On Monday, Meetup.com, a popular online shared interest meeting service, was knocked off-line for four days by a targeted distributed denial of service (DDoS) attack. In the ransom email the site’s administrators received, it was suggested that the DDoS attack was ordered by a “competitor” and that the attack could be stopped for $300.
“The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated,” said Meetup’s cofounder and CEO Scott Heiferman in a blog post. “We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.”
This type of “cyber-hostage taking” is appearing more frequently among the business community. A DDoS attack is typically in response or protest to a particular issue or policy — such as the hacktivist community Anonymous’ attacks of government websites, but a growing number of hackers are turning to DDoS to make money.
A DDoS attack occurs when a large pool of computers — either under attack participants’ control or, more likely, influenced by a virus — requests a single resource on a server repeatedly. This cascading wave of requests eventually exceeds the allocated bandwidth of a server, forcing the server to ignore all requests. The net effect of this is that all of the websites serviced by that server go off-line and stay off-line until a technician can reset the server and find a way to block or stop the cascading request wave.
As a DDoS attack does not involve personal or subscriber data, there is no legal requirement for a business to disclose that it was subject to a DDoS attack. Law enforcement tend to ignore these types of attacks, as they usually only last for a few days and usually result in no physical damage to the server or network. However, the loss of business the server’s websites suffer can be crippling.
“It’s no different than a criminal standing outside the door of your business and not letting anybody in,” John Pirc, chief technology officer for NSS Labs, told NBC News. “That being said, the likelihood of getting caught is not very high.”
Meetup.com reported that 60,000 meetings were scheduled during the time of the attack, leading to upset and frustrated users.
Meanwhile, the attacks seem to be escalating. Last month, the largest single DDoS attack recorded — an almost 400 gigabyte per second assault that was 30 percent larger than the previous largest documented attack — was stopped by Internet security firm Cloudflare. February also saw attacks on bitcoin processors, the Internet registration firm Namecheap and Internet address redirector bit.ly. A report from security firm Prolexic shows that DDoS attacks were up 32 percent in 2013 and responsible for 18 percent of all outages in American data centers.
As attacks become more targeted and more focused, the damage a DDoS attack can cause is expected to rise. Currently, the average DDoS attack and outage costs $630,000, according to the Ponemon Institute. But with security software and proactive defenses from DDoS potentially costing hundreds of thousands of dollars per year, many companies are willing to accept a DDoS attack as the more economical option.
As the means to launch a DDoS attack become easier and cheaper to acquire, though, the economics of being hacked may force significant changes in how businesses respond to DDoS attacks.
“It’s very hard to know what to do,” said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs. “The tools to do this can be purchased online incredibly cheaply, while the damage they can do and the cost of mitigating it is exponentially higher.”