The number of co-ordinated attacks by criminals aimed at bringing down corporate and ecommerce websites for blackmail purposes has increased sharply in recent years.
IT security firm Symantec estimates that distributed denial of service (DDoS) attacks rose 51 per cent in the last six months of 2005, and says it detected an average of 1,402 attacks a day. Research by NOP adds that 13 per cent of UK businesses were affected by DDoS attacks in 2005, at a cost of more than £558m.
Detective inspector Chris Simpson at London’s Scotland Yard computer crime unit says he expects to see a further rise in attacks: “The technology to launch such attacks is now in the public domain, or at least it is available to the technically proficient within the internet community,” he says.
Everyone from inquisitive teenage hackers to international crime gangs is increasingly able to buy DDoS tools over the internet and crash websites by bombarding them with thousands of page requests, he says.
“DDoS attacks may be launched for a number of reasons: it could be extortion, as recent attacks against financial institutions have demonstrated, through to revenge or political reasons,” says Mr Simpson.
But so far, attacks have focused mainly on e-commerce sites that depend on the internet as their sole revenue source.
One industry hit hard by DDoS attacks is online gambling. In March 2004, at the time of the UK Cheltenham horse races, several online bookmakers were targeted, including William Hill, Paddy Power and Blue Square.
Criminals took control of thousands of home computers, which had been surreptitiously infected by a computer virus. The compromised computers, or “bots”, were used to send thousands of page requests to betting websites in an attempt to overwhelm servers and take their business offline.
The bookmakers were then contacted by extortionists: Blue Square, for example, was ordered to pay €7,000 to cease the attacks. Similar attacks have since occurred in the US in the build-up to the Super Bowl.
“Online bookmakers are a clear target for this because they have a large flow of money and if they miss a sale, it’s gone. You can’t bet on the FA Cup the day afterwards,” says Phillip Hallam-Baker, principal scientist at IT security firm VeriSign.
“Bots are being traded on internet bulletin boards. They start off being used for high value stuff like phishing and spam, and then the absolute dregs are used as DDoS attack droids,” he says.
But Elad Shaviv, head of Cisco’s European security operations, says that while the majority of criminals are targeting companies who rely on the internet for their survival, some gangs are launching DDoS attacks for political reasons.
For example, in 2004 political “hacktivists” distributed an e-mail virus called the Maslan-C worm. The e-mail tricked users into opening an attachment by claiming it contained pictures of a glamour model.
While computer users were enjoying the images, hidden malware commandeered their computers and used them to launch an attack on Chechen separatist websites.
Criminals have become even more sophisticated in their approach recently. In February, online payment processing firm StormPay was hit by a ferocious attack which closed its business for two days (see case study).
“Attacks are coming from everywhere,” says Mr Shaviv, who works with internet hosting firms, such as Telecom Italia and AT&T, to mitigate the problem.
He says that the main problem businesses face is trying to distinguish genuine customer requests from those sent by cybercriminals. “There is no way to distinguish who really wants to do business with you. In the past, companies would just shut the door, but today you can filter traffic,” he says.
Cisco, Juniper Networks and Prolexic, among others, are developing DDoS mitigation technology, which routes web page requests via a filter looking for anomalies and abnormal amounts of activity coming from one computer or location.
Scotland Yard’s Mr Simpson advocates the use of such systems but says that, because such protection can be costly, the decision should be balanced against the perceived risk a company faces: “If a significant percentage of your business is conducted online, then higher levels of investment are probably justified.”
But Dr Hallam-Baker at VeriSign believes “prevention is better than cure”, saying more needs to be done to stamp out the botnets being used to launch DDoS attacks. While better education of computer users and anti-virus software can reduce infection rates, internet service providers should also do more to improve online security, he says.
By introducing “reverse-firewall” technology into a computer’s modem connection, which can detect and block abnormal internet activity, problems could be greatly reduced, he says.
“As a casual internet user you’re only going to read a certain number of web pages, talk to a certain number of friends and send a number of e-mails during a day. If your computer is making more than, say, 10,000 outbound contact requests an hour, then this should be spotted,” says Dr Hallam-Baker.
“Ultimately what you need to do is drain the pond. Until you get rid of all the botnets you won’t get anywhere.”
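The outbound-rate check behind the “reverse-firewall” idea above can be sketched as a per-host sliding-window counter. This is an added example, not code from the article or from any vendor it names; the record format, host names and sample traffic are constructed, and only the 10,000-per-hour threshold comes from the quote. A sliding window is used because a burst that straddles an hour boundary would slip past clock-aligned hourly counts.

```python
from collections import defaultdict, deque

THRESHOLD = 10_000       # outbound contacts per hour, the figure quoted above
WINDOW_SECONDS = 3600

def flag_hosts(records, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {host: timestamp at which it first exceeded `threshold`
    outbound contacts inside any sliding `window`-second span}.

    `records` is an iterable of (unix_timestamp, source_host) pairs in
    time order, one per outbound connection attempt (assumed format).
    """
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    flagged = {}
    for ts, host in records:
        q = recent[host]
        q.append(ts)
        # Drop attempts that have aged out of the window ending at `ts`.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > threshold and host not in flagged:
            flagged[host] = ts
    return flagged

def max_fixed_hour_count(records, host):
    """Largest count for `host` in any clock-aligned hour, for comparison."""
    counts = defaultdict(int)
    for ts, h in records:
        if h == host:
            counts[ts // 3600] += 1
    return max(counts.values(), default=0)

def constructed_sample():
    """Constructed records (not real data): an ordinary host, and a host
    sending 12,000 requests in 40 minutes across an hour boundary."""
    # Ordinary user: one outbound contact every 5 minutes for 6 hours.
    records = [(t, "host-a") for t in range(0, 6 * 3600, 300)]
    # Compromised host: 5 requests per second from 00:40 to 01:20.
    start = 40 * 60
    records += [(start + i // 5, "host-b") for i in range(12_000)]
    records.sort()
    return records

if __name__ == "__main__":
    for host, ts in flag_hosts(constructed_sample()).items():
        print(f"{host} exceeded {THRESHOLD} outbound contacts/hour at t={ts}s")
```
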