Slashdot Mirror
Prosecuting DDoS Attacks?
dptalia writes "We all have heard of major DDoS attacks taking down countries, companies, and organizations. But how many of them are ever prosecuted? And how many prosecutions are even successful? I've done some research and it appears the answer is very few (Well duh!). And those that are successfully prosecuted tend to have teenagers as the instigators. Does this mean DDoS is a fairly safe crime to conduct? Are the repercussions nonexistent? Does anyone have some knowledge an insight into this that I don't have? How would you go about prosecuting a DDoS attacker? What's your experience with getting the responsible parties to justice?"
No link tn the article. Smart move.
is that they have to get the MIT administration to cooperate.
Don't do if you don't want a other Terry Childs on your hands.
We get away with it daily here.
2 chanologists got a year in the slam each thanks to their DDOS of Scientology.
You will wire one million dollars into my Swiss bank account if you want to keep your precious site alive.
HahahahahahHAHAHAHAHAHAAAAAAA!
...DDoS goes unpunished because it usually originates through bot-nets and zombie computers. More so when trace-back leads to "masterminds" located in countries outside the country of targeted host.
If you get DDoS'ed by a teenager, maybe you deserve it. BTW, who the hell are you and your "research"?
One of those "the authorities won't become interested until you take matters into your own hands" situations. And the reason is that, as a law-abiding (ok, more or less) citizen, you're much easier to prosecute.
What's needed is for one of these new "cyber" security agencies (and I hope this isn't offensive, but they really need to be led by combat veterans with modern prostheses) to be tasked with hunting botnets and taking them over. Displaying a "this computer secured by the U.S. Gub'mint" message is probably the only guaranteed method of getting a user to wipe their machine.
Literalism isn't a form of humor, it's you being irritating.
...using William Gibson's "black ice" from Neuromancer.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The basic problem with DDoSes is that anyone who isn't a moron(ie. the teenage punks who get caught), is generally working from behind multiple layers of indirection and usually across a number of jurisdictions. What they are doing is probably illegal in all of them; but the degree to which the authorities care, or are on the ball enough to do anything about it can be pretty limited.
It doesn't help that a lot of the DDoS victims are either clueless and irrelevant(Yup, the feds don't really care about dialup users getting ping-flooded on IRC), widely considered to be a little shady themselves(*Call to the FBI* "Hi guys, I run this offshore gambling site in Antigua, and I've been having some problems with DDoS attacks that are really cutting in to my ability to serve American customers during peak sporting-event times...." *click*), or are parties in some sort of nationalist pissing match, of the sort where many "patriotic excesses" have a tendency to be overlooked(Yeah, I'm sure the Russian authorities are working night and day to bring to justice anybody involved in atttacks against Estonia...)
While, as a matter of law, DDoSing is hard to do legally, even in fairly shady areas(if nothing else, your botnet likely implies a fair number of computer-intrusion crimes in jurisdictions where that is an offense, and it is unlikely at best that you are properly reporting and paying taxes on the "protection" money that you are collecting). However, with the complexity of cross-jurisdiction investigation and prosecution, and without the massive public antipathy that something like kiddie porn has, the odds of actually getting brought to justice are fairly low, unless you are basically just a petty vandal, hitting some high-profile target in the same country as you.
My company, and our hosting clients, are victims of DDoS attack at a surprisingly high frequency. Although this has cost us thousands, and if you believe our angry customers it's cost them millions, we've never even attempted to prosecute a DDoS perpetrator for the following reasons:
1) The fact that a DDoS is distributed means we'll be left with a list, in the best case scenario, of hundreds or thousands of IP addresses, without the slightest clue which one might lead to the real troublemaker. In fact, for most types of DDoS, none of them lead to the perp in any special way. Often times DDoS attack machines are just zombied desktop computers, infected by a virus the genius user got from clicking on a porn ad.
2) In my experience, the vast majority of DDoS IPs are zoned to foreign countries. Mostly developing nations, or nations not particularly interested in Internet crimes against a US hosting company.
3) Even if the person or persons responsible for the attack were my next-door neighbors, we'd still need to track their actions through servers zoned in other countries. Try sending a subpoena to a (the?) Chinese ISP, asking for logs (if they even exist) from a server within their borders. Even if the log files showed activity from the perpetrator, it would still be somewhat circumstantial, and up for debate ("My computer has been hacked before / My wifi connection isn't secured / etc").
4) Even if you somehow managed, against all odds, to find the perpetrators, who were within a sane legal jurisdiction, and you won a contentious civil court case against them... Is a 17 year-old script kiddie really going to have any money?
It simply isn't worth the hundreds, if not thousands of man hours for us to jump down the rabbit hole for what's honestly not going to be much, if any, reward. I have never once in my life heard of a single successful DDoS prosecution that justified the cost in doing so.
its pretty pointless to prosecute botnet-nodes or try to find all people participating in a DDoS to sue them. But if you can find out, who called them to DDoS you, you can get him prosecuted for the calling.
My web host (MediaTemple) got hammered with a DDoS aimed at their DNS servers over the last few weeks. As a result, I've put my most critical domains using ZoneEdit's free-for-your-first-five DNS offer, with the web host playing backup, for my most critical domains. This plan successfully weathered a repeat attack.
To paraphrase Jim Cramer, redundancy must be the only free lunch in IT.
But the risk of being DDoS'ed due to what I might say is too great.
The 1st rule of defending yourself against DDoSers is not to talk about how to prosecute DDoSers, or DDoSers being brought to justice.
I, for one, can't imagine any ways in which mission-creep could cause such an organization to bite us in the ass...
Does this mean DDoS is a fairly safe crime to conduct?
Oh I see "someone" is very interested in DDoS attacks for "research" right? Dude, listen, just give the link here and your problems will be solved.
In California it is legal to throw eggs at a house. So all we need is names and addresses....
Presumably, you have the teenagers, the small time crooks and the foreign government hackers.
The small time crooks will go for smallish targets that have reasonable amounts of cash. They'll get noticed but aren't going to be a law enforcement priority. Even multi-million dollar companies don't have a lot of governmnet influence - you need to be valued in the billions for that.
The teenagers will go for the big corporations or the government because they can and they want to get noticed. Well, surprise surprise, they get noticed. The foreign governments will be noticed as well, but there's not a lot you can do. Other countries aren't going to hand their employees over to the US and the US isn't going to hand its employees over to other governments. So even if you're being DDOSed by teenagers you're not going to catch them. (sorry)
DOS attacks are mostly done by botnets consisting of compromised windows machines being controlled by someone behind a proxy of several hops. Catching them is almost impossible. There are always idiots who will have a go on their home dsl connection but its hardly worth going after them. The only way I can see of going after the real DDoS engines (botnets) is breaking down the botnet itself and figuring out whos controlling them. You cant just go banning windows machines. Smarter internet network management maybe?
If you are a rich company that is well connected politically you can get away practically anything, this also goes for DDOS attacks.
"Any properly configured web-server can easily handle the slashdot effect."
Obviously your definition of "properly configured" excludes servers designed to handle less than n different machines connecting to it per second, where
n = the number generated by a typical linking from Slashdot.
The guy stuck in the last decade running a web server on an old Pentium machine serving up a streaming video of his latest stupid pet trick comes to mind. Sure, he may be able to serve up a few hundred, maybe thousands, of unique visitors per second, but at some point he's going to fall over and die when the load gets too high, and there's nothing he can do about it short of getting new hardware.
