During 2006 there was a noticeable decline in denial of service (DoS) attacks, according to a US-based network security company. There were approximately 6,110 DoS attacks during the first six months of 2006 and only 5,213 in the second half of the year. The primary reason for this decline is believed to be that DoS attacks are no longer viewed as profitable.
Decline of DoS Extortion
The typical DoS extortion scenario has become less profitable and more risky for cyber criminals for the following reasons:
• DoS attacks are highly observable events and Internet Service Providers (ISPs) are typically able to detect and delete bots that participate in these attacks. As a result, the effectiveness of DoS attacks may decline, while at the same time increasing the cost to the cyber criminal in the form of lost bots. Bots are compromised personal computers that can be remotely controlled by cyber criminals for illicit purposes and are therefore valuable resources to control.
• As defenses against DoS attacks improve, there is no guarantee that the targets will pay the extortionist cyber criminal.
• Some governments, particularly the British, have increased the penalty for DoS attacks.
In current extortion schemes, the cyber criminal increases his risk of losing bots, as well as his risk of legal punishment, without increasing the financial rewards or odds of success. Given this reality, it is no surprise that cyber criminals have increasingly used their bots in other, less risky yet still highly profitable schemes, such as sending spam. Not coincidentally, the decline in DoS attacks coincided with an increase in spam.
While evidence indicates a decline in DoS attacks, it should not be assumed that cyber criminals would totally abandon this tactic. The assumption that cyber criminals will completely abandon DoS attacks relies on potentially flawed conclusions.
Why DoS Attacks Won’t Disappear
First and foremost, the cyber criminal’s concern over losing bots is inversely correlated with the expectation regarding the future supply of bots. Quite simply, if a cyber criminal believes bots will be easily replaced, then he or she will likely be less concerned about losing them. The future supply of bots is in part related to the continued discovery of software vulnerabilities and the development of exploit code. As long as vulnerabilities are continually discovered and exploits are easily created, bots will remain an available commodity.
Second, the primary concern of some cyber criminals may not be money. They may have other motives, such as revenge. The cyber criminals may also be able to secure payment from a third party prior to the initial DoS attack, thereby ensuring profit.
Recent prominent DoS attacks demonstrate that cyber criminals still rely on this tactic and will likely continue to do so for the foreseeable future.
For example, in the past two weeks many Estonian government websites fell victim to sustained DoS attacks. It is suspected that these attacks were related to the Estonian government’s decision to remove a statue of World War II Red Army soldiers. The removal of the monument triggered DoS attacks against the official Estonian government website, as well as the Estonian National Police’s website.
Although it is unclear who was behind these attacks on the Estonian government’s web presence, it is apparent that either money was not the primary motive or that a third party paid the cyber criminals in advance for committing the attacks.
It is also possible that the cyber criminals had access to an extensive bot network and, therefore, were not concerned with losing a few bots during the attack.