DDoS Extortion Targets Social Network
Meetup Website Hit with Three Attacks
Social networking site Meetup has been facing ongoing distributed-denial-of-service attacks. It received a notification that the attacks would continue unless it paid a $300 fee, which highlights the rising concern of extortion tied to DDoS.
Meetup is an online social networking portal that facilitates offline group meetings in various locations around the world.
"Extortion has been a part of the DDoS threat landscape for quite some time and is very much a global problem generally targeting online businesses," says Dan Holden, a director at Arbor Networks, a DDoS mitigation company. "Because these targets generally make their core revenue via their Web presence, there is a greater likelihood of the extortion attempt working."
Rodney Joffe, a senior vice president at DDoS protection provider Neustar, says extortion attempts are "becoming more and more prevalent."
In the Meetup incident, the attackers are most likely out of Eastern Europe, based on the language used in the extortion e-mail, Joffe says. "It's becoming easier and easier for the bad guys to launch [DDoS attacks] because they're getting better and better at using compromised systems," he says.
CEO Describes Attack
Meetup CEO Scott Heiferman says the incident started with an e-mail he received stating: "A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300. Let me know if you are interested in my offer."
The company experienced three strong attacks, starting Feb. 27, when the extortion e-mail came through, Heiferman says in a blog about the incident.
"We got to work mitigating the attack, but we remained unavailable for nearly 24 hours," Heiferman says. "Service was restored Friday [Feb. 28] at 9:30 a.m. EST, but it took many hours for the changes we implemented to defend against the attack to be distributed across the Internet."
The company was attacked again on Saturday, March 1, at 4 p.m. EST and Sunday, March 2, at 8:09 p.m. EST, Heiferman said.
"We spent the past several days taking every step to ensure the site and apps are available," he said. "While we're confident that we're taking all the necessary steps to protect against the threat, it's possible that we'll face outages in the days ahead."
Heiferman says his company refused to pay the $300 demanded from the attackers because it won't negotiate with criminals.
"The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated," he said. "We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more."
Arbor's Holden says Meetup took the right position. "The amount asked is way too small and their assumptions are good ones," he says. "Most serious extortion is more around the lines of, say, $10,000, not $300. It's a slippery slope, and you are better off investing in defense rather than a slow bleeding of extortion dollars leaving every month."
Mitigating DDoS Attacks
Organizations need to ensure they have a process in place to handle DDoS attacks, Joffe stresses. "You really have to have in place a mitigation plan that allows you to filter out the bad traffic," he says.
Holden of Arbor Networks says preparing for a DDoS attack "should be much the same as other aspects of security in that what you are defending must be taken into consideration - and of course what the loss would be if things were to go down. Based on the answers to these questions, you can prepare a response process with a combination of internal resources and technology and external cloud or ISP services."