Yes, your point is taken, web sites can be designed so a click on a link here is handled with a minimum of resource utilization while still serving up useful content. But my point is if you are getting burst traffic of BIGGISHNUM unique visitors per second because of the /. effect, your web server and Internet connection better be up to handling those visitors in a graceful manner, preferably one more useful than "server busy, try again later."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This could easily go wrong. There are real organised-crime DDoS attacks, which most will agree should be prosecuted. But what about the DDoS as an emerging tool for political activism, as seen in the incidents with the Church of Scientology? When your typical attacker is a teenager using only his own computer and some script-kiddy software, then prosecuting to the full extent of the law seems to be rather excessive. It could mean a multi-year prison sentence for the online equivilent of a protest group holding a rally outside a company building and blocking the enterance.
There is a definate possibility of overreaction here. Political DDoSers are basically just petty vandals trying to make a point, and incapable of doing much as individuals. I'd have thought community service an appropriate punishment, but I can easily imagine companies treating these like Evil Super-Hackers to get them locked up for a decade as a deterrent against future protests.
That's ridiculous. First, every nerd knows they don't have a host named www here, it always redirects. Besides, this script is more effective:
#!/bin/bash
while true
do wget -m -p slashdot.org &
done
Second, the easier way is just to submit a popular story that has a link back to slashdot, thus everyone reading will click on the link, and wallah! They /. themselves and self destruct.
Tequila: It's not just for breakfast anymore!
I expect that the people behind the DOS Attacks break other crimes where there is already a lot of case law supporting it.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
I thought the left-coasters, er, I mean liberals, extended animal welfare laws to fetuses and embryos. Think of the poor pre-baby chickens!
Oh wait, you must mean non-fertile eggs, my bad.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The problem with DDOS Is the same as crimes committed by multi-nationals no one has the authority crime committed in country X Data center in country Y business registered in country Z, there will never be a way to deal with these things since if you had a process to deal with them it would apply equally to crimes committed by large corporations and this is the last sort of law that will ever be instituted by any state corporation , it is simply not in there interest.
Forget legal routes they will never exist, build your own botnet employ your own people carry out your own operations.
You cant just go banning windows machines.
Hmm, maybe that should be part of every ISP's terms of service: "No windows machines." Yeah, that's the ticket....
Seriously though, ISPs should offer their consumer-grade customers a choice:
*Let us actively monitor your traffic for signs of known active virus- or botnet activity and when we spot it, block it, shutting down your service entirely if necessary, even though there will be false positives and even though this may have privacy implications for you, or
*provide us proof of liability insurance for damage caused by your computers and home network if they get hijacked and proof that you have the technical knowledge to prevent and mitigate such problems or access to someone who does.
Then for the vast majority of customers who take the first option, enforce it.
Business-grade consumers would be required to do something like, but the ISP can make some money by offering for-fee technical assistance for those business customers who prefer "one stop shopping."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
And if you're a rich company that can pay for more bandwidth and processing than the other guy, you're virtually immune to DDoS problems.
I think you mean....
... if you're a rich company that can pay for more bandwidth than that used by a huge botnet or group of botnets attacking you, you're virtually immune to DDoS problems.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
(In a french accent) I fart in your general direction, now go away or I will ping you a second time!
How would you go about prosecuting a DDoS attacker?
Nuke them from orbit, it's the only way to be sure.
Public Security Section 9, anyone?
Such "criminals" should be prosecuted like other protesters who violate the law:
With reasoned restraint.
In the '60s it wasn't uncommon to arrest people then "allow" them to bond out, forfeit bail, and dismiss the charges.
This is where prosecutorial discretion comes in. Rather than cracking down "with the full force of the law" you ask for a fine, no jail time, and possibly forfeiture of their computer hardware (but not the hard drive or other media).
Other "creative sentencing" might be a few months of living under restrictions on internet use on personally-owned equipment, such as mandatory throttling, mandatory blocking of traffic other than what is "normal use by normal human beings," and in extreme cases, mandatory logging and recording of all traffic except certain privileged traffic such as traffic that might be communications with an attorney. To work this would also entail a near-ban on non-pre-approved Internet use from other computers (e.g. work use would be pre-approved, going to your friend's house to evade the restrictions would not, but "trivial/de minimus" use to look up a restaurant's address from a friend's house would be okay).
