“DoS attacks have become industrialised, and can be purchased as a service from professionals. You don’t need to be a hacker or part of an ideological movement to want to take down a site. Today, all you have to do is pay someone who’d take it down for you, for as much time as you like (and are willing to pay for),” the report says.
While the tools being used for these attacks were initially developed for ethical reasons – such as stress testing websites under development – they have now been corrupted and are being used by hacktivists and criminal groups.
“You have the knowledge, you have the skills, you have the tools, you just have to decide whether to use it for hacktivist or for [a] commercial end,” Tal Be’ery, one of Imperva’s senior web researchers told IBTimes UK ahead of the report’s publication.
“The weapon itself is not good or evil, just in the hands of one who operates it. Once you have the tool and it is out there, anyone can take it and use it for their own end.”
Porn and gambling
According to Be’ery the practice is currently in widespread use in certain business sectors, including pornography and gambling, and he compared it to a practice which has been in use by organised crime gangs for centuries: “It is very much the same as extortion in the real world, and in most cases the victim is just prepared to pay [rather than see their website go offline].”
Denial of service attacks see criminals flood specific websites with traffic, overloading their servers and forcing them to go offline. As well as the initial financial hit the website owners may take, the damage to the website’s reputation is an additional, longer-term impact.
A more efficient verions of this type of attack, is called a distributed denial of service (DDoS) attack, which uses huge networks of infected computers (called botnets) to attack a website. This helps prevent the attack being blocked as well as making it virtually impossible to detect where an attack is originating.
As well as using botnets, DDoS attacks can be carried out by convincing volunteers from around the world to contribute their own machines (PCs or mobile) to the cause. This is what Anonymous and groups like it try to do.
The prevalence and significance of these attacks was highlighted by the Financial Services Information Sharing and Analysis Center (FS-ISAC) in the US, which raised the cyber threat level to “high” from “elevated” in an advisory to members, citing “recent credible intelligence regarding the potential” for cyber attacks as its reason for the move.
This advisory was issued after both Bank of America and JPMorgan Chase experienced unexplained outages on their public websites.
Be’ery says that finding the criminals offering to carry out these attacks for you is not that difficult, as they have begun publishing ads promoting their servcies on various forums around the web.
He believes most people will be able to find them simply by using Google search, but to find the more efficient services, you may have to search forums hosted on the deep web, a part of the internet not searchable by Google’s crawlers.
One of the more prominent services is Gwapo, which promises to take down a personal website for an hour, for just $5. For larger websites the cost moves up to between $10 and $50 per hour.
To avoid detection, the service only accepts payment though anonymous services such as Liberty Reserve and Bitcoin. The company’s website says it will even provide potential customers with a free demo to show what it can do.
Be’ery believes more and more businesses will look to use denial of service attacks against competitors in the future: “It will become more of a grey area of practice which businesses might resort to, [the] same as other semi-legal actions they might take against competitor businesses.
“It makes perfect sense from a criminal point of view. Let’s say I have a competitor, if I can take down their [online] shop on the busiest day of the year and have all their traffic come to my site, then I have [a] clear financial motivation to do so.”
The problem facing website administrators is that DoS attacks do not target a vulnerability within the website’s code, they are successful because of the inherent limits of the internet’s architecture.
“The biggest thing about [a Denial of Service attack] is this is an attack without a vulnerability. Because, unlike other web applications attacks [such as SQL injection] where you can protect yourself by writing perfect code, in a denial of service attack you can write the perfect code but the way the internet was architectured allows an attacker to really flood an application,” Be’ery said.
While they are some things which websites can do to protect themselves – such as employing a web application firewall or using a proxy server service – the advantage is still very much with the attackers.
“There is no legal enforcement in this area and protection continues to be very lax. There is some realisation that web application owners understand that DoS is an important threat [to] web applications and they are looking for solutions in that area,” Be’ery said.
To report problems or to leave feedback about this article, e-mail:
To contact the editor, e-mail: