The impact that a DDoS (Distributed Denial of Service) attack can have on a company’s online operations is well known. In recent years, large and highly publicized DDoS attacks have been motivated by revenge or ideology (Cyberbunker vs. Spamhaus, Anonymous vs. the Church of Scientology), vanity (Mafiaboy vs. CNN et al., Lizard Squad vs. Xbox Live et al.), and politics (Russia vs. Cyxymu, China vs. GitHub). Others have been conducted as a “cover operation” for a more sinister purpose, such as DDoS attacks aimed at banks in order to infiltrate their systems during the confusion.
A new DDoS motivation has surfaced over the last year, and it can target small companies as well as large ones – DDoS as an extortion tactic. Cyber criminals operating under the organizational name of DD4BC (which stands for “DDoS for Bitcoin”) have been launching attacks against a number of companies’ websites since late 2014, demanding ransom payments.
The typical DD4BC attack goes something like this: a small-scale DDoS attack is launched against the company, in order to demonstrate the organization’s ability to disrupt website operations. DD4BC then demands a ransom payment, threatening to begin a full-scale attack if the payment isn’t made. There have been other incidents, however, in which a large attack begins before the ransom demand is made.
The group’s first foray was conducted against a bitcoin wallet and exchange service called Bitalo; the low-level disruption was accompanied by an email promising a much larger attack unless Bitalo paid DD4BC one bitcoin in return for “help” in protecting against further DDoS events. More recently, the cyber criminals have been demanding payments of 25 or 40 BTC from most targeted victims, and some demands have gone as high as several hundred bitcoins. There have also been threats to increase the price for every hour that a ransom payment isn’t made. DD4BC claims not to be “all bad,” though – they promise that once they’ve been paid off, they’ll never be heard from again. In their words: “We do bad things, but we keep our word.”
At first DD4BC appeared to be targeting only bitcoin exchanges and operations, with BTC firms like BitQuick, CoinTelegraph, BitBay and Expresscoin among the victims. Some have apparently been hit because of their support for Bitcoin XT, a controversial plan to increase the size of bitcoin blocks. But targets have been expanded to banks and other firms dependent on the availability of their website for online financial transactions. Companies in Switzerland, Australia and New Zealand are among those which have been most frequently hit.
The attacks have sometimes been counterproductive. Bitalo refused to pay the ransom demand, and instead set up a 100 BTC bounty for any information on the identities of those involved in the attacks. Another operator, Bitmain, added another 10 BTC to the pool after being attacked. Others, however, have given in and paid off the group. In any event, the DDoS attacks have disrupted operations and caused large financial losses for many companies.
DD4BC claims to be able to conduct large-scale attacks which can consume as much as 500 gigabits per second in bandwidth by using amplification techniques involving protocols like DNS or NTP, and computer experts in the Swiss government who have been investigating the case believe those claims. The cloud-based delivery platform Incapsula, though, says most DD4BC DDoS attacks to date have been smaller, application-layer forays on the order of 150 requests per second; however, they can last as long as 18 hours.
The Swiss government isn’t the only one concerned about the DDoS-and-ransom activities of DD4BC, as the New Zealand National Cyber Security Centre is among several organizations actively investigating the group. Even major multinationals like Barclays are concerned, with Barclays saying it is working closely with law enforcement agencies in different jurisdictions to share information about the attacks. There’s no confirmation that Barclays has been among the victims, but only a few specifics of those DDoS’d have been made public – they include at least one bank and one BTC gambling operation.
There has been speculation that the actual reason for DD4BC’s tactics is to divert attention from simultaneous, low-volume application-level attacks over a different vector, intended to extract information from an application while the target is preoccupied with mitigating or stopping the high-volume DDoS attack. But there has not yet been confirmation of such lower-level attacks occurring during DD4BC operations. Firms at risk of a DDoS ransom attack would nevertheless benefit from also watching, at the on-premises level, for low-end hacking efforts aimed at applications that might occur at the same time.
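As an added example (not code from the article or from any product it mentions), a small Python detector over constructed access-log lines that performs the two checks the paragraph calls for: flagging seconds in which the request rate reaches application-layer-flood levels, and, within those seconds, low-volume sources hitting sensitive application paths and receiving error responses. The simplified log format, the 100 req/s alert threshold and the list of sensitive paths are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed log format: "<client_ip> <epoch_seconds> <method> <path> <status>"
# (a simplified access log, not real DD4BC traffic).
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3})$")
FLOOD_RPS = 100                                       # assumed per-second alert threshold
PROBE_PATHS = {"/admin", "/login", "/wp-login.php"}   # assumed sensitive app paths

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, int(ts), path, int(status)

def analyze(lines):
    """Return (flood_seconds, probe_sources) for the given access-log lines."""
    per_second = defaultdict(int)
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ip, ts, _path, _status = rec
        per_second[ts] += 1
        by_ip[ip].append(rec)
    # (1) seconds whose total request count reaches the flood threshold
    flood_seconds = {ts for ts, n in per_second.items() if n >= FLOOD_RPS}
    # (2) low-volume sources touching sensitive paths with 4xx/5xx responses
    #     while the flood is under way: the "quiet" activity worth a second look
    probe_sources = {}
    for ip, recs in by_ip.items():
        probes = [r for r in recs
                  if r[1] in flood_seconds and r[2] in PROBE_PATHS and r[3] >= 400]
        if probes and len(recs) < FLOOD_RPS:
            probe_sources[ip] = sorted({r[2] for r in probes})
    return sorted(flood_seconds), probe_sources

def sample_log():
    """Constructed traffic: one source floods / at 150 req/s for three seconds
    while another quietly probes admin paths during the flood."""
    lines = [f"203.0.113.10 {ts} GET / 200"
             for ts in (1000, 1001, 1002) for _ in range(150)]
    lines += ["198.51.100.7 1001 GET /admin 403",
              "198.51.100.7 1002 GET /login 404",
              "192.0.2.5 990 GET /login 200"]      # before the flood; legitimate
    return lines

if __name__ == "__main__":
    floods, probes = analyze(sample_log())
    print("flood seconds:", floods)
    print("probe sources during flood:", probes)
```

Real deployments would read rotated logs or a streaming source and tune the threshold to the site's baseline, but the structure of the two checks stays the same.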
Mitigation of even large DDoS attacks like the ones which have been launched by this group is definitely possible. In most cases, it requires a multi-layered approach involving both local and cloud-based technologies; simple reactive strategies which rely only on firewalls, routers and local monitoring are not sufficient.
Most companies are not equipped to operate their own servers with full and effective protection against DDoS attacks, so utilizing the services of a web hosting company which specializes in DDoS mitigation is the most desirable preventative approach. These companies employ sophisticated real-time and automated monitoring of traffic patterns, analyzing all incoming traffic and filtering out illegitimate requests while detecting and intercepting attacks before they can affect server operations.