What is a DDoS extortion attack?
A DDoS extortion attack, also known as a ransom DDoS (RDDoS) attack, occurs when cybercriminals threaten individuals or organizations with a DDoS incursion unless an extortion demand is paid. These demands call for payment in cryptocurrency in order to avoid traceability by law enforcement authorities.
DDoS extortion/RDDoS attacks should not be confused with ransomware attacks, in which malicious software encrypts an organization’s systems and databases, preventing legitimate owners and users from accessing them until the ransom is paid.
What are the signs of a DDoS extortion attack?
Threat actors behind DDoS extortion campaigns use several methods. Some attacks start with a demonstrative DDoS attack that targets a specific element of an organization’s online services/application delivery infrastructure to prove the threat is real. This limited attack is immediately followed up with an extortion note or email threatening that a larger attack will follow if payment is not made.
Other attacks first send an extortion note or email that outlines the threat to the business and sets the extortion demand, payment form, and deadline for payment before the attack is launched. The attackers often claim they have upwards of 3 Tbps of DDoS attack capacity available if demands are not met.
Attackers do not always launch the threatened attack, and some lack the capacity to do so; however, organizations should not assume the threat is empty.
DDoS extortion attacks often involve one or more of the following vectors:
- DNS reflection/amplification
- NTP reflection/amplification
- ARMS reflection/amplification
- WS-DD reflection/amplification
- SSDP reflection/amplification
- CLDAP reflection/amplification
- Spoofed SYN-flooding
- GRE and ESP packet-flooding
- TCP ACK-floods
- TCP reflection/amplification attacks
- Packet-flooding attacks using other IPv4 protocols
Once launched, the attack that accompanies a DDoS extortion demand behaves like any other DDoS attack: it targets an application or service and overwhelms it with attack traffic that slows the service or crashes it completely.
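As an added example that is not part of the NETSCOUT page, the Python below sorts constructed inbound flow records into the vectors listed above by transport protocol, UDP source port and TCP flags, then totals bytes per vector and flags the ones above a volume threshold; the record format, the addresses and the threshold are assumptions.

```python
"""Added example: classify constructed inbound flow records by DDoS vector."""
from collections import Counter
# UDP source ports abused for reflection/amplification, keyed to the vector
# names on the page (ARMS = Apple Remote Management Service, UDP 3283).
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 3283: "ARMS", 3702: "WS-DD",
                    1900: "SSDP", 389: "CLDAP"}

def parse_flow(line: str) -> dict:
    """Parse a constructed 'PROTO src[:sport] > dst[:dport] FLAGS BYTES' record;
    FLAGS is '-' for protocols that carry no TCP flags (hypothetical format)."""
    proto, src, _, dst, flags, nbytes = line.split()
    sport = int(src.rsplit(":", 1)[1]) if ":" in src else None
    return {"proto": proto, "sport": sport, "dst": dst,
            "flags": "" if flags == "-" else flags, "bytes": int(nbytes)}

def classify(flow: dict) -> str:
    """Map one inbound flow to a vector name from the list above, or 'other'."""
    proto, flags = flow["proto"], flow["flags"]
    if proto == "UDP" and flow["sport"] in REFLECTION_PORTS:
        return REFLECTION_PORTS[flow["sport"]] + " reflection/amplification"
    if proto == "TCP":
        # Flag-only heuristics: bare SYNs, bare ACKs, or unsolicited SYN/ACKs (the reply half of TCP reflection).
        return {"S": "Spoofed SYN-flood", "A": "TCP ACK-flood",
                "SA": "TCP reflection/amplification"}.get(flags, "other")
    if proto in ("GRE", "ESP"):
        return f"{proto} packet-flood"
    return "other"

def bytes_per_vector(lines) -> Counter:
    """Total inbound bytes attributed to each vector across the records."""
    totals = Counter()
    for flow in map(parse_flow, lines):
        totals[classify(flow)] += flow["bytes"]
    return totals

def flagged_vectors(lines, threshold_bytes: int) -> list:
    """Attack vectors whose volume reaches the threshold, largest first."""
    return [v for v, b in bytes_per_vector(lines).most_common()
            if v != "other" and b >= threshold_bytes]

# Constructed sample records using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    "UDP 198.51.100.7:53 > 203.0.113.10:44123 - 3000",
    "UDP 198.51.100.8:53 > 203.0.113.10:44124 - 3000",
    "UDP 198.51.100.9:389 > 203.0.113.10:50010 - 2800",
    "TCP 192.0.2.44:6120 > 203.0.113.10:443 S 60",
    "TCP 192.0.2.46:80 > 203.0.113.10:9012 SA 60",
    "GRE 192.0.2.50 > 203.0.113.10 - 1500",
    "TCP 192.0.2.60:51000 > 203.0.113.10:443 PA 900",  # ordinary data segment
]
```

Running `flagged_vectors(SAMPLE_FLOWS, 1000)` on the constructed records reports the DNS and CLDAP reflection and the GRE flood while leaving the ordinary data segment unflagged.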
Why are DDoS extortion attacks dangerous?
A DDoS extortion attack is like any DDoS attack in that it prevents legitimate network requests from getting through, which can disrupt operations, cost money, and harm business reputation. Conventional wisdom states that paying the extortion demand is not advisable because there is no guarantee the attackers won’t return to demand additional payments in the future.
Except in cases where a demonstration attack takes place first, it is difficult to know whether the threat is legitimate. Attackers may claim affiliation with well-known attack groups that have already received media coverage in order to lend credibility to the threat. Because many security professionals have heard of major attacks by groups such as "Armada Collective", hijacking the name is believed to heighten the urgency of the threat, thus compelling the target to pay. It is important to note that copycat threats may still be real.
More often than not, attackers have conducted pre-attack reconnaissance before issuing their threat. This probing looks for weak spots to exploit, such as inadequately protected public-facing applications and services. Sometimes the attacks target upstream transit providers: by attacking the ISPs that supply internet connectivity, attackers can cause targeted organizations to experience significant disruption.
How can organizations mitigate and prevent DDoS extortion attacks?
As is the case with most DDoS attacks, adequately prepared organizations generally experience little or no significant negative impact related to DDoS extortion campaigns. DDoS attack vectors and targeting techniques are well-known and can be mitigated via standard DDoS countermeasures and protections.
NETSCOUT recommends the following mitigation steps:
- Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational best current practices (BCPs) have been implemented, including situationally specific network access policies that permit internet traffic only via required IP protocols and ports. Internet access for internal organizational personnel should be kept separate from internet traffic to and from public-facing internet properties and served via separate upstream internet transit links.
- Critical supporting ancillary services, such as authoritative Domain Name System (DNS) servers, should also be designed, deployed, and operated in a manner consistent with all relevant BCPs.
- Upon receipt of any demands for DDoS extortion payments, targeted organizations should immediately engage with their peers/transit ISPs, other organizations providing critical internet-facing services (such as authoritative DNS hosts), and situationally appropriate law enforcement organizations. They should ensure that their DDoS defense plans are activated and validated, and maintain a vigilant alert posture.
- DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.
- It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers, services, applications, datastores, and infrastructure elements are protected against DDoS attacks and are included in periodic, realistic tests of the organization’s DDoS mitigation plan.