Slashdot Mirror


The FBI Is Arresting People Who Rent DDoS Botnets (bleepingcomputer.com)

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.

Most of the other suspects arrested were under the age of 20.

22 of 212 comments

  1. hey, how about you don't do that by SirSlud · · Score: 4, Insightful

    A couple of years sounds good to me. Reform, know that it's serious, and don't take any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

    --
    "Old man yells at systemd"
    1. Re:hey, how about you don't do that by Ol Olsoc · · Score: 5, Insightful

      A couple of years sounds good to me. Reform, know that it's serious, and don't take any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

      A couple years is significant, although in the US it seems everyone wants everyone executed for anything. Of course we'd all be dead.

      I wonder if we should start teaching civics again in schools. Seems a freaking CS graduate should know better, both socially and technically.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:hey, how about you don't do that by wonkey_monkey · · Score: 4, Informative

      now facing up to 10 years in prison and/or a fine of up to $250,000.

      Doesn't mean he's going to get exactly that.

      --
      systemd is Roko's Basilisk.
    3. Re:hey, how about you don't do that by ColdWetDog · · Score: 5, Insightful

      You only get justice if you can afford it.

      It's the American way.

      --
      Faster! Faster! Faster would be better!
    4. Re:hey, how about you don't do that by CaptainDork · · Score: 2

      Those don't matter as much as the long term effects for a young CS graduate.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:hey, how about you don't do that by Dutch Gun · · Score: 4, Insightful

      Given that the estimated damage was $5000, I'd hope he just gets a rather stiff fine (maybe five to ten times the estimated damages). There's no need for him to be in prison, as he's not a danger to society, although he does need to be punished. The greater value is in letting people know they can't get away with hiring these services without consequences.

      For people wishing for law enforcement to go after the botnets themselves, we just had a story from a week ago about international law enforcement removing a very large botnet. They seem to be attacking the problem from both ends, which seems like a reasonable approach.

      Now we just need to figure out how to secure all these damned routers and IoT devices so they can't be used as botnets so easily. This wouldn't be nearly so much a problem if the fruit wasn't quite so low-hanging.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    6. Re:hey, how about you don't do that by Dahamma · · Score: 2, Insightful

      Jail is serious.

      So is depriving a business of their livelihood. Someone walking into a store with a gun and robbing the cash register does a LOT less financial damage than these A-holes, but no one argues that armed robbers should be let off with a warning.

      That said, I agree that no 18 year old should get multiple years in jail for a first time computer crime that didn't cause human harm. But there needs to be some SERIOUS repercussion, possibly including some (brief) jail time or everyone is going to think you get one get out of jail free card for white collar crimes...

      (speaking of that, why not punish *all* white collar crimes by financial damage instead of the wealth of the criminal in that case... half of Wall Street would be in for 10 years after the last shitshow).

    7. Re:hey, how about you don't do that by Dutch Gun · · Score: 2

      I'd say a better analogy would be burglary instead of armed robbery, as threatening someone with a gun is serious because of the implied threat to human life. Also, it's a bit strange that he supposedly brought down this chat site for two months, yet damages are valued at $5000. One can only draw the conclusion that this was not a large, money-making operation.

      I'm not making light of this, but this was the equivalent of some small time burglary or shoplifting, not some masterful hack bringing down million-dollar businesses. He may have spent more renting the botnet than the site lost because of his attacks. I'd be up for fining him a decent amount, but jail time punishes the taxpayer as well as the criminal, so should be reserved for serious or violent offenders.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    8. Re:hey, how about you don't do that by Gojira Shipi-Taro · · Score: 4, Insightful

      Then perhaps NOT DOING THAT would be a good decision.

      "It was just a prank, bro" isn't a valid defense. Ever.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
    9. Re:hey, how about you don't do that by CaptainDork · · Score: 2

      Fuck valid defense.

      I was 26, 45 years ago.

      I'm an expert at doing stupid shit.

      I just never got caught.

      He'll grow up.

      --
      It little behooves the best of us to comment on the rest of us.
    10. Re: hey, how about you don't do that by Anonymous Coward · · Score: 2

      You didn't get caught that's the problem.... it's not an excuse.

      I for one would like to see you discovered and punished appropriately (ok maybe a bit more than appropriate would be nice)

      The world would have 1 less asshole and be less full of shit.

    11. Re:hey, how about you don't do that by Dahamma · · Score: 3, Interesting

      Sure depends on the amount of each. I'd sure prefer a threat of physical violence over some douche bag stealing my life savings from an investment account, and would gladly argue the latter should pay more.

