Criminal gangs are increasingly using the internet as a tool to extort money from businesses, with thousands of distributed denial of service attacks occurring globally every day, says Jose Nazario.

In recent years more and more companies have moved their business processes online. For many, e-commerce has been a massive source of growth.

However, while the rise of the internet has brought numerous business benefits, it also carries numerous threats, in the form of viruses, hackers, worms, and malware.

Most companies are aware of these risks and have put the appropriate processes and technology in place to mitigate them. But, over the last few years, these internet-based threats have taken on a more malevolent and sophisticated nature. Virus writing is no longer the pastime of teenagers with too much time on their hands. Instead, bespoke viruses are now being written for organised cyber criminals motivated only by money. The threat is no longer of simply being caught up in collateral virus damage; companies are now being deliberately targeted by blackmailers determined to extort money, and every business with an online arm is at risk.

The problem of DDoS extortion

These criminals are increasingly using a method known as a distributed denial of service (DDoS) attack. A DDoS attack is launched with the sole aim of making a company's website or servers unavailable by flooding them with traffic, usually in the form of bogus web requests or e-mail. Unlike a single-source attack, which can be stopped relatively easily by filtering one address, the attacker first compromises a number of host computers which, in turn, infect thousands of other computers that then operate as agents for the assault. These infected machines, known as 'zombies' or 'bots', then flood the victim's website with requests for information, creating a vast and continuous stream of data that exhausts the target's bandwidth or servers and prevents it from providing any service. Because the traffic arrives from thousands of sources at once, no single address can be blocked to end it.

Although they can be launched in minutes, DDoS attacks can last hours, weeks or months and are capable of bringing unprotected organisations grinding to a halt. All online services will be disrupted, which will not only prevent businesses from serving their customers but will also prevent employees from doing their work. The results are a loss of customer and shareholder confidence, reduced productivity and a massive dip in revenue. Cyber extortionists are able to demand huge sums of money to cease the attack, yet these amounts are small in comparison with the financial impact of a sustained assault.

Every business is at risk

The cost of a DDoS attack can be substantial, and it has been estimated that as many as 10,000 occur world-wide every day. DDoS extortion attacks were originally used against online gambling sites to extort money from bookmakers. Criminal gangs would initiate attacks that would bring the website down just before a major sporting event, inflicting maximum financial damage. Now, however, DDoS attacks are increasingly being used to extort money from all sorts of businesses.

Whilst the majority of attacks are launched with the intention of extorting large sums of money, they may also be initiated by disgruntled employees and politically motivated activists, making it even more difficult to predict which companies will be targeted. Every business that uses the web to transact with customers or partners is at risk.

There are numerous examples of DDoS attacks that can be cited. One of the most notorious occurred early last year. 'MyDoom' infected hundreds of thousands of computers before launching an attack on SCO (a Utah-based Unix vendor) that took the company's website offline for several weeks.

The motivation for the attack has never truly been established. More recently, a US businessman who ran the internet hosting company Footnet was charged with employing a hacker to carry out DDoS attacks in an attempt to bring down his competitors. Earlier this year the e-commerce firm '2checkout', which processes credit card payments for online merchants, rebuffed a blackmail attempt and was rapidly brought down by a DDoS attack.

DDoS attacks are a truly global threat, as the extortionists are not restrained by traditional borders. In September one of China's first e-commerce websites, 8848, took a competitor to court after accusing it of flooding its website with traffic that made it inoperable for 26 hours.

Even the Greater Manchester Police have fallen victim to an attack. Recently its chief constable was subjected to 2000 e-mails an hour in an attempt to crash the force's computer systems.

DDoS assaults are also increasingly being used for political purposes.

On Valentine's Day this year animal rights activists set up a chat room and encouraged people to log on and chat at the same time. For every word typed, an e-mail would be sent to the target organisations in the vivisection and fur industries in an effort to crash their websites.

The reality is that no company is safe. The problem is exacerbated by the fact that DDoS attacks do not simply affect the organisations they are targeted at: the flood can saturate the links and overwhelm the infrastructure of the internet service provider (ISP) that delivers the victim's traffic. Thus the risk of being affected by such an assault is increased, as your own connectivity may be lost if you share an ISP with another company that becomes the victim of a DDoS attack.

Some companies have chosen to meet the demands of extortionists. This is understandable, as sometimes the amount being demanded is far less than it would cost to implement the technology needed to filter network traffic on an ongoing basis. Moreover, the publicity that comes with reporting an attack can be extremely damaging in itself, and many companies just want the problem to go away. Inevitably, however, companies that have given in to blackmail have found themselves being targeted again. By giving in to extortionists businesses are simply encouraging their activities and making the problem worse.

Lack of awareness

Despite the substantial damage DDoS attacks can cause and the increasing frequency of the assaults, recent research released by the IT company IntY has revealed an alarming lack of awareness among businesses about the threat. According to IntY, more than half of all UK companies are at risk because this lack of understanding has resulted in a widespread failure to implement the necessary preventative technology. It is vital that senior decision-makers wake up to the very real threat posed by DDoS attacks.

A failure to do so could have far-reaching consequences. While most companies do succeed in getting their business back online following an attack, the damage done to brand integrity will be significant, and both customer and shareholder confidence will be affected. Companies must assess what the impact of their website being attacked would be and act accordingly.

All businesses with an online arm should implement the necessary preventative measures to mitigate the threat of a DDoS attack. However, it is important to understand that there is no silver bullet for remediating the risk.

At present, many companies rely on reactive measures such as blackholing, router filters and firewalls. Blackholing diverts all packets travelling to a victim's address to a 'black hole', where they are discarded. This protects the rest of the network, but it is a blunt instrument: all traffic to that address is lost, whatever its nature, so from the victim's point of view the attacker's goal of taking the site offline has been achieved. Traffic filtering at the router level enables businesses to drop malicious traffic while letting the rest through, but this works only when the attack traffic can be told apart from legitimate traffic, and today's sophisticated cyber criminals will often use valid protocols and spoofed or apparently valid IP addresses. Firewalls can be configured to accept only specific requests from approved external sources, but a stateful firewall is itself a resource that a flood can exhaust, and a filter at the company's own border cannot help once the upstream link is already saturated. Other techniques include simply throwing more bandwidth at the problem, altering the IP addresses of the attacked system and updating the domain name server, although an attacker who targets the site by name will simply resolve the new address.

A multi-layered defence

While all these tools do possess crucial security features, they fail to offer sufficient protection against the ever-evolving and sophisticated nature of these assaults. Moreover, as the huge levels of data being sent to crash a victim's site can also overload the ISP's data centre, it is vital that defences are implemented at the ISP level, as well as at enterprise and consumer endpoints. If companies are to successfully combat a DDoS attack, a truly multi-layered approach to defence must be adopted.

Thus it is vital to establish a solid relationship with your service provider early on and to ensure that you are aware of the measures that are available to protect your network and online business.

Recent research by Arbor Networks revealed that DDoS attacks are the most crippling threat facing ISPs today, yet only 29% of ISPs surveyed offer security and DDoS service levels agreements to their customers.

When an attack hits, time is of the essence. This is not the stage at which you should be determining whether your service provider has the necessary technology in place. A proactive approach by both the companies at risk and the ISPs that serve them is key.

Because DDoS attacks are launched from thousands of computers around the world it is essential that companies share information about the attacks if they are to be stopped. Such assaults cannot be fought alone and a collaborative effort is vital.

A number of network operators and vendors, large and small (including Cisco, BT and MCI), have signed up to the Fingerprint Sharing Alliance, which enables them to share detailed attack information in real time and thus block attacks closer to the source. Once an attack has been identified by one member, the other members of the Alliance are automatically given the 'fingerprint', the characteristics that distinguish the attack traffic, enabling them to identify it on their own networks and to filter it or remove infected hosts. This enables businesses and their ISPs to stay abreast of security threats as they arise.
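The two ideas above, a fingerprint that characterises the attack traffic so that another network can act on it, and the choice between a narrow filter and a blackhole that discards everything, can be made concrete with flow records. The following is an added example written for this article; it is not Arbor's software and not the Alliance's fingerprint format, both of which are unknown here. The flow records are constructed sample data (a SYN flood against a web server from 200 sources), the export window, packet-rate thresholds and edge capacity are assumptions, and the rule text is an illustrative ACL-like line rather than any vendor's syntax.

```python
"""Flow-based DDoS triage: detect a flood, derive a shareable attack
fingerprint, and choose between a narrow filter and a blackhole.

Added example, not Arbor's or the Fingerprint Sharing Alliance's code.
Flow records are constructed sample data; thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

WINDOW_S = 10  # assumed export window covered by the constructed records


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    packets: int  # packets seen in the window
    octets: int   # bytes seen in the window


# Constructed sample: three legitimate flows plus a SYN flood against the
# web server 198.51.100.10 from 200 sources in 192.0.2.0/24. Each source
# sends modestly (500 packets of 60 bytes); only the aggregate is crushing.
SAMPLE_FLOWS: List[Flow] = [
    Flow("203.0.113.5", "198.51.100.10", "tcp", 443, 40, 30000),
    Flow("203.0.113.6", "198.51.100.10", "tcp", 80, 12, 9000),
    Flow("203.0.113.7", "198.51.100.25", "udp", 53, 3, 300),
] + [
    Flow(f"192.0.2.{i}", "198.51.100.10", "tcp", 80, 500, 500 * 60)
    for i in range(1, 201)
]


def detect_floods(flows, window_s=WINDOW_S, pps_threshold=5000, min_sources=50):
    """Destinations whose inbound rate and source dispersion look like a
    distributed flood: high aggregate packet rate from many sources."""
    packets: Counter = Counter()
    sources: Dict[str, set] = {}
    for f in flows:
        packets[f.dst] += f.packets
        sources.setdefault(f.dst, set()).add(f.src)
    return sorted(dst for dst, n in packets.items()
                  if n / window_s >= pps_threshold and len(sources[dst]) >= min_sources)


def fingerprint(flows, dst, window_s=WINDOW_S):
    """Characterise the dominant traffic to dst: the (proto, port) tuple an
    upstream network could filter on, plus the attributes that identify it."""
    tuples: Counter = Counter()
    octets: Counter = Counter()
    srcs = set()
    for f in flows:
        if f.dst == dst:
            tuples[(f.proto, f.dport)] += f.packets
            octets[(f.proto, f.dport)] += f.octets
            srcs.add(f.src)
    total = sum(tuples.values())
    (proto, dport), pkts = tuples.most_common(1)[0]
    return {
        "dst": dst, "proto": proto, "dport": dport,
        "pps": pkts / window_s,
        "share": pkts / total,                     # fraction of traffic to dst matching the tuple
        "avg_pkt_bytes": octets[(proto, dport)] / pkts,
        "sources": len(srcs),
        "other_pkts": total - pkts,                # traffic a blackhole would drop as well
    }


def plan_mitigation(fp, edge_capacity_pps, share_threshold=0.9):
    """Pick the least destructive control that can actually absorb the load.
    edge_capacity_pps is the assumed rate the victim's own border can filter."""
    rule = f"deny {fp['proto']} any host {fp['dst']} eq {fp['dport']}"  # illustrative, not vendor syntax
    if fp["share"] < share_threshold:
        # No single tuple dominates: a narrow filter would not remove the flood,
        # so the /32 is blackholed upstream and all traffic to it is lost.
        return {"action": "rtbh", "scope": fp["dst"] + "/32",
                "collateral_pkts": fp["other_pkts"]}
    if fp["pps"] > edge_capacity_pps:
        # The border could match the rule but the link is already saturated:
        # the fingerprint has to be applied by the ISP, closer to the source.
        return {"action": "upstream_filter", "rule": rule, "collateral_pkts": 0}
    return {"action": "edge_acl", "rule": rule, "collateral_pkts": 0}


if __name__ == "__main__":
    for victim in detect_floods(SAMPLE_FLOWS):
        fp = fingerprint(SAMPLE_FLOWS, victim)
        print(fp)
        print(plan_mitigation(fp, edge_capacity_pps=5000))
```

The decision logic is deliberately simple: it filters on the dominant tuple when one exists, escalates to the ISP when the edge cannot cope with the rate, and falls back to blackholing only when nothing narrower would work, reporting how much non-attack traffic that blackhole would also discard.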

The Alliance is helping to break down communication barriers, and its rapid growth marks a significant step forward in the fight against cyber criminals whose assaults cross not only network boundaries, but also continents and oceans.

The threat of being blackmailed by organised criminals using DDoS attacks is very real, and businesses cannot afford to be complacent. Stand alone defences are insufficient to combat the sophisticated nature of these attacks, and a comprehensive approach to security must be implemented.

A multi-layered security strategy should be adopted at the enterprise level, and companies must also work with their ISPs.

- Jose Nazario is senior security adviser at Arbor Networks, www.arbornetworks.com