[HN Gopher] Six charged in mass takedown of DDoS-for-hire sites
___________________________________________________________________

Six charged in mass takedown of DDoS-for-hire sites
Author : feross
Score  : 133 points
Date   : 2022-12-14 20:01 UTC (2 hours ago)
Link   : krebsonsecurity.com

xmichael999111 wrote:
  What kind of jail time are these people looking at?

  jacquesm wrote:
    Not enough...

  mikeyouse wrote:
    Depends specifically what they're charged with and their role in the org, but last summer, after a short trial a similar operator was sentenced to 24 months. One of his co-conspirators pled guilty and received 5 years probation:

    https://www.justice.gov/usao-cdca/pr/illinois-man-sentenced-...

    Actually Krebs wrote about his sentence at the time:
    https://krebsonsecurity.com/2022/06/downthem-ddos-for-hire-b...

    xmichael999111 wrote:
      That sounds unreasonably short; they've made a fair bit of money and done a fair bit of damage.

      joshmn wrote:
        Reminder that in the federal system, the judge can ultimately decide what happens. If you are charged by complaint and plea, that'll play better than being indicted and losing at trial. You generally don't get more favorable sentences when you lose at trial, though.

  tptacek wrote:
    The sentence will scale with the money they made added to the amount of damage attributed to the victims; they're in essentially the same boat as SBF with respect to sentencing, albeit with lower numbers. If they made + caused more than six figures, they'll be looking at multiple years; over a million, something in the vicinity of 5-6 years.

    (I'm not a lawyer, I've just got the sentencing guidelines hotkeyed.)

    joshmn wrote:
      They are not in the same boat in terms of sentencing whatsoever. SBF's guidelines are going to be maxed because of the loss amount. His criminal history score will be 0, yes, but I imagine a few of these young men will have a criminal history score of 0 as well.

      The scale for financial loss is really weird. $150k will get you 10 points. $1.5MM will get you 16 points. $550MM will get you 30 points. https://guidelines.ussc.gov/gl/%C2%A72B1.1

      tptacek wrote:
        We are saying the same thing. I agree, of course, that SBF's sentence will be much higher than these dipshits. But the mechanism by which they're calculated is basically the same --- SBF will have some level accelerators that the DDoS'ers don't have, and the DDoS'ers will have some 18 USC 1030 accelerators (circumvention devices, domain names, maybe PII) that SBF doesn't.

        If you do the actual exercise of picking out a realistic loss number and doing the calculation, you'll find that the 2B1.1 loss table dominates the sentence.

        joshmn wrote:
          Circumvention is just 1 point, is it not? Domain names I don't think count? But you could use that as total number of victims (usually they just wing it -- the calculation, the feds); PII I didn't see mentioned.

          I think SBF is in deep shit and I think the world is better for it. These guys? I don't know, probably not as deep as it looks; certainly not the 10 years that another poster was saying, though.

          tptacek wrote:
            It's 2 points (pretty much everything is 2 or 4 points). But it doesn't matter, really: the accelerators are nothing compared to the loss table. Again, I think we're saying the same thing! I deliberately tripped as many of the 18 USC 1030 enhancements as I could just to demonstrate to myself that it didn't much matter.

            SBF will serve something close to life if convicted because the losses he incurred blow out the guidelines table.

            The DDoS'ers will serve something scaled to the amount of losses they actually caused. I think $1MM is a reasonable ballpark, which gets you into the high single digit years.

  paulpauper wrote:
    A long time potentially. 10-20 years likely. Computer crime tends to be punished very severely; it also includes wire fraud.

    joshmn wrote:
      Based on what? I can pull up a dozen computer crime acts (that aren't targeted towards children) and find much less.

      They're probably going to plea, and their plea will probably not be to wire fraud. They probably all have low criminal history scores.

      Here's a similar situation where the guy lost at trial:
      https://krebsonsecurity.com/2022/06/downthem-ddos-for-hire-b...

      If these kids plea -- and they probably will -- they'll probably get 1-2 years + 3 years probation if that. Their lawyer will bring up the comparable at sentencing and the judge will consider it.

      paulpauper wrote:
        _They probably all have low criminal history scores._

        This obviously did not help Ross Ulbricht.

        joshmn wrote:
          He lost at trial on all counts.

sjapps wrote:

  ericpauley wrote:
    It's funny (kind of cute, honestly) that these site operators pretended that the outbound (booting) side of the service was the only legal risk, and that they could address this with click-through terms. Clearly, compromising third-party devices and services, or misusing services for amplification, is just as legally fraught as the attack itself.

    That being said, I wonder if these services are actually the limiting factor here. There is probably some zero-sum game here, with a fixed quantity of exploitable booter hosts available and all the providers vying for control of these. Shutting down a set of providers would then just make others more powerful.

    duskwuff wrote:
      > ... and that they could address this with click-through terms

      Honestly, this part is pretty funny on its own. Approximately nobody actually uses these services to test their own networks, and I'm sure the site operators are perfectly aware of that.

RVRX wrote:
  TBF these sites have been up for years; I recognize some from >decade ago, so it took quite some time for the law to catch up to them. They've probably taken in quite a bit of cash since their inception.

linuxftw wrote:
  ISPs are really at fault here. They've done practically nothing to prevent botnets and DDoS from continuing to exist.

  But man, the defendants, how can you be dumb enough to run something like this from US soil, like you're not going to end up in a cage?

RVRX wrote:
  Back when I was a teenager I used to come across these sites all the time when playing with Skype-to-IP resolvers. I just checked, and I'm surprised Google actually still shows these sites when you search for them. Most of them have partner links to these DDoS sites, many of which are on this list of takedowns.

joshmn wrote:
  This is cool and all, but I'm still waiting for the FBI to pivot from investing time into piracy and DDoS-for-hire to website operators who run sites that distribute truly awful media.

  I get that there are anti-piracy lobbies. I get that if you piss off enough companies they're going to put heat on you (see: this). But there are dozens of copycats of Ruben Rosales (https://www.justice.gov/usao-az/pr/mexican-national-sentence...) and they are truly awful people.

  jrm4 wrote:
    Follow the money, sadly.

    Honestly, one weird/humorous/sad thing I've noticed is that -- for purposes of "what is actually censored," messing around with celebrity images is often _literally the worst thing you can do,_ ostensibly worse than violence, racism, etc.

from wrote:
  > The charges unsealed today stemmed from investigations launched by the FBI's field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.

  Anyone know why so many cybercrime prosecutions happen out of Alaska? I know at least Mirai, Kelihos, and some Mirai clones were all charged in the District of Alaska.

greggarious wrote:
  Why would anyone pay for a denial of service attack when DoS bugs are so ubiquitous that you can often not even get paid for finding one? Folks seem to only want remote code execution... so damn nebby.

  (That type of bug bounty policy is how you get folks hoarding them for a cold winter rather than disclosing them to vendors.)

cft wrote:
  From the FBI affidavit:

  42. Finally, many of the booter services also use DDoS protection services,[3] such as those provided by the company Cloudflare (a company headquartered in the United States). While Cloudflare offers both paid and free services, the operator of one of the SUBJECT DOMAINS, bootyou.net, paid Cloudflare for services relating to the operation of their website.

jacquesm wrote:
  I hope they will go after the customers as well, just like they did here in Europe.

  CircleSpokes wrote:
    Hopefully they will. My whole apartment complex was under DDoS attacks for 6 months early during covid. Hundreds of people without a stable connection because someone had a grudge and an account on one of these DDoS services.

    jacquesm wrote:
      Hospitals, power infrastructure, nothing is sacred.

  luckyshot wrote:
    I would be very grateful if you could share any info about this.

    Our small company's site got DDoSed a month ago and we just let it pass since we're not too convinced that the authorities will take us seriously. We don't even know where to start; we just saved the logs with a few hundred random IPs from different countries hoping some day we can do something about it...

    creeble wrote:
      You might want to look into using Cloudflare for your infrastructure - the same folks that provided DDoS protection for most of the now-busted DDoS-for-hire sites!

    slothsarecool wrote:
      We report each DDoS attack our company receives to a special department our police has; your country likely has something similar and I guess it doesn't hurt reaching out to them.

      From my experience they will get back to you quickly (usually in <1-2 hours) and they can try helping out if you are still under attack / need some consultation.

      Will we ever get compensated for the wasted engineering time to stop these attacks? Probably not, but if the police ever finds them and they have extra logs of companies that reported issues, it's likely an aggravation of the case.

      luckyshot wrote:
        You're right, I guess I'm still thinking of a few experiences I had way in the past when the Internet was still early and contacting them was a waste of time: they couldn't understand you nor had the time to do so. It's true they now have many more resources and experts in their departments and, as you say, may at least give some good advice on what to do during the panic stage to try and at least mitigate it. Providing them with logs and proof would have been a good idea too.

        Oh my, the attack caused so much wasted time and stress that it's still haunting me and the team, especially when thinking that it may not stop there and the attacker/s is just waiting for the next chance to hit us. The days after the attack the first thing I did after waking up was check the servers to see everything was safe. And our roadmap was severely affected too, prioritizing many security features we had in the backlog.

        Thank you so much.

        bornfreddy wrote:
          We were under a DDoS attack about a month ago too, but were lucky that it didn't manage to affect our business. With that in mind, we took it as a (precious) learning experience - how often do you get the chance to learn about DDoS defence first hand?

          I realize we were lucky that the attacker didn't find any of the soft spots (or at least none that hurt us). We do prioritize security though, always.

          I hope all goes well for you and that in time this is just another learning experience. Maybe next time you'll smile when an attack is thwarted because of what you've all learned.

    jacquesm wrote:
      Link from the article:
      https://krebsonsecurity.com/2019/02/250-webstresser-users-to...

      It helps if you have a suspect; typically your local LE will have a cyber division that will know what the next steps are.

      luckyshot wrote:
        Glad to hear there are hefty sentences; many attackers don't realize how much damage they're doing and all the stress and effort that goes into trying to mitigate such attacks.

        Thank you!

        jacquesm wrote:
          You're welcome. Good luck with your problems!

  RVRX wrote:
    IMO most of their customer demographic is the edgy online teenager who wants to mess with someone on the internet, not adults or companies going after any businesses or the like.

    Just look at the ads for these sites, which are super flashy and cool to cater to these teens.

    Edit: Example ads: https://i.imgur.com/PjqG7dC.gif https://i.imgur.com/ebp4ERm.gif https://i.imgur.com/kTM3fAA.gif

    aleksiy123 wrote:
      I remember people used them for DDoSing in high rated WoW Arena matches through IPs leaked through Skype.

      CircleSpokes wrote:
        Yeah, ddosing and gaming have a long history. Over a decade ago these types of services were very popular on other games like Halo, CSGO, & runescape. I was pretty active in the runescape PVP community and around ~2010 onwards tons of people were using these types of services to ddos other players/rival teams & even the game servers themselves. It was especially bad on runescape because ddosing had a financial motive (killing someone for their gear that is worth real money is easier when they lose connection). At the time hiding your IP wasn't as easy as it is now (Skype was super popular like you pointed out, but so were things like teamspeak & 3rd party forums).

bolangi wrote:
  Does anyone have trouble parsing this headline? To me it reads like the charges are against people attacking DDoS-for-hire sites.

  Baeocystin wrote:
    I was prepared for a this-is-why-we-can't-have-nice-things story on how people doing good work got screwed over in some way. Glad to be wrong!

  jwagenet wrote:
    I initially had the same thought. A helpful insertion: "Six charged in [DOJ] mass takedown of DDoS-for-hire sites"

    ArmandTanzarian wrote:
      My thought was something similar: "Six charged after mass takedown of DDoS for hire sites"

jwagenet wrote:
  > "None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose)," reads an affidavit (PDF) filed by Elliott Peterson, a special agent in the FBI's Anchorage field office.

  So perhaps the next wave of booter sites can avoid scrutiny by adding a dialog asking the customer if they own the target or are authorized to attack it (in addition to not publishing ads advertising targets like websites and game servers)?

  scandinavian wrote:
    Sure, if they implement verification steps to ensure that the site is owned by the person attacking it. The verification steps could be similar to the ACME challenges:

    https://letsencrypt.org/docs/challenge-types/

    hannob wrote:
      That would still be a terrible idea. If you do it domain-based it's obviously insecure (validate -> change A record -> attack); if you do it IP-based you basically allow attacks on cloud services that rent cheap virtual servers.

      Also keep in mind that a DDoS affects infrastructure on the way whose operators have not consented.

      I don't really think there's an ethical way to run a DDoS "stresser" service on the public Internet.

      MajimasEyepatch wrote:
        How is domain-based insecure? There are tons of services that use DNS records to validate ownership of a domain. If someone has managed to get control of a domain and modify its DNS records, they can do a lot more damage than a DDoS.

        tedunangst wrote:
          How do you stop me from pointing my DNS record at your server?

          kkielhofner wrote:
            That's not how domain verification works.

            Typically a service using domain verification will ask you to create a specific, randomly generated TXT or similar record on your domain. After you've created the record you click a button or something and they do a query for it.

            Only someone with access to DNS for the domain can create such a record.

          kxrm wrote:
            Agreed, when I read this my first thought was it'd have to be some sort of IP-based authentication, so you'd have to have a way to prove ownership of the target IP itself; however this doesn't really solve the problem of upstream impacts. Your ISP, colo facility or dedicated service provider probably won't be OK with you running these kinds of tests on their network.

            toast0 wrote:
              Would be nice for ISPs if they could get something from the DDoS site that their customer authorized it; then they could drop the account and not feel bad about it.

          MajimasEyepatch wrote:
            Because you don't control my domain. Suppose I own joespizza.com and you want to attack it using a supposedly legit load-testing service. You would go to the service, sign up, enter joespizza.com/order as the page you want to test, and then be given a random string to add to a TXT record on joespizza.com. You don't own joespizza.com, and you haven't compromised my hosting service account, so you can't create a legit DNS record. The service refuses to stress test my site, and you move on to the next thing.

            How else do you imagine this working?

            tedunangst wrote:
              I imagine that I would register tedspizza.com, create a TXT record that says blast away, and set the A record to point to the same IP as joespizza.com.

              aqeelat wrote:
                Yeah but service providers can require that you upload a specific file at a specific location. This way, point your DNS all you want.

                wlesieutre wrote:
                  But the DDoS attack isn't against the domain, it's against whatever server the domain points at.

                  Requiring the owner to post a file at a specific URL would prove actual control of the server in a way that domain records don't. I can point a domain at whatever server I want, no need for it to be my own.

        kxrm wrote:
          Domain verification doesn't do anything to prove that the target is a willing participant. A DNS record doesn't indicate that you own the underlying IP or CNAME target. At best DNS-based verification is only good at verifying things that specifically relate to the domain (SSL for example).

KerrAvon wrote:
  So we should probably talk about Cloudflare as an accessory. Are they protected under Section 230? This appears to be illegal behavior, and it was brought to their attention and they failed to take action.

  creeble wrote:
    Ha, they'll probably get credited by the FBI for assisting in the investigation, as they did last time.

    Cloudflare gets the low-integrity prize.

paulpauper wrote:
  Fed-level computer crime is one of those things that has huuuge sentences.

___________________________________________________________________
(page generated 2022-12-14 23:00 UTC)
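The joespizza.com / tedspizza.com exchange in the thread, as an added example that is not part of the original page: a domain-bound DNS TXT check is satisfied by anyone who controls the DNS of some domain that resolves to the target, whereas a host-bound check requires the token to be served from the IP the traffic would actually hit. The zone data, the challenge path /.well-known/verify/<token>, and the in-memory DNS and HTTP stand-ins are all constructed for this demo.

```python
"""Added example (not from the thread): why a DNS TXT ownership check does not prove
control of the host a "stress test" would hit, versus a check bound to that host.
The DNS table, the HTTP table and the challenge path are all constructed for this demo."""
import secrets

# Constructed zone data: tedspizza.com is unrelated to joespizza.com, but its A record
# points at Joe's server, exactly as in the thread's example.
FAKE_DNS = {
    ("joespizza.com", "A"): ["203.0.113.10"],
    ("tedspizza.com", "A"): ["203.0.113.10"],
    ("_verify.joespizza.com", "TXT"): [],
    ("_verify.tedspizza.com", "TXT"): [],
}

# Constructed view of what the server at each IP actually serves, keyed by path.
FAKE_HTTP = {"203.0.113.10": {"/": "Joe's Pizza"}}

def resolve(name, rtype):
    """Stand-in for a DNS lookup against the constructed zone data."""
    return FAKE_DNS.get((name, rtype), [])

def http_get(ip, path):
    """Stand-in for fetching a path directly from an IP (no DNS involved)."""
    return FAKE_HTTP.get(ip, {}).get(path)

def dns_txt_verified(domain, token):
    """Domain-bound proof: only shows the requester controls DNS for *that* domain."""
    return token in resolve(f"_verify.{domain}", "TXT")

def host_bound_verified(domain, token):
    """Host-bound proof: the token must be served from every IP the domain resolves to,
    so it requires control of the server that would receive the traffic. It still says
    nothing about upstream networks (the ISP/colo point raised in the thread)."""
    ips = resolve(domain, "A")
    path = f"/.well-known/verify/{token}"
    return bool(ips) and all(http_get(ip, path) == token for ip in ips)

def scenario():
    """Walk through the thread: the tedspizza.com registrant completes the TXT challenge
    for a domain that resolves to Joe's IP; only Joe can satisfy the host-bound check."""
    token = secrets.token_hex(16)
    # The registrant controls tedspizza.com's zone, so the TXT challenge is trivial...
    FAKE_DNS[("_verify.tedspizza.com", "TXT")].append(token)
    domain_ok = dns_txt_verified("tedspizza.com", token)
    # ...while the name resolves to the same server as joespizza.com.
    same_server = resolve("tedspizza.com", "A") == resolve("joespizza.com", "A")
    # Joe's server serves nothing at the challenge path, so the host-bound check fails.
    host_ok_registrant = host_bound_verified("tedspizza.com", token)
    # When Joe himself publishes the token on his server, the host-bound check passes.
    FAKE_HTTP["203.0.113.10"][f"/.well-known/verify/{token}"] = token
    host_ok_owner = host_bound_verified("joespizza.com", token)
    return {"domain_ok": domain_ok, "same_server": same_server,
            "host_ok_registrant": host_ok_registrant, "host_ok_owner": host_ok_owner}

if __name__ == "__main__":
    print(scenario())
```

The host-bound check answers only the question the thread raises (does the requester control the server behind the name); it does not address the non-consenting upstream networks hannob and kxrm point out.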