TechWeekEurope investigates the DDoS market, looking at how the dealers make their money, who’s buying and what can be done to counter their illegal activities
“I’ve put lots of sites offline,” the dealer says. “Shops, schools and another site, but I can’t tell you about that one here.”
Those pushing services on the Internet’s black market are unsurprisingly secretive about their targets when talking directly. Even with Skype’s encryption and peer-to-peer protections, this Distributed Denial of Service (DDoS) dealer wouldn’t reveal too much, for fear of being ensnared by law enforcement.
Sites across the web are being smashed offline by such DDoS dealers every day. Criminal organisations, disgruntled individuals, governments and private organisations pay them to knock enemies offline. And they know they can earn a lot by doing a little.
It isn’t difficult to find them either. Just head onto one of the many hacker forums and you’ll come across shiny DDoS advertisements, with tawdry, 90s-era banners displaying prices and contact details.
On the darker parts of the web, things are a little less glamorous, but the menus are largely the same.
More aggressive marketing
One seller going by the name of Gwapo is particularly open about the business he/she is running. Gwapo has a website called DDoS Service, which is remarkably simple, containing just two landing pages. But it also features a video advertisement of a young American man talking about what Gwapo can do.
The man claims Gwapo has four years of DDoS experience, in both attack and defence. It is a remarkably brazen piece of marketing. Perhaps even more remarkable is the fact that YouTube allows such videos to be published. Since being thrown on the site in mid-June, it has already acquired over 32,000 views. This is not the first promo vid Gwapo has put out either. The one below takes a more salacious tack.
DDoSers are unafraid of outlandish promotion. They know there is money to be earned here, and they know there is plenty of competition.
Dealing with the dealers
Whilst finding them is simple, getting dealers to open up is trickier. Gwapo was particularly reticent when speaking over Skype. But Tor Chat provided enough peace of mind for dealers to reveal more about themselves to TechWeekEurope, which has been contacting those pushing their wares on the DDoS market over the last month. To be clear, we did not ask the sellers to take down websites. DDoS is against the law and TechWeekEurope does not support it in any way.
Ned – not his real name – told us he was a 17-year-old computer science student. He claims friends introduced him to the illicit cyber services game. “Now I got some Russian friends,” he quips. His biggest ever hit lasted for two days, for which he was paid just over $250. In that case, he was asked to kill the attack early. The buyer got tetchy about how successful the hit was.
To carry out that brutal hit, Ned relied on a botnet of around 2000 bots, he says. Without prompting, Ned initiates a demo. His target? One of the most popular hacking forums on the Web. We go to the site as soon as he says it is down. He knocks it offline for around 30 seconds before killing the DDoS. Any site is fair game, it seems.
As for pricing, he was offering a small site without protection at just $4 an hour. For a larger website, the cost can be as much as $100 an hour. Initially, Ned comes across as ambivalent to the dangers of selling DDoS services. Is he not worried about getting chucked out of school and thrown in jail? “Nah,” he coolly responds. But when we push him, asking if he would be happy to take down a major banking site, Ned backs down. “I don’t want to get in trouble,” he says.
Another dealer, who claims to focus his botnet’s energy specifically on sites using Cisco, Juniper and Cloudflare gear to mitigate attacks, says he has done single deals for over a $1000. Like Ned, he says some buyers will pay as much as $100 for each hour a big-league website is downed.
Yet, as with many other dealers, BProof said he will happily accept between $5 and $10 to take easy targets offline for an hour. The bots he was herding could apparently do plenty of damage with just a little effort. “I can take down CloudFlare lines with 30 bots, that’s nothing for me,” was one claim (CloudFlare is a content delivery network). He offers us a 10 minute test. We decline. It was already clear how easy it was for these denizens of the dark web to kill websites.
It’s also clear that acquiring services can be very cheap indeed. Even the most impecunious of businesses could knock a competitor down. For many companies, having a website taken offline for a while causes nothing more than a little embarrassment. But for others, it can cause substantial financial damage.
All kinds of organisations are getting pummelled by DDoS attacks in today’s world. And all kinds of organisations are paying for them too.
Some even get creative with their DDoS strikes. André Stewart, president international at Corero Network Security, said he knew of a telecoms company that saw its services downed by a competitor after launching a free VoIP service. The envious rival set up an online game, which, when played, sent very small UDP [User Datagram Protocol] packets to attack the site from which free VoIP was being offered. It was a rare case of malicious gamification.
“That was almost undetected. We looked at it very carefully and analysed the packets and saw what was going on,” Stewart said. “There are cases of companies attacking other companies. That exists – for competitive advantage or to deny something that has been competitive.”
DDoS is well-known as a protester’s weapon. Hacktivists like Anonymous and LulzSec have proven that, with successful strikes on big-name sites, from Theresa May to the CIA. But Stewart believes everyday people are now buying DDoS services too, simply to vent their discontent at whatever organisation they’re frustrated at.
“Low-cost airlines get attacked, for instance, and government entities that manage speeding fines,” he said. “It has almost become the new way of customer dissatisfaction.”
