[HN Gopher] Six charged in mass takedown of DDoS-for-hire sites
___________________________________________________________________
Six charged in mass takedown of DDoS-for-hire sites
Author : feross
Score : 133 points
Date : 2022-12-14 20:01 UTC (2 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| xmichael999111 wrote:
| What kind of jail time are these people looking at?
| jacquesm wrote:
| Not enough...
| mikeyouse wrote:
| Depends specifically on what they're charged with and their role
| in the org, but last summer, after a short trial a similar
| operator was sentenced to 24 months. One of his co-conspirators
| pled guilty and received 5 years probation:
|
| https://www.justice.gov/usao-cdca/pr/illinois-man-sentenced-...
|
| Actually Krebs wrote about his sentence at the time:
| https://krebsonsecurity.com/2022/06/downthem-ddos-for-hire-b...
| xmichael999111 wrote:
| That sounds unreasonably short; they've made a fair bit of
| money and done a fair bit of damage.
| joshmn wrote:
| Reminder that in the federal system, the judge can ultimately
| decide what happens. If you are charged by complaint and
| plea, that'll play better than being indicted and losing at
| trial. You generally don't get more favorable sentences when
| you lose at trial, though.
| tptacek wrote:
| The sentence will scale with the money they made added to the
| amount of damage attributed to the victims; they're in
| essentially the same boat as SBF with respect to sentencing,
| albeit with lower numbers. If they made + caused more than six
| figures, they'll be looking at multiple years; over a million,
| something in the vicinity of 5-6 years.
|
| (I'm not a lawyer, I've just got the sentencing guidelines
| hotkeyed).
| joshmn wrote:
| They are not in the same boat in terms of sentencing
| whatsoever. SBF's guidelines are going to be maxed because of
| the loss amount. His criminal history score will be 0, yes,
| but I imagine a few of these young men will have a criminal
| history score of 0 as well.
|
| The scale for financial loss is really weird. $150k will get
| you 10 points. $1.5MM will get you 16 points. $550MM will get
| you 30 points. https://guidelines.ussc.gov/gl/%C2%A72B1.1
| tptacek wrote:
| We are saying the same thing. I agree, of course, that
| SBF's sentence will be much higher than these dipshits. But
| the mechanism by which they're calculated is basically the
| same --- SBF will have some level accelerators that the
| DDoS'ers don't have, and the DDoS'ers will have some 18 USC
| 1030 accelerators (circumvention devices, domain names,
| maybe PII) that SBF doesn't.
|
| If you do the actual exercise of picking out a realistic
| loss number and doing the calculation, you'll find that the
| 2B1.1 loss table dominates the sentence.
| joshmn wrote:
| Circumvention is just 1 point, is it not? Domain names I
| don't think count? But you could use that as total number
| of victims (usually they just wing it -- the calculation,
| the feds); PII I didn't see mentioned.
|
| I think SBF is in deep shit and I think the world is
| better for it. These guys? I don't know, probably not as
| deep as it looks; certainly not the 10 years that another
| poster was saying, though.
| tptacek wrote:
| It's 2 points (pretty much everything is 2 or 4 points).
| But it doesn't matter, really: the accelerators are
| nothing compared to the loss table. Again, I think we're
| saying the same thing! I deliberately tripped as many of
| the 18 USC 1030 enhancements as I could just to
| demonstrate to myself that it didn't much matter.
|
| SBF will serve something close to life if convicted
| because the losses he incurred blow out the guidelines
| table.
|
| The DDoS'ers will serve something scaled to the amount of
| losses they actually caused. I think $1MM is a reasonable
| ballpark, which gets you into the high single digit
| years.
| paulpauper wrote:
| A long time potentially. 10-20 years likely. Computer crime
| tends to be punished very severely, also includes wire fraud.
| joshmn wrote:
| Based on what? I can pull up a dozen computer crime acts
| (that aren't targeted towards children) and find much less.
|
| They're probably going to plead, and their plea will probably
| not be to wire fraud. They probably all have low criminal
| history scores.
|
| Here's a similar situation where the guy lost at trial:
| https://krebsonsecurity.com/2022/06/downthem-ddos-for-hire-b...
|
| If these kids plead -- and they probably will -- they'll
| probably get 1-2 years + 3 years probation, if that. Their
| lawyer will bring up the comparable at sentencing and the
| judge will consider it.
| paulpauper wrote:
| _They probably all have low criminal history scores._
|
| This obviously did not help Ross Ulbricht.
| joshmn wrote:
| He lost at trial on all counts.
| ericpauley wrote:
| It's funny (kind of cute, honestly) that these site operators
| pretended that the outbound (booting) side of the service was the
| only legal risk, and that they could address this with click-
| through terms. Clearly, compromising third-party devices and
| services, or misusing services for amplification, is just as
| legally fraught as the attack itself.
|
| That being said, I wonder if these services are actually the
| limiting factor here. There is probably some zero-sum game here,
| with a fixed quantity of exploitable booter hosts available and
| all the providers vying for control of these. Shutting down a set
| of providers would then just make others more powerful.
| duskwuff wrote:
| > ... and that they could address this with click-through terms
|
| Honestly, this part is pretty funny on its own. Approximately
| nobody actually uses these services to test their own networks,
| and I'm sure the site operators are perfectly aware of that.
| RVRX wrote:
| TBF these sites have been up for years; I recognize some from
| >a decade ago, so it took quite some time for the law to catch up
| to them. They've probably taken in quite a bit of cash since
| their inception.
| linuxftw wrote:
| ISPs are really at fault here. They've done practically nothing
| to prevent botnets and DDoS from continuing to exist.
|
| But man, the defendants, how can you be dumb enough to run
| something like this from US soil, like you're not going to end up
| in a cage?
| RVRX wrote:
| Back when I was a teenager I used to come across these sites all
| the time when playing with Skype-to-IP resolvers. I just checked,
| and I'm surprised Google actually still shows these sites when
| you search for them. Most of them have partner links to these
| DDoS sites, many of which are on this list of takedowns.
| joshmn wrote:
| This is cool and all, but I'm still waiting for the FBI to pivot
| from investing time into piracy and DDoS-for-hire to website
| operators who run sites that distribute truly awful media.
|
| I get that there are anti-piracy lobbies. I get that if you piss
| off enough companies they're going to put heat on you (see:
| this). But there are dozens of copycats of Ruben Rosales
| (https://www.justice.gov/usao-az/pr/mexican-national-sentence...)
| and they are truly awful people.
| jrm4 wrote:
| Follow the money, sadly.
|
| Honestly, one weird/humorous/sad thing I've noticed is that --
| for purposes of "what is actually censored," messing around
| with celebrity images is often _literally the worst thing you
| can do,_ ostensibly worse than violence, racism, etc.
| from wrote:
| > The charges unsealed today stemmed from investigations launched
| by the FBI's field offices in Los Angeles and Alaska, which spent
| months purchasing and testing attack services offered by the
| booter sites.
|
| Anyone know why so many cybercrime prosecutions happen out of
| Alaska? I know at least Mirai, Kelihos, and some Mirai clones
| were all charged in District of Alaska.
| greggarious wrote:
| Why would anyone pay for a denial of service attack when DoS bugs
| are so ubiquitous that you can often not even get paid for
| finding one? Folks seem to only want remote code execution... so
| damn nebby.
|
| (That type of bug bounty policy is how you get folks hoarding them
| for a cold winter rather than disclosing them to vendors.)
| cft wrote:
| From the FBI affidavit:
|
| > 42. Finally, many of the booter services also use DDoS
| protection services, such as those provided by the company
| Cloudflare (a company headquartered in the United States). While
| Cloudflare offers both paid and free services, the operator of one
| of the SUBJECT DOMAINS, bootyou.net, paid Cloudflare for services
| relating to the operation of their website.
| jacquesm wrote:
| I hope they will go after the customers as well, just like they
| did here in Europe.
| CircleSpokes wrote:
| Hopefully they will. My whole apartment complex was under DDoS
| attacks for 6 months early during covid. Hundreds of people
| without a stable connection because someone had a grudge and an
| account on one of these DDoS services.
| jacquesm wrote:
| Hospitals, power infrastructure, nothing is sacred.
| luckyshot wrote:
| I would be very grateful if you could share any info about
| this.
|
| Our small company's site got DDoSed a month ago and we just let
| it pass since we're not too convinced that the authorities will
| take us seriously. We don't even know where to start, just
| saved the logs with a few hundred random IPs from different
| countries hoping some day we can do something about it...
| creeble wrote:
| You might want to look into using Cloudflare for your
| infrastructure - the same folks that provided DDoS protection
| for most of the now-busted DDoS-for-hire sites!
| slothsarecool wrote:
| We report each DDoS attack our company receives to a special
| department our police has, your country likely has something
| similar and I guess it doesn't hurt reaching out to them.
|
| From my experience they will get back to you quickly (usually
| in <1-2 hours) and they can try helping out if you are still
| under attack / need some consultation.
|
| Will we ever get compensated for the wasted engineering time
| to stop these attacks? Probably not, but if the police ever
| find them and they have extra logs of companies that
| reported issues, it's likely an aggravation of the case.
| luckyshot wrote:
| You're right, I guess I'm still thinking of a few
| experiences I had way in the past when the Internet was
| still early and contacting them was a waste of time: they
| couldn't understand you nor had the time to do so. It's
| true they now have many more resources and experts in their
| departments and, as you say, may at least give some good
| advice on what to do during the panic stage to try and at
| least mitigate it. Providing them with logs and proof would
| have been a good idea too.
|
| Oh my, the attack caused so much wasted time and stress
| that it's still haunting me and the team, especially when
| thinking that it may not stop there and the attacker/s is
| just waiting for the next chance to hit us. The days after
| the attack the first thing I did after waking up was check
| the servers to see everything was safe. And our roadmap was
| severely affected too, prioritizing many security features
| we had in the backlog.
|
| Thank you so much.
| bornfreddy wrote:
| We were under a DDoS attack about a month ago too, but
| were lucky that it didn't manage to affect our business.
| With that in mind, we took it as a (precious) learning
| experience - how often do you get the chance to learn
| about DDoS defence 1st hand?
|
| I realize we were lucky that the attacker didn't find any
| of the soft spots (or at least none that hurt us). We do
| prioritize security though, always.
|
| I hope all goes well for you and that in time this is
| just another learning experience. Maybe next time you'll
| smile when an attack is thwarted because of what you've
| all learned.
| jacquesm wrote:
| Link from the article:
| https://krebsonsecurity.com/2019/02/250-webstresser-users-to...
|
| It helps if you have a suspect, typically your local LE will
| have a cyber division that will know what the next steps are.
| luckyshot wrote:
| Glad to hear there are hefty sentences; many attackers don't
| realize how much damage they're doing and all the stress
| and effort that goes into trying to mitigate such attacks.
|
| Thank you!
| jacquesm wrote:
| You're welcome. Good luck with your problems!
| RVRX wrote:
| IMO most of their customer demographic is the edgy online
| teenager who wants to mess with someone on the internet, not
| adults or companies going after any businesses or the like.
|
| Just look at the ads for these sites, which are super flashy and
| cool to cater to these teens.
|
| Edit: Example ads: https://i.imgur.com/PjqG7dC.gif
| https://i.imgur.com/ebp4ERm.gif https://i.imgur.com/kTM3fAA.gif
| aleksiy123 wrote:
| I remember people used them for DDoSing in high rated WoW
| Arena matches through IPs leaked through Skype.
| CircleSpokes wrote:
| Yeah, DDoSing and gaming have a long history. Over a decade
| ago these types of services were very popular on other games
| like Halo, CSGO, & RuneScape. I was pretty active in the
| RuneScape PVP community and around ~2010 onwards tons of
| people were using these types of services to DDoS other
| players/rival teams & even the game servers themselves. It
| was especially bad on RuneScape because DDoSing had a
| financial motive (killing someone for their gear that is
| worth real money is easier when they lose connection). At
| the time hiding your IP wasn't as easy as it is now (Skype
| was super popular like you pointed out, but so were things
| like TeamSpeak & 3rd party forums).
| bolangi wrote:
| Does anyone have trouble parsing this headline? To me it reads
| like the charges are against people attacking DDoS-for-hire
| sites.
| Baeocystin wrote:
| I was prepared for a this-is-why-we-can't-have-nice-things
| story on how people doing good work got screwed over in some
| way. Glad to be wrong!
| jwagenet wrote:
| I initially had the same thought. A helpful insertion: "Six
| charged in [DOJ] mass takedown of DDoS-for-hire sites"
| ArmandTanzarian wrote:
| My thought was something similar: "Six charged after mass
| takedown of DDoS for hire sites"
| jwagenet wrote:
| > "None of these sites ever required the FBI to confirm that it
| owned, operated, or had any property right to the computer that
| the FBI attacked during its testing (as would be appropriate if
| the attacks were for a legitimate or authorized purpose)," reads
| an affidavit (PDF) filed by Elliott Peterson, a special agent in
| the FBI's Anchorage field office.
|
| So perhaps the next wave of booter sites can avoid scrutiny by
| adding a dialog asking the customer if they own the target or are
| authorized to attack it (in addition to not publishing ads
| advertising targets like websites and game servers)?
| scandinavian wrote:
| Sure, if they implement verification steps to ensure that the
| site is owned by the person attacking it. The verification
| steps could be similar to the ACME challenges:
|
| https://letsencrypt.org/docs/challenge-types/
| hannob wrote:
| That would still be a terrible idea. If you do it domain-
| based it's obviously insecure (validate -> change a-record ->
| attack), if you do it IP based you basically allow attacks on
| cloud services that rent cheap virtual servers.
|
| Also keep in mind that a DDoS affects infrastructure on the
| way whose operators have not consented.
|
| I don't really think there's an ethical way to run a DDoS
| "stresser" service on the public Internet.
| MajimasEyepatch wrote:
| How is domain-based insecure? There are tons of services
| that use DNS records to validate ownership of a domain. If
| someone has managed to get control of a domain and modify
| its DNS records, they can do a lot more damage than a DDOS.
| tedunangst wrote:
| How do you stop me from pointing my DNS record at your
| server?
| kkielhofner wrote:
| That's not how domain verification works.
|
| Typically a service using domain verification will ask
| you to create a specific, randomly generated TXT or
| similar record on your domain. After you've created the
| record you click a button or something and they do a
| query for it.
|
| Only someone with access to DNS for the domain can create
| such a record.
| kxrm wrote:
| Agreed, when I read this my first thought was it'd have
| to be some sort of IP based authentication, so you'd have
| to have a way to prove ownership of the target IP itself,
| however this doesn't really solve the problem of upstream
| impacts. Your ISP, colo facility or dedicated service
| provider probably won't be ok with you running these
| kinds of tests on their network.
| toast0 wrote:
| Would be nice for ISPs if they could get something from
| the DDoS site that their customer authorized it, then
| they could drop the account and not feel bad about it.
| MajimasEyepatch wrote:
| Because you don't control my domain. Suppose I own
| joespizza.com and you want to attack it using a
| supposedly legit load-testing service. You would go to
| the service, sign up, enter joespizza.com/order as the
| page you want to test, and then be given a random string
| to add to a TXT record on joespizza.com. You don't own
| joespizza.com, and you haven't compromised my hosting
| service account, so you can't create a legit DNS record.
| The service refuses to stress test my site, and you move
| on to the next thing.
|
| How else do you imagine this working?
| tedunangst wrote:
| I imagine that I would register tedspizza.com, create a
| TXT record that says blast away, and set the A record to
| point to the same IP as joespizza.com.
| aqeelat wrote:
| Yeah, but service providers can require that you upload a
| specific file at a specific location. This way, point
| your DNS all you want.
| wlesieutre wrote:
| But the DDOS attack isn't against the domain, it's
| against whatever server the domain points at.
|
| Requiring the owner to post a file at a specific URL
| would prove actual control of the server in a way that
| domain records don't. I can point a domain at whatever
| server I want, no need for it to be my own.
| kxrm wrote:
| Domain verification doesn't do anything to prove that the
| target is a willing participant. A DNS record doesn't
| indicate that you own the underlying IP or CNAME target.
| At best, DNS-based verification is only good at verifying
| things that specifically relate to the domain (SSL for
| example).
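A small model of the argument in this subthread (tedunangst's tedspizza.com scenario and wlesieutre's file-at-a-URL point), added here as an example and not code from any of the posters: the zones, addresses and served files are constructed in memory, and the challenge path and function names are hypothetical.

```python
import secrets

# Constructed DNS zones and origin servers; nothing here touches the network.
DNS = {
    "joespizza.com": {"A": "203.0.113.10", "TXT": []},
    # Hypothetical attacker zone: its A record is pointed at Joe's address.
    "tedspizza.com": {"A": "203.0.113.10", "TXT": []},
}
# Files each origin server (keyed by IP) actually serves, by path.
SERVERS = {"203.0.113.10": {"/order": "menu page"}}
CHALLENGE_DIR = "/.well-known/stress-test/"   # hypothetical path


def issue_challenge():
    """Random token the service hands out for a single verification."""
    return secrets.token_hex(16)


def dns_txt_verified(domain, token):
    """Domain-based check (the TXT-record scheme from the thread): only
    proves control of the zone, not of the host the A record points at."""
    return token in DNS.get(domain, {}).get("TXT", [])


def http_verified(domain, token):
    """Server-based check: resolve the domain, fetch the challenge path from
    that address and compare the body. Returns the verified IP (or None) so
    the caller can pin the address rather than re-resolving the name later,
    which closes the validate -> change A record -> attack window."""
    ip = DNS.get(domain, {}).get("A")
    body = SERVERS.get(ip, {}).get(CHALLENGE_DIR + token)
    return ip if body == token else None


def attacker_attempt(token):
    """tedspizza.com: the zone is under the attacker's control, the server
    the A record points at is not, so only the TXT check passes."""
    DNS["tedspizza.com"]["TXT"].append(token)
    return (dns_txt_verified("tedspizza.com", token),
            http_verified("tedspizza.com", token))


def owner_attempt(token):
    """joespizza.com: Joe controls both the zone and the origin server."""
    DNS["joespizza.com"]["TXT"].append(token)
    SERVERS["203.0.113.10"][CHALLENGE_DIR + token] = token
    return (dns_txt_verified("joespizza.com", token),
            http_verified("joespizza.com", token))


if __name__ == "__main__":
    print("attacker (TXT, HTTP):", attacker_attempt(issue_challenge()))
    print("owner    (TXT, HTTP):", owner_attempt(issue_challenge()))
```

Neither check says anything about the upstream networks kxrm and hannob mention; no target-side verification step can establish that consent.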
| KerrAvon wrote:
| So we should probably talk about CloudFlare as an accessory. Are
| they protected under Section 230? This appears to be illegal
| behavior and it was brought to their attention and they failed to
| take action.
| creeble wrote:
| Ha, they'll probably get credited by the FBI for assisting in
| the investigation, as they did last time.
|
| Cloudflare gets the low-integrity prize.
| paulpauper wrote:
| Fed-level computer crime is one of those things that has huuuge
| sentences.
___________________________________________________________________
(page generated 2022-12-14 23:00 UTC)