[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Tuesday, 31 May, 2005, 08:00 GMT 09:00 UK
Online service foils ransom plot
By Jane Wakefield
BBC News technology reporter

Screen grab of Nochex website
Nochex offered stark choice of pay up or fall over
Monday 23 August 2004 was a normal day in the office for Asif Malik, security director of online payment firm Nochex.

That is until an e-mail popped into his inbox at 7pm when most of his colleagues had gone home for the night.

The e-mail was a ransom note offering a stark choice - immediately send a wire for $10,000 to a European bank account or face an attack on the company's servers.

Others may have panicked but such a note was not out of the ordinary for Mr Malik.

"We get quite a few, maybe once a month so we don't always take it too seriously," he said.

Zombie attack

DDoS ATTACK EXPLAINED
DDoS = Distributed Denial of Service attack
Malicious hacker uses virus to hijack numerous computers
On command these zombie computers flood the targeted website with useless data
The target's internet servers are overwhelmed by junk data
Customers have trouble using the targeted website
Targeted website can be slow or inaccessible for days
Fighting DoS attacks is laborious and costly
Because the zombies are distributed across the internet, finding the attacker is difficult

It has become common practice for extortionists to target net firms and threaten to cripple their websites with deluges of data unless they pay a ransom.

Not all the e-criminals are able to follow through on their threats but when the Nochex site went down at 8pm it was time to sit up and take notice.

The first thing Mr Malik did was to contact his service provider Pipex.

"They told us we were being flooded by a zombie attack," he said.

So-called Distributed Denial-of-Service (DDoS) attacks overwhelm servers with customer requests until they are forced offline. Computers are innocently recruited from all over the world to take part in the attack, each sending only a small part of the entire data flood.

The recruiting of machines to take part in attacks is typically done by infecting them with a virus or worm. The net address of compromised machines - dubbed zombies or bots - is sent back to the criminal, who will use it to launch a DDoS.

The news that Nochex had fallen victim to a DDoS attack forced Mr Malik to open communications with the hijacker, and he offered to wire the money first thing in the morning.

Let battle commence

"I wasn't actually going to pay them but it bought us time to come up with a solution," he said.

Asif Malik, Nochex
Who is to say the hijackers wouldn't have come back next month and the month after?
Asif Malik, Nochex
Other firms do pay off the blackmailers, seeing it as preferable to have downtime on their site.

Such attacks have typically targeted online gambling and gaming firms, seeing them as malleable victims because of the amount they depend on their sites to generate income.

In the run-up to last year's Cheltenham Cup, a highlight in the racing calendar, these sites were targeted.

"A whole raft of them were threatened and they made payment because it was a drop in the ocean compared to what they would lose if the site was down," said Maria Cappella, general manager of sales and marketing for Pipex.

But for Mr Malik paying up was not an option. Instead it was a chance to see whether technology could do battle with the e-criminals and beat them at their own game.

In this particular case the criminals in question were part of a Russian gang, already well known to the UK police but not yet within the grasp of the authorities.

"Do what you have to do," Mr Malik was advised by his contact at New Scotland Yard.

Battle-scarred

The company turned to a network product developed by Cisco. Called Cisco Guard, it is designed to fight DDoS attacks by sorting the legitimate traffic from traffic intent on attacking servers.

THE NATURE OF DENIAL-OF-SERVICE ATTACKS
Average cost of mission critical services compromised $100,000 an hour
Britain has largest zombie PC population in the world
Over 1m connected computers are zombies
30,000+ internet connected zombie networks in 2004
Estimated 25% of all infected PCs are under control of hackers
Broadband responsible for 93% increase in infected PCs in 2004
11% of small to medium sized businesses suffered DDoS attacks in the last 12 months
"All of the traffic is diverted and we analyse the flow and identify aspects of the flow that we believe to be malicious," explained Kevin Regan, a security consultant with Cisco.

Once installed Mr Malik's attitude was one of "bring it on", confident that the new armour that had been put around the network would remain impenetrable.

The attacks did come and have continued to come ever since, but so far the system has remained online.

DDos attacks have become a big problem for businesses in the last 12 months.

At one point in the autumn of last year Pipex was seeing as many as three to five attacks each day, although that number has since slowed down.

Most of Pipex's high risk clients, categorised as gaming, gambling and payment gateway sites, have had the Cisco equipment installed and the patterns of attacks are becoming familiar to the backbone engineers.

"We have become veterans at it. Our guys have been doing it for 15 months and we have become quite battle-scarred along the way," said Ms Cappella.

Recognising customers' traffic profiles and spotting anomalies are key to foiling attacks although everyone is aware that the criminals will always be looking at new ways to break through the guards.

According to Mr Regan, such attacks are getting more sustained - lasting for days or even weeks - and more and more zombie machines are being recruited into the hijackers' armies.

Not cheap

According to the Honeynet Project, set up to create solutions to security problems, there are over one million zombie computers. Britain has the largest zombie PC population of anywhere in the world.

Mr Malik believes that, as denial of service attacks get stronger and more prevalent, all internet service providers will have to come up with permanent network-based solutions.

It has not been a cheap option for Nochex. In fact, with an initial cost of 20,000 and a further 3,000 a month, it would have been cheaper to pay off the hijackers.

But, as Mr Malik says, "who is to say the hijackers wouldn't have come back next month and the month after?"




SEE ALSO:
Rise of zombie PCs 'threatens UK'
22 Mar 05 |  Technology
Rings of steel combat net attacks
13 Jan 05 |  Technology
Child porn threat to betting site
27 Oct 04 |  Business
Worldpay struck by online attack
04 Oct 04 |  Business
Hacker threats to bookies probed
23 Feb 04 |  Technology


RELATED INTERNET LINKS:
The BBC is not responsible for the content of external internet sites


PRODUCTS AND SERVICES

News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific