At 7pm on Monday 23 August 2004 Asif Malik, a Leeds-based technical director, arrived home after a busy day at Nochex, the online payments firm he had co-founded four years earlier.
A few minutes later he received a phone call from a panicked colleague - back at the office his IT team had received an email that made disturbing reading.
'We attack your servers for some time,' the extortionist threatened in pidgin English.
'If you want save your business, you should pay 10.000$ bank wire to our bank account. When we receive money, we stop attack immediately. If we will not receive money, we will attack your business 1 month, and destroy your router and DNS? think about how much money you lose while your servers are down.'
Ten minutes later Malik's worst nightmares came true. The blackmailer launched a distributed denial of service (DDoS) attack which pummelled his servers with internet traffic at a rate of 155Mbit/s.
'The usual traffic we receive is at a rate of seven or eight Mbit/s,' said Malik. 'The attack crippled us, and our web servers died immediately. It was scary stuff. We spent four years building up the business and this guy could have wiped us out in days.'
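The jump Malik describes, from a 7-8 Mbit/s baseline to 155 Mbit/s, is the kind of volumetric anomaly a counter-based monitor can flag within a poll or two. The following is an added example, not code from Nochex, Pipex or the article; it assumes interface byte counters polled every ten seconds and uses constructed sample data matching the article's figures.

```python
"""Flag a volumetric DDoS from cumulative interface byte counters.

Added example (not from the article). Samples are assumed to be
(timestamp_seconds, cumulative_rx_bytes) pairs as an SNMP poller would
collect them; the data below is constructed to mirror the article's
numbers: ~8 Mbit/s of normal load, then 155 Mbit/s of attack traffic.
"""
from statistics import median

# Constructed samples, 10 s apart: 1,000,000 bytes/s (8 Mbit/s) for the
# first minute, then 19,375,000 bytes/s (155 Mbit/s) from t=60 onwards.
SAMPLES = [(t, t * 1_000_000) for t in range(0, 70, 10)]
_last = SAMPLES[-1][1]
SAMPLES += [(t, _last + (t - 60) * 19_375_000) for t in range(70, 110, 10)]


def rates_mbps(samples):
    """Convert consecutive counter samples into (timestamp, Mbit/s) pairs."""
    out = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        out.append((t1, (b1 - b0) * 8 / ((t1 - t0) * 1e6)))
    return out


def detect(samples, baseline_window=6, factor=5.0, sustain=2):
    """Return alert details once the rate exceeds factor x baseline for
    `sustain` consecutive polls, or None if no attack is seen.

    The baseline is the median of the first `baseline_window` intervals,
    so a single noisy poll does not distort it; requiring a sustained
    streak avoids alerting on one-off bursts.
    """
    rates = rates_mbps(samples)
    baseline = median(r for _, r in rates[:baseline_window])
    threshold = baseline * factor
    streak = 0
    for t, r in rates[baseline_window:]:
        streak = streak + 1 if r > threshold else 0
        if streak >= sustain:
            return {"alert_at": t, "rate_mbps": r,
                    "baseline_mbps": baseline, "threshold_mbps": threshold}
    return None


if __name__ == "__main__":
    print(detect(SAMPLES))
```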
Nochex is just one of hundreds of UK businesses that have been targeted by DDoS attacks in the past year, according to the National Hi-Tech Crime Unit (NHTCU), which works with corporate victims to track down blackmailers.
Recent research from the NHTCU revealed that 14 per cent of firms questioned were targeted by denial of service attacks last year, at a cost of more than £555m.
In one operation, codenamed 'Catterick', the NHTCU discovered that Russian extortionists had managed to launder £1.3m over a period of 90 days, after blackmailing dozens of UK betting sites during major events, such as the Cheltenham Races.
'Over 50 UK companies have been hit by DDoS attacks and extortion demands, with some companies losing £40,000 an hour and at risk of going out of business,' said detective superintendent Mick Deats, deputy head of the NHTCU.
'Any company that handles part or all of its business online is at risk from DDoS attacks, although not all of these will result in an extortion demand. Very often it can just be a disgruntled ex-employee,' he said.
But whereas some firms give in to ransom demands, Nochex took action to stop future attacks.
'We did think about paying them, but we were advised by the NHTCU that they would keep coming back,' said Malik. 'So I made contact with the guy and told him I would get the cash, but said we needed time to get the money. He agreed and this bought us time.'
Malik immediately contacted his ISP, Pipex, who in turn contacted technology partner Cisco, to shore up Nochex's network defences. The company routed its traffic via Cisco security systems, which tried to eradicate the traffic being sent from the zombie network - thousands of hijacked home PCs that the perpetrators controlled to launch DDoS attacks.
'At this stage it was only a makeshift response, so we had a period of intermittent downtime. They would take our servers down for 15 minutes and then we would get them back up again, but they kept changing their attack patterns,' said Malik.
On 25 August the extortionist, who kept changing the IP address his emails were sent from, moving between the US, Hong Kong and then Russia to avoid police capture, emailed again.
'Hello, we will destroy you because you are liar,' he wrote in response to Nochex's decision not to pay.
The intensity of the attacks increased, until one week later the extortionist finally gave up, after failing to have any significant impact on Nochex's newly improved network security.
'Even today we are still being attacked on a regular basis,' said Malik. 'But the reason the criminals are not emailing us is because they can't bring down our servers.'
While online payment and gambling firms have traditionally been the victims of attacks, criminals are spreading their net, says Barrett Lyon, chief technology officer of DDoS mitigation firm Prolexic.
'Some of our clients suspect they've been attacked by ex-employees or competitors wanting to shut them down,' said Lyon. 'And in terms of extortion it's not just sports books, banks, foreign exchange and online payments firms - they're targeting everyone right now, even chat sites and women's underwear retailers.'
Rather than wait for criminals to target them, business managers need to audit their business to see how reliant it is on the internet, says Lyon.
'You need to have the right measures in place, and you need to know what you are going to do if you are attacked. In many cases firms don't even know simple things such as how to contact the ISP in an emergency,' he said.
Malik agrees but says ISPs also need to take their share of responsibility if denial of service attacks are to be stamped out.
'ISPs should be monitoring traffic, and where a PC is being controlled through an internet relay chat channel [often used to launch attacks] they should block it, unless the person using them notifies the ISP beforehand why it's needed,' he said.
'They also need to raise public awareness to ensure that home PCs are not compromised [by viruses] and used as part of a zombie network.'
These attacks are not going away; firms need to protect their internet assets in the same way as they would their physical premises, adds the NHTCU's Deats.
'You should do everything possible to deter the criminals from this,' he said. 'It's like burglaries: they're not going away, but we protect our homes and companies with burglar alarms.'
Strengthened systems beat the blackmailers
Online betting firm Blue Square upgraded its IT systems last year after an organised crime gang targeted its site with a distributed denial of service (DDoS) attack.
On 25 October 2004, Russian criminals phoned saying they would take Blue Square's business offline unless they were paid £4,860 (Computing, 14 April).
The extortionists followed up by threatening to email child porn to Blue Square's customers unless the money was paid within two days, says Blue Square chief technology officer Peter Pedersen.
Blue Square refused to pay up and contacted the NHTCU. The betting firm was then hit by DDoS attacks producing traffic at a rate of 200Mbit/s.
After having difficulties with its ISP, Blue Square switched to a network capable of handling DDoS attacks over 2Gbit/s. It also introduced additional network monitoring, intrusion prevention, and containment systems.
Despite facing downtime and loss of business, Blue Square's strengthened systems finally became too much for the attackers, who moved on.
'The success of any attack usually comes in the first half-hour. If they realise you're able to contain it, they often move elsewhere,' said Pedersen.
Blue Square has now founded the Internet DDoS Forum, with competitor Eurobet and the NHTCU, to share information on criminals' tactics and to take preventative measures.