Can Hiring A Cyber Criminal Be As Simple As Booking A Travel Package Online? Cyber Expert Explains!
Not much is needed to actually rent a botnet. It boils down to a PayPal account, ill-will towards the target and willingness to break the law.
Primetech, a Mumbai based Fintech startup, application launch failed for over 6 times before they could realize that it can't be mere technical glitch or coincidence. The alpha test and UAT were always green, but the beta version crashed on day 1 of each launch. It was then that Ankit decided to take consultation from an expert on the issue of application failure of his Startup.
After a detailed audit of the application and systems, the Consultant raised 2 alarms, one being the weak security framework and other being an exploit of DDoS attack. The Consultant referred Ankit to a Cyber expert who could help him investigate the issue further.
The Cyber expert backtracked the links of the DDoS attacks to an Internet Service Provider (ISP) based in Scandinavia. Contacting the ISP did not pay much, as they would not reveal the User details without a Judicial order. The User was looking for a professional DDoS attack company. The irony is, that they were absolutely legal in their services as per the law of the land. After getting the required paperwork from the courts in India, the Cyber expert contacted the ISP again, this time with all complete readiness invoking international treaties. The ISP helped set up a meeting with the DDoS-for-hire service provider, also known as 'Stressers'. Their business was to provide DDoS Botnets, a network of malware-infected computers, which are subleased to the subscriber. With no steps taken to actually verify the subscriber identity or ownership of the target server, they would allow the subscriber to "stress test" just about anybody, enabling cybercrime, cyber-vandalism and many other types of DDoS-related activities.
It turns out, not much is needed to actually rent a botnet. Usually, it boils down to a PayPal account, ill-will towards the target and willingness to break the law. As strange as it may sound, today just about anyone can use a 'Stresser' to paralyze an unprotected website for a small fee. To locate one of these you don't even need to school yourself in the mysterious ways of the Deep Web, just conduct a simple Google search and the results are as simple as day to day e-commerce services.
The meeting with the DDoS-for-hire company fruited no response, except for verbal information on the name of the person who hired the service to run Ankit's company out of business. The Cyber expert now set out to gather information regarding this buyer of DDoS service, which resulted in a link with Primetech competitor. Ankit had a clear view of his problem by now, it was the competitor who contracted a professional DDoS-for-hire service provider to take down his business.
By now Primetech had enough material to open a round of discussion with the top management of the competition. The meeting resulted in a settlement, in form of compensation and non-compete in west India, which was the primary playground for Ankit.
The fun part is to know how these DDoS-for-hire companies build this attack network of Botnets by infecting common internet user's devices, which are now not limited to computers or laptop, they include mobile phones and even Home routers, IP cameras along with other IoT devices. As the infected applications request the device administrator permissions during the installation of, they allow them to launch a background service and participate in the DDoS attacks even if these apps themselves aren't actively used or when the device is locked.
In April 2018, Europol shut down Webstresser.org for letting buyers knock websites offline, for as little as $18.99 a month, the site offered access to DDoS attacks, which can overwhelm an IP address or website with enough internet traffic to disrupt access to it. The service provider had over 151000 registered users. An FBI crackdown on 15 such DDoS-for-hire service providers in 2018, found that these companies were responsible for more than 2,00,000 attacks.
Hackers count on users losing access to your site during an attack. Some users never return. Since your users do not need to know and do not care that you are under attack, any mitigation technology must continue to let people into your site without delay and without being sent through holding areas, splash screens or receiving outdated cached content. Once hackers know their attacks are going unnoticed, they are unlikely to return.
Bots Can't Talk, Humans Can!
Hackers conduct DDoS attacks to cause a nuisance by inconveniencing websites and users. Give users a legitimate fail-safe outlet for complaining or addressing automated lockouts. Users will appreciate that you are thinking ahead of the hacker's plot, giving them the outlet to report their experience. Plus, this outlet provides you with further insight into how well, or lack thereof your anti-DDoS system is performing.
Whacking All Bots
Most sites have very little headroom; even 50 excess page views per second can slow down or take down your site. Make sure your screening is airtight, blocking all application layer bot requests. However, it should not come at the expense of blocking the good bots such as Google, Bing and all other benevolent Internet bots that should be granted access at all times.
Expect The Biggest Tidal Wave
Network attacks are getting bigger and amplification techniques are getting more widely used. For example, sending a 100byte spoofed DNS request to an open DNS or open "public" SNMP server results in 20 times the amount of traffic hitting your website. Ensure that your site can absorb an arbitrary amount of traffic. Service providers do this by building large 20 Gig data centres and distributing traffic among them, when possible. Network DDoS is less about brute force and more about preparing a database of open DNS servers, or SNMP servers with open "public" communities.
Without Accurate Detection, It Will Be Too Late
There are actually two parts to DDoS protection: the first is detecting a site is under attack and the second is applying an effective defence. Detection often gets overlooked, due to its tricky nature. Be sure your solution is capable of accurately detecting the attack but remains inactive when the site is not under attack. Needless defensive measures are just as bad as no defence measures at all.