Service Providers under attack - what should you do?

Blog Post created by smillerjones on Nov 11, 2015

DDoS for Ransom?

There have been a recent spate of DDoS for Ransom attacks against email service providers which have made the news.  As a provider of website and content delivery services, I wanted to make sure we provided you, our customers, with information about what to do if you come under attack or a ransom is demanded, and what we can do to help you.


The recent DDoS for Ransom attacks are coming from multiple sources including a new group calling themselves The Armada Collective. Our security partners indicate that the group first surfaced in September 2015 with a series of attacks on banks, e-commerce sites and hosting services in Russia , Thailand and Switzerland.


The Armada Collective, like other groups including DD4BC, has been blackmailing companies for Bitcoin under the guise of a DDoS attack. The targets receive an email demanding that a ransom to be paid.  Refusal to pay within an allotted time-frame is met with a threat of a persistent multi-vector attack, and to demonstrate that they have the capability and capacity to do this, the target is threatened with a 15-30 minute sample attack.


In November 2015, The Armada Collective and additional sources began targeting email service providers. According to the information we have seen, companies are being held ransom for 6000 BTC.  The attacks being monitored are multi-vector attacks that include network and application based attacks, as well as volumetric DDoS attacks in the range of 30- 50 Gbps.


What to Do If You Are Targeted

If you are targeted with such a ransom demand, these are the steps we recommend you take:

  • Inform the authorities
  • Notify your infrastructure hosting company, ISP and other service providers about the pending attack
  • Make sure proper DDoS detection and mitigation is in place for networks and applications


How Limelight can help

We don't know who the next target of a ransom group will be, but ensuring that you can detect attacks, having a process in place for such an incident and reviewing and proactively preparing your systems is important.


If you are faced with a threat from a blackmail group, it is important to be able to know it is happening and be able to take steps to mitigate the attack.


These are areas you should consider:


  • Delivery and security services that can protect your applications and infrastructure from:
    • Volumetric attacks that can saturate the Internet pipe
    • Multi-vector attacks including network and behavioral application based DDoS


  • A solution that includes cloud-based detection and protection for volumetric and behavioral attacks with options for mitigation
    • Provides quick detection and mitigation
    • Protects networks from volumetric attacks that aim to saturate the Internet pipe.


  • An emergency response plan that includes an emergency response team and process.


  • Monitor security alerts and examine triggers carefully.
    • Tune your application and infrastructure  monitoring policies and protections
      • Prevent false positives
      • Identify real threats if and when they occur.


Orchestrate Performance and DDoS Attack Interceptor

Limelight's Orchestrate Security can ensure that your web applications are protected from volumetric and behavioral application layer DDoS attacks.


Our DDoS Attack Interceptor service combines the best-in-class web application acceleration and delivery of Orchestrate Performance with always-on attack detection within our CDN and attack mitigation with our cloud scrubbing partners.


Capable of detecting known attack vectors and forming unique attack signatures based on your traffic profile in real-time, our processes ensure fast alerting if your applications come under attack and cloud-based scrubbing to mitigate active attacks. We also provide cloud-based Website Application Firewall services with our security partners.


Using Limelight's CDN services to accelerate and deliver web applications offers many security benefits and provides a highly scaled and distributed application surface that can both protect your content and infrastructure, and detect volumetric and behavioral attacks against it.


Some of the benefits of our solution are:

  • Deflect network layer attacks
  • Filter unwanted traffic
  • Check Headers, Query terms & cookies
  • Assess user location for access rights
  • Mask web application infrastructure from the Public Internet
  • Protect access to content with time limited and individualized URLs
  • Real-time status code reporting describes user and application behavior
  • Real time reporting and live logs integrate with monitoring systems
  • High performance global SSL infrastructure