The New DDoS: Silent, Organized, and Profitable

Depending on how unscrupulous your business practices are, a denial-of-service attack can give you a competitive advantage. From keeping competitors offline to engaging in outright extortion, there are organizations (some more obviously criminal than others) now using DDoS attacks to make big money.

For those on the receiving end, DDoS attacks are expensive. If you want to avoid losing a lot of money, it pays to be insured. And it's better to get your protection from the good guys.

Corero Network Security is a company that fits into a small but growing sector of the information security community. It looks at ways to combat the increasingly sophisticated -- and often untraceable -- denial-of-service attacks targeting organizations of all kinds. The company says the bulk of the attacks today are not the spectacular, ideology-driven kinds that grab headlines.

"Most of the attacks, we know, involve things like unfair competition," says Neil Roiter, research director of Corero Network Security Inc. "In other words, another company in your own market, your own sector, hitting you to knock you offline, to chase away customers, to lure customers to their own site."

Roiter adds that when Corero surveyed companies in the U.S. subjected to DDoS attack, more than half believed they had been targeted by the competition. Then there are other attacks: ones that are essentially information age protection rackets.

"It's like the old protection racket where guys come into your shop, your store, like in the movies and they say, 'You have a nice place here. It would be a shame if something bad happened to it. Or happened to you.'

"You'll get an email or phone call saying, 'Pay us $50,000 by such and such a time, transfer it to this account, or we're going to knock your site offline.'"

At first glance, Canada appears to have avoided the scourge of these sorts of "professional" DDoS attacks. David Black, manager of the RCMP technology crime branch's cyber crime fusion team, says he hasn't encountered many cases of DDoS extortion in Canada, though the threat is certainly present.

"Any company is vulnerable to this, in a sense," says Black. "If their business depends on 24/7 network connection, extortion could be a reality."

He adds that it's "very rare" to catch a company knocking down a competitor's site in Canada. But again, he cautions that this doesn't mean they won't occur in the future.

"We are at high risk, don't get me wrong," Black says. "Just the examples aren't there."

But Roiter suggests there may plenty of examples that the police simply don't know about. Extortion, he says, is a crime that usually goes unreported, making it impossible to know how prevalent it is. While countries do differ in terms of the types of DDoS attacks they experience, certain industries are magnets for these types of crimes, Roiter says. He notes, for example, that Canada has a "healthy online gambling industry."

"Gambling sites are very popular targets. There's a lot of that that goes on in online gambling. And usually they'll pay the ransom. Think of it this way: somebody gives you that call before World Cup match when you know you're going to be doing hundreds of thousands, maybe a million dollars in business, and they say, 'pay us $50,000' or '£30,000' or whatever it is. You're going to pay."

Roiter says part of the reason that companies are forced to give into criminals' demands is not necessarily that they haven't taken protective measures, but that they haven't taken the right ones. They may be protected from network-based attacks and aren't ready for the newer application-level attacks.

"The networking flooding attacks, the SYN flood, the UDP attacks, the ICMP attacks, those sorts of things are becoming less prevalent, and application-layer attacks, which use far less bandwidth and are much harder to detect and mitigate, are becoming dominant."

To combat such attacks, Corero's security platform uses analysis to examine whether a protocol is behaving properly and a rate-limiting technique that assigns it either a credit or demerit point. With enough demerits, the system will perceive a threat and immediately block it off.

The company has more than 20 major Canadian clients, including financial and government institutions. Dave Millier, CEO of Toronto-based Sentry Metrics Inc., says his company was the primary reseller for Top Layer Networks Inc., a company Corero acquired in 2011 that was one of the biggest players in the DDoS market.

Millier says in general, Corero's "claim to fame" in preventing DDoS attacks is their ability to ensure business continuity in the midst of an attack. "They can sustain multi-hundred megabit attacks, while still allowing acceptable performance of the Web services that are running on the systems inside the network itself."

This is accomplished by placing the Corero boxes outside of the network and firewall to identify and block threats more quickly. "All the data still comes to the Corero box, but it's intelligent enough to actually in effect drop the connections before they ever get to the devices that are trying to be connected to."

From the RCMP's perspective, says Black, one of the best ways to combat DDoS crime in Canada is to seek guidance from the Canadian Cyber Incident Response Centre (CCIRC). Businesses can also report cyber threat incidents to the Centre. And as they increase, it will play an increasingly important role, he says.

"As this business grows and matures, for advice on how to prevent ... (that's) a great role for CCIRC," he says.

Subscribe to the Security Watch Newsletter

Comments