subject: Online service foils ransom plot
posted: Tue, 31 May 2005 10:41:28 +0100


http://news.bbc.co.uk/1/hi/technology/4579623.stm

Online service foils ransom plot
By Jane Wakefield
BBC News technology reporter

Monday 23 August 2004 was a normal day in the office for Asif Malik,
security director of online payment firm Nochex.

That is until an e-mail popped into his inbox at 7pm when most of his
colleagues had gone home for the night.

The e-mail was a ransom note offering a stark choice - immediately
send a wire for $10,000 to a European bank account or face an attack
on the company's servers.

Others may have panicked but such a note was not out of the ordinary
for Mr Malik.

"We get quite a few, maybe once a month so we don't always take it
too seriously," he said.

Zombie attack

-----------
DDoS ATTACK EXPLAINED
DDoS = Distributed Denial of Service attack
* Malicious hacker uses virus to hijack numerous computers
* On command these zombie computers flood the targeted website with
useless data
* The target's internet servers are overwhelmed by junk data
* Customers have trouble using the targeted website
* Targeted website can be slow or inaccessible for days
* Fighting DoS attacks is laborious and costly
* Because the zombies are distributed across the internet, finding
the attacker is difficult
-----------
It has become common practice for extortionists to target net firms
and threaten to cripple their websites with deluges of data unless
they pay a ransom.

Not all the e-criminals are able to follow through on their threats
but when the Nochex site went down at 8pm it was time to sit up and
take notice.

The first thing Mr Malik did was to contact his service provider
Pipex.

"They told us we were being flooded by a zombie attack," he said.

So-called Distributed Denial-of-Service (DDoS) attacks overwhelm
servers with customer requests until they are forced offline.
Computers are innocently recruited from all over the world to take
part in the attack, each sending only a small part of the entire data
flood.

The recruiting of machines to take part in attacks is typically done
by infecting them with a virus or worm. The net address of
compromised machines - dubbed zombies or bots - is sent back to the
criminal, who will use it to launch a DDoS.

The news that Nochex had fallen victim to a DDoS attack forced Mr
Malik to open communications with the hijacker, and he offered to
wire the money first thing in the morning.

Let battle commence

"I wasn't actually going to pay them but it bought us time to come up
with a solution," he said.

Other firms do pay off the blackmailers, seeing it as preferable to
have downtime on their site.

Such attacks have typically targeted online gambling and gaming
firms, seeing them as malleable victims because of the amount they
depend on their sites to generate income.

In the run-up to last year's Cheltenham Cup, a highlight in the
racing calendar, these sites were targeted.

"A whole raft of them were threatened and they made payment because
it was a drop in the ocean compared to what they would lose if the
site was down," said Maria Cappella, general manager of sales and
marketing for Pipex.

But for Mr Malik paying up was not an option. Instead it was a chance
to see whether technology could do battle with the e-criminals and
beat them at their own game.

In this particular case the criminals in question were part of a
Russian gang, already well known to the UK police but not yet within
the grasp of the authorities.

"Do what you have to do," Mr Malik was advised by his contact at New
Scotland Yard.

Battle-scarred

The solution, in this case, was a network product developed by Cisco.
Called Cisco Guard it has been created specifically to fight DDoS
attacks by sorting the legitimate traffic from traffic intent on
attacking servers.

----------
THE NATURE OF DENIAL-OF-SERVICE ATTACKS
* Average cost of mission-critical services being compromised: $100,000
an hour
* Britain has largest zombie PC population in the world
* Over 1m connected computers are zombies
* 30,000+ internet connected zombie networks in 2004
* Estimated 25% of all infected PCs are under control of hackers
* Broadband responsible for 93% increase in infected PCs in 2004
* 11% of small to medium-sized businesses suffered DDoS attacks in
the last 12 months
----------

"All of the traffic is diverted and we analyse the flow and identify
aspects of the flow that we believe to be malicious," explained Kevin
Regan, a security consultant with Cisco.

Once installed Mr Malik's attitude was one of "bring it on",
confident that the new armour that had been put around the network
would remain impenetrable.

The attacks did come and have continued to come ever since, but so
far the system has remained online.

DDoS attacks have become a big problem for businesses in the last 12
months.

At one point in the autumn of last year Pipex was seeing as many as
three to five attacks each day, although that number has since slowed
down.

Most of Pipex's high-risk clients, categorised as gaming, gambling
and payment gateway sites, have had the Cisco equipment installed and
the patterns of attacks are becoming familiar to the backbone
engineers.

"We have become veterans at it. Our guys have been doing it for 15
months and we have become quite battle-scarred along the way," said
Ms Cappella.

Recognising customers' traffic profiles and spotting anomalies are
key to foiling attacks although everyone is aware that the criminals
will always be looking at new ways to break through the guards.
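The profile-then-spot-anomalies approach described above, as an added illustration (not Cisco's or Pipex's code): learn a customer's normal requests-per-window and distinct-source count from quiet windows, then flag windows that exceed both by a large factor. Flow records, the window size and the factor are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

WINDOW = 10  # seconds per bucket (assumed)


def _window_stats(flows, window=WINDOW):
    """Bucket (timestamp, src_ip) records into fixed windows.
    Returns {window_index: (request_count, distinct_sources)} in window order."""
    buckets = defaultdict(list)
    for ts, src in flows:
        buckets[ts // window].append(src)
    return {w: (len(srcs), len(set(srcs))) for w, srcs in sorted(buckets.items())}


def build_profile(flows, baseline_windows, window=WINDOW):
    """Learn the normal profile from the first N windows: mean requests and
    mean distinct sources per window."""
    stats = _window_stats(flows, window)
    base = [stats[w] for w in sorted(stats)[:baseline_windows]]
    return {"requests": mean(r for r, _ in base), "sources": mean(s for _, s in base)}


def detect_floods(flows, profile, factor=5.0, window=WINDOW):
    """Flag windows whose request rate exceeds the profile by `factor`.
    If the source spread also exceeds the profile, many small senders are
    involved: the distributed-flood signature the article describes.
    Otherwise it is one noisy client, reported separately."""
    alerts = []
    for w, (reqs, srcs) in _window_stats(flows, window).items():
        if reqs > factor * profile["requests"]:
            kind = "distributed_flood" if srcs > factor * profile["sources"] else "single_source_spike"
            alerts.append((w, kind, reqs, srcs))
    return alerts


def sample_flows():
    """Constructed records: 3 quiet windows, one distributed flood, one noisy client."""
    flows = []
    for w in range(3):  # normal: 20 requests per window from 5 customer addresses
        for i in range(20):
            flows.append((w * WINDOW + i % WINDOW, f"203.0.113.{i % 5}"))
    for i in range(400):  # window 3: 400 requests spread over 200 zombie addresses
        flows.append((3 * WINDOW + i % WINDOW, f"198.51.100.{i % 200}"))
    for i in range(150):  # window 4: 150 requests from a single address
        flows.append((4 * WINDOW + i % WINDOW, "192.0.2.7"))
    return flows


if __name__ == "__main__":
    profile = build_profile(sample_flows(), baseline_windows=3)
    for alert in detect_floods(sample_flows(), profile):
        print(alert)
```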

According to Mr Regan, such attacks are getting more sustained -
lasting for days or even weeks - and more and more zombie machines
are being recruited into the hijackers' armies.

Not cheap

According to the Honeynet Project, set up to create solutions to
security problems, there are over one million zombie computers.
Britain has the largest zombie PC population of anywhere in the
world.

Mr Malik believes that, as denial of service attacks get stronger and
more prevalent, all internet service providers will have to come up
with permanent network-based solutions.

It has not been a cheap option for Nochex. In fact, with an initial
cost of £20,000 and a further £3,000 a month, it would have been
cheaper to pay off the hijackers.

But, as Mr Malik says, "who is to say the hijackers wouldn't have
come back next month and the month after?"


---
* Origin: [adminz] tech, security, support (192:168/0.2)