The FBI Is Arresting People Who Rent DDoS Botnets

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.
Most of the other suspects arrested were under the age of 20.

hey, how about you don't do that

[SirSlud]

A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

Re:hey, how about you don't do that

[Ol+Olsoc]

A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

A couple years is significant, although in the US it seems everyone wants everyone executed for anything. Of course we'd all be dead.

I wonder if we should start teaching civics again in schools. Seems a freaking CS graduate should know better, both socially and technically.

Re:hey, how about you don't do that

[ColdWetDog]

You only get justice if you can afford it.

It's the American way.

Re:hey, how about you don't do that

[Dutch+Gun]

Given that the estimated damage was $5000, I'd hope he just gets a rather stiff fine (maybe five to ten times the estimated damages). There's no need for him to be in prison, as he's not a danger to society, although he does need to be punished. The greater value is in letting people know they can't get away with hiring these services without consequences.

For people wishing for law enforcement to go after the botnets themselves, we just had a story from a week ago about international law enforcement removing a very large botnet. They seem to be attacking the problem from both ends, which seems like a reasonable approach.

Now we just need to figure out how to secure all these damned routers and IoT devices so they can't be used as botnets so easily. This wouldn't be nearly so much a problem if the fruit wasn't quite so low-hanging.

Re:hey, how about you don't do that

[Dahamma]

Jail is serious.

So it depriving a business of their livelihood. Someone walking into a store with a gun and robbing the cash register does a LOT less financial damage than these A-holes, but no one argues that armed robbers should be let off with a warning.

That said, I agree that no 18 year old should get multiple years in jail for a first time computer crime that didn't cause human harm. But there needs to be some SERIOUS repercussion, possibly including some (brief) jail time or everyone is going to think you get one get our of jail free card for white collar crimes...

(speaking of that, why not punish *all* white collar crimes by financial damage instead of the wealth of the criminal in that case... half of Wall Street would be in for 10 years after the last shitshow).

Re:hey, how about you don't do that

[Gojira+Shipi-Taro]

Then perhaps NOT DOING THAT would be a good decision.

"It was just a prank, bro" isn't a valid defense. Ever.

Re:hey, how about you don't do that

[Gojira+Shipi-Taro]

Good for you?

Actions, even mistakes, have consequences.

It affects other people, so it's not harmless.

He'll grow up, but he'll have to suffer the consequences of his own actions and decisions.

I personally managed to never do stupid shit that happened to be a felony. Because you know, I understand the whole consequences thing.

Congratulations for getting away with it, I guess.

Re:Grown Up Children

[93+Escort+Wagon]

The immaturity of some of these graduate students is astonishing, they're essentially grown up children.

Modern society is such that people aren't often forced to grow up until their 20s or 30s.

Re:How about targeting the source?

This might be an unpopular comment, but CloudFlare also hosts prominent private bittorrent sites, and I'm glad that they do. Piracy is a problem, but the dysfunction we've had in government (in the US) means that copyright isn't going to be meaningfully reformed anytime soon. Without piracy sites, I doubt that services like Netflix or Apple Music would exist -- they exist now because competition made the business model of the music and film labels / studios obsolete. I think this is a good thing. Piracy also makes content available to people who would not otherwise be able to afford it. Poor people aren't entitled to luxury cars, but I think they are entitled to western culture, whether they can afford it or not. Going after CloudFlare isn't the answer. Giving ISPs an incentive to kill connections that are obviously being abused for DDoS purposes is.

What?

[Gumbercules!!]

The FBI estimate his attacks cost Chatango about $5,000.... so bail is set at $100,000 and fines are around $250,000 with 10 years in prison? What?!? Surely a payment of say - $5,000 or maybe even $10,000 to the effected company would be a more suitable response?