DDoS Extortionist’s Behaviors

Using DDoS Extortionist’s Behaviors as a tool to defend your organization.

Smart and prepared organizations use DDoS Extortionist’s Behaviors as a Defensive Tool. We have a long history of DDoS Extortionists. In the early 2000s, we had DDoS Extortionists who would threaten “gambling sites” with a DDoS Attack 30 minutes before a match. This crew was later tracked by law enforcement and arrested. DDoS Extortion has many similarities to physical world extortion. The key difference is the ability to deter the Extortionist through law enforcement actions. The physical world has the strength of local law enforcement. On the Internet, the DDoS Extortionists are obscured and in other countries. Yet, the Extortion countermeasures used in the physical world have a direct application to the Internet world

DDoS Extortion is not very different from a protection racket. Imagine a store owner in a city somewhere in the world. An Extortionist who is part of a protection racket will come by with a bat, threaten the shop owner, break a few things, then say, “get me money or I’ll do worse.” The shop owner does not give in to the threats. They focus on increased protection for the store. They get new store alarms, security cameras, new locks, cages for the windows, and additional insurance. When the Extortionist comes back, they see all the protections, know that it will be more difficult, and decide to hit other victims first.

The extortion threat has not gone away. The additional defenses only push the extortion miscreants to other victims. Once the Extortionist finishes with their victim list, they return to the shops who have not paid. They then threaten, “you have not paid me, pay up work. I’m going to do worse.” To make a point, the Extortionist firebombs one of the stores to make a point.

This protection rack example is what is happening with the DDoS Extortion crew. DDoS Extortion mirrors the behavior you see in organized crime behaviors. Please take the time to review Akamai’s internal processes. Please have meaningful security conversations with your customers and make sure they have everything covered. We’re seeing many PLX and Kona customers exported to simple things like Authoritative DNS and Origin protections (systems weaknesses that DDoS Extortionist could spot).

Core Themes to Remember with DDoS Extortionist

There will always be a human and motivation behind every DDoS Attack. The security industry has a huge problem in combatting DDoS Attacks. People geek out on the details of the attack, the packet types, the sources, the protocols, the target, the impact, and the size of the attack. It is the equivalent of a Police Chief giving a process conference on a bank robbery and talking about the color of the gun, the size of the gun, how many guns were used, the type of bullets in the gun … with no description of the bank robbers.

GUNS DO NOT ROB BANKS! People use guns to rob a bank. Conversely, BOTNETS DO NOT START DDOS ATTACKS! People use botnets to launch the attacks. This core principle can provide organizations with tools to minimize the impact of DDoS Extortion through preparation focused response to extortion threats. Let explore some of these principles.

• The DDoS extortionists continue their campaigns. They will only stop when they are arrested, feel threatened by arrest, or exhaust their pool of DDoS Extortion victims. The Internet is big with a lot of potential DDoS Extortion victims.
• Invest in DDoS Preparation. We know a lot about these miscreants, but it’s also critically important to prepare for customer situations by understanding our processes and by being aware and knowledgeable about the materials listed below.
• Call in Law Enforcement! DDoS Extortion only Stops when there is an Arrest or the Money Drys up! We — the public-private partnerships — do find and arrest the DDoS Extortionist. That only happens if the victims report the crime to the national/local police. If the local police do not know how to handle the case, ask them to contact the National Cyber-Forensics and Training Alliance (NCFTA). NCFTA plugs in law enforcement all over the world, works with Interpol, Europol, ISACS, and a range of private industry partners. NCFTA will always be in the middle of a big DDoS Extortion campaign.
• Do not let down your guard! DDOS Extortion happens in cycles. DDoS Extortion has been coming every other year since the early 2000s with miscreants figured out that Extortion Protection Racket works on the Internet. They have continued to evolve over time using crypto-currency.
• Do not think you are “immune” from DDoS Extortion. DDoS Extortion is about the criminals figuring out how to motivate you to give them money. Once they know how to get money from you, they will put you on the target list.

Understanding the DDoS Extortionist Behavior

The DDoS extortionists continue their campaigns until “something” stops the people behind the extortions. They will only stop when they are arrested, feel threatened by arrest, or exhaust their pool of DDoS Extortion victims. The Internet is big with a lot of potential DDoS Extortion victims. International law enforcement investigations do work, but these resources are specialized, scarce, and in high demand. Law Enforcement will take time to work with the industry to pinpoint the miscreants, collect evidence, build a case, align the international effort, and then make an arrest.

