Another factor why the DDoS extortion of today is less profitable than a few years back is the existence of mechanisms to mitigate attacks more effectively. Companies like Arbor Networks and Cisco make products that let enterprises and Service Providers quickly flip a switch to redirect and protect legitimate customer traffic. I helped design the Sprint IP Defender [sprint.com] solution, providing Sprint customers both quick notification of a security event AND the option to circumvent the issue. This takes all the control away from the extortionists.

    Naturally, being employed in the managed security space, I have a dichotomy of interests that should not be forgotten - yes I want to see DDoS incidents being eliminated BUT yes I work for a company where fear of an incident leads companies to buy services from us which in turn drives up my 401k. There is big business in fear, but hey, if you lose $100k in revenue every 10 minutes your network is down, it only makes sense that you protect that income stream. Anyways, for every one extortionist, there are three script-kiddies hanging out in #l33tddos on EFnet wanting to see the level of damage he/she can impose.......

    G'night all.
  • by Anonymous Coward on Wednesday May 02, 2007 @06:57AM (#18954305)
    I think the real reason is that extortions do not make real sense in an online environment. Why:

    There is no real threat. You will never get killed/injured it is just about numbers. And since: If you pay once you will pay twice (and thrice...) is so true it is better/cheaper to never ever pay and just take the pain once. You will just lose cash, no fingers!

    There is no way to protect a turf. If I pay a) then b) could extort me also or even worse a) could pretend to be b) or c) now to extort even more money. In real life I only pay the guys who own (and protect) the turf. And nobody else. Extortion in real life is either about protection also, or it is life/health threatening.

  • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday May 02, 2007 @09:47AM (#18955979)

    In the present scenario the potential extortionist has a choice - spam or extort. Spamming is currently more profitable, or so the argument goes, and therefore, there are fewer extortions.

    That's a nice theory, but I don't think that is what happens in practice. From what I've seen no one runs a botnet that is constantly sending spam or performing attacks. They spend most of their time idle. If you know the right places to look there are some nice Web interfaces where you can transfer money from paypal to rent out control of a botnet for a set amount of time. The operator doesn't care if you're spamming or DDoSing people, only that he got paid. Thus, while people may find spamming more profitable, others will see a good extortion opportunity and take that as well, and still others will DDoS their competitors, or former employer, or government they dislike, or anyone else they are mad at.
