The denial-of-service ransom threat

The art of hacktivism and using cyber attacks to protest have taken huge steps in the past six months. Owen Cole, technical director at F5 Networks, looks at the threat, capability and ease with which these tactics can be deployed.

In the past few years, we have seen an unprecedented wave of hacking attempts across the Western world. The rise of the Anonymous collective in 2008 has gained pace in the past 18 months with its support for Wikileaks founder Julian Assange and its protests against copyright and Scientology.

The wide availability of the Zeus Trojan, which can enable people to control large networks of compromised PCs (botnets), and the coordinated Night Dragon attacks on corporate networks has caused widespread alarm in the IT community.

Although many attacks in the past have been either hacktivism or simply recreational hacking, the ease of access of these tools has led to a great deal of speculation. The Zeus Trojan, for example, has been noted on sale for a mere $5000.

Hacking, rather like much of the online world, is getting easier and more serious and we have seen a rise in commercial hacking attempts. In future, we may well see more advanced blended threats, such as a blend of physical and online threats and even broader denial-of-service ransom attacks.

It doesn't take a genius to work out other possibilities. Amazon.com makes $A62,000 a minute. Although DoS attacks are illegal (in many countries), many organisations rely on the internet as their sole avenue of trade and DoS attacks can cripple an online trader that isn't insured against loss of earnings and even then, the reputational damage can be severe.

Even the threat of a DoS attack from a hacker may be enough to make online retailers reach for their wallets. These kinds of attacks go in and out of vogue and Britain has already seen a few such attacks in previous years. However, the tools to conduct a DoS attack are becoming more easily available, making the threat more alarming.

To all intents and purposes, the criminals may be untraceable. Even consumers can hide their online presence using software such as ToR (The Onion Ring), which bounces a network signal around a number of computers, scrambling your online presence. Such attacks may even be conducted from public WiFi hotspots, leaving Starbucks or McDonalds within the liability chain for criminal activities.

It would be an easy matter for a hacker to control a botnet via the Zeus Trojan (which consists of millions of compromised PCs in the US alone) and threaten to carry out a denial-of-service attack against a website unless they are paid off.

According to the BBC, a wave of DoS ransom demands was carried out in 2004 against online betting companies prior to the Cheltenham Festival, when thousands of people bet on the horse racing. Fifteen bookmakers were reported to have been offline, with Full Tilt Poker going offline for approximately 48 hours and four companies even admitting to receiving extortion demands prior to the attacks.

Financial sector organisations, which could lose considerably more than online gambling sites and healthcare organisations (unable to access online patient records), could also be exposed to such threats.

There are a number of things that organisations can do to protect themselves against such attacks without carrying out a server migration. Companies can use software and equipment that sets rules to detect when site latency (i.e. response time) goes up by a certain percentage (eg 500 percent) or latency reaches x milliseconds.

Alternatively, companies can check the number of transactions (requests for information) a second and block sources when it increases by a certain percentage or reaches a certain figure.

These solutions can easily be handled on the basis of rules and policies, allowing or denying server requests, or simply ignoring all subsequent similar requests.

Another solution to a DoS attack is using JavaScript to automatically determine whether the server request comes from a browser, or whether it is generated by an automated script ‘pinging' the server for information. Traditional web browsers are not designed to generate large numbers (up to a million a second) of server requests, so this is also a good way of separating genuine requests from DoS attacks.

According to The Guardian, cyber warfare is now rated on a similar level to international terrorism, so it is clear that the government is taking this kind of crime seriously.

However, it will be interesting in future to see how the eCrime unit, for example, will work together with organisational security forces. After all, reporting a DoS attack to the traditional ‘bobbies on the beat' would be an exercise in futility, even though these attacks have been illegal since 2006.

It is worth acknowledging a potential weakness in our argument. Bruce Schneier refers to certain specific security threats as ‘movie plot threats', implying that they only occur in the realm of film. However, these attacks have already taken place against major betting companies and with botnets becoming increasingly easy to acquire, this kind of attack will no doubt occur again.

That is not to say that DoS ransom attacks will happen this year and beyond. Either way, we need a smarter, more integrated and better funded approach to IT security. In an ever-increasing number of cases, policing the online world is more important than having bobbies on the beat.

This article originally appeared at scmagazineuk.com