    12. Re:hey, how about you don't do that by Gojira Shipi-Taro · · Score: 4, Insightful

      Good for you?

      Actions, even mistakes, have consequences.

      It affects other people, so it's not harmless.

      He'll grow up, but he'll have to suffer the consequences of his own actions and decisions.

      I personally managed to never do stupid shit that happened to be a felony. Because you know, I understand the whole consequences thing.

      Congratulations for getting away with it, I guess.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
  2. For Rent? by freeze128 · · Score: 2

    If you can rent botnets, then maybe that would be useful to large corporations who do not want to be DDOSed. They rent the botnet, then don't use it. That way, those millions of bots aren't being used to attack their site.

    1. Re:For Rent? by Dahamma · · Score: 2

      Sounds like extortion to me. The mob uses the same strategy - "hey, pay us to protect you and we don't destroy your business".

  3. How about targeting the source? by Anonymous Coward · · Score: 5, Informative

    Busting a few users sounds like the same failure that is the War On Drugs. They should go after the purveyors of these DDoS/stresser/booter services. Check out this recent list of them, all serviced by CloudFlare in the last year. This is who they need to arrest.

    If CloudFlare would stop providing bulletproof hosting for criminals and spammers, the internet would be a better place. But CloudFlare apparently loves its criminal customers and the FBI loves CloudFlare. DDoS purveyors, terrorist websites, malware distributors, CloudFlare seems to welcome them all to its hive of scum and villainy. Maybe it's time to revive the concept of the Usenet Death Penalty and apply it to all traffic to and from CloudFlare. They're the sewer of the internet and should be null routed and de-peered.

    1. Re:How about targeting the source? by Anonymous Coward · · Score: 2, Insightful

      This might be an unpopular comment, but CloudFlare also hosts prominent private bittorrent sites, and I'm glad that they do. Piracy is a problem, but the dysfunction we've had in government (in the US) means that copyright isn't going to be meaningfully reformed anytime soon. Without piracy sites, I doubt that services like Netflix or Apple Music would exist -- they exist now because competition made the business model of the music and film labels / studios obsolete. I think this is a good thing. Piracy also makes content available to people who would not otherwise be able to afford it. Poor people aren't entitled to luxury cars, but I think they are entitled to western culture, whether they can afford it or not. Going after CloudFlare isn't the answer. Giving ISPs an incentive to kill connections that are obviously being abused for DDoS purposes is.

    2. Re:How about targeting the source? by ChoGGi · · Score: 2

      Free speech means taking the good with the bad.

  4. Re:Grown Up Children by 93 Escort Wagon · · Score: 4, Insightful

    The immaturity of some of these graduate students is astonishing, they're essentially grown up children.

    Modern society is such that people aren't often forced to grow up until their 20s or 30s.

    --
    #DeleteChrome
  5. What? by Gumbercules!! · · Score: 3, Insightful

    The FBI estimate his attacks cost Chatango about $5,000.... so bail is set at $100,000 and fines are around $250,000 with 10 years in prison? What?!? Surely a payment of say - $5,000 or maybe even $10,000 to the affected company would be a more suitable response?

  6. OMG, Arresting people that break the law... by melting_clock · · Score: 2

    There are very few applications for a DDoS attack that could be considered legal. The FBI, and other law enforcement agencies, should be arresting those that break the law. Maybe that will leave them less time to spy on the rest of us...

    There are more victims in a DDoS attack than the target. They can include:
    * The people or organisations with infected devices that launch the attack that can have actual costs due to the use of their connections.
    * Internet service providers.
    * The rest of us that just want to be able to surf the net without reduced performance.
    * Those that have a legitimate reason and right to access the target of the attack.

    I can't see any reason to feel sympathetic towards the customers of DDoS for hire that get caught. Lock them up like any other criminal.

  7. Hey how about by siamesevodka · · Score: 2

    DON'T DO THE CRIME IF YOU CAN'T DO THE TIME. I don't feel sorry for this guy. He is twenty five years old. What do you want him to have? A participation certificate instead. The reason I shell out good money for malware and anti-virus every year, is to keep assholes like this from messing up my computer. Put him in jail with Rachel from cardholder services. I used to think used car salesmen were the bottom feeders, but telemarketers and people that just want to ruin things like this guy are the new bottom feeders. The benefit of a good education isn't worth much if you make poor decisions like this. 10 years will give him time to learn how to be a janitor or fast food worker, because nobody is going to hire him for what education says he is. What a waste.