DDoS-for-hire boom blamed for attacks on SA’s ISPs

South African cyber security experts warn that low ransom DDoS attacks on ISPs may stem from cheap dark web tools, or sophisticated actors testing infrastructure resilience.

South African cyber security experts are raising concerns over the increasingly low ransom demands being issued by cyber extortionists targeting local internet service providers (ISPs) with distributed denial-of-service (DDoS) attacks.

The experts warn the trend could point to the growing availability of cheap DDoS attack tools and services on the dark web, or more sophisticated threat actors quietly testing the resilience and response capabilities of SA’s internet infrastructure, before potentially escalating to larger-scale operations in future.

This, as a number of South African ISPs this week disclosed they were battling large-scale DDoS attacks, which disrupted services.

On Monday, ITWeb reported that web host 1-Grid was experiencing intermittent service disruption due to a large-scale DDoS attack affecting parts of its infrastructure.

The goal of a DDoS attack is to flood a website, server, or online service with massive amounts of traffic so they become slow, unstable, or completely unavailable to legitimate users.

Seacom today confirmed to ITWeb that it experienced disruption caused by a high-volume DDoS incident, which led to a surge of traffic that temporarily impacted parts of its network. According to the subsea cable operator, this was not due to any failure of Seacom’s infrastructure, but rather the result of targeted malicious traffic, with wider ecosystem impact.

“Seacom’s monitoring and mitigation systems worked as designed, enabling rapid identification and isolation of the affected traffic. Services were restored to normal shortly thereafter. We confirm there is no evidence of any cyber breach, and customers using Seacom’s dedicated DDoS protection services were not affected,” says the company.

Xneelo yesterday also reported some disruptions to its network, as the DDoS attacks persisted. In its latest update, the web hosting company says: “Traffic is returning to normal, connectivity has stabilised and normal service has resumed. As mitigation work continues, some intermittent disruption may still occur.”

Another ISP affected is Network Platforms, which issued an update stating: “At present, the attack activity has subsided significantly. However, as neither we nor the affected clients have engaged with or complied with the ransom demands received from the attackers, we believe there remains a strong possibility of continued or recurring attack activity.”

Some of the attackers are demanding ransom in crypto-currency worth less than R20 000, ITWeb has learnt.

Dr Manny Corregedor, CEO of Telspace Africa, says these current attacks don’t appear to be financially motivated, because the demanded ransom does not economically align with the massive infrastructure costs required for threat actors to perform these types of multi-vector attacks.

He points out that a more plausible theory is that these attacks are a smokescreen, where a well-funded actor, perhaps a nation state, is using them to map out network dependency trees, locate single points of failure (like the undersea cable landing stations) or to test the latency and effectiveness of international scrubbing centres.

“Somewhere in between these theories is the truth, but in recent times South Africa has become an incredibly attractive target for both commodity extortionists and advanced threat actors due to a perfect storm of technical, economic and geopolitical factors,” Corregedor says. “This is further exacerbated by DDoS-for-hire services becoming more easily accessible to less skilled threat actors.”

Jason Jordaan, principal forensic scientist at DFIR Labs, believes ISPs and local hosting infrastructure are being targeted because they represent critical pressure points in the South African digital ecosystem.

“Based on the information currently available to me, many of these attacks appear to be linked to extortion. In other words, criminal groups are targeting these organisations with DDoS attacks, or the threat of DDoS attacks, in an attempt to extort payment, usually in crypto-currency,” says Jordaan. “What is interesting is that the amounts being demanded in some of these extortion e-mails do not appear to be particularly large.”

From a threat assessment perspective, he notes that this may suggest the country is not necessarily dealing with a highly sophisticated state-linked actor, or a major global organised crime group. Today, Jordaan says, it is relatively easy for less sophisticated criminal actors to rent or lease access to botnets or DDoS-for-hire services and use them to launch disruptive attacks.

The methodology appears to support this, he adds. “The use of broad ‘carpet bombing’ style attacks suggests a relatively blunt approach, rather than a carefully targeted, highly sophisticated operation. That does not mean the threat is insignificant. Even when DDoS attacks are carried out by smaller or less sophisticated cyber criminal groups, they can still be extremely disruptive and damaging.”

For Jordaan, the key point is that the impact of a DDoS attack does not depend only on the sophistication of the attacker. “It depends on the dependency of the victim organisation, and its customers, on the availability of the affected infrastructure. For ISPs, hosting providers and other service providers, availability is not a minor technical issue, it is central to the service they provide. That makes them attractive targets for extortion, even where the attacker’s underlying capability may be relatively low.”

Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa, is of the view that cyber criminals are increasingly opportunistic and automated in their approach. “Tools for launching DDoS attacks are cheap, accessible and can even be rented as a service on underground forums, making this easy.”

Collard adds that many South African businesses and service providers are undergoing rapid digital transformation, but not all organisations have invested equally in cyber resilience and infrastructure hardening.

“Attackers often look for organisations where disruption will have a high public impact but where defence may still be developing. We are also seeing cyber attacks increasingly used not only for disruption, but for extortion, political messaging, hacktivism, or as a smokescreen to distract security teams while other malicious activity takes place in the background.”

According to Collard, ISPs and connectivity providers are particularly attractive because a successful attack can create widespread downstream disruption affecting thousands of businesses and consumers simultaneously.

Ian Jansen van Rensburg, head of security engineering for Africa at Check Point Software Technologies, says SA has become a more attractive target because companies are increasingly relying on digital platforms and connected services, with more people working from home.

“One thing that is very concerning to me is that attackers appear to be focusing more on shared infrastructure and service providers rather than only individual organisations. Disrupting a major provider can create a much wider impact and affect multiple businesses and users at the same time.”

He concurs that DDoS attacks have become more accessible. “The tools and infrastructure used to launch these attacks are easier to obtain than they were previously, lowering the barrier to entry for threat actors.

“What makes incidents involving shared infrastructure more concerning is the ripple effect. When a key provider experiences disruption, the impact can spread across industries and affect businesses and users far beyond the original target.”

According to the cyber security experts, there is no one-size-fits-all defence against DDoS attacks, as effective protection requires a layered, proactive security strategy tailored to each organisation’s specific services, network architecture and operational environment.