Want to make a teenager cry? Take away his super-gaming-machine he bought with his lawnmowing money. Want to make a protester cry? Tell him he can choose between jail for a few months or having his electronic communications monitored for a few months.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
First you need to catch the actual attacker. Not just the botnet zombies. That pretty much isnt going to happen.
Next problem... you need to prove it was them... and the attacker wasnt just a zombie manager. That pretty much isnt going to happen.
Next issue is the non-technological ddos. The methodology of ddos to simply hammer the frontpage by requesting it often as possible. How do you differentiate ddos from legitimate traffic?
Ex. I want to take down scientology.com I tell all kinds of people to goto their website and refresh. CNN picks up the news article and people reading the news article goes to scientology.com to see if it's taken down. Who also contribute to the ddos. They keep refreshing to see if the ddos is still going on.
Now hypothetically lets say before CNN ever picked it up... the ddos wasnt even working. CNN is the ones who successfully ddosed scientology at this point. Should CNN article writer then be charged for the ddos? Should the newsreaders who went to the website just to see if it's up or down be charged? Hopefully not.
thus everyone reading will click on the link
HAH! A common error!
DDoS is very dangerous because it impacts alot more than just your target. DDoS people probably dont get prosecuted often, because someone else gets to them first. If you bot a bunch of boxes, chances are you might bot the wrong boxes. If you DDoS a site, chances are you will impact someone else's traffic. Interefere with the wrong people, and they aren't going to call a DA. So beware...out there on the information highway, there is alot more to worry about than the police.
DDoS attacks and most of spam originate from botnets. The only way to stop them is to improve security of end-user systems: educate users not to work with admin privileges, to install software only from trusted sources, not to rely on antivirus software as it only creates false sense of security.
What makes you think the FBI has the slightest interest in DDoS period?
They don't. Forget it.
It wouldn't be a matter of if this blew up in our faces, but when. It's still the only workable method.
Fortunately, since this would be run by the US, oversight would be provided by diligent public servants backed by an informed electorate.
Literalism isn't a form of humor, it's you being irritating.
you mean voila, not wallah
... still waiting for this free-as-in-beer free beer I keep hearing about.
Obviously you're going to have several IP's in this DDoS attack (If it's successful and you don't just have a shitty uplink) Filter those to Ip's in the US, then from that filter to only show residential locations.
From there I'd send subpeona notices to the ISP's for access to traffic to/from said IP; from that we would most likely grab an IRC server by monitoring said IRC server we would eventually be led to the bot master and as such..an arrest.
rather than throw lawyers at the problem (when has that ever truly fixed a problem) why isnt there some AI DOS attack management system, even more curious why does the internet allow DOS attacks in this age of multi core 64 bit cpu's (even get multi core arm or atom cpu's). You would think after 40 odd years someone would have said "you know we better fix this problem". The internet has reached a stage were it is just as important a service as power and water thus it should not be able to be pulled down by some 12 year old pissed off with the world (haven't we all been there).
IIRC, California passed an anti-animal-cruelty referendum, but it's got a couple of years to phase in.
Most eggs are non-fertile; the main people selling fertile eggs are selling them to random health-fooders, or else they're selling them because it's easier not to check whether your free-range hens have had access to a rooster.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There's a lot of Ping and SYN flooding going on against P2P participants. Now I wonder who might be interested in doing such a thing.
Not if you labeled it "Natalie Portman and Olivia Munn rubbing suntan lotion on each other at the beach" or something similar.
Dozens of comments despite the lack of article. I vote slashdot does away with links to the articles and just posts speculation from now on.
