Israeli Pentagon DDoSers explain their work, get busted by FBI

Two Israeli men have been arrested for running a distributed-denial-of service-as-a-service site, after one seemingly claimed to attack the Pentagon. Itay Huri and Yarden Bidani, released on US$10,000 bonds, were arrested following a tip off from the FBI, local news site TheMarker reports. A Twitter account using Bidani's …

  1. RIBrsiq

    "There's not much more than fine print between stress testing and DDoS-as-a-service".

    The main difference, I believe, is who is ordering the service for whom.

    1. Anonymous Coward

      But if you're ordering it for someone else, you just tick the box which says "This service is a gift".

      1. Ken 16 Silver badge

        and it's one that keeps on giving...

        not a good thing in this case.

      2. allthecoolshortnamesweretaken

        Do they do gift vouchers?

  2. Pascal Monett Silver badge

    "prohibited from stressing internet connections [that they] do not have [..] authorisation to test"

    If that is true, then their DDoS of the FBI site is justified by invoice and they can easily name the contact and get their name cleared.

    Unfortunately for them, if the FBI arrested them it would seem that they have a bit more explaining to do than that.

    1. adfh

      A legitimate security company would practice due diligence

      It could be argued that they, as an alleged "security service" company, should practice due diligence on the requests they receive.

      E.g. receiving a validated response from the listed WHOIS contact for the IP range

      ... or verifying the presence of a special text string on the website or in DNS supplied to the person requesting testing

      If you saw that the WHOIS was a large corporation, if you were a real, legitimate security company, you'd be seeking legally binding and witnessed authorisation.
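One way to do the DNS-side check suggested above, as an added example that is not part of the thread or any company's code: a per-order token is derived with an HMAC and must appear in a TXT record under the target name before the order is accepted. The `_stresstest-auth` label, the `stresstest-auth=` prefix and the dict standing in for a DNS lookup are assumptions.

```python
import hashlib
import hmac

# Constructed example: proving control of a target before a stress test is
# scheduled. The requester is given a token and must publish it in DNS at
# _stresstest-auth.<target> (label and format are assumptions, not a standard).


def issue_token(secret: bytes, order_id: str, target: str) -> str:
    """Derive a token bound to one order and one target, so a token copied
    from a previous order, or from another hostname, does not authorise this one."""
    msg = f"{order_id}|{target.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def lookup_txt(name: str, zone: dict) -> list:
    """Stand-in for a real DNS TXT query so the example runs offline.
    `zone` maps a name to the list of TXT strings published at it."""
    return zone.get(name.lower(), [])


def target_authorised(secret: bytes, order_id: str, target: str, zone: dict) -> bool:
    """True only if the TXT record at _stresstest-auth.<target> carries the
    token expected for exactly this order and target."""
    expected = issue_token(secret, order_id, target)
    for rec in lookup_txt(f"_stresstest-auth.{target}", zone):
        if not rec.startswith("stresstest-auth="):
            continue
        presented = rec.split("=", 1)[1].strip()
        # constant-time comparison: the token is a credential
        if hmac.compare_digest(presented, expected):
            return True
    return False


# Constructed zone data: the customer published the token for order-42 only.
SECRET = b"constructed-server-side-secret"
ZONE = {
    "_stresstest-auth.example.com": [
        "stresstest-auth=" + issue_token(SECRET, "order-42", "example.com")
    ],
}
```

A WHOIS or contract check would sit alongside this; the DNS token only shows the requester controls the name, not that a legal owner signed off.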

  3. David Pollard

    10-50Gbps of UDP traffic

    Whose bandwidth was being used for this?

    1. Anonymous Coward

      Re: 10-50Gbps of UDP traffic

      Indeed. Kind of like when a major, legitimate, ticketed event like a festival causes traffic chaos for those with no interest. Only it's less easy to reroute but hey, isn't the internet supposed to be resilient 'n all that? I suppose we'll need to stick to using those super expensive traffic generating systems on the edge but then who wants kit when you can have it as a service yesterday.

      1. David Pollard

        Re: 10-50Gbps of UDP traffic

        kind of like ... a major legitimate ticketed event?

        Brian Krebs suggests that <i>"they were supplementing some attacks with botnets."</i>

        https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/

    2. NonSSL-Login

      Re: 10-50Gbps of UDP traffic

      Their provider (who I will not name here) had servers with 1gbit and 10gbit connections and does not block spoofed IP packets coming from their network. So simple floods could be done using just the bandwidth of that server but making it look like it was a distributed attack by faking the IP in every packet.

      The other attacks were amplification attacks, which sent out packets to public NTP, Chargen, DNS etc servers with a spoofed IP address of the victim, so they replied to the victim instead of the vdos server. A 10gbit server could potentially create 50gbit (much more given the right public servers) of traffic due to the replies and bandwidth of the public servers replying with more data than the initial request.

      The method I believe was used to uncover this operation is pretty naughty too. The ISP/Hosting provider this site worked from had its BGP routes hijacked by a DDoS protection and security company. BGP hijacking is a pretty scummy thing to do, even if it is easy to do.
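The reflection/amplification traffic described in the comment above has a recognisable shape from the victim's side: large UDP replies arriving from the service ports of many unrelated NTP, DNS or Chargen servers that the victim never queried. This added example (not from the thread) scores exported flow records for that pattern; the flow tuple layout, the thresholds and the sample flows are all constructed.

```python
from collections import defaultdict

# Constructed example: spotting a host on the receiving end of a reflected
# UDP amplification attack from flow records (src, sport, dst, dport, pkts, bytes).
# Source-spoofed floods sent straight from one server show no such signature;
# the fix for those is ingress filtering at the sending network, not this check.

# UDP source ports of services commonly abused as reflectors.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp",
                   161: "snmp", 1900: "ssdp", 11211: "memcached"}

# Constructed flows: 203.0.113.10 is being hit from four reflectors,
# 203.0.113.20 is just browsing and resolving names.
FLOWS = [
    ("udp", "198.51.100.7", 123, "203.0.113.10", 40000, 900, 428400),
    ("udp", "198.51.100.8", 123, "203.0.113.10", 40000, 850, 404600),
    ("udp", "192.0.2.53", 53, "203.0.113.10", 40000, 300, 960000),
    ("udp", "192.0.2.19", 19, "203.0.113.10", 40000, 2000, 2000000),
    ("tcp", "192.0.2.77", 443, "203.0.113.10", 51000, 20, 9000),
    ("udp", "192.0.2.1", 53, "203.0.113.20", 55123, 2, 312),
    ("tcp", "192.0.2.80", 443, "203.0.113.20", 55124, 120, 150000),
]


def summarise(flows):
    """Per destination: total bytes, bytes from reflector ports, and the set
    of distinct reflector sources and services involved."""
    per_dst = defaultdict(lambda: {"total": 0, "refl": 0,
                                   "sources": set(), "services": set()})
    for proto, src, sport, dst, _dport, _pkts, nbytes in flows:
        d = per_dst[dst]
        d["total"] += nbytes
        if proto == "udp" and sport in REFLECTOR_PORTS:
            d["refl"] += nbytes
            d["sources"].add(src)
            d["services"].add(REFLECTOR_PORTS[sport])
    return per_dst


def suspected_victims(flows, min_bytes=1_000_000, min_ratio=0.8, min_sources=3):
    """Flag destinations where most inbound volume is reflector-port UDP from
    several distinct sources. A single resolver answering normal queries
    stays well under all three thresholds."""
    hits = []
    for dst, d in summarise(flows).items():
        if (d["total"] >= min_bytes and d["refl"] / d["total"] >= min_ratio
                and len(d["sources"]) >= min_sources):
            hits.append((dst, sorted(d["services"])))
    return sorted(hits)
```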

  4. Anonymous Coward

    'Oy Vey'

    If it does go to court at least they'll have plenty of lawyers in their families to help them out:)

  5. ritey

    Does "i pwn u" count...

    ...as legitimate verification of ownership of a "target".

  6. Anonymous South African Coward Bronze badge

    Legitimate stress-testing my behind.

    Pulle the other onne, it has belles onne.

  7. Anonymous Coward

    very vague

    "claimed to have attacked the Pentagon".

    If you are in this business you should be sure of your targets. If you get any hint of government, then whatever you do next, you best be prepared for it.

  8. ma1010

    It's a tried and true business model

    Hi! Someone who wishes to remain anonymous hired me to stress test your head. With this cosh.

    I hope these clowns get some serious jail time. Perhaps they'll get a bit of "stress testing" from their fellow inmates. All for their own good, of course.

    1. Anonymous Coward

      Re: It's a tried and true business model

      Wonder if they could handle the bandwidth...

      http://m.qdb.us/262095

  9. lukewarmdog

    I love that they are identified as "masterminds" at the start of Krebs's article.

    Clearly anything but..

  10. Anonymous Coward

    Their only mistake..

    was not running for US President, at which point the FBI would have closed the case.
