Good news, but there is lots more work to be done here.
Botnets will keep growing/being regenerated (Thanks, pointless and insecure IoT crapware industry!!) and it will increasingly move out of the U.S. if the FBI keeps turning U.S. hackers.
The FBI's takedown of a group of prolific DDoS-for-hire websites has single-handedly helped to drop attack levels globally. This is according to a report (registration required) from distributed-denial-of-service (DDoS) mitigation provider NexusGuard, who say that both the overall number of attacks and the volume of duff data …
Exactly how many pathetic little morons are there to make this DDoS-for-hire stuff viable, and who exactly are they pointing their pathetic attention at ?
Does the FBI have the customer records as well ? I'd just love to see the face of one of those basement-dwellers when the FBI comes knocking at their door with a pair of handcuffs.
Is it against the law to rent a ddos service and point it at its own command and control servers?
The challenge is verifying is the legitimacy of the resources of a DDoS provider. If they generate that through their own resources you'd be OK, but DDoS waves are typically generated by co-opting other people's resources (websites, IoT, breached machines, routers - as long as it can talk online), and in that case you're funding a criminal enterprise.
Attacking yourself is perfectly OK, but you best accurately document the process of choosing your choice of provider so you can prove due diligence. A legit DDoS provider (if such beast exists) must be able to certify how it generates its traffic and how it ensures it remains focused on legitimate targets, and will also demand a permission form from you for the same reasons.
"Essentially, you launch a load of small requests at a bunch of devices on SSDP UDP port 1900, spoofing the source IP address as your victim's IP address." Network operators have switches and routers that allow a packet traversal of a packet from within the network but claiming to originate from outside of the network to anywhere within their network or the public internet? How embarrassing. They should get their act together and configure their network properly. It would make launching this sort of attack using their infrastructure impossible.