Analysis of the economic damage caused by Internet crime
Volodymyr Mosorov
Department of Computer Science in Economics
University of Lodz, POLAND
Agenda
• Cybercrime
• Types of cyberattacks
• Classifications
• Statistics of Cyberattacks
• DDoS attack trends
• Real life attack scenarios
• Cost aspect
Introduction
• 24% of the adult population worldwide cannot live without the Internet
• 41% of the adult population worldwide needs access to the Internet daily
• the number of adult victims of cybercrime in 2011 was three times greater than the number of victims of traditional crime
• 431 million Internet users were cybercrime victims (more than one million Internet users daily in 2011)
Distributed Denial of Service (DDoS) attack
Botnet Network
Attack result
DDoS attack cont.
A DDoS attack can be perpetrated in a number of ways
Attack Classification:
• Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.
• Disruption of configuration information, such as routing information.
• Disruption of state information, such as unsolicited resetting of TCP sessions.
• Disruption of physical network components.
Schema of botnet creation
Most DDoS attacks are very small, usually less than 10Gbps.
A typical DDoS attack is not very long, usually less than 30 minutes.
Interesting Facts (2012):
89% of DDoS traffic was generated in 23 countries
US and Indonesia made up 10% of attack traffic
Online shopping sites, including e-stores, auctions, and buy and sell message boards made up 25% of all targeted sites
80% of all DDoS attacks take place Monday through Thursday
23% of the week’s DDoS attacks occur on a Tuesday
DDoS attack parameters (Arbor Special Report: Worldwide Infrastructure Security Report, 2012)
DDoS attacks against customers remain the number one operational threat seen during the survey period, with DDoS attacks against infrastructure being the top concern for 2014.
DDoS remains a key issue; therefore, it should not be surprising that nearly two-thirds of service provider respondents are seeing an increasing demand for DDoS detection/mitigation services from their customers.
Averaged attack time, 2012
Targets of DDoS attack, 2012
What is the financial impact of DDoS attack?
A DDoS attack inflicts a grave toll on revenues.
The reported 2013 revenue risk was slightly lower than in 2012, due to the increased investment in DDoS protection solutions.
More companies in 2012 (74% versus 65% in 2011) claimed that a DDoS outage would cost them up to $10K per hour; the rest reported that revenue risks will be $50-100K per hour.
The largest DDoS attack (February 2014)
A record-breaking distributed denial-of-service (DDoS) attack peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.
DDoS defense firm CloudFlare disclosed the attack against one of its customers: "Very big reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year, which peaked at a record-breaking 300 Gbit/s."
Facts
• According to CNBC, U.S. banks were the main targets of DDoS attacks during 2013. These events resulted in 250 hours of downtime in total. Calculated losses (related only to income) amounted to $12,450,000.
• Interesting fact: one man who took part in an anonymous attack on Koch Industries for 1 minute ONLY was sentenced to two years of probation and ordered to pay 183 thousand dollars!
Business model of a cyberattack
DDoS as a commercial service
Preparation of malicious software
Propagation of malicious software
Establishing command & control
Selling the service
Delivering the attack
Business Model
The attacker hopes to obtain some revenue by extorting the victim.
The expression of the profit:
Profit = E - C > 0
where
E represents the attacker's revenue,
C represents the cost of hiring the DDoS service.
The attacker’s revenue
The attacker’s revenue can be expressed in the following way:
E = n × R
where n is the percentage of victims who, in the attacker's opinion, will give in to the blackmail R.
Estimation of blackmail
Estimation of blackmail: R = k × AR
where AR is the victim's annual revenue and k is some ratio.
Estimation of a victim's annual revenue: We have compared these amounts with the annual revenue of some online sites and have estimated that extortions are approximately 1,000 times smaller. Hence k = 0.001. According to the reference (SEGUR@ Project, 2013), the amount of the extortion was between $20,000 and $50,000.
According to Arbor Networks Inc. (a leading provider of network security and management solutions for enterprise and service provider networks), an estimated average revenue:
R = k × AR = 0.001 × 20000 × 30 (price per month) × 12 months = $7,200/year
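The model above (Profit = E - C, E = n × R, R = k × AR) can be turned into a risk-ranking check for a defender; the following is an added example, not part of the original slides. It goes one step beyond the slides by solving Profit > 0 for the break-even payment rate n* = C / (k × AR). The hire cost C, the payment rate n, and the two extra sites are constructed values, since the pricing tables are not reproduced on this page.

```python
from dataclasses import dataclass

K = 0.001  # ratio from the slides: extortion is ~1,000 times smaller than AR

@dataclass(frozen=True)
class Site:
    name: str              # constructed label
    annual_revenue: float  # AR, in dollars per year

def extortion_demand(site, k=K):
    """R = k * AR."""
    return k * site.annual_revenue

def attacker_profit(site, pay_rate, hire_cost, k=K):
    """Profit = E - C, with E = n * R."""
    return pay_rate * extortion_demand(site, k) - hire_cost

def break_even_pay_rate(site, hire_cost, k=K):
    """n* = C / (k * AR): Profit > 0 only when n exceeds this value.
    A result of 1 or more means extortion can never cover the hire cost."""
    return hire_cost / extortion_demand(site, k)

def rank_by_incentive(sites, pay_rate, hire_cost):
    """Names of sites where Profit > 0, highest attacker profit first."""
    scored = [(attacker_profit(s, pay_rate, hire_cost), s.name) for s in sites]
    return [name for profit, name in sorted(scored, reverse=True) if profit > 0]

SITES = [
    Site("slides-example", 20000 * 30 * 12),   # AR figure used in the slides
    Site("small-shop", 100_000),               # constructed
    Site("large-retailer", 50_000_000),        # constructed
]
HIRE_COST = 500.0  # C: assumed value, not taken from the slides
PAY_RATE = 0.10    # n: assumed value, not taken from the slides

if __name__ == "__main__":
    for s in SITES:
        print(f"{s.name}: R=${extortion_demand(s):,.0f} "
              f"profit=${attacker_profit(s, PAY_RATE, HIRE_COST):,.0f} "
              f"break-even n={break_even_pay_rate(s, HIRE_COST):.3f}")
    print("Profitable targets:", rank_by_incentive(SITES, PAY_RATE, HIRE_COST))
```

Sites whose break-even rate is well below the observed payment rate are the ones the model predicts a rational attacker will favour, which is where protection spending is best justified.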
Estimation of blackmail cont.
Estimated costs of hiring DDoS attack service
To estimate these costs we need to obtain the following data:
• the revenue of attackers
• the cost of hiring DDoS service
Hiring of DDoS attack service
• There are plenty of forums on the Internet where anyone has access to this kind of service.
An example of conversation with DDoS service provider
Botnet Rental Pricing (Segura and Lahuerta, 2013)
DDoS Service - Estimated Costs
Example
Bitcoins - cybercrimes' currency
Bitcoin is a payment system introduced as open-source software (2009)
Bitcoin price: $653.08
Bitcoins - cybercrimes' currency
• Bitcoins are associated with cybercriminal behavior.
• Used to obfuscate online transactions.
• The Washington Post calls it "the currency of choice for seedy online activities."
• The FBI stated in a 2012 report that "bitcoin will likely continue to attract cyber-criminals who view it as a means to move or steal funds."
• Bitcoins are used for money laundering, like the use of botnets or exchange for illegal items/services.
Conclusion
• The economic motive seems to be the main driving force behind Internet crime incidents. When that happens, attackers' behavior is rational and predictable.
• Under some assumptions, it is possible to model the conditions that will influence the attacker's behavior. If we are able to collect data for our model, we can estimate the probability of the attacks.
• A simple economic model fits a real scenario based on an Internet provider service.
• This model represents the incentives of a potential attacker for launching DDoS attacks.
• To apply the model, data from two sources should be collected: prices of hiring DDoS attack services and the percentage of victims who paid extortion money in the past on online gambling sites (to estimate the amount of money that the attacker could demand in the service).
• The analysis performed makes it possible to estimate the incentives for launching DDoS attacks based on objective data.
• Applying this approach is not always possible, because the necessary data are not always attainable.
Conclusion cont.
Future vision
• Creation of a botnet market in the near future?
• DDoS attack as a business activity?