The FBI Is Arresting People Who Rent DDoS Botnets

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.
Most of the other suspects arrested were under the age of 20.

hey, how about you don't do that

[SirSlud]

A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

Re:hey, how about you don't do that

[Ol+Olsoc]

A couple of years sounds good to me. Reform, know that it's serious, and don't any of your freedom for granted. I think we're still decades away from the law and society catching up to finding the balance.

A couple years is significant, although in the US it seems everyone wants everyone executed for anything. Of course we'd all be dead.

I wonder if we should start teaching civics again in schools. Seems a freaking CS graduate should know better, both socially and technically.

Re:hey, how about you don't do that

[wonkey_monkey]

now facing up to 10 years in prison and/or a fine of up to $250,000.

Doesn't mean he's going to get exactly that.

Re:hey, how about you don't do that

[ColdWetDog]

You only get justice if you can afford it.

It's the American way.

Re:hey, how about you don't do that

[Dutch+Gun]

Given that the estimated damage was $5000, I'd hope he just gets a rather stiff fine (maybe five to ten times the estimated damages). There's no need for him to be in prison, as he's not a danger to society, although he does need to be punished. The greater value is in letting people know they can't get away with hiring these services without consequences.

For people wishing for law enforcement to go after the botnets themselves, we just had a story from a week ago about international law enforcement removing a very large botnet. They seem to be attacking the problem from both ends, which seems like a reasonable approach.

Now we just need to figure out how to secure all these damned routers and IoT devices so they can't be used as botnets so easily. This wouldn't be nearly so much a problem if the fruit wasn't quite so low-hanging.

Re:hey, how about you don't do that

[Gojira+Shipi-Taro]

Then perhaps NOT DOING THAT would be a good decision.

"It was just a prank, bro" isn't a valid defense. Ever.

Re:hey, how about you don't do that

[Dahamma]

Sure depends on the amount of each. I'd sure prefer a threat of physical violence over some douche bag stealing my life savings from an investment account, and would gladly argue the latter should pay more.

Re:hey, how about you don't do that

[Gojira+Shipi-Taro]

Good for you?

Actions, even mistakes, have consequences.

It affects other people, so it's not harmless.

He'll grow up, but he'll have to suffer the consequences of his own actions and decisions.

I personally managed to never do stupid shit that happened to be a felony. Because you know, I understand the whole consequences thing.

Congratulations for getting away with it, I guess.

How about targeting the source?

Busting a few users sounds like the same failure that is the War On Drugs. They should go after the purveyors of these DDoS/stresser/booter services. Check out this recent list of them, all serviced by CloudFlare in the last year. This is who they need to arrest.

alphastress.com, anonymous-stresser.net, aurastresser.com, beststresser.com, boot4free.com, booter.eu, booter.org, booter.xyz, bullstresser.com, buybooters.com, cnstresser.com, connectionstresser.com, crazyamp.me, critical-boot.com, cstress.net, cyberstresser.org, darkstresser.info, darkstresser.net, databooter.com, ddos-fighter.com, ddos-him.com, ddos.city, ddosbreak.com, ddosclub.com, ddostheworld.com, defcon.pro, destressbooter.com, destressnetworks.com, diamond-stresser.net, diebooter.com, diebooter.net, down-stresser.com, downthem.org, exitus.to, exostress.in, free-boot.xyz, freebooter4.me, freestresser.xyz, grimbooter.com, heavystresser.com, hornystress.me, iddos.net, inboot.me, instabooter.com, ipstresser.co, ipstresser.com, jitterstresser.com, k-stress.pw, layer-4.com, layer7.pw, legionboot.com, logicstresser.net, mercilesstresser.com, mystresser.com, netbreak.ec, netspoof.net, networkstresser.com, neverddos.com, nismitstresser.net, onestress.com, onestresser.net, parabooter.com, phoenixstresser.com, pineapple-stresser.com, powerstresser.com, privateroot.fr, purestress.net, quantumbooter.net, quezstresser.com, ragebooter.net, rawlayer.com, reafstresser.ga, restricted-stresser.info, routerslap.com, sharkstresser.com, signalstresser.com, silence-stresser.com, skidbooter.info, spboot.net, stormstresser.net, str3ssed.me, stressboss.net, stresser.club, stresser.in, stresser.network, stresser.ru, stresserit.com, synstress.net, titaniumbooter.net, titaniumstresser.net, topstressers.com, ts3booter.net, unseenbooter.com, vbooter.org, vdos-s.com, webbooter.com, webstresser.co, wifistruggles.com, xboot.net, xr8edstresser.com, xtreme.cc, youboot.net

If CloudFlare would stop providing bulletproof hosting for criminals and spammers, the internet would be a better place. But CloudFlare apparently loves its criminal customers and the FBI loves CloudFlare. DDoS purveyors, terrorist websites, malware distributors, CloudFlare seems to welcome them all to its hive of scum and villainy. Maybe it's time to revive the concept of the Usenet Death Penalty and apply it to all traffic to and from CloudFlare. They're the sewer of the internet and should be null routed and de-peered.

Re:Grown Up Children

[93+Escort+Wagon]

The immaturity of some of these graduate students is astonishing, they're essentially grown up children.

Modern society is such that people aren't often forced to grow up until their 20s or 30s.

What?

[Gumbercules!!]

The FBI estimate his attacks cost Chatango about $5,000.... so bail is set at $100,000 and fines are around $250,000 with 10 years in prison? What?!? Surely a payment of say - $5,000 or maybe even $10,000 to the effected company would be a more suitable response?