Going After the People Behind DDoS Attacks

DDoS attacks happen every day. Well-prepared organizations can repel an attack with few repercussions. Poorly-prepared organizations sustain the attack, often to their detriment. They experience downtime, lost business, and customer loss of confidence, and they might even be subjected to ransom demands. Lately there has been a rash of attacks where the perpetrators have demanded a ransom paid in Bitcoins in order to avoid or stop the attack.

Whatever the circumstances, many attacks have one thing in common: the victim organization rarely reports the crime to law enforcement if they don't “have to.” The reasons for no report range from not wanting to garner the attention that an investigation would bring, to the belief that the attackers will never be brought to justice anyway, so why bother? Of course, some attacks are so high profile that law enforcement feels compelled to get involved.

Fortunately for everyone, the “lack of justice” excuse is diminishing. Law enforcement agencies around the world are having some success in busting the people behind the attacks.

The most notable bust came in December 2015 with Operation Pleiades, in which European authorities arrested two people in Bosnia and Herzegovina who are connected to the cyber crime group DD4BC (DDoS For Bitcoins). One of the two individuals who were arrested is described as being a leader of the loosely affiliated criminal group. DD4BC has been definitely linked to a series of DDoS extortion attacks over the past 18 months, many of which were targeting online gambling sites.

In announcing the arrests, a statement from Europol said, “The action was initiated as part of a global law enforcement response against the criminal organisation. Key members of the organised network were identified in Bosnia and Herzegovina by the UK Metropolitan Police Cyber Crime Unit (MPCCU) which provided vital information to the investigation. Police authorities from Australia, France, Japan, Romania, the USA, Switzerland and INTERPOL supported the coordinated activities.”

The statement further said, “Operation Pleiades resulted in the arrest of a main target and one more suspect detained. Multiple property searches were carried out and an extensive amount of evidence was seized.” Arrests of more DD4BC members are likely in the coming weeks and months.

The investigation that led to these arrests included, in part, examining entries for Bitcoin transactions related to the DDoS threats, and studying the email messages that contained the threats and ransom demands that were sent to the targeted companies. Victim participation was necessary for this part of the investigation and a vital part of cracking the case.

In other arrest announcements, teenage perpetrators seem to be behind a number of attacks. Law enforcement is tending to tread lightly with the teens in the belief that they aren't fully aware of the criminal aspects of what they are doing. Nevertheless, their actions still prove to be very damaging to the victims of the attacks.

For instance, a 17-year-old male from Norway was found to have launched DDoS attacks against a number of organizations, including Danske Bank, DNB, NetCom, Nordea, Norges Bank, Norwegian, SAS, Sparebank 1, Storebrand, Telenor and Widerøe. Following his arrest, the youth claimed to have posed as a member of Anonymous in order to draw attention to security flaws that the companies overlooked.

In August 2015, four teenagers between the ages of 14 and 17 and a 21-year-old man were identified as suspects in connection with two major DDoS attacks against Dutch internet provider Ziggo. The attacks left many of the company's 1.8 million customers without Internet access for several days. What's more, the service provider received ransom demands via videos in which the youths threatened more attacks.

These are quite serious crimes for anyone to be committing, let alone a group of kids. This goes to show just how easy it is to acquire the tools necessary to launch effective DDoS attacks. In effect, anyone can be an attacker.

There are two aspects of fighting DDoS attacks. One is remediation—stopping the attack when it comes in. Corero and other providers have this part of the equation covered. The other aspect of stopping attacks has to do with going after the people who commit them—especially the organized criminal groups that profit from their actions. This can only be done with the help and support of the victim companies.

ICANN stresses the importance of reporting a DDoS attack. The Internet governing organization has posted the following information on its blog regarding how to report an attack:

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds of information:

  1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
  2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
  3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
  4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
  5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
  6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance are {moderately, severely} affected, or that your services have been disrupted entirely.
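Most of the list above (timing in item 1, traffic detail in item 3, change over time in item 5) can be produced mechanically from whatever flow or packet samples the victim or its ISP already has, which makes the report both faster to write and more useful to an investigator. The script below is an added example, not code from Corero, ICANN or the Ops-Trust forum. It reads a constructed, simplified flow-sample format (30-second sample buckets with source, destination, protocol, destination port, packet and byte counts; the layout and the `BUCKET_SECONDS` width are assumptions for this example) and turns it into the report fields: attack window, packet rate, bandwidth, mean packet size, protocol and port breakdown, top sources, and a per-epoch timeline showing how the mix of sources, protocols and packet sizes shifted.

```python
"""Aggregate flow samples into the fields a DDoS crime report asks for.

Added example (not Corero's, ICANN's or Ops-Trust's code). The record
layout is an assumed, simplified NetFlow-like format; the sample data is
constructed and uses documentation address ranges.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BUCKET_SECONDS = 30  # assumed width of each sample record

# Constructed sample: a UDP DNS/NTP flood joined later by a small-packet TCP/80 flood.
SAMPLE_FLOWS = [
    # (bucket start, src_ip, dst_ip, proto, dst_port, packets, bytes)
    ("2015-12-08T10:00:00Z", "203.0.113.5",   "198.51.100.10", "UDP", 53,  40000, 48000000),
    ("2015-12-08T10:00:00Z", "203.0.113.6",   "198.51.100.10", "UDP", 53,  40000, 48000000),
    ("2015-12-08T10:00:30Z", "203.0.113.7",   "198.51.100.10", "UDP", 123, 20000,  9600000),
    ("2015-12-08T10:01:00Z", "203.0.113.5",   "198.51.100.10", "UDP", 53,  40000, 48000000),
    ("2015-12-08T10:01:00Z", "203.0.113.8",   "198.51.100.10", "TCP", 80,  30000,  1800000),
    ("2015-12-08T10:01:30Z", "203.0.113.9",   "198.51.100.10", "TCP", 80,  30000,  1800000),
    ("2015-12-08T10:02:00Z", "198.51.100.20", "198.51.100.10", "TCP", 443,   500,   400000),
]


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used by the sample records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(flows, epoch_seconds=60):
    """Return report fields: window (item 1), traffic detail (item 3), timeline (item 5)."""
    starts = [parse_ts(f[0]) for f in flows]
    start = min(starts)
    end = max(starts) + timedelta(seconds=BUCKET_SECONDS)  # last bucket is a full bucket
    duration = (end - start).total_seconds()

    protocols, ports, sources = Counter(), Counter(), Counter()
    per_epoch = defaultdict(lambda: {"sources": set(), "protocols": set(),
                                     "packets": 0, "bytes": 0})
    total_packets = total_bytes = 0
    for ts_text, src, _dst, proto, dport, packets, nbytes in flows:
        ts = parse_ts(ts_text)
        protocols[proto] += packets
        ports[(proto, dport)] += packets
        sources[src] += packets
        total_packets += packets
        total_bytes += nbytes
        # Align each record to an epoch measured from the attack start.
        offset = ((ts - start).total_seconds() // epoch_seconds) * epoch_seconds
        bucket = per_epoch[start + timedelta(seconds=offset)]
        bucket["sources"].add(src)
        bucket["protocols"].add(proto)
        bucket["packets"] += packets
        bucket["bytes"] += nbytes

    timeline = []
    for epoch in sorted(per_epoch):
        b = per_epoch[epoch]
        timeline.append({
            "epoch": epoch.strftime("%H:%M:%SZ"),
            "unique_sources": len(b["sources"]),
            "protocols": sorted(b["protocols"]),
            "pps": b["packets"] / epoch_seconds,
            "avg_packet_bytes": b["bytes"] / b["packets"] if b["packets"] else 0.0,
        })
    return {
        "start": start.isoformat(), "end": end.isoformat(), "duration_s": duration,
        "total_packets": total_packets, "total_bytes": total_bytes,
        "packets_per_second": total_packets / duration,
        "bandwidth_bps": total_bytes * 8 / duration,
        "avg_packet_bytes": total_bytes / total_packets,
        "protocols": dict(protocols),
        "dst_ports": dict(ports),
        "unique_sources": len(sources),
        "top_sources": sources.most_common(3),
        "timeline": timeline,
    }


def format_report(r):
    """Render the summary as the plain lines an analyst would paste into a report."""
    lines = [
        f"Attack window: {r['start']} to {r['end']} ({r['duration_s']:.0f} s)",
        f"Traffic: {r['total_packets']} packets, {r['packets_per_second']:.0f} pps, "
        f"{r['bandwidth_bps'] / 1e6:.2f} Mbit/s, mean packet {r['avg_packet_bytes']:.0f} bytes",
        "Protocols (packets): " + ", ".join(f"{p}={n}" for p, n in r["protocols"].items()),
        "Ports (proto/port=packets): " + ", ".join(f"{p}/{d}={n}" for (p, d), n in r["dst_ports"].items()),
        f"Sources: {r['unique_sources']} unique; top " + ", ".join(f"{s} ({n})" for s, n in r["top_sources"]),
        "Timeline (changes may show the attacker reacting to mitigation):",
    ]
    for e in r["timeline"]:
        lines.append(f"  {e['epoch']}: {e['unique_sources']} sources, {e['pps']:.0f} pps, "
                     f"mean {e['avg_packet_bytes']:.0f} B, {'/'.join(e['protocols'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize(SAMPLE_FLOWS))))
```

In the constructed sample, the timeline shows the mean packet size dropping from about 1056 bytes to 516 bytes in the second minute as a TCP/80 flood of small packets joins the UDP amplification traffic; that is exactly the kind of shift item 5 asks the victim to note, since it may indicate the attacker adapting to mitigation. Real deployments would feed this from NetFlow/IPFIX exports or packet captures rather than a hand-written list, and the items the script cannot derive (threat correspondence, geopolitical context, business impact) still have to be written by a person.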

DDoS attacks are on the increase, both in frequency and strength of the incoming traffic, and any organization can become a victim. Everyone should be prepared with a mitigation plan and the willingness to support law enforcement that is trying to bring down the people behind the launch button.
