Meet the online protection racketeers

During the SANS Institute's Conference in October 2004, the Institute's Alan Paller claimed that "Every online gambling site is paying extortion... Hackers use DDoS attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.' "

In the same month as this revelation, UK-based bookies Blue Square received an email from Serbia. It read: "You have time until 5pm your local time. I will now start an attack for one hour. This will be 1/20 of the power I can do." Blue Square's website was duly subjected to a small DDoS attack, but the company had been a victim before and had installed systems capable of identifying and absorbing the malicious traffic. Then things got really nasty.

Blue Square received a sinister phone call. An Eastern European voice said that unless the company paid €7,000 immediately, emails containing child porn would be sent in the company's name. Communications officer Ed Pownall decided to go public about this sinister follow-up threat: "How could we ever explain to shareholders we had paid out to extortionists?" he argued. "We have decided to go public so that if people do receive one of these emails they know it's not from us."

Attacks on the up

Since then, DDoS attacks have leapt almost immeasurably in their sophistication, power and – in some cases – their ingenuity. In March 2008, the eCrime Congress held in London heard from Peter Bassill, Information Security Officer at UK-based bookmaker Gala Coral. He reported that last year, an organised gang set up thousands of seemingly legitimate accounts with his company, using stolen identities. A large botnet then generated masses of seemingly legitimate web traffic for those accounts. The attack produced around 10GB of traffic per second, taking the company offline. Bassill also said that Gala Coral now suffers an average of two such powerful DDoS attacks a year, usually preceded by ransom demands in excess of $100,000.

Luckily, cutting-edge anti-DDoS protection is catching up, and big companies pay for that rather than paying out to extortionists. However, Bassill also warned that while all commercial companies are now under threat, it seems that not all DDoS attackers want money.

Getting revenge

The motives for using botnets are becoming increasingly trivial as they fall into younger hands. Like a drive-by shooting to avenge an insult, upsetting the wrong person online could now end in overwhelming retaliation. Security site CastleCops, which hosts community efforts to investigate malware, became the target of such malice last year.

During a five-day DDoS attack in March, nearly 1GB of data flooded the CastleCops site every second, pushing both it and its service provider off the web. Moving to a secondary ISP merely moved the focus of the attack. The perpetrator, according to US prosecutors, was a disgruntled 21-year-old Californian named as Greg C King. His history of actively trying to provoke angry reactions from site owners before launching DDoS attacks stretches back to 2004 when authorities raided his parents' house.

It's not usually the botnet owner performing the attack for his own ends, however. The owner – or 'herder' – simply keeps on growing his botnet, renting it out to other parties on the side. This means that attacks are far more likely to have been commissioned by a third party.

When scam baiting site 419Eater fell victim to a DDoS attack in September last year, it was obvious that Nigerian fraudsters had taken exception to the whistle being blown on their crimes. So who are these botnet herders – and what kind of power is available for rent?


Today, with the internet shrinking distances, the people renting botnets could be anywhere. The owners of the largest botnets, however, tend to be from Eastern Europe. One such group is the shadowy Zhelatin gang, named after the official designation of the trojan used to grow their botnet.