These posts express my own personal views, not those of my employer
I found an interesting article on someone tracking down some botnet masters by contacting a few of the infected users, getting a copy of the trojan and running it in a sandbox.
http://www.bellua.com/bcs/asia07.materials/fredrik_soderblom.pdf (PDF)
I've had to deal with clients insisting I install and run buggy, insecure antivirus software on their linux servers. putting forward antivirus as the solution is going to lead to more of that stupidity.
I'm not the brightest knife in the drawer, and even I know it's voila.
i have a button to push on facebook then a 1030 DDoS attack via proxies to launch
Filibuster is a DoS attack.
yup totally configured on a 2megabyte/sec line RUNNING 90% full speed round the clock , in the year 1998 256 mega ram running freebsd. Sounds like someone is getting hosed .....
and i\\when server went down it cost me 150$ i contacted the isp ISP said to email UUNET UUNET told me to CONTACT the iSP after 3 more times at his shit i sent an email to all involved and said "OK if your not willing or able to stop this i will and do not give me any legal repercussion on how i permanently end the problem" I then made apiece a software that targeted the PERSON in Argentina doing it and 75% of the isps in that country. then handed this software to 150 other hackers i knew around the world a week later i asked all to stop i got email from the arse doing this whom apologized that was the last dos i ever had to deal with and its why you never fuck with a hacker site P.S. i never caved and ever started doing what many did post 9/11 and called themselves "security sites either" most of those were shit heads anyhow. BTW before i did it i informed all the top pirates and said your email host thinks its a joke to attack my site , they weren't happy but i said he needs to learn something. its one reason its kinda good to gt in with hackers at least even if your not to serious , just be nice to them and they'll be nice to you. i used ot have some good chats with some pretty high up webmasters of yahoo and other major sites. AND no i've never used this power to extort or force any actions to anyone.Might be one reason ive been running this org for 16 years with no IT arrests in the membership
I clicked on it just in case.
Years ago, a webserver that I was admin for was hacked. It was a multi-homed machine with perhaps 300 websites on it, and permissions were all over the map. I did numerous permissions scans and found a nasty dog's breakfast of 777 directories, this works, but I never got approval to do the work to clean it up because of potential customer upset.
So in this case, somebody used a flaw in a vulnerable formmail.cgi (remember that one?) uploaded a perl script in a hidden "dot" directory in a 777 images folder that, when run, masqueraded as a legit process. I never quite figured out how they made the script look like a legit log process, but I did kill the perl script, because it was taking part in a DDOS attack of some servers that were apparently located in the South San Francisco area.
After a bit of reading of the script, I found that it was the classic IRC bot network, and I simply gave myself an appropriate user name and logged in. At the time, the DDOS was going on. There were maybe 200 other machines in the botnet. Orders would come out, like "pf: 192.168.0.1" where the IP address was the target machine.
I watched for a while, then reported everything, including IP address, screen shots, etc. to the FBI. Nothing happened, not even an email back. Part of me died that day.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
That was hot!
Natalie Portman /. Olivia Munn slash fiction!
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Well actually, it is voilà, which means see there.
people use bots to "host boot" people from their Halo 3 session and get level up fast. There is even websites to sell these bots for couple dollars each.
New Economic Perspectives
What makes you think they don't?
You know, that reads a lot better if you leave out the words "suntan lotion"...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
voilà
I don't know what's worse..
the fact that would be viable for downing low-volume sites or that I'll never see that video. *sheds single tear*
I tried your link but I couldn't find any images of Natalie Portman or Olivia Munn on that page. What gives?
I'm Rocco. I'm the +5 Funny man.
Oh man, if that appeared on my machine I would immediately start logging and saving all traffic in/out of it to a non-erasable external storage. After all, we all know how good the government is at encrypting everything, right...?
ISPs spend more money and more R&D finding new ways to detect file sharing than on finding and stopping DDOS attacks, Malware or Spyware.
It has been proven that the losses which the RIAA quote are fanciful at best and totally false at worst.Yet no one mentions the very real and measurable losses that Spyware, malware, and DDOS attacks cause businesses and home users worldwide.
