The comments from the FBI are really confusing. They seem to use terms like “dark web” to make it sound like these were sophisticated cybercriminals and the FBI had to use sophisticated tools to catch them.
But looking at the FBI's sophisticated analysis… it looks like they went to a clear web domain name, put in their credit card number, asked them to do an illegal thing, they did the illegal thing, and then they charged the owners of the domain. From my outside view, it looks like the FBI allowed DDoS as a Service providers to operate in public for at least a decade. Talking this up like it was hard work isn't landing like they think it is.
It sounds like these are DDoS-as-a-service providers who try to appear to be legitimate businesses and cover themselves with terms of service. It's basically a legitimate looking site but they do a psst, hey we do DDoS.
To do that it sounds like they may advertise themselves on the dark web as an attack web site. They also don't bother to verify ownership of a target, like checking domain ownership, for example, which is probably the most common use case here. They also use other people's mis-configured devices to amplify their attack. That last part is particularly salient I think.
It's very stupid to advertise yourself on the dark web for this if you host a site on the clear web. But you are probably right that LE lets this go on for longer than it needs to. I don't know how long they have known about these sites or how they go about finding them. It sounds like it's just based on victims sending in reports.
> LE lets this go on for longer than it needs to
There's an incredibly limited amount of people working in cyber crime. Building a case, getting subpoenas takes a lot of effort. Even if something may be obvious to outsiders, building a case might still take a lot of effort. Those scarcely available people are usually put on the highest priority cases first. What they are, you might never know.
Then, if there's a network behind it you want to take down instead of only the fronts, you need to spend way more time on case building, writing, interacting with other agencies and I can go on.
A related example would be all the stolen credentials over the years being sold on two or three well known clearnet forums, absolutely always described as "the dark web" in coverage.
Since card generators haven't worked since like the 90s I'd guess probably not.
The FBI has no problem spending taxpayer money on criminal activities: drug buys, etc. They'll (hopefully) recover it from seized funds, otherwise it's just part of their budget.
It's funny (kind of cute, honestly) that these site operators pretended that the outbound (booting) side of the service was the only legal risk, and that they could address this with click-through terms. Clearly, compromising third-party devices and services, or misusing services for amplification, is just as legally fraught as the attack itself.
That being said, I wonder if these services are actually the limiting factor here. There is probably some zero-sum game here, with a fixed quantity of exploitable booter hosts available and all the providers vying for control of these. Shutting down a set of providers would then just make others more powerful.
TBF these sites have been up for years, I recognize some from >decade ago, so it took quite some time for the law to catch up to them. They've probably taken in quite a bit of cash since their inception.
> ... and that they could address this with click-through terms
Honestly, this part is pretty funny on its own. Approximately nobody actually uses these services to test their own networks, and I'm sure the site operators are perfectly aware of that.
For the record, a company I worked for absolutely used one of the listed sites to test our own network. We used it regularly enough and requested so many new features that the operator (one of the men arrested here) set up <ourcompanyname>.php on there for our specific testing.
Nope. I worked for a company who paid another company to send large amounts of attack traffic to our network. We were a DDoS mitigation provider. It's very hard to test without real world traffic.
I'm not defending anything, although you clearly seem on the attack.
I worked for the company, I was not the decision maker. Many of us have worked at companies where decisions are made that are questionable or unethical, sometimes even illegal (although I don't believe this would have been illegal in my country at the time).
I've never worked someplace that paid criminals to do anything, and I'd resign before I did it. For one thing, who knows what my personal liability is. Much more importantly, it's plainly the wrong thing to do, and my society and community are in my hands as much as anyone else's.
I'm responsible for the consequences of my actions and the complexity of the world is not an excuse. Regardless, this question doesn't seem to fall in a grey area; they are obviously criminals who harm others; the company that paid them was not trying to fend off starvation, but simply wanted to test some software.
It reminded me of those warez sites in the 90s that asked "Are you a cop?", with "Yes" pointing to some other site (disney, nytimes, you name it) and "No" going to the actual content, because "cops mustn't lie about their position."
That worked approximately as well as you would imagine.
You can see people making similar post-truth legal arguments on HN (and doing the same in other domains). It elides from a rhetorical or philosophical game into people thinking it's reality or advocating the post-truth culture like it's a cause. When it doesn't map to reality it's going to hurt, like Wile E. Coyote running too far off that cliff.
IMO most of their customer demographic is the edgy online teenager who wants to mess with someone on the internet, not adults or companies going after any businesses or the like.
Just look at the ads for these sites that are super flashy and cool to cater to these teens.
That's ok. I wouldn't necessarily advocate jail time for them but there should be real consequences. Lots of community service or internet usage restrictions would help them learn that people aren't fucking around about this.
It's a known tactic in competitive online games where you can see your opponents' IP address to try to "boot them" via DDOS of their local IP so they go down or have lessened performance and you win the match. Also harass or shake down kids they think have money. Fortunately the vast majority of people have dynamic IPs, and could likely get an unaffected one by just unplugging their router and letting it get a clean IP.
Because of this, a lot of games companies will try to mask the actual IP of the other users now, and Steam has tooling for games they support for devs on their platform.
Yeah ddosing and gaming have a long history. Over a decade ago these types of services were very popular on other games like Halo, CSGO, & runescape. I was pretty active in the runescape PVP community and around ~2010 onwards tons of people were using these types of services to ddos other players/rival teams & even the game servers themselves. It was especially bad on runescape because ddosing had a financial motive (killing someone for their gear that is worth real money is easier when they lose connection). At the time hiding your IP wasn't as easy as it is now (Skype was super popular like you pointed out, but so were things like teamspeak & 3rd party forums).
Hopefully they will. My whole apartment complex was under ddos attacks for 6 months early during covid. Hundreds of people without a stable connection because someone had a grudge and an account on one of these ddos services.
I would be very grateful if you could share any info about this.
Our small company's site got DDoSed a month ago and we just let it pass since we're not too convinced that the authorities will take us seriously. We don't even know where to start, just saved the logs with a few hundred random IPs from different countries hoping some day we can do something about it...
We report each DDoS attack our company receives to a special department our police has, your country likely has something similar and I guess it doesn't hurt reaching out to them.
From my experience they will get back to you quickly (usually in <1-2 hour) and they can try helping out if you are still under attack / need some consultation.
Will we ever get compensated for the wasted engineering time to stop these attacks? Probably not, but if the police ever finds them and they have extra logs of companies that reported issues, it's likely an aggravation of the case.
You're right, I guess I'm still thinking on a few experiences I had way in the past when the Internet was still early and contacting them was a waste of time: they couldn't understand you nor had the time to do so. It's true they now have many more resources and experts in their departments and, as you say, may at least give some good advice on what to do during the panic stage to try and at least mitigate it. Providing them with logs and proof would have been a good idea too.
Oh my, the attack caused so much wasted time and stress that it's still haunting me and the team, especially when thinking that it may not stop there and the attacker/s is just waiting for the next chance to hit us. The days after the attack the first thing I did after waking up was check the servers to see everything was safe. And our roadmap was severely affected too, prioritizing many security features we had in the backlog.
Things are significantly better now, I can't comment on how good the aid is if you are under attack since we always had a team ready to handle DDoS, however, their follow-up has always been fast.
Regarding security features, if you are on a cloud such as GCP, AWS or Azure things are complicated since you can't easily route the traffic elsewhere (you can have BGP connections to DDoS mitigation inside GRE/L2TP tunnels only when attacks occur and it would be cheap to rent on a monthly/yearly basis). Voxility is an example that comes to mind and they are very affordable in general terms.
HTTP or HTTPS attacks are easier to handle with Cloudflare, however, there are other interesting solutions such as Stackpath.
We were under a DDoS attack about a month ago too, but were lucky that it didn't manage to affect our business. With that in mind, we took it as a (precious) learning experience - how often do you get the chance to learn about DDoS defence 1st hand?
I realize we were lucky that the attacker didn't find any of the soft spots (or at least none that hurt us). We do prioritize security though, always.
I hope all goes well for you and that in time this is just another learning experience. Maybe next time you'll smile when an attack is thwarted because of what you've all learned.
We get attacked several times a month, we rely on Cloudflare & Corero to mitigate attacks.
Cloudflare handles HTTP/s attacks and Corero handles network level attacks.
Both require tweaking and are far from being 1-click setup tools (despite some marketing attempts that try to make it seem that way), however, if you can manage them, they are very powerful and considerably cheaper than other alternatives.
Thank you, I didn't know about Corero, will check them out. CF we use, and as you said, they are a tool. Plenty of ways they could be better, but they are still the best (in moderate price range) we know.
Glad to hear there are hefty sentences, many attackers don't realize how much damage they're doing and all the stress and effort that goes into trying to mitigate such attacks.
You might want to look into using Cloudflare for your infrastructure - the same folks that provided DDoS protection for most of the now-busted Ddos-for-hire sites!
DDoS is really one of the most disgusting things on the current internet because there is legitimately no way to defend yourself except to have more money than the other guy. And even that might not help, you practically have to be Google or Cloudflare to be able to fight against the largest DDoS attacks.
I see DDoS and BGP as fundamental problems undermining our freedoms, somebody needs to solve this.
Maybe there is some passive aggression here. I think DDoS would be aggressively policed, except that there is a strategic advantage in not doing so. You can demand more policing powers if the scourge of DDoS is actively hurting people. Cloudflare can become a powerful business. There are perverse incentives.
> “None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose),” reads an affidavit (PDF) filed by Elliott Peterson, a special agent in the FBI’s Anchorage field office.
So perhaps the next wave of booter sites can avoid scrutiny by adding a dialog asking the customer if they own the target or are authorized to attack it (in addition to not publishing ads advertising targets like websites and game servers)?
Sure, if they implement verification steps to ensure that the site is owned by the person attacking it. The verification steps could be similar to the ACME challenges:
That would still be a terrible idea. If you do it domain-based it's obviously insecure (validate -> change a-record -> attack), if you do it IP based you basically allow attacks on cloud services that rent cheap virtual servers.
Also keep in mind that a DDoS affects infrastructure on the way whose operators have not consented.
I don't really think there's an ethical way to run a DDoS "stresser" service on the public Internet.
What about a file-based validation? Require that a file be located at the root of the server with a validation code, and check that file regularly during the stress test.
The only way I can think around that would be to have a reverse proxy that forwards most traffic but not requests for that one file, but then your DDoS isn't actually distributed.
I wonder why people even do ddos attacks. What possible gain could there be from denying a service for a short while? Maybe competing webshops? It still seems overly childish to me. That said I never really looked into this.
1. Money. Most online businesses can't make money if they are offline. If being offline or unstable is costing you $x / hour and you can stop it by just paying a fee, it's an easy way to end it.
2. Hurt your competition. In some online businesses DDoS attacks are used to compete with other businesses since if your competitor is offline more people will come to you.
3. Power. Some people want to flex the power they have over others.
4. Fame. You can get notoriety for taking something offline.
DDOS can be the definition of a heckler's veto. It's like blasting super loud music so nobody can hear what a person is saying.
Don't like what a site is saying? DDOS so it can't load and people can't read it. For bonus points you are preventing the site from getting clicks and thus ad revenue.
There are communities on discord that set up donation links to make sure sites they don't like keep getting hit by DDOS via crowdfunding.
How is domain-based insecure? There are tons of services that use DNS records to validate ownership of a domain. If someone has managed to get control of a domain and modify its DNS records, they can do a lot more damage than a DDOS.
Domain verification doesn't do anything to prove that the target is a willing participant. A DNS record doesn't indicate that you own the underlying IP or CNAME target. At best DNS-based verification is only good at verifying things that specifically relate to the domain (SSL for example).
But the DDOS attack isn't against the domain, it's against whatever server the domain points at.
Requiring the owner to post a file at a specific URL would prove actual control of the server in a way that domain records don't. I can point a domain at whatever server I want, no need for it to be my own.
Agreed, when I read this my first thought was it'd have to be some sort of IP based authentication, so you'd have to have a way to prove ownership of the target IP itself, however this doesn't really solve the problem of upstream impacts. Your ISP, colo facility or dedicated service provider probably won't be ok with you running these kinds of tests on their network.
Would be nice for ISPs if they could get something from the DDoS site that their customer authorized it, then they could drop the account and not feel bad about it.
Typically a service using domain verification will ask you to create a specific, randomly generated TXT or similar record on your domain. After you’ve created the record you click a button or something and they do a query for it.
Only someone with access to DNS for the domain can create such a record.
No I didn’t. I was speaking to domain name validation generally - as in a way for you to prove your ownership and control over a domain name.
Yes, of course DDoS or any kind of traffic can be pointed at an IP or any arbitrarily created DNS record.
The only way for a “reputable” stress testing platform to validate IP space would be RIR validation via WHOIS or similar, PTR records, etc. Of course this isn’t practical because most people don’t control their IP space or even have the foggiest idea what any of that means (because why should they).
> Only someone with access to DNS for the domain can create such a record.
That's why OP specified their DNS record. You buy/use a random domain name you own, point the A record at the IP you wish to attack, and then simply complete the TXT record verification since you have full control over the domain, while the booter resolves the A record to the true target.
I wouldn't, but all of the incoming requests would be served on your domain name, so it would be pretty easy for me to find out who that was registered to (or at least who the registrar is) and have it flagged for abuse. Bonus points if the "legit" booter site adds their abuse contact info as header or user-agent.
> all of the incoming requests would be served on your domain name
No, most (?) DDoS attacks aren’t botnets sending HTTP requests directly, those would have terrible throughput and be trivial to mitigate. Instead they use amplification from third party servers where you send a small packet to get a big packet in response, mistakenly routed to the victim. There’s usually no way to attach a Referer to those, most of which aren’t even HTTP-based.
Because you don’t control my domain. Suppose I own joespizza.com and you want to attack it using a supposedly legit load-testing service. You would go to the service, sign up, enter joespizza.com/order as the page you want to test, and then be given a random string to add to a TXT record on joespizza.com. You don’t own joespizza.com, and you haven’t compromised my hosting service account, so you can’t create a legit DNS record. The service refuses to stress test my site, and you move on to the next thing.
I imagine that I would register tedspizza.com, create a TXT record that says blast away, and set the A record to point to the same IP as joespizza.com.
Typically you just verify it by requesting a known name path like /allow-ddos-attacks.txt and it must contain a unique key generated for the account. Some have you add it as a special rule in /robots.txt
It's important to note that this would not be enough, since a DDoS also impacts carrier infrastructure.
The company I work for actually contemplated creating such a service (strictly for testing purposes, which is our business), and one of the major problems was that we would actually need to have contracts with all ISPs and transit providers that the traffic would pass through, even if we could make sure that the destination was owned by whoever was paying for the test.
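The trade-off discussed above (a TXT record proving control of a domain versus a file the target server itself must serve, re-checked during the test), as an added example that is not code from the thread or from any stresser or testing service; the domain names, the TEST-NET address, the DNS/HTTP fakes and the `TOKEN_PATH` location are constructed assumptions, and a real deployment would inject a resolver and an HTTP client in their place:

```python
"""Target-authorization check for a legitimate load test (added example,
not code from the thread or any stresser/testing service). It contrasts
the TXT-record check discussed above with one that pins the resolved
addresses and requires each host to serve a token file, re-checked during
the test. Names, the TEST-NET IP and the DNS/HTTP fakes are constructed so
it runs offline. Nothing here proves consent of upstream ISPs or transit."""
import ipaddress
import secrets
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]          # (name, rrtype) -> values
Fetcher = Callable[[str, str, str], Optional[str]]  # (ip, host, path) -> body
TOKEN_PATH = "/.well-known/authorized-test.txt"     # assumed location


def new_token() -> str:
    """Unguessable token, issued per account and per target."""
    return secrets.token_urlsafe(24)


def txt_only_check(hostname: str, token: str, resolve: Resolver) -> bool:
    """Weak check: proves control of *a* domain, not of the server its A
    record points at, since anyone can repoint a domain they own."""
    return token in resolve(hostname, "TXT")


def verify_target(hostname: str, token: str,
                  resolve: Resolver, fetch: Fetcher) -> FrozenSet[str]:
    """Resolve the name, then fetch the token file from each resolved address
    directly, so whoever controls the machine that would receive the traffic
    must have placed it. Returns the pinned address set or raises."""
    ips = resolve(hostname, "A")
    if not ips:
        raise ValueError(f"{hostname}: no A records")
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            raise ValueError(f"{ip}: not a unicast target")
        body = fetch(ip, hostname, TOKEN_PATH)
        if body is None or body.strip() != token:
            raise PermissionError(f"{ip} did not present the token")
    return frozenset(ips)


def still_authorized(hostname: str, token: str, pinned: FrozenSet[str],
                     resolve: Resolver, fetch: Fetcher) -> bool:
    """Run periodically during the test: stop if the A record was repointed
    after approval or the owner withdrew consent by deleting the file.
    Traffic only ever goes to `pinned`, never to a fresh lookup."""
    if frozenset(resolve(hostname, "A")) != pinned:
        return False
    return all((fetch(ip, hostname, TOKEN_PATH) or "").strip() == token
               for ip in pinned)


def scenario() -> Dict[str, object]:
    """Constructed world from the thread: joespizza.com lives on 203.0.113.10;
    Ted registers tedspizza.com, adds a TXT record with his own token and
    points its A record at Joe's server."""
    joe_token, ted_token = new_token(), new_token()
    dns: Dict[Tuple[str, str], List[str]] = {
        ("joespizza.com", "A"): ["203.0.113.10"],
        ("tedspizza.com", "A"): ["203.0.113.10"],
        ("tedspizza.com", "TXT"): [ted_token],
    }
    web: Dict[Tuple[str, str], str] = {}  # (ip, path) -> body

    def resolve(name: str, rrtype: str) -> List[str]:
        return list(dns.get((name, rrtype), []))

    def fetch(ip: str, host: str, path: str) -> Optional[str]:
        return web.get((ip, path))  # the fake ignores the Host header

    def blocked(name: str, token: str) -> bool:
        try:
            verify_target(name, token, resolve, fetch)
            return False
        except PermissionError:
            return True

    out: Dict[str, object] = {}
    out["txt_passes_for_ted"] = txt_only_check("tedspizza.com", ted_token, resolve)
    out["file_check_blocks_ted"] = blocked("tedspizza.com", ted_token)
    web[("203.0.113.10", TOKEN_PATH)] = joe_token + "\n"  # Joe consents
    pinned = verify_target("joespizza.com", joe_token, resolve, fetch)
    out["pinned"] = sorted(pinned)
    out["ted_still_blocked"] = blocked("tedspizza.com", ted_token)
    args = ("joespizza.com", joe_token, pinned, resolve, fetch)
    out["ok_during_test"] = still_authorized(*args)
    del web[("203.0.113.10", TOKEN_PATH)]  # Joe withdraws consent mid-test
    out["ok_after_withdrawal"] = still_authorized(*args)
    return out
```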
> 42. Finally, many of the booter services also use DDoS protection services, such as those provided by the company Cloudflare (a company headquartered in the United States). While Cloudflare offers both paid and free services, the operator of one of the SUBJECT DOMAINS, bootyou.net paid Cloudflare for services relating to the operation of their website.
This is cool and all, but I'm still waiting for the FBI to pivot from investing time into piracy and DDoS-for-hire to website operators who run sites that distribute truly awful media.
I get that there are anti-piracy lobbies. I get that if you piss off enough companies they're going to put heat on you (see: this). But there are dozens of copycats of Ruben Rosales (https://www.justice.gov/usao-az/pr/mexican-national-sentence...) and they are truly awful people.
Honestly, one weird/humorous/sad thing I've noticed is that -- for purposes of "what is actually censored," messing around with celebrity images is often literally the worst thing you can do, ostensibly worse than violence, racism, etc.
> The charges unsealed today stemmed from investigations launched by the FBI’s field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.
Anyone know why so many cybercrime prosecutions happen out of Alaska? I know at least Mirai, Kelihos, and some Mirai clones were all charged in District of Alaska.
It happens even when the case does not involve Alaska residents like the Mirai people were from New Jersey or the Kelihos botnet guy who was Russian. It's probably just they have a prosecutor who's more versed in computer stuff than in other states but I was hoping there'd be a more interesting reason.
I was making a point that they don’t have to choose an illegal online activity only because there are no local jobs. Making money legally remotely is way easier.
Back when I was a teenager I used to come across these sites all the time when playing with Skype-to-IP resolvers. I just checked, and I'm surprised Google actually still shows these sites when you search for them. Most of them have partner links to these DDoS sites, many of which are on this list of takedowns.
So we should probably talk about CloudFlare as an accessory. Are they protected under Section 230? This appears to be illegal behavior and it was brought to their attention and they failed to take action.
Cloudflare responds to subpoenas and is probably very useful from an intelligence perspective. 99% of Cloudflare criticism boils down to media companies being mad that they have to ask Cloudflare for the origin IP address and then complain to the hoster instead of just complaining directly.
Cloudflare won't tell you the abuse contact or the origin IP, they'll just forward your entire abuse report verbatim to the hosting provider of the booter, who will either ignore it or forward it (also verbatim and unredacted) to the operator of the booter. So nothing happens from the abuse report except that you tell the booter operator exactly who you are.
How many "stressers" do you think the feds don't have time or motivation to care about getting subpoenas for? Because I can guarantee you there are more than the "four dozen" taken down here, and the vast majority have their identities and infrastructure protected by Cloudflare -- who also profits from their existence.
Why would anyone pay for a denial of service attack when DOS bugs are so ubiquitous that you can often not even get paid for finding one? Folks seem to only want remote code execution... so damn nebby.
(That type of bug bounty policy is how you get folks hoarding them for a cold winter rather than disclosing them to vendors.)
I don't think you understand the article. This is regular people who are paying for access to these services. None of these people have any interest in launching their own attacks, they want to input an IP on a webpage and click "go".
Is there a particular reason these hackers/businesses can't just go legit for a great deal of money without the worries of long-term prison time? A legal bird in hand is worth so much more than the illegal three in a treacherous forest
Depends specifically what they're charged with and their role in the org, but last summer, after a short trial a similar operator was sentenced to 24 months. One of his coconspirators pled guilty and received 5 years probation.
Reminder that in the federal system, the judge can ultimately decide what happens. If you are charged by complaint and plea, that'll play better than being indicted and losing at trial. You generally don't get more favorable sentences when you lose at trial, though.
The sentence will scale with the money they made added to the amount of damage attributed to the victims; they're in essentially the same boat as SBF with respect to sentencing, albeit with lower numbers. If they made + caused more than six figures, they'll be looking at multiple years; over a million, something in the vicinity of 5-6 years.
(I'm not a lawyer, I've just got the sentencing guidelines hotkeyed).
They are not in the same boat in terms of sentencing whatsoever. SBF's guidelines are going to be maxed because of the loss amount. His criminal history score will be 0, yes, but I imagine a few of these young men will have a criminal history score of 0 as well.
The scale for financial loss is really weird. $150k will get you 10 points. $1.5MM will get you 16 points. $550MM will get you 30 points. https://guidelines.ussc.gov/gl/%C2%A72B1.1
We are saying the same thing. I agree, of course, that SBF's sentence will be much higher than these dipshits. But the mechanism by which they're calculated is basically the same --- SBF will have some level accelerators that the DDoS'ers don't have, and the DDoS'ers will have some 18 USC 1030 accelerators (circumvention devices, domain names, maybe PII) that SBF doesn't.
If you do the actual exercise of picking out a realistic loss number and doing the calculation, you'll find that the 2B1.1 loss table dominates the sentence.
Circumvention is just 1 point, is it not? Domain names I don't think count? But you could use that as total number of victims (usually they just wing it — the calculation, the feds); PII I didn't see mentioned.
I think SBF is in deep shit and I think the world is better for it. These guys? I don't know, probably not as deep as it looks; certainly not the 10 years that another poster was saying, though.
It's 2 points (pretty much everything is 2 or 4 points). But it doesn't matter, really: the accelerators are nothing compared to the loss table. Again, I think we're saying the same thing! I deliberately tripped as many of the 18 USC 1030 enhancements as I could just to demonstrate to myself that it didn't much matter.
SBF will serve something close to life if convicted because the losses he incurred blow out the guidelines table.
The DDoS'ers will serve something scaled to the amount of losses they actually caused. I think $1MM is a reasonable ballpark, which gets you into the high single digit years.
If these kids plea — and they probably will — they'll probably get 1-2 years + 3 years probation if that. Their lawyer will bring up the comparable at sentencing and the judge will consider it.
A brief survey of courtlistener.com shows they are not that high at least not compared to usual white collar stuff like PPP or Medicare fraud. The cases that aren't connected to banking fraud usually result in < 3 year sentences. Here are some I found:
Mirai authors - Home confinement
Peter Levashov - Time served (33 months)
Fabio Gasperini - 1 year
Maxim Senakh - 4 years
Marcus Hutchins - No prison
Sergey Vovnenko - 41 months
Aleksei Burkov - 9 years, released after 3.5 due to some sort of diplomatic intervention
Andrii Kolpakov - 7 years
Nikita Kuzmin - Time served
Karim Baratov - 5 years
Ruslan Bondars - 14 years but he went to trial, lost, and had a loss amount of $20 billion attributed to him
This headline is confusing... are six people charged for doing a mass takedown of DDoS-for-hire sites? Or were the six people charged involved with the DDoS-for-hire sites?
In some other countries these guys would simply be told to not target domestic infrastructure and then the feds would look the other way, in exchange for "borrowing" access from time to time.
Not really. While Russia is often very lax with punishing cybercrime that doesn't affect its sphere of influence, it doesn't look into or hire these criminals since, like any other powerful state, it has its own better hackers. I cannot vouch for China but I'm pretty sure they act the same in this regard.