[ISN] Internet sieges can cost businesses a bundle

InfoSec News isn at c4i.org
Fri Aug 26 04:20:44 EDT 2005


By Robert McMillan
AUGUST 25, 2005

When the first extortion e-mail popped into Michael Alculumbre's
in-box, he had no idea it was about to cost his business nearly

The note arrived in early November of last year, as Alculumbre's
London-based transaction processing company, Protx, was being hit by a
nasty distributed denial-of-service (DDoS) attack. Zombie PCs from
around the world were flooding, the company's Web site, Protx.com, and
the transaction processing server that was the commercial heart of the

In the extortion e-mail's broken English, someone identifying himself
as Tony Martino proposed a classic organized-crime protection scheme.  
"You should pay $10,000," Martino wrote. "When we receive money, we
stop attack immediately." The e-mail even promised one year's
protection from other attackers for the $10,000 fee.

"Many companies paid us, and use our protection right now," Martino's
message said. "Think about how much money you lose, while your servers
are down."

The attackers had one thing right: Online attacks can be expensive. A
2004 PricewaterhouseCoopers survey of more than 1,000 businesses in
the U.K. found that companies spent an average of more than $17,000 on
their worst security incident that year. For large companies, that
amount was closer to $210,000, the study found. For companies of all
sizes, most of the loss was due to the disruption in their ability to
do business, with expenses for troubleshooting the incident and actual
cash spent responding to it accounting for considerably less.

It's Expensive

Law enforcement authorities told Protx that it was the victim of
Russian organized crime, Alculumbre says, but criminal extortion is
not the only motivation for such attacks. In April, Australian
antispyware vendor PC Tools Pty. became a target of spyware companies
that didn't want users who were interested in PC Tools'
spyware-cleansing software to reach the actual PC Tools Web site.

Customers whose PCs had already been infected by spyware were greeted
with fake pop-up windows and shopping carts when they tried to
purchase the company's Spyware Doctor product, said Simon Clausen, PC
Tools' CEO. Instead of buying his company's antispyware software, they
were tricked into purchasing useless products that left their
computers infected, he said.

Even links that appeared to be from legitimate Web sites like Google
or Download.com were modified on fake pages displayed to users,
Clausen said. "Any link that said Spyware Doctor would be redirected
to the attackers' sites."

Clausen estimates that as much as 15% of his company's business was
lost, representing hundreds of thousands of dollars in missed sales.  
But the real cost was in lost productivity for his software
development team, which was forced to spend hundreds of hours changing
PC Tools' products and its Web site in an effort to stay one step
ahead of the attackers. "We probably had a dozen people involved
pretty heavily in it for about a month or two," he said.

By the time PC Tools developed a way of handling the attack, the
company had taken major hits in employee time and in lost business
opportunities because of product delays, he said.

Online Cat and Mouse

For its part, Protx managed to survive the first wave of the attack
against it by scrambling its IT staff and prohibiting traffic from
zombie servers (at one point, the company simply blocked all traffic
originating from the western U.S.).

But the 13-person company's biggest cost involved preparing for the
next assaults, consisting of thousands of server requests, which came
in January and April.

The April attack, which lasted for more than five days, was the most
severe, as Protx and the attackers engaged in a kind of online cat and
mouse. Just as Alculumbre's technicians found one way to block the
flood of unwanted server messages, the attackers would switch to
another tack. At one point, the cybercriminals used a new exploit of
Microsoft's Internet Information Services server that caused the Protx
Web site to crash whenever certain types of secure messages got
through. Protx responded by installing an SSL accelerator and
analyzing the messages before letting them through.

On the final day of the April assault, the attackers hit Protx with
everything they had. At the peak of the assault, the company's servers
were processing 800Mb of traffic per second, the equivalent of more
than 530 T1 lines firing at full capacity.

Protx's administrators spent some long, tense hours over that weekend,
scrambling with technicians from the company's Internet service
provider to keep the company's Web and transaction processing server

"It's like being in a war," Alculumbre said. "My three guys were
working with three other technicians in extremely tight hosting
facilities, trying to put all this bloody machinery in and wire it
up... it looked like Spaghetti Junction. How they ever knew what they
were doing was beyond me."

Expanding Horizons

Just a few years ago, financially motivated attackers tended to focus
on fringe businesses like online gaming sites. But transaction
processors like Protx are now choice prey for extortionists, according
to Peter Rendall, CEO of Top Layer Networks Inc., a security vendor
based in Westboro, Mass.

"If you bring down your payment processor, you can bring down hundreds
of [online] processors," he said. " Transaction processors like Protx
will do everything in their power not to be off-line; therefore, they
are investing heavily in security and bandwidth."

Proportionately, online security costs are greater for smaller
companies than for larger ones. According to the 2005 Computer Crime
and Security Survey conducted by the Computer Security Institute and
the FBI, companies with sales of less than $10 million per year spent
$643 per employee on computer security each year. For the largest
companies -- those with more than $1 billion in annual revenue -- the
amount spent on security was $247 per employee.

The survey found that companies in the utilities business spent the
most on computer security -- an average of $190 per employee per year.  
Next on the list were transportation and telecommunication companies,
with average annual costs per employee of $187 and $132, respectively.

But for companies under targeted attack, the costs are decidedly
higher. Protx, for example, ended up spending a whopping $38,000 per
employee on security over the past year.

Protx's Alculumbre says that he once thought that his company was too
small to draw the attention of organized crime, but the events of the
last year have taught him otherwise. "It's very alarming for us that
an unknown assailant can do so much to a business that I've spent so
many years trying to build," he said.

Though the first days of the assaults were stressful, Alculumbre said
that he's grown more accustomed to the high costs involved. "If you're
going to be in business, then you have to accept that DDoS attacks are
a part of this," he said.

More information about the ISN mailing list