Following the news that Basecamp was hit by an extortion-based DDoS attack (gist.github.com/dhh/9741477), there are three comments below from security experts.
Daniel Korel, Security Analyst, DOSarrest Internet Security:
It’s fairly easy today for someone with relatively little knowledge and malicious intent to rent a botnet or exploit known vulnerabilities in public systems, generating large amounts of traffic at their target. With the anonymity of the internet to hide behind, it can be an attractive proposition for an attacker to attempt to extort high-traffic websites such as Meetup and Basecamp for money.
A DDoS mitigation service employs state-of-the-art, multi-layered protection against DDoS attacks. Coupled with a 24/7/365 security operations center that monitors traffic trends and makes strategic changes, it’s the best safeguard against these types of attacks.
Russ Spitler, VP product strategy, AlienVault:
DDoS is a rather unsophisticated attack and unfortunately these days the easy access to distributed botnets or amplification techniques makes large-scale attacks feasible for rather insignificant attackers. I applaud the fact that Basecamp refused to negotiate with these attackers – just like kidnapping, we won’t see the end of this type of exploitation disappear until we have a consistent ‘no-negotiation’ policy across the internet. The shame of this type of attack is small companies like Basecamp (or meetup.com) are stuck between paying for protection or paying the attackers. My guess is that our small unsophisticated attackers are picking on the businesses they know, which unfortunately will mean that tech-oriented businesses will be on the frontline of this. From a technical perspective there is no real weakness that these organisations have above and beyond the typical small business. Looking to the future, you really hope that ISPs start playing a bigger role in mitigating these types of attacks. We currently pay them for bandwidth; in the future I would hope that they do more to guarantee that it is good bandwidth.
Look at this in a real-world analogy. Let’s say I buy a gallon of gas from a gas station and find out it is half water. When I complain, the gas station tells me that it is not their fault, it is the fault of the people who sold them the gas, and if I want to fix it I need to buy ‘gas dilution protection’ from a 3rd party. We would hold the gas station accountable. Just like this example, we need to do more to structure our bandwidth agreements to hold the ISPs accountable for these attacks.
Tim (TK) Keanini, CTO, Lancope:
Now with cryptocurrency, there will be more and more ransomware tactics due to the fact that just ‘following the money’ does not work so well.
Block a user from their files, block a business from their customers, block a business from their supply chain; we can continue to invent scenarios that would force an individual or business to pay a ransom. We are dealing with creative people who are motivated by money, so the possibilities are endless.