Anatomy of a DDoS attack: Extortion and mitigation


Distributed denial-of-service (DDoS) is a cyber-attack that causes mass disruption of services. From 1996 (when the first reports of DDoS attacks emerged) to 2010, threat actors used DDoS mainly to promote themselves or a political agenda and to push for social change; in recent years the financial motive has dominated, and extortion has become a central part of many DDoS operations. Before 2020, DDoS extortionists usually sent empty threats and did not follow up with attacks; since the second half of 2020, however, actors have made good on their threats and followed up with attacks far more often.

Although threat actors have monetised DDoS threats and attacks in the past, we believe that the popularisation of cryptocurrency, the willingness of some organisations to meet extortion demands (as was seen in the ransomware attack on Colonial Pipeline) and the affordability of DDoS as a service (DDoSaaS) have encouraged threat actors to pursue this kind of activity.

Attack Chains

DDoS extortion campaigns typically follow one of two attack chains:

  • Demonstration first, then the demand:
    • The actors open with a DDoS demonstration: a show of force meant to convince the targeted organisation that the threat is real. They aim at a specific resource in the organisation’s web service or network infrastructure and size the attack so that it slows the organisation’s services without knocking them offline.
    • During or after the demonstration, the actors send an extortion email threatening a larger DDoS attack unless the organisation pays a specified amount of bitcoin to the actors’ cryptocurrency wallet by a deadline. If the deadline passes without payment, the main DDoS attack follows, and the demand increases every day after the due date until the full amount is paid.
  • Demand first, then the attack: the actors send the extortion email before any attack. It states the demand, the bitcoin wallet address, the deadline, the attack capacity the group claims to have and other details, and often boasts of the ability to generate several terabits per second of traffic. In most cases these threats are not bluffs and are followed by full-scale attacks.

Mitigation

When planning for DDoS mitigation, organisations should consider not only their business obligation to keep services running but also how much service disruption they and their customers can tolerate. The Australian Cyber Security Centre (ACSC) provides basic guidance that organisations can follow to reduce the likelihood and potential impact of a DDoS attack:

  • Determine which functionality is truly critical to the organisation’s operations. Create the backups needed to keep it running during an attack, allocate enough resources (if necessary by moving them from non-critical functionality) to maintain it while the attack lasts and, once the attack has been contained, restore it.
  • With service providers, discuss the details of DDoS prevention and mitigation strategies, namely:
    • The capacity to withstand DDoS attacks
    • Any costs likely to be incurred by customers
    • Thresholds for notifying customers or for turning off their online services during DDoS attacks
    • Pre-approved actions that can be taken during DDoS attacks
    • Arrangements made with upstream (for example, Tier 2) service providers to block malicious traffic as far upstream as possible
  • Protect an organisation’s domain names by using registrar locking and by confirming that the domain registration details are correct.
  • Ensure that customers maintain details of their service providers’ 24×7 contacts and that service providers maintain details of their customers’ 24×7 contacts.
  • Establish additional out-of-band contact details—for example, mobile phone numbers and non-organisational email addresses—that service providers would use if normal communication channels were to fail.
  • To detect DDoS attacks and measure their impact, implement availability monitoring with real-time alerting.
  • Prepare a static version of the company’s website. Ensure that it not only facilitates continuity of service during a DDoS attack but also requires minimal processing and bandwidth.
  • Use cloud-based hosting from a major cloud service provider (preferably from several, for redundancy) with high-bandwidth content delivery networks that cache static content. When using a content delivery network, avoid disclosing the IP address of the web server under the organisation’s own control (the origin web server) and use a firewall to ensure that only the content delivery network can reach it.
  • Use a DDoS mitigation service: it offers defence-in-depth controls that can be applied at both the infrastructure and the application layer.

An effective DDoS mitigation posture takes into account all of a business’s requirements and constraints and implements controls for cloud infrastructure, on-premise systems or a hybrid of the two. As a general rule, the more complex the mitigation system, the more likely it is to fail through misconfiguration or broken integration points. Organisations considering DDoS protection for the first time should start with simple systems that can be monitored and refined. DDoS attacks, like every other cyber threat, keep evolving in complexity and effectiveness, so defenders must keep improving their own tactics, techniques and procedures (TTPs) and defences. DDoS mitigations are no exception: they need careful planning so that they are maintained and remain effective against current attack techniques.
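The origin-lockdown item above (let only the content delivery network reach the origin web server) can be enforced at the network layer. The following is an added example, not code from the article or from Infoblox: it builds an allowlist from a CDN’s published edge ranges, decides on the TCP peer address only (never on X-Forwarded-For, which an attacker can set freely), unwraps IPv4-mapped IPv6 peers that dual-stack sockets report, and renders the same allowlist as an nftables ruleset. The CIDRs are documentation prefixes standing in for a real provider’s list, and the connection attempts are constructed.

```python
"""Lock the origin web server down to the CDN's edge ranges.

Added example, not taken from the article. The CIDRs below are documentation
prefixes (RFC 5737 / RFC 3849) standing in for a CDN's published edge ranges;
replace them with the list your provider publishes and refresh it on the
provider's schedule, because a stale allowlist silently blocks new edges.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the CDN's published edge ranges.
CDN_CIDRS = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:100::/48"]


def build_allowlist(cidrs: List[str]):
    # strict=True rejects prefixes with host bits set, which usually means a typo.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(peer_ip: str, allowlist) -> bool:
    """Decide on the address the TCP connection actually came from.

    X-Forwarded-For (and any other client-supplied header) is attacker-controlled
    and must never be consulted for this decision.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address: fail closed
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
    return any(addr in net for net in allowlist)


# Constructed connection attempts as the origin would see them:
# 'peer' is the socket peer address, 'xff' the X-Forwarded-For header if present.
SAMPLE_CONNECTIONS: List[Dict[str, Optional[str]]] = [
    {"peer": "198.51.100.7", "xff": "192.0.2.10"},      # real edge, real client behind it
    {"peer": "2001:db8:100::1", "xff": "192.0.2.11"},   # IPv6 edge
    {"peer": "192.0.2.44", "xff": "198.51.100.7"},      # direct hit spoofing an edge address in XFF
    {"peer": "203.0.113.200", "xff": None},             # outside the /25, so not an edge
    {"peer": "::ffff:198.51.100.9", "xff": None},       # IPv4 edge seen through a dual-stack socket
]


def filter_connections(connections, allowlist) -> Tuple[List[str], List[str]]:
    """Split connection attempts into (accepted, rejected) by peer address."""
    accepted, rejected = [], []
    for conn in connections:
        (accepted if is_allowed(conn["peer"], allowlist) else rejected).append(conn["peer"])
    return accepted, rejected


def render_nftables(allowlist, ports=(80, 443)) -> str:
    """Render the allowlist as an nftables ruleset for the origin host.

    Management access (for example SSH from a bastion) must be added before this
    is loaded with a drop policy, or the host locks its own administrators out.
    """
    v4 = [str(n) for n in allowlist if n.version == 4]
    v6 = [str(n) for n in allowlist if n.version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = ["table inet origin_guard {"]
    if v4:
        lines.append("  set cdn_v4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set cdn_v6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6))
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    if v4:
        lines.append(f"    ip saddr @cdn_v4 tcp dport {port_set} accept")
    if v6:
        lines.append(f"    ip6 saddr @cdn_v6 tcp dport {port_set} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    allow = build_allowlist(CDN_CIDRS)
    ok, bad = filter_connections(SAMPLE_CONNECTIONS, allow)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_nftables(allow))
```

The third sample connection is the case that matters: a scanner that has discovered the origin address connects directly and forges X-Forwarded-For with an edge address. Because the decision is made on the socket peer, it is rejected regardless of the header. Pair the firewall rule with an origin-authentication mechanism your CDN supports (a shared secret header or mutual TLS) so that a leaked origin address is still not enough on its own.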
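The availability-monitoring item above is worth spelling out, because the demonstration attack described in the attack chains is sized to slow services rather than take them down: a plain up/down check sees nothing, while a latency budget does. The following is an added example, not code from the article: it buckets synthetic HTTP probe results into one-minute windows, computes availability and p95 latency per window, and raises a degraded or outage alert only after two consecutive bad windows, so a single slow probe does not page anyone. The probe series is constructed to walk through healthy, slowed, half-failing and recovered minutes; thresholds are illustrative.

```python
"""Availability monitoring with degraded/outage alerting over probe windows.

Added example, not taken from the article. Probe results are constructed;
in production they would come from external synthetic checks.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    t: int            # probe time, seconds since epoch
    status: int       # HTTP status; 0 means no response (timeout or connect failure)
    latency_ms: float


@dataclass(frozen=True)
class WindowStats:
    start: int
    samples: int
    availability: float   # share of probes answered with 2xx/3xx
    p95_ms: float         # p95 latency of the successful probes, inf if none succeeded


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile; inf for an empty sample so it always trips a budget."""
    if not values:
        return math.inf
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def window_stats(probes: List[Probe], window_s: int = 60) -> List[WindowStats]:
    """Group probes into fixed windows and summarise each one."""
    buckets: Dict[int, List[Probe]] = {}
    for pr in probes:
        buckets.setdefault(pr.t - pr.t % window_s, []).append(pr)
    out: List[WindowStats] = []
    for start in sorted(buckets):
        group = buckets[start]
        ok = [pr for pr in group if 200 <= pr.status < 400]
        out.append(WindowStats(
            start=start,
            samples=len(group),
            availability=len(ok) / len(group),
            p95_ms=percentile([pr.latency_ms for pr in ok], 0.95),
        ))
    return out


def evaluate(stats: List[WindowStats], min_availability: float = 0.99,
             max_p95_ms: float = 800.0, consecutive: int = 2) -> List[Tuple[str, int]]:
    """Return (level, window_start) alerts.

    'outage' when availability drops below the floor, 'degraded' when p95 latency
    exceeds its budget (the demonstration-attack pattern), 'recovered' when a
    healthy window follows an active alert. A level fires only after `consecutive`
    bad windows and only when it differs from the level already active.
    """
    alerts: List[Tuple[str, int]] = []
    streak = 0
    active: Optional[str] = None
    for w in stats:
        if w.availability < min_availability:
            level: Optional[str] = "outage"
        elif w.p95_ms > max_p95_ms:
            level = "degraded"
        else:
            level = None
        streak = streak + 1 if level else 0
        if level is None:
            if active is not None:
                alerts.append(("recovered", w.start))
                active = None
        elif streak >= consecutive and level != active:
            alerts.append((level, w.start))
            active = level
    return alerts


def sample_probes() -> List[Probe]:
    """Constructed series, one probe every 5 s: two healthy minutes, two minutes
    slowed by a demonstration-sized flood, one minute with half the probes timing
    out, then recovery."""
    probes: List[Probe] = []
    for minute in range(6):
        for i in range(12):
            t = minute * 60 + i * 5
            if minute in (2, 3):
                probes.append(Probe(t, 200, 1500.0))
            elif minute == 4:
                probes.append(Probe(t, 0, 10000.0) if i % 2 else Probe(t, 200, 2200.0))
            else:
                probes.append(Probe(t, 200, 120.0))
    return probes


if __name__ == "__main__":
    for w in window_stats(sample_probes()):
        print(f"{w.start:>4}s  n={w.samples}  avail={w.availability:.2f}  p95={w.p95_ms:.0f}ms")
    print(evaluate(window_stats(sample_probes())))
```

Feeding real probes into this means running the checks from outside the organisation’s own network and, ideally, from more than one region, since an attack that saturates the upstream link looks like a healthy origin from inside it. The p95 budget should be set from a few weeks of baseline data, not guessed.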

By: Ali Sleiman, Technical Director MEA at Infoblox

www.infoblox.com
