DDoS Extortionist’s Behaviors

Smart and prepared organizations use DDoS Extortionist’s Behaviors as a Defensive Tool. We have a long history of DDoS Extortionists. In the early 2000s, we had DDoS Extortionists who would threaten “gambling sites” with a DDoS Attack 30 minutes before a match. This crew was later tracked by law enforcement and arrested. DDoS Extortion has many similarities to physical world extortion. The key difference is the ability to deter the Extortionist through law enforcement actions. The physical world has the strength of local law enforcement. On the Internet, the DDoS Extortionists are obscured and in other countries. Yet, the Extortion countermeasures used in the physical world have a direct application to the Internet world

DDoS Extortion is not very different from a protection racket. Imagine a store owner in a city somewhere in the world. An Extortionist who is part of a protection racket will come by with a bat, threaten the shop owner, break a few things, then say, “get me money or I’ll do worse.” The shop owner does not give in to the threats. They focus on increased protection for the store. They get new store alarms, security cameras, new locks, cages for the windows, and additional insurance. When the Extortionist comes back, they see all the protections, know that it will be more difficult, and decide to hit other victims first.

The extortion threat has not gone away. The additional defenses only push the extortion miscreants to other victims. Once the Extortionist finishes with their victim list, they return to the shops who have not paid. They then threaten, “you have not paid me, pay up work. I’m going to do worse.” To make a point, the Extortionist firebombs one of the stores to make a point.

This protection rack example is what is happening with the DDoS Extortion crew. DDoS Extortion mirrors the behavior you see in organized crime behaviors. Please take the time to review Akamai’s internal processes. Please have meaningful security conversations with your customers and make sure they have everything covered. We’re seeing many PLX and Kona customers exported to simple things like Authoritative DNS and Origin protections (systems weaknesses that DDoS Extortionist could spot).

Core Themes to Remember with DDoS Extortionist

There will always be a human and motivation behind every DDoS Attack. The security industry has a huge problem in combatting DDoS Attacks. People geek out on the details of the attack, the packet types, the sources, the protocols, the target, the impact, and the size of the attack. It is the equivalent of a Police Chief giving a process conference on a bank robbery and talking about the color of the gun, the size of the gun, how many guns were used, the type of bullets in the gun … with no description of the bank robbers.

GUNS DO NOT ROB BANKS! People use guns to rob a bank. Conversely, BOTNETS DO NOT START DDOS ATTACKS! People use botnets to launch the attacks. This core principle can provide organizations with tools to minimize the impact of DDoS Extortion through preparation focused response to extortion threats. Let explore some of these principles.

  • The DDoS extortionists continue their campaigns. They will only stop when they are arrested, feel threatened by arrest, or exhaust their pool of DDoS Extortion victims. The Internet is big with a lot of potential DDoS Extortion victims.
  • Invest in DDoS Preparation. We know a lot about these miscreants, but it’s also critically important to prepare for customer situations by understanding our processes and by being aware and knowledgeable about the materials listed below.
  • Call in Law Enforcement! DDoS Extortion only Stops when there is an Arrest or the Money Drys up! We – the public-private partnerships – do find and arrest the DDoS Extortionist. That only happens if the victims report the crime to the national/local police. If the local police do not know how to handle the case, ask them to contact the National Cyber-Forensics and Training Alliance (NCFTA). NCFTA plugs in law enforcement all over the world, works with Interpol, Europol, ISACS, and a range of private industry partners. NCFTA will always be in the middle of a big DDoS Extortion campaign.
  • Do not let down your guard! DDOS Extortion happens in cycles. DDoS Extortion has been coming every other year since the early 2000s with miscreants figured out that Extortion Protection Racket works on the Internet. They have continued to evolve over time using crypto-currency.
  • Do not think you are “immune” from DDoS Extortion. DDoS Extortion is about the criminals figuring out how to motivate you to give them money. Once they know how to get money from you, they will put you on the target list.

