Why is the game lagging? The cyber-attack black market: one thousand yuan paralyzes a website for 9 hours

  Why is the game lagging? Why won't the web page open? It may have been a cyber attack.

  Recently, the Supreme People's Procuratorate announced the country's first full-chain crackdown on a cross-border hacker cyber attack. Among the eighteenth batch of guiding cases released by the Supreme People's Procuratorate, the case of Yao Xiaojie and 10 other defendants for damaging computer information systems involved the "Dark Night" attack team, well known in hacker circles.

  At present, large numbers of hacker groups on the black market still profit from such DDoS (distributed denial-of-service) attacks. An investigation by Beijing News reporters from April 13 to April 17 found that on black- and gray-market trading platforms, cyber attacks have become clearly priced commodities: many employers directly post the website addresses or app names they want attacked and hire hackers to make the target unreachable and its service paralyzed. The price of an attack varies with the target website's defenses. The hackers who carry out attacks, the traffic providers who supply them with "ammunition", the "walls" used to test attack power, and the employers from the same industry together form a cyber-attack black industry chain.

  "The 'Dark Night' case is the country's first full-chain crackdown on cross-border hacker attacks. The case involves not only the 'Dark Night Attack Team' itself but a group of 11 defendants who played different roles in the attack chain, some of whom had never met. Such cases often require linking upstream and downstream behaviour in order to reconstruct the facts and establish the truth. That is both the characteristic and the difficulty of fighting cybercrime," said Xiao Wei, senior researcher at Tencent's Cyber Security and Crime Research Base.

Cyber attacks clearly priced

A few hundred yuan to launch an attack, tens of thousands in extortion

  "Illegal websites, private game servers, gambling and chess-and-card apps: DDoS attack services to help you hit your competitors", "URL XXX, private message me if you can take it down" ... On April 13, a Beijing News reporter found that on a black- and gray-market trading platform hosted overseas, cyber attacks have become clearly priced "commodities". Many employers directly post the website addresses or app names they want attacked and hire hackers to launch DDoS attacks, leaving the target unreachable and its service paralyzed.

  The Beijing News reporter learned that a DDoS attack works by having the attacker control many machines that all send traffic to one IP address at the same time. The surge in traffic exhausts the target's bandwidth or server capacity until the web page can no longer be opened and the service collapses. It is like a restaurant into which a crowd of freeloaders pours, so that paying customers can no longer get through the door.

  At 1 pm on April 16, a Beijing News reporter contacted a hacker offering a DDoS attack service. The hacker said he first had to look at the target website's IP address before quoting a price. The reporter gave the address of a small illegal website. The hacker replied that the site "has been hit before. It has 6 CDN IPs (content delivery network, which relieves network congestion and to some extent absorbs attacks). Each IP takes about 10 minutes, so it can be killed (paralyzed) in about 30 minutes. The price is 1,000 yuan, from now until ten o'clock tonight." By that reckoning, paying 1,000 yuan buys about 9 hours of downtime for the target website.

  Snow Wolf (Xuelang), a senior security expert with Tencent's Guardian Program, told the Beijing News that attack costs differ because targets' network defenses differ. "The lowest tier is basically 200 yuan per hit. For a website with a bit of defense it is 1,000 to 2,000 yuan, and the price fluctuates widely."

  Websites hosted on cloud servers or with better protection require DDoS attacks with larger traffic volumes and greater attack power.

  "Basically, for a hacker who could reach a peak attack rate of 450 Gbps in 2017, an hour cost about 1,000 yuan. The purpose may be to paralyze the website just once and then demand a ransom, or the hacker may be hired to keep attacking and disrupt the website's normal service," Snow Wolf said.

  According to public reports, a recent DDoS case was an attack on a smart-technology company in Taizhou, reported by the Procuratorate Daily on April 10. In January 2019 the company received many complaints from gamers about frequent disconnections during play, and later confirmed it had been hit by a hacker's DDoS attack. The attacks prevented users from logging in and drove large numbers of them away; nearly 20,000 registered users on the server were affected. To counter the attack the company spent more than 50,000 yuan on DDoS protection packages, to little effect. Public security organs eventually arrested the hacker involved, surnamed Luo, and found that he had taken the job from an employer for 300 yuan, rented a command-and-control server to recruit "broilers" (illegally controlled computer systems that can supply attack traffic), and used DDoS techniques against the company's servers.

  Tencent Cloud's "DDoS Threat Report 2019" (hereinafter the "Threat Report") shows that a hacker pays a few hundred yuan for an attack service while a single extortion demand can reach tens of thousands of yuan; building an attack platform costs a few thousand yuan, and the income from renting out DDoS attack services can reach hundreds of thousands of yuan.

Clear division of labor

Some supply the "ammunition", hackers carry out the attack

  The Beijing News reporter found that DDoS attacks on the black market now form an industry chain with a clear upstream-downstream division of labor. Upstream are the sellers of DDoS attack software, who provide point-and-click attack tools that lower the entry barrier for hackers. In the middle are the traffic providers, who either run their own data centers with stable bandwidth or control large numbers of "broilers", and who supply the "ammunition" for DDoS attacks. Downstream are the hackers who execute the attacks. In addition, some companies that sell anti-DDoS protection take an active part: they provide a "wall" against which DDoS attack power is tested, so that employers can verify a hacker's attack strength, and have thereby become part of the cyber-attack chain themselves.

  Among these, the most important upstream party for the hacker is the traffic provider. A 2016 case published by the Wenyuhe Court of Beijing's Chaoyang District Court showed that the defendant had controlled 68 computers through a Trojan program and leased the traffic of the controlled machines to hackers for DDoS attacks, profiting from it: 1G of traffic earned 100 yuan a day, more than 30,000 yuan over 5 months. The defendant confessed that he was only responsible for catching "broilers" and not for attacking any servers or websites, yet he clearly formed one link in the DDoS black industry chain.

  The Threat Report shows that Trojan-infected personal computers are hackers' largest source of attack traffic, accounting for 46%.

  On April 16, the Beijing News reporter found many hackers "buying traffic at high prices" on the overseas black- and gray-market platform. When one traffic seller offered traffic at 50 yuan per G, a hacker immediately replied "I'll take it all"; other hackers said the truly capable operators "buy their own data center".

  Besides traffic trading, many sellers on the black- and gray-market platform offer DDoS attack scripts and software. "God of War", who is familiar with the black market, told reporters that many old attack scripts still sell for good money, but genuinely cutting-edge DDoS attack technology is still mainly imported from abroad. For a hacker to sustain an attack of 300 to 500G, it costs at least tens of thousands of yuan a month.

Who gets hit?

Games and e-commerce top the list, mostly driven by vicious competition

  As for targets, most hackers said they were willing to attack illegal websites. "God of War" said this is mainly because after such "black on black" attacks the victims can usually only swallow the loss, whereas these hackers are generally unwilling to attack large Internet companies such as BAT, because "the difficulty is too high and the risk too great."

  According to the Threat Report, the game industry accounts for 42% of DDoS attacks by industry, making it the hardest hit. E-commerce and network services account for 15% and 14% respectively, ranking second and third. Within the game industry, nearly half of the targets are mobile game apps.

  However, in conversations with hackers on the black- and gray-market platform, the Beijing News reporter found that because a mobile game app does not expose its IP address as plainly as a browser game does, technical means are usually needed to find the IP before an attack can be launched. Many hackers therefore ask the employer for the IP address up front when asked to attack an app: "Looking up the IP myself is too much trouble. Give me the address directly and I'll quote you."

  According to the Threat Report, the three main sources of revenue behind DDoS attacks are hitting competitors, extorting "protection fees" from Internet companies, and selling "room-crash" and "disconnect" cheats to players. More than 80% of hackers' motives for launching DDoS attacks stem from malicious competition.

Difficulties in combating DDoS attacks:

Evidence collection and international cooperation are hard

  Snow Wolf said that in recent years, as networks have developed, the bandwidth and performance of cloud servers have risen greatly and defense and countermeasure technologies have kept improving, so the traffic required for a DDoS attack has grown year by year. Compared with earlier years, the polarization of hacker groups is more severe: small hackers pose no threat to large enterprises, while large hacker organizations generally involve overseas elements, which is the most troublesome problem. In addition, with the growth of the Internet of Things, more and more IoT devices have become "broilers", and attacks that use IoT devices to carry out UDP reflection attacks are increasingly common, which makes forensics harder.
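  The two technical points above, many controlled machines converging on one IP address and UDP reflection traffic from IoT devices, can be told apart in flow records. The following is an added example written for this page, not code from the Beijing News, Tencent or any of the people quoted. It reads constructed NetFlow-style records (not real captures), aggregates them per destination, and flags a destination as attacked when many distinct sources send it a high volume in one window; if most of that volume arrives as large UDP packets from well-known reflector service ports (DNS, NTP, SNMP, CLDAP, SSDP, memcached), it is labelled a reflection attack. The thresholds (50 sources, 100 Mbps, 512-byte average packet, 80% reflection share) are assumptions chosen for the sample and should be tuned to the monitored link. The forensic point Snow Wolf raises is visible in the data: in a reflection attack the source addresses in the flows belong to the reflectors that answered spoofed requests, not to the attacker.

```python
"""Flag volumetric floods and UDP reflection attacks in flow records.

Added example for this page; not code from the article, Tencent, or the
people quoted. Input records are constructed NetFlow-style tuples:
    src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
"""
import random
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors: a small spoofed request draws a
# much larger response that is delivered to the victim. (Assumed list.)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse comma-separated flow lines; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]), int(f[6])))
    return flows


def analyze(flows, window_s=60, min_sources=50, min_mbps=100.0,
            min_avg_pkt=512, reflect_share=0.8):
    """Return {dst_ip: verdict} for destinations that look under attack.

    A destination qualifies when at least `min_sources` distinct sources
    send it at least `min_mbps` within the window. It is 'udp_reflection'
    when `reflect_share` of the bytes are large UDP packets whose *source*
    port is a known reflector service; otherwise 'volumetric_flood'.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0,
                                   "reflect_bytes": 0, "services": defaultdict(int)})
    for fl in flows:
        d = per_dst[fl.dst_ip]
        d["sources"].add(fl.src_ip)
        d["bytes"] += fl.bytes
        avg_pkt = fl.bytes / fl.packets if fl.packets else 0
        if fl.proto == "UDP" and fl.src_port in REFLECTOR_PORTS and avg_pkt > min_avg_pkt:
            d["reflect_bytes"] += fl.bytes
            d["services"][REFLECTOR_PORTS[fl.src_port]] += fl.bytes
    verdicts = {}
    for dst, d in per_dst.items():
        mbps = d["bytes"] * 8 / window_s / 1e6
        if len(d["sources"]) < min_sources or mbps < min_mbps:
            continue
        share = d["reflect_bytes"] / d["bytes"] if d["bytes"] else 0.0
        verdicts[dst] = {
            "kind": "udp_reflection" if share >= reflect_share else "volumetric_flood",
            "unique_sources": len(d["sources"]),
            "mbps": round(mbps, 1),
            "reflection_share": round(share, 2),
            "top_services": sorted(d["services"], key=d["services"].get, reverse=True),
        }
    return verdicts


def build_sample(seed=7):
    """Constructed flows (not real captures): one reflection attack, one
    direct flood from bots, and ordinary traffic to a third host."""
    rng = random.Random(seed)
    victim, flood_target, quiet = "203.0.113.10", "203.0.113.30", "203.0.113.20"
    lines = ["# src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"]
    # 200 NTP/SSDP reflectors answering requests spoofed with the victim's
    # address: the flows name the reflectors, never the attacker.
    for i in range(200):
        port = 123 if i % 2 == 0 else 1900
        for _ in range(2):
            lines.append(f"192.0.2.{i + 1},{port},{victim},{rng.randint(1024, 65535)},UDP,2000,{2000 * 1200}")
    # A little legitimate HTTPS traffic to the victim mixed in.
    for i in range(10):
        lines.append(f"198.51.100.{i + 1},{rng.randint(1024, 65535)},{victim},443,TCP,50,50000")
    # 300 bots ("broilers") sending small packets straight at another host.
    for i in range(300):
        lines.append(f"10.0.{i // 250}.{i % 250 + 1},{rng.randint(1024, 65535)},{flood_target},80,TCP,100000,{100000 * 60}")
    # Five ordinary clients of an untouched host.
    for i in range(5):
        lines.append(f"198.51.100.{50 + i},{rng.randint(1024, 65535)},{quiet},443,TCP,300,240000")
    return parse_flows("\n".join(lines))


if __name__ == "__main__":
    for dst, verdict in analyze(build_sample()).items():
        print(dst, verdict)
```

The flood against 203.0.113.30 is recognised purely by fan-in and volume, which is the "many machines hitting one address" pattern of the article's restaurant analogy; the reflection attack against 203.0.113.10 is distinguished by where the bytes come from (service ports on third-party hosts) rather than by volume alone, and blocking or contacting those source addresses does nothing to identify who sent the spoofed requests.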

  The Threat Report shows that the number of DDoS attacks in 2019 declined slightly from 2018, but high-volume attacks remain prominent, and overseas DDoS threats rose sharply: attacks from overseas accounted for 15% in 2019, nearly double the 2018 share.

  Among the better-known hacker groups arrested so far are the Knight Attack Team and the Dark Night Attack Team. The Knight team was arrested in 2010; according to public reports, its earnings had reached 100 million yuan by then. Dark Night is the best-known domestic hacker team after Knight, and at the time of the case it accounted for nearly half of domestic DDoS attacks.

  "The Dark Night group could organize extremely high-volume DDoS attacks in a very short time and launch them at any moment against arbitrary targets, which is very frightening," Xiao Wei told reporters. "An attack on that scale requires the integration of upstream and downstream links. It was only possible because 'Dark Night' had employers providing funds and designating targets, external 'broiler' controllers supplying traffic, and an internal division of labor of its own: some were responsible for daily management, some specialized in buying attack traffic and 'wall testing', some analyzed the IPs and directed the 'broilers' to attack, some handled software debugging and computer maintenance, some handled money transfers and laundering, and some handled logistics. All of these people played different roles in the DDoS attacks, and some did not even know each other."

  "God of War" told reporters that DDoS attacks are hard to combat at present because "domestic operators have to cooperate with Chinese public security, but tracing amplification attacks requires coordination with foreign operators, and foreign operators are unlikely to cooperate fully with Chinese public security."

  According to Xiao Wei, the difficulty in combating DDoS attacks is, first, that when the source objectively cannot be traced it is hard to establish a one-to-one causal link between each attack and the resulting damage; second, that assessing only "direct economic loss" and "necessary repair costs" cannot objectively reflect the actual harm cyber attacks do to cloud service providers and to network order; and third, that mainstream cloud services now generally rely on protection deployed in advance to maintain network security, and that cost cannot be counted as economic loss, making it hard for a case to reach the criminal threshold. In addition, high concealment and cross-border characteristics are common to current DDoS attacks, which greatly complicates investigation and evidence collection.

  Moreover, relative to the damage caused, domestic sentences in cyber-attack cases are mostly only one to two years. In the Dark Night guiding case published by the Supreme People's Procuratorate, for example, the 11 defendants were ultimately sentenced to between one and two years' imprisonment for damaging computer information systems.

  Some game industry practitioners consider one to two years "very light" compared with the damage hacking causes. "A server crash directly affects the user experience. Some hackers deliberately attack when the number of online users is at its peak, so that users cannot log in, which ultimately costs us users and causes incalculable losses."

  On this point, legal professionals told the Beijing News reporter that the crime of damaging a computer information system carries up to five years' imprisonment or criminal detention, and more than five years' imprisonment if the consequences are especially serious. Under national regulations, causing more than ten computers to fail to operate normally counts as "serious consequences", but in the era of cloud services damage can no longer be measured in tens or hundreds of machines. Timely updates to the laws and regulations on hacking attacks are therefore imperative.

  Beijing News reporter Luo Yidan