8 steps for dealing with digital extortion

Recently, the CEO of a business received an email from an extortionist group known as DD4BC, notifying him that his company’s Web sites would face a distributed denial-of-service (DDoS) attack if he didn’t pay 50 Bitcoins to the attackers within 24 hours.

The message read, in part, “please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps, so don’t even bother.” The note stated that the extortionists were currently running a small demonstrative attack on one of the company’s IP addresses, “just to prove that we are serious.”

This was a relatively low-stakes crime; the value of the online currency the attackers were initially demanding equates to about $11,500. But the attackers threatened to increase the amount and launch a “long-term attack” if the CEO ignored the threats.

This kind of digital extortion is on the rise. The Internet Crime Complaint Center (IC3), a partner of the FBI, in July issued an alert that it was receiving an increasing number of complaints. In a typical complaint, the alert says, the business receives an email threatening a DDoS attack to its website unless it pays a ransom. The ransoms vary in price and are usually demanded in Bitcoin, the alert says.

And according to research released in April 2015 by cyber security firm F-Secure, there has been an increase in the amount of malware designed to extort money from unsuspecting mobile phone and PC users.

A confluence of factors have created a perfect storm for high-tech extortion: It’s relatively inexpensive for criminals to conduct this type of DDoS activity; many companies don’t have the tools needed to mitigate such an attack; and Bitcoin provides a crypto currency payment method that’s virtually untraceable.

And for most companies, the risk of not paying this kind of extortion could be really high. Businesses rely on their websites performing at full capacity every hour of the day and every day of the year. For sites to be down or slow for even brief periods can be extremely costly.

Fortunately, there are steps organizations can take to handle digital extortion incidents.

1. Educate the people who are most likely to be targeted

Enterprises should take the time to educate staff — especially senior-level executives — who are most likely to receive emails from extortionists. Employees need to understand that ignoring these messages could result in a DDoS attack against the organization.

Make it clear that employees receiving an extortion letter should immediately contact IT security or IT management. Better yet, set up an email alias and socialize it out to employees (e.g., securityquery@yourdomain.com).

2. Make friends with your hosting provider

DDoS attacks can be crippling for companies when they saturate your Internet connectivity or overwhelm your servers. If you can take preventative measures before this happens, you may be able to weather a DDoS attack.

If the attack does overwhelm your infrastructure, you won’t be able to tackle the problem alone, but your hosting provider can help. Work with your hosting provider ahead of time to understand their mitigation capabilities and how they can help. If an attack does happen, getting their attention shouldn’t be hard, because the provider has a strong incentive to stop a DDoS attack before it gets worse.

3. Filter web traffic before it gets to your IP

DNS can sometimes be the weakest link and the target of a DDoS attack, but it can also be one of your best tools for mitigation. If the attackers are targeting your domain name in an HTTP DDoS attack, preventing them from reaching your server IP is your first line of filter defense.

You can use geo filtering to route traffic away from your true IPs from any geographies that don’t matter to your business or that are not essential to your operations. With the right configurations, you can go as far as dropping traffic that is coming from hosting providers or non-essential networks

4. Play infrastructure hot potato

If the above fails, the attackers are likely targeting your IP addresses directly. In that scenario, move your web infrastructure to a new IP. While the attackers are busy punishing your old IP, your domain traffic will be safely pointed to a new IP address that is free and clear.

For this to be effective, you have to be prepared ahead of time. You will need to be able to spin up a clone of your web infrastructure on a different IP range or to change your IPs. Most hosting providers have easy mechanisms to enable this. The other key point to remember is to have low DNS TTLs, otherwise the traffic shift will take hours if not days to propagate around the world.

5. Institute basic rate limiting

Perform basic rate limiting so that you are able to slow down any one IP that is being abusive. Most load balancers or caching proxies have rate-limiting capabilities. If you see that someone is requesting five to ten pages per minute, you can slow that down. The key is to do this on a device ahead of your web server. Be careful not to implement rate limiting directly on the web server as it will not be able to support the same scale of traffic. It’s all about keeping the web servers from being saturated with non-legitimate traffic.

6. Find a pattern

DDoS attacks are almost always scripted attacks, meaning they are predetermined static requests. Look through your logs and try to find commonality among the malicious requests to filter them out using a Web Application Firewall or your load balancer. To do this effectively, you should already have a comprehensive logging system in place. During an attack, you will not have the time to react and change your logging rules. You should not only record the request URI, but also every incoming header from User Agent to Accept-Encoding; you never know where a pattern might emerge.

7. Use a mitigation service

If the above all fails and your web servers are under water, you can quickly deploy a DDoS mitigation solution. This can be costly, however, and might not be a viable option for companies with limited resources. Also, if you wait until you’re already under attack before deploying these solutions, you might be slammed with even higher costs because of the “desperation” factor.

8. Have a plan in place

Above all, have a comprehensive plan in place for dealing with an extortion incident that includes a DDoS threat. This includes knowing what steps to take and when, who to contact at the Internet or managed service providers, how to conduct rate limiting, how to use geo filtering, etc.

With this kind of preparation, you can help minimize the risks to the organization.

Rami Essaid is CEO and cofounder of Distil Networks, a bot detection and mitigation company.