There was a time when the hardware and software to do inspections of networks to determine if file sharing protocols were used, what was being shared across torrent networks, to identify music in videos for copyright infringement and a host of other methods did not exist. R&D was done, probably hundreds of millions were spent, and now these technologies exist and are in use today (and much to the dismay of toddlers and grandmothers sued out of house and home they work). So the argument that 'It's too hard...' or 'We can't easily find them' isn't valid.
Websites distributing Viruses, Spyware and Malware can stay up for a decade with no media attention, and no law enforcement attention. But try posting a site that offers a few albums for download and the cease and desist notices fly fast and furious.
The issue of DDOS, Spyware, Malware and Viruses transmitted over the internet is a far more immediate issue facing internet users internationally, and yet it receives almost no attention by the government.
Why is that?
-Gel214th
I voi what you did là.
Finally had enough. Come see us over at https://soylentnews.org/
A DDOS has taken down a country? Really?
Might be more appropriate to say that a DDOS has taken down a country's website, or a country's network, but I don't believe any countries have been taken down by a DDOS attack yet.
Until a good solution is found can we really being to think about prosecuting?
To prosecute means to institute and follow through on an action, especially to carry it out with vigor. (Examples: To prosecute a war. To prosecute a claim. To prosecute a lawsuit.) Thus, the prosecute a DDOS attack would mean to carry one out.
I think the person who wrote the summary mean to ask if the perpetrators of DDOS attacks have ever been prosecuted. This a shorthand way if asking whether legal cases ever been prosecuted against them.
Mafiaboy (Michael Calce) is the highschool kid from Montreal Canada who took down Yahoo, Amazon, Dell, Etrade, Ebay and CNN in 2000. He was arrested by the RCMP and prosecuted. In 2001, he was sentenced to eight months of "open custody", a year's probation, a fine, and restrictions to his use of the internet. Reader's Digest did an interview with him recently (Last year or two)
I’m at work right now, but I dragged that link to my flash drive to check it later.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
DDoS is a free speech issue because it allows the criminal to silence the victim, and that's usually how it's used: to chill speech on irc and enforce this abusive fascist atmosphere of brotherhood, loyalty, and lolz. to take down competitor's businesses. to silence government or NGO sites for political reasons.
It's a second level of free speech issue because the threat of DDoS makes self-hosting and small-scale hosting much less practical. You cannot host a complicated web site on a Sheevaplug inside your house any more because of the threat of DDoS, while in 1997 this would be totally practical if you could afford the speeds of DSL available to almost everyone today. Everyone is forced to these web-scale platform sites owned by google, yahoo, and facebook, and supported by ads and spying, which give the speaker a lot less control of his and his visitors' privacy, and less protection if his speech is unpopular.
There has been no stewardship among ISP's to mitigate the DDoS problem in a way that's financially fair to the victims the way there has been for the spam problem. This disappoints me and makes me feel like the supportive atmosphere of possibility in the old academic Internet is being replaced by aggressive hypercapitalism, and this twitchy bros hos and lulz attitude.
Don't be so "Kayu" La.
You can't really prosecute the person responsible for the DDoS attack, for obvious reasons, without spending way more time and resources than it is actually worth. I think that is something we can all agree on. But instead of attempting to receive some form of justice from the incidence, why not take measures from being DDoSed by the same computers. For instance, blocking the mac addresses suspected to be involved in the DDoS which you can acquire from a simple connection log could help prevent. You would have to of course have some way of helping legitimate users regain access to your site but that shouldn't be that big of a hassle. Or you could try to alert the owners of the MAC addresses and tell them that there is reason to believe their system in infected etc.
Would you hug a bear?
My company was DDoSed for several days last year and we are a law firm. We used every resource possible to try and crack down on this attack, but there were no leads or links back to the attacker as all the IP's were zombies. It's virtually impossible to find out who is behind the attack, as the attacker never sends any packets from his IP.