Last Friday, June 10, a member of the IT team at German payments processor Computop retrieved an email sent to one of the company's public addresses threatening to hit the firm's customer websites with a massive DDoS attack if a ransom of 15 Bitcoins (about £7,900) was not paid to the attackers by June 15.
The attackers had launched a smaller demo DDoS to prove their intent, the email said, something IT staff confirmed after checking monitoring systems. This was clearly a threat with the capability to do serious damage.
"If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there's no counter measure to this. You will only end up wasting more money trying to find a solution.," the email warned in broken English.
"We will completely destroy your reputation amongst Google and your customers and make sure your website will remain offline until you pay."
When Computop's CEO Ralf Gladis heard of the threat he was tempted to pay up. But after speaking to contacts in the industry over the weekend instead he resolved to do something rare and, frankly, quite extraordinary.
Instead of simply ordering his company to defend itself in conventional fashion he was going to write to all 5,000 of Computop's customers and partners telling them that on 15 June his firm's website was likely to be hit with a DDoS attack big enough to cause everyone serious problems.
Computop's engineers confirmed that an attack of 80-90Gbits/s would be more than enough to cause an outage to the platform and anyone in its vicinity in the datacentre.
"We don't want to hide behind a wall of silence and are determined to keep you in the loop with regard to what's been going on," wrote Gladis in a second follow-up email sent a matter of hours before the DDoS deadline was due to expire.
"DDoS attacks happen every day, and they can hit each and every one of us. Which is why we should take advantage of our community of business partners - stick together, learn from each other and ensure we are prepared for when the s**t hits the fan."
The story of a DDoS extortion attack - going public
Gladis probably didn't consider it at the time but he was making history. Companies hit by or threatened with DDoS attacks rarely talk about their experiences and absolutely never put such information into the public domain prior to an attack. It just isn't done. Business wisdom says that it's just too much of a reputational risk and might even seriously annoy the attackers. It's almost as if the industry sees the attack as being the victim's fault.
Fired by the liberation of disclosure, Gladis and Computop decided to go a stage further and publish a detailed account of their experience complete with lessons for other firms that might one day find themselves in the same predicament [Computerworld will link to this when it is posted online].
What seems to have crystallised the unusual decision to go public was a simple discovery.
"If you investigate you find out that they [DDoS attackers] target our industry," Gladis told Computerworld UK. DDoS extortion threats were routinely being sent to other firms in the German payments sector, he realised, but nobody seemed prepared to discuss this open secret.
Sensing an opportunity to break a taboo it struck Gladis that this kind of secrecy might be precisely what the attackers thrived on. Having decided to defend itself, the firm came up with a plan of action.
"My first reaction we need to talk to our data centre because they will get as overwhelmed as much we will," says Gladis.
"We have a trusted relationship with many important merchants all over the world. They trust us and to honour this and we have to let them know that there is a threat. Some of them might want to take precautions knowing that in two days there might be a problem with their payment processing.
"A lot of large retailers came back saying that they liked being given a heads up. Nobody complained."
Having enlisted the support of the firm's datacentre provider, that company in turn told its upstream providers. Then Computop hired an ethical hacking consultancy to advise it before taking the decision to use cloud DDoS sink-holing from Imperva's Incapsula division.
Did the plan work?
The date and time for the promised attack came and went and nothing happend. Gladis was told by the company's pen-testers that the attackers would have been able to detect that the vulnerable servers were now within a mitigation cloud and probably simply backed off.
"We don't want to look like heroes who have beaten the enemy. We were just well prepared."
The attackers went elsewhere, most likely to less well defended targets.
The story of a DDoS extortion attack - firewall cluster
A fascinating side detail is that at the time period of the threatened attack the company was still struggling with a new firewall cluster it had recently installed. This sort of infrastructure would normally help with e-commerce and website availability but the trouble was it wasn't working as a single logical entity. In the nick of time, the firm's IT team resolved the issue with a software update.
Did Gladis have any worries about being so open?
"We knew we were taking a slight risk but it's worth it. It is about fighting criminals and complying and hiding is not going to help."
Computop involved cyber police in the German state of Bavaria who were able to trace some of the IPs used in the demonstration attack launched by the extortion gang. According to Gladis, police used police forces across Germany to visit the offices of the innocent companies in which rogue servers were operating, asking for them to be taken down.
Not only was Computop fighting back against DDoS extortionists it was also party to a botnet take-down.
Computop's story stands as a remarkable refutation to the idea that security is best served by secrecy. In fact, as Gladis, suggests, secrecy is what makes these crimes more potent than they would otherwise be. When there is no learning, criminals are able to target companies one at a time, picking them off at will.
"There is nothing to hide. This can happen to all of us. Better to talk about it and let people know," he says. "Our customers will be better prepared than we were."
Computop's DDoS defence 101
The company has now published a more detailed set of recommendations for anyone who faces the same type of attack. Below we extract the main lessons but the published document offers more depth:
- Inform your datacentre. This might seem obvious but it is critical that they know as soon as possible of the threat. When choosing a datacentre makes sure it is one that is open to helping in these situations.
- Don't pay the ransom and don't communicate with the extortionists. "They might just attack anyway and ask for more money. They might come back under a new name. They might tell their friends that we are willing to pay."
- Reach out to your partners for advice. Many of them will have had similar experiences.
- Don't underestimate the usefulness of firewalls, including your datacentre's upstream infrastructure. That filtering can lighten the load.
- Consider using DDoS mitigation and expert consultants. It costs but the price is small compared to the protection it offers. Techies or pen-testers with experience in DDoS can also offer the sort of advice that saves valuable time, including how the attackers operate.
- Phone the police. The Bavarian state police reacted extremely quickly to help defuse part of the extortionist's botnet (see above).