This year has also seen a new target: non-profit groups. Avaaz, which campaigns against what it believes are immoral measures of nation state regimes, including the US and China, one can guess who would be keen to knock down their site. Removing Avaaz’s website also removes its donation page – i.e. its main source of funding.
The Pirate Bay has obvious enemies too – copyright holders. “I do think the music industry, the film industry, where there is a serious amount of money leaking, they would like to see it close down,” Stewart added. “They [music and film industry organisations] can operate in ways that are completely anonymous. If they want they can attack those types of sites [like The Pirate Bay].”
DDoS services are in high demand and for myriad reasons. Big corporations, small businesses, governments and irascible individuals all take an interest in them.
But DDoS dealers don’t just rely on money from clients. They can go direct and extort those businesses whose very survival relies on an Internet presence. This can provide them with much more income than working the black market.
For those who go after online gambling businesses, the financial rewards can be huge, according to Stewart. “Somebody will send a note to the betting guys, saying ‘we will stop the service just before the game for an hour or two hours’. They will be able to calculate very easily how much it means to them and their business stopping for that amount of time,” he explains. “If the person is only asking for $50,000 they will pay for it. If they feel their security is not up to scratch.”
Such businesses are easy targets. Corero works with a number of gambling firms and claims to have difficulties in upgrading their kit to mitigate against DDoS strikes. “We’re not able to do any upgrades to their network or any changes until a major competition is off. And then there is always another one that starts,” Stewart adds.
Geopolitical issues also affect gambling firms’ level of security against DDoS, he says. “Because a lot of these betting companies are based in tax havens, there aren’t many authorities that are ready to say ‘we will protect you’ because they’re already seen as dodging taxes – a lot of taxes they should be paying onshore. So they’re relatively unprotected.
“They will know how protected they are. If something new comes out and they’re not up to scratch, then they will not talk about it, but they will make the payment.”
Stewart knows of businesses who have paid “£100,000 here and £100,000 there” just to pay off those threatening to kill their sites. “That’s not uncommon.” If they didn’t pay, the losses would be much greater. “Companies have been known to go down for 6 hours, and the losses are in the millions.”
Symantec recently spotted a crimeware bot known as “Zemra” being used in DDoS attacks against specific machines for extortion. It featured a command-and-control panel hosted on a remote server, as well as a tonne of functionality, including 256-bit DES encryption/decryption for communication between server and client, and propagation through USB.
Zemra comes at a cost though. It first appeared on underground forums in May 2012 at €100. Even those dealing to the DDoS dealers can make a killing.
Infiltrating the markets
What is clear from TechWeekEurope’s trips to the underground markets is that botnets are at the core of the problem. No doubt many are using tools to carry out application-level DDoS attacks, such as Slowloris and Hulk, but botnets appeared to be the weapon of choice on the market.
If such markets are to be countered in the coming years, killing off botnets would be a fine place to start. Many efforts to slay these nasty networks have seen operations sinkholed, where bots are directed to servers belonging to the good guys, rather than the bad guys’ command and control centres.
Others, like the dismantling of DNSChanger, look to completely take apart the physical hardware. This can lead to issues, however. Many fear the hundreds of thousands still connected to the infrastructure of DNSChanger will lose internet connectivity when the FBI pulls the plug on 9 July.
But prophylactic measures are not good enough. Just taking servers offline or sinkholing operations only suspends malicious activity.To kill a botnet, arrests need to be made. “If you’re going to tackle it long-term, it really is going to involve apprehending the people who are behind it,” says David Emm, senior regional researcher at Kaspersky Lab.
Taking down more botnets will require greater cooperation between private and public bodies, and across borders too, Emm believes. Whilst there have been notable successes in the past year, there remain problems. Overcoming global demarcation of cyber policing is one of the biggest. Emm says most activity continues to happen at a “more informal level”. If major players such as the US and EU nations could organise more formal frameworks, this would speed up the intelligence sharing operation, he claims.
“One of the difficulties comes with speed of response. Although there is quite a lot of activity where law enforcement agencies in different parts of the world can cooperate, unless there is a supranational agreement that they can combine activities under, it is difficult with the informal stuff to be as quick as say the spammers or DDoSers can be,” Emm adds. “There are always going to be limits given you’ve got different zones of legislation where the cyber criminals don’t.”
Behind all this additional cooperation, “just good old-fashioned policing” is needed, says Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory. “Even the UK police have had occasional successes. It’s just a matter of trying. Even crooks in Russia can be arrested if the Foreign Office starts to care about it,” he adds.
One recent case proved how more surreptitious means can help bring down cyber crime operations too. When the FBI announced the arrest of 24 people in June, it hinted at a maturation of cybercrime efforts. The cops set up their own market, where unwitting crooks went to sell and buy credit card details. IPs were collected and activity tracked across other nasty websites. Then the suspects were apprehended, not just in the US, but across the globe, with six taken into custody in the UK. It was one of the most impressive cyber operations in recent times.
Infiltrating the DDoS markets, or setting up honey traps as the FBI did, looks like the most efficient way to bring them down. In turn, botnets will become inactive and other cyber crimes mitigated too. The tools are there, police just have to be given the opportunity to start using them more.
Are you a security pro? Try our quiz!