Understanding the DDoS Extortionist Behavior

The DDoS extortionists continue their campaigns until “something” stops the people behind the extortions. They will only stop when they are arrested, feel threatened by arrest, or exhaust their pool of DDoS Extortion victims. The Internet is big with a lot of potential DDoS Extortion victims. International law enforcement investigations do work, but these resources are specialized, scarce, and in high demand. Law Enforcement will take time to work with the industry to pinpoint the miscreants, collect evidence, build a case, align the international effort, and then make an arrest.

Based on ~18 years of DDoS Extortion investigations, here’s what we know about those who are carrying out these DDoS campaigns:

  • Their goal is to make money through criminal extortion. No potential for money = no attack.
  • They do their homework. They figure out the emails that are most likely to see and react to the extortion letters.
  • They scout their targets. They look for easy targets that take the least effort. Their goal is NOT to work too hard. Their first targets could be DNS Authoritative servers, web properties, API services, and other easy elements that can be whacked with a basic DDoS attack.
  • They focus on industry verticals. We saw the miscreants start on Financial Services then migrate to Travel, then move on to other verticals. If we see an organization in one industry get hit (e.g. Oil and Natural Gas) expect a focus on peer companies within that industry.
  • They pivot quickly. Their goal is to make money through criminal DDoS extortion. If organizations do not respond, then there is no point in persisting. They will move on to other targets.
  • They will return. Just like the story of the street thug firebombing a store, the DDoS Extortionists are likely to return.  “We survived that attack, let’s get back to business” will be capitalized by the miscreants. Letting the guard down after a DDoS Attack is a mistake organizations make when dealing with DDoS Extortionists. The time after the attack is best used to increase the preparation, review the DDoS Response plans, and be ready for the next DDoS attack. 
  • Expect DDoS Extortion during Critical Timing. The DDoS Extortionist will look for events and times where the business is at most risk, timing the attacks during those times. For example, in one of the first major DDoS Extortion waves (the early 2000s), DDoS Extortionists timed their attacks with key events. These events resulted in visible business consequences. A prudent DDoS preparation would explore critical timing. What time of the day, week, or month is there some type of event that an outage would have a critical impact on the business? If you know it, then expect the DDoS Extortionist to also know it. 
  • Many organizations have not been paying attention to the DDoS risk! Basic DDoS preventative actions work. The guides included later in this blog provide low-cost, low-risk countermeasures to mitigate DDoS risk when threaten by an extortionist.
  • DNS authoritative name servers are targeted. DNS is critical to all Akamai services (see Akamai Reference Architectures). Migrating customers to Edge DNS has been a proven tactic in mitigating attacks from DDoS extortionists. There is a new guide to help customers review their DNS Resiliency options: Rapid Edge DNS Onboarding – DDoS Attacks Against DNS.

Using DDoS Extortion Behaviors to Prioritize Your Response

DDoS Extortionists follows patterns that mirror the Physical World Extortionist. Organizations that are threatened by DDoS Extortion can minimize their risk if they focus first on the preparation that discourages the people behind DDoS Extortion. Here are some examples of how you can leverage know DDoS Extortionist behavior as a “do these items first” measure.

Make it Easier to Catch the DDoS Extortionist. The Miscreants don’t want to get caught. Calling the appropriate law enforcement teams to let them know the Extortion is happening and providing them with the Extortion letter contributes to the larger efforts to find and arrest the Extortionist. Reaching out to your TLP: RED Trusted security group puts other peer organizations on alert as well as asking for their assistance. There is more you can do to help track down and catch the miscreants. The Team who helped track down the DD4BC DDoS Extortion crew crafted this guide to help organizations set up their security tools to collect data and contribute to catching the miscreants. Preparing for DOS Attacks – the Essentials (Reporting DoS Attacks are the Key to Fighting Back!)

