Local municipal police forces seldom have the resources to track down cyber criminals, but the U.S. federal government has resources, and it wants to help stem the surge of distributed denial of service (DDoS) attacks. Last week the U.S. Federal Bureau of Investigation (FBI) issued an appeal to organizations that have been victims of DDoS attacks to share details and characteristics of those incidents with an FBI field office and the IC3.
Some may argue that it’s not worth reporting incidents because it’s too difficult to identify the hackers. However, in some cases, law enforcement agencies successfully track down perpetrators. As a case in point, GovInfoSecurity reported that at the Information Security Media Group's Fraud and Data Breach Prevention Summit in London,
“Detective Constable Raymond Black, a cyber investigating officer for the Metropolitan Police Service, highlighted the upsides of sharing attack information with police. He also emphasized that sharing attack details need not lead to an investigation being launched.
Black noted that a small case - initially not reported to police - involving a September 2015 SQL injection attack and extortion demand against a London-based cigar retailer helped crack the case involving the October 2015 hack attack against London telecommunications giant TalkTalk.”
The FBI wants to know about large and small DDoS attacks, and it requests the following incident details from victims:
- Identify the traffic protocol or protocols used in the DDoS attack - such as DNS, NTP, SYN flood;
- Attempt to preserve netflow and attack-related packet capture;
- Describe any extortion attempts or other threats related to the DDoS attack;
- Share all correspondence with attackers "in its original, unforwarded format";
- Provide information about themselves;
- Estimate the total losses they suffered as a result of the DDoS attack;
- Provide transaction details - if the victim paid a ransom or other payment in response to the attack - including the recipient's email address and cryptocurrency wallet address;
- Describe what specific services and operations the attack impacted;
- List IP addresses used in the DDoS attack.
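Several of the items on that list (protocols used, attacking IP addresses, services impacted) can be pulled straight out of preserved netflow data rather than reconstructed from memory after the fact. The script below is an added example, not part of the FBI appeal or the original post: it takes a handful of constructed, NetFlow-shaped sample records, separates likely attack traffic from a baseline flow with simple heuristics (large UDP flows sourced from reflector ports such as DNS/53 and NTP/123, and large SYN-only TCP flows), and assembles the technical fields of an incident summary. The `Flow` shape, the packet threshold, the one-record-per-second assumption behind the peak rate, and all addresses (RFC 5737 documentation ranges) are assumptions for the example.

```python
"""Summarize constructed flow records into the technical details a DDoS incident report asks for.

Added example, not from the original post. Records are constructed sample data in a
simplified NetFlow-like shape; in practice they would come from an exported flow log.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str          # ISO-8601 flow start (UTC); the example assumes one record per second
    src_ip: str
    dst_ip: str
    proto: str       # "TCP" or "UDP"
    src_port: int
    dst_port: int
    tcp_flags: str   # cumulative TCP flags seen in the flow ("S" = SYN only); "" for UDP
    packets: int
    bytes: int


# Constructed sample records (addresses from RFC 5737 documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("2016-10-20T14:00:00Z", "203.0.113.10", "198.51.100.5", "UDP", 53, 40123, "", 120000, 180_000_000),
    Flow("2016-10-20T14:00:00Z", "203.0.113.11", "198.51.100.5", "UDP", 53, 40123, "", 95000, 140_000_000),
    Flow("2016-10-20T14:00:01Z", "203.0.113.12", "198.51.100.5", "UDP", 123, 40123, "", 60000, 28_000_000),
    Flow("2016-10-20T14:00:01Z", "203.0.113.10", "198.51.100.5", "UDP", 53, 40123, "", 110000, 165_000_000),
    Flow("2016-10-20T14:00:02Z", "192.0.2.77", "198.51.100.5", "TCP", 51000, 443, "S", 400000, 24_000_000),
    Flow("2016-10-20T14:00:02Z", "192.0.2.78", "198.51.100.5", "TCP", 51001, 443, "S", 380000, 22_800_000),
    # Baseline client for contrast: completed handshake (SYN, PSH, ACK, FIN) at a low rate.
    Flow("2016-10-20T14:00:02Z", "192.0.2.200", "198.51.100.5", "TCP", 52000, 443, "SPAF", 40, 30_000),
]

# UDP services commonly abused for reflection; the flow's *source* port identifies them.
REFLECTOR_SOURCE_PORTS = {53: "DNS", 123: "NTP"}
# Assumed threshold: flows below this packet count are not treated as attack traffic.
MIN_ATTACK_PACKETS = 10_000


def classify(flow: Flow):
    """Return an attack label for the flow, or None if it does not look like attack traffic."""
    if flow.packets < MIN_ATTACK_PACKETS:
        return None
    if flow.proto == "UDP":
        return REFLECTOR_SOURCE_PORTS.get(flow.src_port, "UDP flood")
    if flow.proto == "TCP" and flow.tcp_flags == "S":
        return "SYN flood"          # many packets, never more than a SYN: half-open flood
    return None


def summarize(flows, target_ip: str) -> dict:
    """Build the technical fields of an incident summary for traffic aimed at target_ip."""
    attack = [(f, classify(f)) for f in flows if f.dst_ip == target_ip]
    attack = [(f, label) for f, label in attack if label is not None]
    if not attack:
        return {"target": target_ip, "protocols": {}, "source_ips": [], "impacted_services": {},
                "window": None, "peak_pps": 0, "peak_at": None, "total_packets": 0, "total_bytes": 0}

    protocols = Counter(label for _, label in attack)
    sources = Counter()                       # attacking IP -> packets sent
    per_second = defaultdict(int)             # timestamp -> packets (assumes 1 s records)
    services = Counter()                      # "PROTO/port" on the victim side
    for f, _ in attack:
        sources[f.src_ip] += f.packets
        per_second[f.ts] += f.packets
        services[f"{f.proto}/{f.dst_port}"] += 1
    peak_at, peak_pps = max(per_second.items(), key=lambda kv: kv[1])
    timestamps = sorted(f.ts for f, _ in attack)
    return {
        "target": target_ip,
        "window": (timestamps[0], timestamps[-1]),
        "protocols": dict(protocols),                          # e.g. DNS, NTP, SYN flood
        "source_ips": [ip for ip, _ in sources.most_common()], # busiest attackers first
        "impacted_services": dict(services),
        "peak_pps": peak_pps,
        "peak_at": peak_at,
        "total_packets": sum(f.packets for f, _ in attack),
        "total_bytes": sum(f.bytes for f, _ in attack),
    }


def render_report(summary: dict) -> str:
    """Human-readable block suitable for pasting into an incident report."""
    lines = [f"Target: {summary['target']}",
             f"Window (UTC): {summary['window']}",
             f"Attack vectors (flows): {summary['protocols']}",
             f"Impacted services (flows): {summary['impacted_services']}",
             f"Peak rate: {summary['peak_pps']} pps at {summary['peak_at']}",
             f"Totals: {summary['total_packets']} packets, {summary['total_bytes']} bytes",
             "Source IPs (busiest first):"]
    lines += [f"  {ip}" for ip in summary["source_ips"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_FLOWS, "198.51.100.5")))
```

The heuristics are deliberately coarse: they are meant to turn a preserved flow export into a first-pass list of vectors and sources for the report, not to replace the mitigation platform's own analytics. Keeping the raw flow and packet captures alongside the summary is what lets investigators verify it later.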
There is no legal obligation to report attacks, so should organizations report every DDoS attack, large and small? That is an interesting question. No organization is completely immune to DDoS attacks, but some organizations undergo frequent attacks because they have 1) a large attack surface, 2) sensitive data that is worth stealing, or 3) a high profile that is subject to activist attacks. Some attacks are small and sub-saturating, intended to mask a more serious security breach. Others are volumetric attacks, intended to disable a website or business application. Gaming companies, financial service companies, hosting providers and Internet service providers are frequently targeted; if they reported every DDoS attack attempt, the FBI would be very busy, indeed.
No one wants to deal with the costs of a DDoS attack, or be bothered with reporting an incident to law enforcement. There’s no question that it’s better to mitigate an attack than be victimized by one. That’s why it makes sense to have an automated, real-time DDoS protection solution that not only detects and blocks DDoS traffic, but also provides sophisticated DDoS attack analytics.
For more information about how you can protect your network from DDoS attacks, contact us.