Financial Times; Nov 12, 2003
The latest wave of attacks on online gambling sites, web retailers and internet payment systems follows similar bombardments of companies worldwide.
Distributed denial of service attacks, once the preserve of mischievous hackers, have become the weapon of choice for organised criminals seeking to extort money from unprotected corporations. It is no less than a high-tech protection racket.
In September, more than a dozen offshore betting sites serving the US market were brought down by DDoS attacks. E-mails were then reportedly sent demanding payments of up to $40,000 (£24,000) or the attacks would be resumed. The Russian Mafia, with assaults traced back to St Petersburg, was thought to be behind the extortion attempts.
"We have seen these peaks being hit around the world," said Paul Lawrence, Europe and Asia manager for Top Layer, a US company that provides protection against DDoS attacks. "It does seem to be a trend, where they find a specific type of company - like online gambling - and geography is no barrier to them. They seem to be working their way around the world, picking people off quite happily."
Law enforcement agencies say these are not groups of amateur hackers. "While we still see offences that are done purely for mischievousness, here we are seeing great deals of money changing hands," said Mick Deats, detective superintendent in charge of operations at the National Hi-Tech Crime Unit. "These are for-profit crimes and all intelligence suggests that organised crime is involved."
The classic DDoS attack begins with a break-in at a computer which then becomes the master computer for the intended attack. Several other computers are then hacked and a command is sent through the master telling them to bombard the servers of the target with bogus requests.
Industry experts say huge numbers of computers are not needed to bring down a transactional website. A single computer can issue a rapid series of data packets that can help to tie up the target's servers. It is compared with saying "hello" repeatedly and starting numerous unfinished conversations.
"It's a relatively simplistic brute-force tool," said Mr Lawrence. "[Hackers] will monitor the success of the attack and they will then try something slightly different if the site is not brought down."
The data of users of the site are generally not compromised. The culprits are not interested in confidential details; they are concentrating on bringing the target network to its knees.
Tracking down the criminals can be difficult. The computers used are not their own, so tracing their internet protocol addresses can prove fruitless. The bogus requests are also bounced off other servers around the world. If the blackmail request is made by e-mail, investigators have some opportunity, but anonymous addresses are always used and finding the source proves impossible. Law enforcement agencies are enjoying more success through following the money trail back to the blackmailers if the payments are made.
Other big DDoS attacks have included one on the root servers of the internet last year and two on the website of Microsoft in August. Before DDoS, criminals tried to blackmail companies, such as Fujitsu and Visa, after breaking into their networks and actually stealing data. Increasing the strength of firewalls has made this more difficult.