Make the Miscreants Work Harder. The goal of DDoS Extortion is to use simple DDoS tools to make quick money. If they work hard, then the return on investment of their criminal time would not be worth it. Having the team look for simple attack vectors and plugging up those DDoS Risks are quick deterrence. A robust DNS Security architecture with 6 or more nameservers spread throughout the world deter attacks on weak DNS Authoritative architectures. Having the major web properties on CDNs, WAFs, or Anti-DDOS Scrubbing systems make it harder for the DDoS Extortionist. The key when under DDoS Extortion threat is to make life harder for the miscreant. Later, a review of the DDoS Resiliency Architecture will find the appropriate and customer effective solutions that maintain the difficulty for miscreants to attack the organization.

Look for “Coupled Dependencies.” Why attack port 80/443 on the organization’s web service when the exposed API supporting the applications is an easier target? DDoS Extortionists will do their homework. Their motivation is to make money. They are looking for the best “extortionist return on investment” (eROI). They will scout the network of their victim. They will see the obvious attack points and all the non-obvious attack points. They have a list of all the “recommendations to build a DDoS Resilient Network,” using that list to explore vulnerabilities. Scouting their victims allows them to see how best to prove their threat, entice payment, and then really cause damage if the payment is not received. That means they will look for the non-obvious elements that other services depend on. These coupled dependencies are often the “weak security underbelly” that takes little effort to whack. The most obvious “weaknesses” are the APIs and DNS Authoritative servers. Major organizations have been taken out because their two DNS Nameservers were behind two routers that were easily DDoSed. Every service depends on DNS. Again, DDoS Extortion is about an optimized return on investment. It is very cost-effective to turn DNS into a “Hidden Primary” and API into “hidden origin” with the visible service pushed to the cloud.

What is Next?

Remember, DDoS Extortion is launched by people. Your enemy is people. People have behaviors. Many times those behaviors mirror criminal patterns from the physical world. Those lessons can be applied to focus an Organization’s reaction to DDoS Extortion, triaging which actions to take first to best minimize risk.

What is next? Pull your team together. Take a few hours to walk through “what would we do if we received one of these DDoS Extortion letters.” The guides provided below help the team explore options and build a “DDoS Preparation Playbook.” Once you have that playbook, then call in the vendors and the ISPs. The guide Demanding Security from your Vendors would help you with meaningful security conversations with your vendors. But first, it is helpful to have your own team craft what they know with DDoS Preparation.

DDoS Preparation Guides, Playbooks, and References

DDoS Extortionist will never go away. They have been cyclic since 2003. It is best to prepare and expect a DDoS Extortion in the future. The following are tools all organizations can use to get ready for DDoS Extortion Attacks. Each of these documents focuses on cost-effective essentials. They are key even if you need 3rd party cloud-based Anti-DDoS services.

DDoS Attack Preparation Workbook

Internet DDoS Attacks are a force of nature on the Internet. They are like earthquakes, hurricanes, floods, tornados, tsunamis, and all other disasters. Organizations need to prepare for a DDoS Attack the same way they prepare for severe weather and natural disasters. These guides have been crafted based on my personal experience (+25 years of DDoS experience) and the experience of my peers who I’m constantly working with to mitigate, disrupt, push back on the DDoS threats. The DDoS Attack Preparation Workbook pulls all the work into one location. This would make it easier for teams to pull down materials, guidelines, tools, and techniques that have proven to mitigate the effects of DDoS Attacks.

7 Habits of Highly Effective Cybercriminals

Yes, there are habits of success used by highly effective cyber-criminals use to be successful! We can leverage the knowledge of these habits to better prepare, defend, and attribute attacks. To understand where these habits were first observed, we must go back to the point where the Internet explosion was creating the opportunity for new criminal enterprises. These principles are not limited to the behaviors of DDoS Extortionists. They apply to many types of crime and threats to our organizations. 

Preparing for DOS Attacks – the Essentials

Created by several members of the DD4BC investigation. DD4BC was a prolific DDoS Extortionist operation that woke up many in the industry. The objective was to help organizations to prepare for the next wave of DoS attacks.

Demanding Security from your Vendors

How does any organization have a productive and meaningful security conversation? This guide offers a simple and meaningful security conversation guide. These conversations would help the organization determine the real security risk from their vendors. This is an updated version of a set of questions Operators (and vendors) can use to have these meaningful conversations.

