Akamai Diversity
Home > Web Security > Fresh Wave of Online Extortion Attacks Underway

Fresh Wave of Online Extortion Attacks Underway

Akamai CSIRT has identified a trend in online extortion that has the potential to impact customer websites and their users.

Attackers are using reflected UDP to launch direct-to-origin denial of service attacks at e-commerce sites, then demanding payment to stop the attacks, CSIRT's Mike Kun wrote in an advisory.

"We have seen these extortion attempts target e-commerce and retail sites, as well as online collaboration sites, but all sectors are vulnerable," Kun wrote. 

This advisory serves as a description of the attacker, their capabilities, and how to mitigate the threat.

From the advisory:

Denial of service attacks are nothing new and are often easily mitigated by Akamai before they affect customers. Recently, however, we have seen attackers using direct-to-origin attacks in conjunction with SYN floods and reflected UDP attacks to disrupt sites. Once the site is down, the attackers send a short demand note, usually for a payment in bitcoin to an anonymous wallet.

Because many of these attacks are direct-to-origin, the attack bypasses Akamai's edge defenses, including SiteDefender. This effectively blinds Akamai to the details of the attack. Reports from customers who have been attacked, however, all have a similar profile. The attacks are volumetric floods, either SYN floods or NTP floods. SYN flood attacks are generally in the 6Gbps range, with other victims reporting traffic floods in excess of 20Gbps.

In all these cases the payment demands were ridiculously low, ranging from $150-$300. This is either an attempt to see what organizations are willing to pay, or shows a lack of understanding about the true value of website uptime. There is the potential that as they improve their attack methods that the payment amount demanded will rise. There is also no guarantee that if a payment were made that the attackers would not return to demand more.

Knowing if you're affected:

Many of these attacks are volumetric floods. Customers seeing a network layer attack, either a SYN flood or UDP flood, hitting an Akamized property are likely a victim of a direct to origin attack. Sites that are not Akamized can be targeted with a volumetric flood in an attempt to disrupt the site.

If the attack is successful, the attacker will contact the affected organization by email and demand a nominal payment.

To date we do not know of any victim that has made the extortion payment.

Protecting yourself:

The Akamai platform will automatically drop SYN and UDP floods at the edge, so the risk is primarily to non-Akamized sites and from direct to origin attacks.

Direct to origin attacks indicate a level of sophistication on the part of the attacks and an understanding of how CDNs operate.

There are a few ways an attacker could determine the customer origin hostname,

  • Hostname Guessing: The attacker could guess likely hostnames for the origin and see if there is a response. We recommend that all customers change their origin hostname from "origin-www..com or "origin..com.
  • Check the pragma headers: Pragma headers are implementation specific headers. Akamai uses them for debugging and related tasks. It is possible that a customer's origin could leak in one of the Pragma headers. An attacker would need to know how to view request and response headers, assuming this vulnerability existed. Akamai recommends that pragma headers be disabled when not being used. 
  • Ensure the cache key does not contain the origin hostname. 
  • DNS information leakage: Public SMTP, NTP, or authoritative name servers on the same netblock may disclose the datacenter's netblock, which may be targeted by a volumetric attack.

Akamai's Site Shield and Prolexic's Routed Solution are both products that can protect a site from direct to origin attacks. Site Shield will allow a site to drop all packets except those from Akamai Edge servers and, in an emergency, the customer can ask an upstream provider to drop packets destined for the datacenter at the ISP level.

The Prolexic Routed Solution uses BGP to transfer all traffic to a Prolexic scrubbing center to filter out attack packets and only allow legitimate traffic through.

Leave a comment