Based on ~18 years of DDoS Extortion investigations, here’s what we know about those who are carrying out these DDoS campaigns:

• Their goal is to make money through criminal extortion. No potential for money = no attack.
• They do their homework. They figure out the emails that are most likely to see and react to the extortion letters.
• They scout their targets. They look for easy targets that take the least effort. Their goal is NOT to work too hard. Their first targets could be DNS Authoritative servers, web properties, API services, and other easy elements that can be whacked with a basic DDoS attack.
• They focus on industry verticals. We saw the miscreants start on Financial Services then migrate to Travel, then move on to other verticals. If we see an organization in one industry get hit (e.g. Oil and Natural Gas) expect a focus on peer companies within that industry.
• They pivot quickly. Their goal is to make money through criminal DDoS extortion. If organizations do not respond, then there is no point in persisting. They will move on to other targets.
• Many organizations have not been paying attention to the DDoS risk! Basic DDoS preventative actions work. The guides included later in this blog provide low-cost, low-risk countermeasures to mitigate DDoS risk when threaten by an extortionist.
• DNS authoritative name servers are targeted. DNS is critical to all Akamai services (see Akamai Reference Architectures). Migrating customers to Edge DNS has been a proven tactic in mitigating attacks from DDoS extortionists. There is a new guide to help customers review their DNS Resiliency options: Rapid Edge DNS Onboarding — DDoS Attacks Against DNS.

Using DDoS Extortion Behaviors to Prioritize Your Response

DDoS Extortionists follows patterns that mirror the Physical World Extortionist. Organizations that are threatened by DDoS Extortion can minimize their risk if they focus first on the preparation that discourages the people behind DDoS Extortion. Here are some examples of how you can leverage know DDoS Extortionist behavior as a “do these items first” measure.

Make it Easier to Catch the DDoS Extortionist. The Miscreants don’t want to get caught. Calling the appropriate law enforcement teams to let them know the Extortion is happening and providing them with the Extortion letter contributes to the larger efforts to find and arrest the Extortionist. Reaching out to your TLP: RED Trusted security group puts other peer organizations on alert as well as asking for their assistance. There is more you can do to help track down and catch the miscreants. The Team who helped track down the DD4BC DDoS Extortion crew crafted this guide to help organizations set up their security tools to collect data and contribute to catching the miscreants. Preparing for DOS Attacks — the Essentials (Reporting DoS Attacks are the Key to Fighting Back!)

Make the Miscreants Work Harder. The goal of DDoS Extortion is to use simple DDoS tools to make quick money. If they work hard, then the return on investment of their criminal time would not be worth it. Having the team look for simple attack vectors and plugging up those DDoS Risk are quick deterrence. A robust DNS Security architecture with 6 or more nameservers spread throughout the world deter attacks on weak DNS Authoritative architectures. Having the major web properties on CDNs, WAFs, or Anti-DDOS Scrubbing systems make it harder for the DDoS Extortionist. The key when under DDoS Extortion threat is to make life harder for the miscreant. Later, a review of the DDoS Resiliency Architecture will find the appropriate and customer effective solutions that maintain the difficulty for miscreants to attack the organization.

Look for “Coupled Dependencies.” Why attack port 80/443 on the organization’s web service when the exposed API supporting the applications is an easier target? DDoS Extortionists will do their homeworld. They will scout their target to see how best to prove their threat, entice payment, and then really cause damage if the payment is not received. That means they will look for the non-obvious elements that other services depend on. These coupled dependencies are often the “weak security underbelly” that takes little effort to whack. The most obvious “weaknesses” are the APIs and DNS Authoritative servers. Major organizations have been taken out because their two DNS Nameservers were behind two routers that were easily DDoSed. Every service depends on DNS. Again, DDoS Extortion is about an optimized return on investment. It is very cost-effective to turn DNS into a “Hidden Primary” and API into “hidden origin” with the visible service pushed to the cloud.

What is Next?

Remember, DDoS Extortion is launched by people. Your enemy is people. People have behaviors. Many times those behaviors mirror criminal patterns from the physical world. Those lessons can be applied to focus an Organization’s reaction to DDoS Extortion, triaging which actions to take first to best minimize risk.

What is next? Pull your team together. Take a few hours to walk through “what would we do if we received one of these DDoS Extortion letters.” The guides provided below help the team explore options and build a “DDoS Preparation Playbook.” Once you have that playbook, then call in the vendors and the ISPs.

Once you have the sketch of a playbook, review all the materials at DDoS Attack Preparation Workbook. This is a collection of anti-DDoS guides, playbooks, techniques, tools, architectural principles.

Originally published at https://www.senki.org.