How do you really stop DOS Attacks?

Are you prepared for the next DoS Extortion attack? DDoS Attacks will not go away. All the threat actors use DDoS as a tool to achieve their objectives (State Security, Cyber-criminals, Political Activities, and Corporate miscreants). DDoS Extortionist Groups will cyclicly appear every 12 to 18 months.  DDoS is not something to ignore. It is time to review those “DoS” preparation checklist. This white paper explores the data that would need to be collected to successfully push back on DoS attacks. It includes information your “DoS Defense Allies” will need to help you mitigate, remediate, and potentially whack down the DoS attack.

Reporting DoS Attacks & Fighting Back Against DOS Attacks

Expect DDoS Attacks. Prepare for DDoS Attacks. Don’t wait until you have an active DDoS Threat to start your work. There is no perfect anti-DoS solution. But with forethought, planning, coordination, and practice any organization minimizes the impact of the DoS attacks. What follows ten essential steps that have proven to help organizations prepare for DoS attacks. The fundamental principles you will find in this article apply to all organizations – large and small. They focus on low-cost – low-impact anti-DDoS essentials that add DDoS Resiliency to the entire organization.

Are you ready for the next attack? (Part 1)

Are you ready for the next attack? As many of my colleagues know, I’m constantly on the lookout for tools that would help my peers in all networks find ways to mitigate the security risk in their operations.

The Practical Security Checklist – Part 2.1

This is part “2.1” of a multipart post to help organizations take security action. Stay tuned for next week’s practical security checklist item. Board members, CxOs, and professionals are saturated with security advice. This security advice is often confusing, contradictory, and always biased toward “buying something.” “Good security advice saturation” results in paralysis of action.

Operator’s Security Toolkit

It is time for a refresh of the SP Security materials used by many over the years. Back in 2002, several people in the emerging “Service Provider Security” field pulled together a list of top practices every Operator should deploy. These “NSP-SEC Top 10” techniques became the foundation of our toolkit that is used daily to mitigate DDoS Attacks.

Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers – What are you doing to prepare for the next “scanning malware” and “Internet Worm?”

Operators (CSPs, ISPs, Cloud Companies, and Hosting Companies) are strongly encouraged to deploy Port Filtering on the known Exploitable ports and Source Address Validation (SAV) on their customer edge of the network as a default configuration. Filtering Exploitable Ports will minimize risk to the Operator’s infrastructure, the Operator’s Customers, and Proactively minimize risk to the collective Internet & Telecommunications network. Customers who need access to their ports can request bypass through the Operator’s customer support.

This document is a consultation and education tool for those Operators who have yet to deploy Exploitable Port Filtering. The document is maintained for the community.

UK National Cyber Security Centre (NCSC) one-page checklist on Preparing for DoS Attacks

This advice is written for technical and security IT professionals and summarises how to prepare for denial of service (DoS) attacks. It is not possible to fully mitigate the risk of a DoS attack affecting your service. However, the following five practical steps, if implemented, will lessen the impact of any incident. For more information visit www.ncsc.gov.uk/dos

Australian Cyber Security Centre (ACSC) – Preparing for and Responding to Denial-of-Service Attacks

Although organizations cannot avoid being targeted by denial-of-service attacks, there are a number of measures that organizations can implement to prepare for and potentially reduce the impact if targeted. Preparing for denial-of-service attacks before they occur is by far the best strategy, it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.

AKAMAI WHITE PAPER – 8 Best Practices for Building and Maintaining a DDoS Protection Plan

Akamai’s Anti-DDoS services emphasize planning and preparation with the Tools to execute on those Anti-DDOS “playbooks.” This guide can be used by anyone to start their own Anti-DDoS Playbook for their organization. The companion white paper, 8 Steps to a DDoS Mitigation Plan supplements the first guide. Finally, the new DDoS Extortion Battle Checklist covers many techniques that would “trigger” DDoS Extortionist behavior to go find easier targets.

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.