Distributed denial of service, commonly referred to by the acronym DDoS, represents a serious threat to enterprises of all sizes. In a DDoS attack, a large volume of traffic is directed against a target, overwhelming system resources and in effect denying anyone else access or service to the system.
While organizations can and should take steps to mitigate the risk of DDoS attacks with different types of technology and services, law enforcement needs to play a very strong role. On Dec. 20, the U.S Justice Department announced that it had seized 15 internet domains associated with DDoS-for-hire services and filed criminal charges against those involved.
"DDoS attacks are serious crimes that can cause real harm, as shown by the wide range of sectors allegedly victimized in this case," Assistant Attorney General Benczkowski wrote in a media advisory. "The operators and the customers of DDoS-for-hire services should be on notice that the Department of Justice will aggressively prosecute those who perpetrate malicious cyber attacks."
DDoS sites for hire are also sometimes referred to as booter or stresser services, as they boot users from sites or overly stress web services. The sites seized by the DoJ are anonsecurityteam.com, critical-boot.com, defianceprotocol.com, ragebooter.com, str3ssed.me, bullstresser.net, quantumstress.net, booter.ninja, downthem.org, netstress.org, torsecurityteam.org, vbooter.org, defcon.pro, request.rip and layer7-stresser.xyz
In conjunction with the site seizure, the DoJ filed multiple criminal charges against those alleged to be operating the DDoS-for-hire sites. The U.S. Attorney’s Office for the Central District of California charged Matthew Gatrel, 30, of St. Charles, Ill., and Juan Martinez, 25, of Pasadena, Calif., for their alleged activities conducted via the Downthem service. According to the affidavit, between October 2014 and November 2018, Downthem was associated with more than 200,00 DDoS attack attempts.
The U.S. Attorney’s Office for the District of Alaska charged David Bukoski, 23, of Hanover Township, Pa., in conjunction with Bukoski's alleged operation of the Quantum Stresser DDoS service. According to the DoJ complaint, Quantum Stresser is associated with over 50,000 DDoS attacks in 2018 alone.
How DDoS-for-Hire Sites Work
The FBI conducted an extensive investigation into the services that were seized to determine how they work. According to the affidavit, the rates charged varied across the different services. A premium account could cost $100 a month and enable up to 10 attacks a month, with peak attack bandwidth of 30G bps. Cheaper services were available for only $25 a month and, according to the FBI, could still be highly effective.
"Even at the lower volumes verified, the simultaneous use of two such services, at a combined cost of under $50 month, could result in an Internet outage for up to 10,000 ISP customers, for as long as the attacker wanted to implement the attack," the affidavit stated.
The DDoS-for-hire sites use multiple techniques to generate the bandwidth required to overwhelm victims. Among the most common identified by the FBI is the use of a Reflective Amplification Attack (RAA). In such an attack, misconfigured services on various sites are used to amplify or reflect traffic, providing an order of magnitude more bandwidth that what the attacker has from compromised systems.
There are multiple vendor technologies and services for helping organizations mitigate the risk of DDoS attacks.
With amplification attacks, the volume of traffic that comes inbound to a target organization will typically easily overwhelm the traffic bandwidth that most organizations get from an ISP. As such, one of the best ways to limit risk is to have a DDoS protection service in the cloud, such as Imperva, CloudFlare, NeuStar or Akamai, which help to identify, filter and block DDoS attacks before they flood an organization's inbound network router.
The DoJ along with the FBI and its law enforcement partners also worked with cyber-security vendors, including Flashpoint. Allison Nixon, director of security research at Flashpoint, told eWEEK that Flashpoint provides threat intelligence derived from extensive visibility into deep and dark web actors and communities. She noted that Flashpoint's input was combined with a wealth of intelligence from a range of industry partners and that combined threat intelligence and attribution is strong enough to stand up in a court of law.
An important point in the DDoS-for-hire domain seizures noted by Nixon is that the U.S. government just made the argument that running a booter service itself is inherently illegal. Properly identifying DDoS services as criminal is a major step forward and Nixon is hopeful it will deter other would-be DDoS-for-hire service operators.
"The FBI, in executing these actions, has stated clearly and unequivocally that the act of running a service that attacks any website in exchange for anonymous money is not just reckless, but patently illegal—and will be prosecuted," she said. "This is significant because many cyber-criminals have convinced themselves they have found a legal loophole to hurt people."
While DDoS is not a new threat, the practical reality is that these attacks continue to persist and have been fueled in part by the actions of the DDoS-for-hire sites. Not every organization has DDoS protection services in place, and even if they do, DDoS attacks are still impactful. While organizations should do what they can to help mitigate risk, it's great to see that law enforcement is also playing a role to stop DDoS, and the takedown of the 15 sites will hopefully have some impact on reducing DDoS attacks in 2019.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.