DDoS hitmen for hire
Ted Swearingen, director information security operations, Neustar
It had to happen sometime. With virtually everything – software, infrastructure, you name it – now available as a service, it was only a matter of time before cyber attackers would offer up their services.
A new phenomenon has recently been gaining momentum and taking the cyber security industry by storm. In this unfortunate scenario, dubbed “DDoS-for-hire,” sites now publicly offer distributed denial-of-service (DDoS) attacks as a service (like the aptly named “DDoS Service”).
Now, anyone with a hidden agenda or even the slightest touch of animosity can hire an “online hitman” to bring your site down. And sites like “DDoS Online” say it can all be done for the low, low price of just $10 per hour.
It's an unfortunate and ugly perversion of the “If you build it, they will come” mantra. In this case, what's coming is not only an audience drawn in by your compelling online presence, but also a series of debilitating online attacks that have the potential to cripple your site and make it entirely inaccessible.
The fact that these DDoS-for-hire sites exist and are able to offer their services for a little more than minimum wage is disconcerting, to say the least. These criminals are essentially commoditizing illegally sourced bandwidth, made available through a botnet, and packaging the resulting “product” into a criminal venture.
And while cyber security pros continue to evaluate the frequency and effectiveness of these criminal services, the services continue to proliferate at an alarming rate.
The DDoS-for-hire trend is becoming a pressing issue, mainly due to how easily accessible and world-flattening online traffic has become. The problem is only exacerbated by the difficulty we face in prosecuting criminals internationally. It's the equivalent of trying to catch a vandal who smashes a window in Houston and flees to China to avoid prosecution, except this type of vandalism can cost a company upward of $100,000 for every hour its website is down. That translates into one pricey window.
But it's not all doom and gloom. While DDoS-for-hire sites are becoming an unfortunate reality, potential victims should know that being aware of the issue and running training drills to mitigate attacks helps immensely. However, beyond practice drills, companies should also consider reporting these attacks to local authorities. Though not every municipality will have the ability to deal with cyber attacks in the near term, notifying the police is an important step in raising ongoing awareness.
While no one likes talking about their online security vulnerabilities, failing to report the attack will only breed confidence in the criminals offering DDoS-for-hire services, engendering the belief that they can act with impunity.