A US court has sentenced the operator of a massive DDoS service to 13 months in prison. Sergiy Usatyuk, 21, from Orland Park, IL was handed the term - along with a $542,925 forfeiture order - after pleading guilty earlier this year to one count of conspiracy to cause damage to internet-connected computers. He will also have to …
As well as those kinds of amplified reflective attacks, they can also just send packets straight at the target, spoofing the source IP. Be it sheer volume of packets, SYN or whatever.
That gives them 1 or 10 Gbit of shared bandwidth on each paid server hosted in each data centre that doesn't block spoofed packets. These servers shouldn't be underestimated despite what we hear about the size of DNS/NTP/etc reflective attacks as they alone can be damaging enough if incoming from a few different peering links.
"Anyone who weaponizes web traffic in this manner will be vigorously pursued and prosecuted by my office"
Except when government departments do it, along with creating and distributing malware and hacking people. Just not the little people!
DDoS is annoying but akin to a sit-in at a shop, which would deny it business sales while it occurred. To that extent I think people should be able to protest via DDoS, but start using it for blackmail and crime, you get arrested like you would if a sit-in got violent or other crimes got committed.
It's a very fine line though
DDoS is practically only used by pathetic losers who, not being able to handle real life, use that to "get back" at someone or something for a trivial issue they deem way too important to let pass.
Curiously enough, there was a time when we heard about DDoS blackmail, as in pay up or I take your site down, but it's been a while since I've heard that being used. Has it fallen out of fashion, or have encryption blackmail schemes taken over as goût-du-jour for the miscreants?
But DDoS as a form of civil protest will never fly. If you want to protest against a governmental organization, you will have to DDoS a government web site and I think that is already a federal crime.
In general you may be right but it's not that black and white.
When PayPal, VISA and other similar companies stop allowing their services to be used by a company or organisation for political reasons, it can end a company or organisation as it struggles to find other ways of payment. This has happened with some VPN companies, Wikileaks and even some hosting companies because of political pressure.
The little guy has no way to really voice their opinion on that with it being noticed or heard but taking VISA and Paypal offline via DDoS made enough attention to get that fact on the main news channels. Operation Payback got coverage like those gluing themselves to floors in London recently. Both inconvenienced people but the London protests were legal to organise and participate in, if you kept to the law. DDoS'ing a site is not.
That did not stop media companies hiring Aiplex to DDoS torrent sites though, which is well documented. Pretty sure no one in Bollywood or Aiplex went to jail though. The same with the anti-piracy companies that cause denial of service on perfectly legal trackers by faking clients that don't exist and other tricks to cause issues. Which goes back to my original point of it seems to be ok for governments, companies and the rich to do all these things which anyone else would go to jail for.
One set of rules for the commoners, one set for the government and their agents.
You get in a tussle with a friend and punch him in the ribs with a stick, you get felony charges and a long stint in jail. Police officer does the same, it's "pain compliance technique" and considered perfectly okay. You make people buy your product or suffer losses (material or financial), that's extortion. Felony, jail time. Government does it, it's "vehicle registration". Go on about public good all you like, but the end is the same - two sets of rules, and only one group is making those rules.
"DDoS is practically only used by pathetic losers who, not being able to handle real life....."
We can demean all we want. But in this case, they raked in £426k in a couple of years. Divide by two, and again, that's a tax-free income of £105k-ish a year. That's getting on for what I make in 3 years, so it'd be difficult for me at least to label them "pathetic losers". To suggest only misfits would go after a £100k a year prize isn't accurate - there'll be a good few willing to give it a go, just hoping the bit they do differently is enough to escape the law.
According to the prosecutor's report, they ran a DDoSaaS platform (aka "booter services"), so they didn't actually run the attacks themselves, and the count of 1.3M attacks is a bit irrelevant. It's also not specified how many targets these attacks actually represented.
Let's get some figures: according to various sources, DDoS attacks around 2016 were 20-30k per day, that's at most 11M per year, or 27M for the 2.5 years during which they operated. 1.3M attacks would represent 5% of this. I doubt these 2 guys would have been responsible for 5% of global DDoS attacks.
"They earned less than 50p an attack?"
True, but Visa/Mastercard earn less on some card transactions and they seem to do okay. Earnings per attack aren't relevant, nor is someone's salary for 1 minute. It's what you walk away with at the end. And if that sort of wonga is there for the taking, it'll get a lot of folk interested.
I see what you did there...
But they were probably all hosted in the same local data centre, or even VMs or virtual websites on a shared host with the same IP-address.
Remember when the UK tried to take down some pr0n sites, they blocked the IP-address, instead of the DNS name and thousands of websites, including schools, councils, self-help groups and businesses suddenly went offline, because the dozen or so IP addresses that were blocked were shared by thousands of sites using virtual sites on the same IP.