Distributed Denial of Service Attacks (DDOS) have been used by hackers since the earliest days of the web.
Get enough internet-connected devices to ping a server at the same time, and you can knock the server offline.
Keep the pressure on and you can keep it offline, pretty much indefinitely.
These days, given the web's importance, that can easily bring financial ruin to all but the most deep-pocketed companies. Hackers know this of course, which is why such attacks are still in use to this very day.
Recently though, there's been a notable surge in their use, and not only that, hackers have begun changing the way they use this form of attack. Specifically, they'll threaten to perform a sustained DDOS attack against a target company unless that company pays them a fee to go away. This is a marked departure from the way DDOS attacks have been used in the past, and makes it much more similar to a ransomware attack. They simply issue the threat and wait to see if they get paid.
According to statistics gathered by researchers at Neustar, DDOS attacks increased by a staggering 154 percent between 2019 and 2020 and there's no sign that the surge is slowing down. Now add in the new wrinkle of threatening to hit a company with such an attack, and the scope and scale of the threat resolves into stark clarity.
It's easy to see why this is an increasingly popular option for hackers around the world. Of all the types of attacks available to hackers, the DDOS option is the simplest and most straightforward. Literally anybody with access to a botnet can do it. Given the massive size of some of the botnets available for hire on the Dark Web, it's not hard to understand why an increasing percentage of companies are choosing to pay rather than run the risk of being shut down.
Nustar's Vice President of Security Product Management Michael Kaczmarek, however, advises against simply paying the toll.
He writes:
"Organizations should avoid paying these ransoms. Instead, any attack should be reported to the nearest law enforcement field office, as the information may help identify the attackers and ultimately hold them accountable. Beyond this, organizations can prepare by setting up a robust DDOS mitigation strategy, including assessing the risks, evaluating available solutions, considering mitigation strategies, and keeping their plan and provider up to date."
Although the threat is very real, there's actually a lot a company can do to ward off such an attack, and paying the toll only emboldens future threats. The best way forward is to see these criminals held to account. Don't pay. Make them pay.