A category I have been watching from a distance is now operationally clear. DDoS extortion against online-gambling operators has matured into a structural threat. The attacks have specific signatures; the demands are predictable; the operator response across the sector is uneven.
This post is going to be a longer treatment because the category illustrates the broader trajectory of bot infrastructure being put to commercial criminal use.
The pattern
The structural pattern is consistent across multiple incidents:
A demand letter arrives. Usually by email; usually in passable English; usually demanding a specific sum (typically $20,000 to $100,000) in exchange for not attacking the target's site.
A small demonstration attack precedes serious extortion. Brief-but-visible DDoS — perhaps 30 minutes, perhaps an hour — that demonstrates the operator can deliver. The demonstration is calibrated to be disruptive without producing complete outage; the message is that the larger attack is held in reserve.
The deadline is short. Typically 24-48 hours. The short deadline is designed to prevent the target from organising a coordinated response; the operator wants the payment to be the path of least resistance.
Payment requested through alternative channels. e-gold, intermediated cryptocurrency-style mechanisms, occasionally direct wire transfer to specific accounts. The payment paths are designed to be hard to trace.
A second attack if payment is not made. Sustained DDoS aimed at peak revenue periods (specific sporting events, major weekends). The damage is calibrated to exceed the demanded ransom; the implicit message is that paying is the rational choice.
Why online gambling
Specific structural properties of the sector make it the natural early target.
Revenue is heavily concentrated in specific time windows. Major sporting events produce most of the year's revenue. Disruption during specific events produces disproportionate financial damage. The sector is uniquely sensitive to availability.
The customer base is unsympathetic. Online gambling customers do not generate political support for the operators; specific incidents do not produce the broader public concern that, say, an attack against a hospital would.
The legal posture is complex. Operators in some jurisdictions are technically illegal; reporting incidents to law enforcement is structurally difficult. The asymmetric law-enforcement response favours the attackers.
Specific operators have bandwidth and revenue exposure. A medium-sized gambling operator may have moderate bandwidth (susceptible to attack) and substantial revenue (worth attacking). The cost-benefit favours targeting.
The category is not unique to gambling — extortion against any online operator is conceivable — but gambling is the leading indicator.
The bot infrastructure behind the attacks
The attacks for which I have seen analyses share a structural pattern. The bot population is the substrate; the operator rents a portion for the attack window.
Specific properties:
The bot count is large enough to saturate medium-sized targets. Tens of thousands of bots, geographically distributed, can produce traffic volumes that small-to-medium operators cannot absorb at their own infrastructure level.
The attack types vary. SYN floods, UDP floods, HTTP request floods. The attacker can switch tactics mid-attack to defeat specific defensive responses.
The attack windows are sustained. Hours, not minutes. The operator can deliver sustained attack for the duration of the demonstration or the punishment.
The bot infrastructure is the same Phatbot/Agobot-class population I have been writing about. The DDoS plugins exist; the operators rent capacity from the bot herders; the customer-attacker pays for an attack and the bot-herder pays for the bot population.
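The point above about attackers switching between SYN, UDP and HTTP request floods mid-attack is the part a defender's monitoring has to handle. The following is an added example, not code from the original post or from any of the tools it names: it buckets constructed flow summaries into one-minute windows, labels each window by the dominant flood type, and reports the tactic switches between windows. The record layout, the thresholds and the sample addresses are all assumptions chosen for illustration and would need tuning to a real link's capacity.

```python
"""Label per-window DDoS traffic type and flag mid-attack tactic switches.

Added example, not from the original post. Flow records are constructed:
(ts_seconds, src_ip, proto, tcp_flags, dst_port, packets). Thresholds are
assumptions for this sample, not measured values.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
# Assumed thresholds: a distributed flood is many flows from many sources.
SYN_FLOWS_PER_WINDOW = 200       # SYN-only flows that never complete a handshake
UDP_FLOWS_PER_WINDOW = 200
HTTP_REQUESTS_PER_WINDOW = 200   # established (PSH/ACK) flows to web ports
MIN_DISTINCT_SOURCES = 50        # separates a flood from one misbehaving client


def build_sample_flows():
    """Constructed traffic: window 0 baseline, then SYN, UDP and HTTP floods."""
    flows = []
    # Baseline: 20 real clients complete a handshake and request a page.
    for i in range(20):
        src = f"198.51.100.{i}"
        flows.append((5 + i, src, "tcp", "S", 443, 1))
        flows.append((6 + i, src, "tcp", "PA", 443, 4))
    # SYN flood: 500 distinct constructed sources, SYN only, no data.
    for i in range(500):
        flows.append((60 + i % 60, f"10.{i // 256}.{i % 256}.7", "tcp", "S", 443, 1))
    # UDP flood: 400 sources, no TCP flags involved.
    for i in range(400):
        flows.append((120 + i % 60, f"10.{i // 256}.{i % 256}.9", "udp", "", 80, 3))
    # HTTP request flood: 300 bots each complete a handshake, then send 3 requests.
    for i in range(300):
        src = f"10.{i // 256}.{i % 256}.11"
        flows.append((180 + i % 60, src, "tcp", "S", 443, 1))
        for _ in range(3):
            flows.append((180 + i % 60, src, "tcp", "PA", 443, 2))
    return flows


def classify_window(flows):
    """Return (label, distinct_sources) for one window of flow records."""
    syn_only = [f for f in flows if f[2] == "tcp" and f[3] == "S"]
    udp = [f for f in flows if f[2] == "udp"]
    http = [f for f in flows if f[2] == "tcp" and f[3] == "PA" and f[4] in (80, 443)]
    candidates = []
    for label, subset, limit in (("syn_flood", syn_only, SYN_FLOWS_PER_WINDOW),
                                 ("udp_flood", udp, UDP_FLOWS_PER_WINDOW),
                                 ("http_flood", http, HTTP_REQUESTS_PER_WINDOW)):
        sources = {f[1] for f in subset}
        if len(subset) >= limit and len(sources) >= MIN_DISTINCT_SOURCES:
            candidates.append((len(subset), label, len(sources)))
    if not candidates:
        return "normal", len({f[1] for f in flows})
    # An HTTP flood also produces many SYNs; the larger component wins the label.
    _, label, sources = max(candidates)
    return label, sources


def detect(flows, window=WINDOW_SECONDS):
    """Bucket flows by window start and label each window."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f[0] // window].append(f)
    return [(start * window, *classify_window(buckets[start])) for start in sorted(buckets)]


def tactic_switches(timeline):
    """List (previous_label, new_label, window_start) where the flood type changes."""
    switches, prev = [], None
    for start, label, _ in timeline:
        if label != "normal":
            if prev is not None and label != prev:
                switches.append((prev, label, start))
            prev = label
    return switches


if __name__ == "__main__":
    timeline = detect(build_sample_flows())
    for start, label, sources in timeline:
        print(f"t={start:>4}s  {label:<10}  distinct sources={sources}")
    for before, after, start in tactic_switches(timeline):
        print(f"tactic switch {before} -> {after} at t={start}s")
```

The labels drive different responses (SYN cookies or upstream SYN filtering, UDP rate limits at the provider, request-level throttling at the application), so a single "traffic is high" alarm is not enough; the switch report is what tells the responder that the filter applied a minute ago has just been routed around.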
What targets should do
For online operators in any high-availability sector:
Refuse to pay. Payment funds the criminal infrastructure; specific operators report repeat extortion against the same target after payment. The sector-level outcome is worse if payments become routine.
Prepare incident response in advance. Specific upstream relationships, specific contacts at the relevant ISPs, specific procedures for emergency filtering. Setting up these relationships during an attack is operationally impossible; setting them up before any attack is bounded preparation.
Consider DDoS-mitigation services. Several companies now offer DDoS-mitigation as a service; the customer routes traffic through the mitigation provider; the provider absorbs attacks. The cost is non-trivial but, for high-availability operators, increasingly necessary.
Coordinate with law enforcement where possible. Specific UK and US agencies are building capacity for cross-border cybercrime investigation. The cumulative effect of operators reporting incidents is positive even when individual cases are unresolved.
Communicate with customers transparently. When attacks happen, telling customers what is occurring builds trust; opaque outage messaging damages the relationship.
What this teaches
Three observations.
The economic infrastructure of cybercrime is now operational. Specific bot operators, specific extortion operators, specific payment channels — all are mature enough to support sustained criminal commerce. The category will not contract; it will expand.
The defensive economics are bad. A few thousand dollars produces a sustained attack; mitigation infrastructure costs tens or hundreds of thousands. The cost asymmetry favours attackers; only structural responses (carrier-level mitigation, ISP responsibility, BCP 38) can shift the balance.
Specific sectors will be targeted in succession. Online gambling is first; online retail will follow; specific other categories will emerge. The trajectory is predictable; the specific timing is uncertain.
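The second observation names BCP 38 as one of the structural responses. Its mechanism is simple: a provider forwards a customer-facing interface's outbound packets only when the source address falls inside a prefix assigned to that interface, so a bot behind that port cannot spoof its source. The block below is an added example, not from the original post or any vendor: it implements that egress decision with the standard `ipaddress` module over constructed interface prefixes and a constructed packet batch, and summarises drops per interface, since a sudden rise in egress drops on one port is itself a signal that a host on that segment has joined a spoofed flood.

```python
"""BCP 38 style egress check, plus a per-interface spoof summary.

Added example, not from the original post. Interface names, prefixes and
packets are constructed (documentation address ranges); a real deployment
would take the prefix table from the provider's customer records.
"""
import ipaddress
from collections import Counter

# Assumed prefix table: what is legitimately allowed to originate behind each port.
ASSIGNED_PREFIXES = {
    "cust-eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth2": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("2001:db8:1::/48")],
}

# Constructed packets: (ingress_interface, src_ip, dst_ip).
SAMPLE_PACKETS = [
    ("cust-eth1", "203.0.113.9", "192.0.2.10"),            # legitimate
    ("cust-eth1", "203.0.113.77", "192.0.2.10"),           # legitimate
    ("cust-eth1", "198.51.100.5", "192.0.2.10"),           # spoofed: eth2's prefix
    ("cust-eth1", "192.0.2.200", "192.0.2.10"),            # spoofed: unrelated prefix
    ("cust-eth2", "198.51.100.5", "192.0.2.10"),           # legitimate
    ("cust-eth2", "2001:db8:1::5", "2001:db8:ffff::1"),    # legitimate (v6)
    ("cust-eth2", "2001:db8:2::5", "2001:db8:ffff::1"),    # spoofed: adjacent /48
    ("cust-eth2", "not-an-ip", "192.0.2.10"),              # malformed source
]


def egress_verdict(iface, src_ip):
    """'forward' if src_ip lies in a prefix assigned to iface, otherwise 'drop'."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"                      # never forward what cannot be parsed
    for net in ASSIGNED_PREFIXES.get(iface, []):
        if addr.version == net.version and addr in net:
            return "forward"
    return "drop"                          # unknown interface or foreign source


def filter_batch(packets):
    """Split (iface, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_verdict(pkt[0], pkt[1]) == "forward" else dropped).append(pkt)
    return forwarded, dropped


def spoof_report(packets):
    """Count dropped packets per interface: a spike points at the infected segment."""
    _, dropped = filter_batch(packets)
    return dict(Counter(pkt[0] for pkt in dropped))


if __name__ == "__main__":
    fwd, drp = filter_batch(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for iface, count in sorted(spoof_report(SAMPLE_PACKETS).items()):
        print(f"{iface}: {count} spoofed-source packets dropped")
```

The caveat a defender should keep in mind: this filter stops spoofed-source floods at the edge where the bots sit, which is why the post calls it a structural, provider-side response. It does nothing against floods sent with the bots' real addresses (the HTTP request floods described earlier), so the mitigation services, upstream relationships and prepared procedures above remain necessary even where BCP 38 is universally deployed.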
What I am doing
For my own infrastructure: the realistic exposure is bounded — I am not a high-value target. The standard defences (BCP 38 egress, monitoring, ISP relationship) are in place.
For client work: increased emphasis on DDoS-readiness as part of the standard security review. Specific operational disciplines (bandwidth headroom, upstream relationships, prepared procedures) get explicit attention now.
For my structured-log analysis: tracking reconnaissance traffic that may precede targeted DDoS. Some of the pre-attack reconnaissance is detectable.
What I expect
Three predictions:
Continued growth in DDoS-extortion incidents. 95%. The economic infrastructure favours growth.
Spread to additional sectors. 80%. Online retail, payment processors, specific high-availability infrastructure operators.
Specific public incidents that cross the threshold for mainstream visibility. 70%. The cumulative pressure produces visibility.
For my own writing: more on this category as it develops. The trajectory is structurally important.
More in time.