For many years now, law enforcement has been arresting individuals found responsible for specific DDoS attacks. Just recently, the man behind the 2013 Christmas DDoS attacks against Sony PlayStation was sentenced to 27 months in prison and ordered to pay US$95,000 in damages to one of his victims.
Unfortunately, this approach has had no noticeable impact on either the growth rate of DDoS attacks overall or on the underground infrastructure that enables them.
The Mirai DDoS attacks of October 2016 were significant for several reasons, most notably the sheer success of the attack. Targeting DNS provider Dyn, the Mirai botnet took many of the world’s leading brands offline for much of the day. This was a wake-up call about the fragility of the infrastructure underpinning the internet itself. It also showed how widespread the impact of a single attack can be.
Innovation Goes Rogue
When the botnet source code was released, however, Mirai became much more than a hugely successful attack: it sparked a wave of innovation that allowed DDoS-for-hire services to quickly offer these new attack capabilities as part of their services.
In December 2017, the three men behind the Mirai botnet pleaded guilty, but avoided jail. At first blush, this seems rather incredible. After all, the amount of revenue and brand damage done to leading global businesses was significant. According to The Register, the reason became clear in the plea deal: the trio became cyber-crimefighters for the FBI and were helping the agency to take down other botnets.
To put it in Hollywood movie terms, law enforcement was less interested in the dealer on the corner than in the neighborhood supplier. Instead of arresting and prosecuting the attackers, the law was targeting the attacker’s enablers, the botmasters who run the DDoS-for-hire services. These are the people who have made launching a DDoS attack as easy as ordering at a fast-food kiosk. They brazenly advertise their services, offer specials, and feature try-before-you-buy packages. They’ve democratized DDoS attacks, making them available to anyone with internet access and a grievance.
Cheap, Easy, and Lucrative
How big of a problem have these booter/stresser services become? In NETSCOUT’s 14th annual Worldwide Infrastructure Security Report, released in March 2019, the top motivation cited for DDoS attacks was criminals showcasing their capabilities to potential customers!
When you study the economics of the booter/stresser services, it is easy to understand why. They are extremely favorable—for the attacker and for the operator.
- NETSCOUT research has shown that for just US$56, would-be attackers can rent a booter/stresser service for 24 hours.
- The botmasters, or operators, are leveraging PCs, servers, and IoT devices such as home broadband routers to set up a DDoS-as-a-service enterprise with zero infrastructure and bandwidth costs. They’re illegally leveraging infrastructure and connectivity that belongs to others.
- The booter/stresser operator doesn’t pay taxes on the illicit proceeds of the service.
- Hundreds or even thousands of attackers can simultaneously utilize the booter/stresser service to launch DDoS attacks, thus boosting the tax-free/cost-free revenues of the services as they grow.
One year after making a deal with the Mirai botnet creators, the United States Department of Justice (DOJ) announced it was going after 15 websites offering DDoS-for-hire services.
“The sites, which offered what are often called ‘booter’ or ‘stresser’ services, allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet,” said the DOJ news release. “Booter services such as those named in this action allegedly cause attacks on a wide array of victims in the United States and abroad, including financial institutions, universities, internet service providers, government systems, and various gaming platforms.”
One month after that, Europol, the agency that supports law enforcement authorities throughout the European Union on crime-fighting activities, announced that it was targeting users of the biggest DDoS-for-hire websites. “The takedown by law enforcement in April 2018 of the illegal marketplace webstresser.org as part of Operation Power OFF has given authorities all over Europe and beyond a trove of information about the website’s 151 000 registered users,” said Europol’s news release. “Coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT) with the support of the Dutch Police and the British National Crime Agency, actions are currently underway worldwide to track down the users of these . . . DDoS attacks.” Europol went on to say that webstresser.org was believed to have been the world’s biggest marketplace for hiring DDoS services, helping to launch more than 4 million attacks for as little as €15.00 (less than US$17) a month.
Law enforcement efforts to target booter/stresser services are certainly laudable. These illegal operations are causing widespread damage around the world. They’re agnostic, selling their services to anyone who will pay—more often than not, a gamer with a petty grievance. Sometimes, however, the DDoS-for-hire customer is a business competitor that inadvertently takes an entire country offline.
Earlier this year, for example, noted security journalist Brian Krebs reported a story about Daniel Kaye, an Israel-U.K. dual citizen who was hired in 2015 to attack Lonestar, Liberia’s top mobile phone and internet provider. According to Krebs’ report, an individual working for Cellcom, Lonestar’s competitor in the region, paid Kaye US$10,000 for the attack, which Kaye claimed was ordered by the CEO of Cellcom Liberia.
The focus by law enforcement on DDoS-for-hire services, the engine driving DDoS attacks, has been clear. Unfortunately, what is also clear is that this newfound focus is not yet having much of an impact on DDoS attack frequency or size. The setup (easy access to attack infrastructure and a seemingly limitless number of motivations to launch these attacks) makes it unlikely they will diminish any time soon. The best thing you can do to protect yourself is to follow best practices and deploy a multilayer defense.