What are the signs of a DDoS extortion attack?
Threat actors behind DDoS extortion campaigns use several methods. Some attacks start with a demonstrative DDoS attack that targets a specific element of an organization’s online services/application delivery infrastructure to prove the threat is real. This limited attack is immediately followed up with an extortion note or email threatening that a larger attack will follow if payment is not made.
Other attacks first send an extortion note or email that outlines the threat to the business and sets the extortion demand, payment form, and deadline for payment before the attack is launched. The attackers often claim they have upwards of 3 Tbps of DDoS attack capacity available if demands are not met.
Attackers do not always launch the threatened attacks, and some may not even have the capacity to do so. Organizations should nevertheless not assume the threats are empty.
DDoS extortion attacks often involve one or more of the following vectors:
- CLDAP reflection/amplification
- Spoofed SYN-flooding
- GRE and ESP packet-flooding
- TCP ACK-floods
- TCP reflection/amplification attacks
- Packet-flooding attacks using other IPv4 protocols
As with any DDoS attack, once an extortion-backed attack is launched it targets an application or service and overwhelms it with attack traffic, slowing the service or taking it down completely.
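The vectors listed above each leave a recognisable footprint in flow telemetry. The following added example (not from the original page or any vendor product) classifies constructed NetFlow-style records by those vectors and reports the ones whose volume towards a victim host crosses an assumed packet threshold; the port/flag heuristics and the threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from a real capture), shaped like simplified
# NetFlow tuples: (ip_proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, packets)
VICTIM = "198.51.100.5"
SAMPLE_FLOWS = [
    (17, "203.0.113.10", 389, VICTIM, 41000, "", 9000),   # CLDAP reflection (UDP/389 source)
    (17, "203.0.113.11", 389, VICTIM, 41001, "", 8800),
    (6, "192.0.2.77", 5555, VICTIM, 443, "S", 12000),     # SYN-only flows from spoofed sources
    (6, "192.0.2.78", 5556, VICTIM, 443, "S", 11000),
    (6, "192.0.2.90", 6000, VICTIM, 443, "A", 15000),     # ACK-only flood
    (47, "192.0.2.100", 0, VICTIM, 0, "", 7000),          # GRE packet-flood
    (50, "192.0.2.101", 0, VICTIM, 0, "", 6500),          # ESP packet-flood
    (6, "203.0.113.50", 80, VICTIM, 40002, "SA", 5000),   # SYN-ACKs reflected off web servers
    (6, "203.0.113.51", 443, VICTIM, 40003, "SA", 5200),
    (6, "198.51.100.9", 52000, VICTIM, 443, "SPA", 40),   # ordinary client session, ignored
]

def classify_flow(ip_proto, src_port, tcp_flags):
    """Map one flow to the extortion vector it resembles (assumed heuristics), or None."""
    if ip_proto == 17:
        return "CLDAP reflection/amplification" if src_port == 389 else None
    if ip_proto == 47:
        return "GRE packet-flood"
    if ip_proto == 50:
        return "ESP packet-flood"
    if ip_proto == 6:
        if tcp_flags == "S":
            return "Spoofed SYN-flood"
        if tcp_flags == "A":
            return "TCP ACK-flood"
        if tcp_flags == "SA" and src_port in (80, 443):
            return "TCP reflection/amplification"
        return None  # normal multi-flag sessions are left alone
    return "Other IPv4 protocol packet-flood"

def detect_vectors(flows, victim, pkt_threshold=1000):
    """Per vector aimed at `victim`: (total packets, distinct sources), above threshold."""
    totals = defaultdict(lambda: [0, set()])
    for ip_proto, src_ip, src_port, dst_ip, _dst_port, tcp_flags, packets in flows:
        if dst_ip != victim:
            continue
        label = classify_flow(ip_proto, src_port, tcp_flags)
        if label is None:
            continue
        totals[label][0] += packets
        totals[label][1].add(src_ip)
    return {label: (pkts, len(srcs)) for label, (pkts, srcs) in totals.items()
            if pkts >= pkt_threshold}
```

Raising `pkt_threshold` suppresses the lower-volume GRE and ESP floods in the sample while the reflection and TCP floods remain flagged, which is the kind of tuning a demonstrative attack would be measured against.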