Are online firms doing secret deals with DDoS attackers?

A security expert from IBM has controversially suggested a number of large companies are still "more often than not" paying off cyber criminals threatening them with distributed denial-of-service attacks.

The accusation comes despite claims from many major online businesses who say they do not negotiate with criminals.

Speaking at Virus Bulletin 2005 in Dublin, malware specialist at IBM, Martin Overton, said the DDoS scams, which typically target companies that rely upon peaks of online transactions such as internet bookmakers, are still a major money spinner for the criminals.

Discussing the dilemma many bookmakers have faced, Overton said: "If you're a bookmaker and somebody comes to you and says we're going to take you down during a major sporting event, what are you going to do?"

"More often than not they pay up," Overton told delegates.

And it's not just the bookmakers who are paying up, Overton said, explaining that one compelling incentive employed by the criminals is to ensure their ransom demands undercut the cost of preventing or cleaning up such an attack.

Stories of companies paying the extortionists' ransom in the earliest days of this type of threat are not uncommon but many reputable online firms have long maintained they do not do deals with criminals.

Companies have also been open about criminal approaches in order to get the issue into the open, rather than paying up and keeping quiet. So Overton's words will come as a surprise to many.

Although there have even been significant successes even among smaller firms who have refused to pay and have withstood subsequent attack due to effective planning and provisioning, Overton said no business can ever be entirely protected from DDoS.

He said: "You can put systems in place to ease the pain but you can't stop it altogether."

Also speaking at Virus Bulletin 2005, Dmitry Gryaznov, from McAfee, said the potential will always exist for a DDoS attack "powerful enough to take down any website – no matter how powerful their servers are" – a claim which is at odds with those on the carrier and infrastructure side who argue such attacks can be diverted and sidetracked to minimise impact on the targeted business.