Prosecuting DDoS Attacks? 164
dptalia writes "We all have heard of major DDoS attacks taking down countries, companies, and organizations. But how many of them are ever prosecuted? And how many prosecutions are even successful? I've done some research and it appears the answer is very few (Well duh!). And those that are successfully prosecuted tend to have teenagers as the instigators. Does this mean DDoS is a fairly safe crime to conduct? Are the repercussions nonexistent? Does anyone have some knowledge or insight into this that I don't have? How would you go about prosecuting a DDoS attacker? What's your experience with getting the responsible parties to justice?"
The first step (Score:1, Funny)
Don't do if you don't want another Terry Childs on (Score:2)
Don't do if you don't want another Terry Childs on your hands.
Re: (Score:2, Funny)
You will wire one million dollars into my Swiss bank account if you want to keep your precious site alive.
HahahahahahHAHAHAHAHAHAAAAAAA!
Re: (Score:3, Funny)
That's ridiculous. First, every nerd knows they don't have a host named www here, it always redirects. Besides, this script is more effective:
#!/bin/bash
while true
do wget -m -p slashdot.org &
done
Second, the easier way is just to submit a popular story that has a link back to slashdot, thus everyone reading will click on the link, and wallah! They /. themselves and self destruct.
Re:Don't do if you don't want another Terry Childs (Score:5, Funny)
thus everyone reading will click on the link
HAH! A common error!
Re:Don't do if you don't want another Terry Childs (Score:4, Funny)
I clicked on it just in case.
Re: (Score:3, Funny)
That was hot!
Natalie Portman /. Olivia Munn slash fiction!
Re: (Score:2)
I’m at work right now, but I dragged that link to my flash drive to check it later.
Re: (Score:3, Informative)
you mean voila, not wallah
Re: (Score:2)
Don't be so "Kayu" La.
Re: (Score:3, Funny)
(In a French accent) I fart in your general direction, now go away or I will ping you a second time!
Re: (Score:3, Interesting)
One of those "the authorities won't become interested until you take matters into your own hands" situations. And the reason is that, as a law-abiding (ok, more or less) citizen, you're much easier to prosecute.
What's needed is for one of these new "cyber" security agencies (and I hope this isn't offensive, but they really need to be led by combat veterans with modern prostheses) to be tasked with hunting botnets and taking them over. Displaying a "this computer secured by the U.S. Gub'mint" message is pr
Re: (Score:2)
Re:Don't do if you don't want another Terry Childs (Score:5, Funny)
It wouldn't be a matter of if this blew up in our faces, but when. It's still the only workable method.
Fortunately, since this would be run by the US, oversight would be provided by diligent public servants backed by an informed electorate.
Slashdotted (Score:5, Funny)
We get away with it daily here.
Not true - you still need sufficient horsepower (Score:5, Informative)
"Any properly configured web-server can easily handle the slashdot effect."
Obviously your definition of "properly configured" excludes servers designed to handle less than n different machines connecting to it per second, where n = the number generated by a typical linking from Slashdot.
The guy stuck in the last decade running a web server on an old Pentium machine serving up a streaming video of his latest stupid pet trick comes to mind. Sure, he may be able to serve up a few hundred, maybe thousands, of unique visitors per second, but at some point he's going to fall over and die when the load gets too high, and there's nothing he can do about it short of getting new hardware.
Yes, your point is taken, web sites can be designed so a click on a link here is handled with a minimum of resource utilization while still serving up useful content. But my point is if you are getting burst traffic of BIGGISHNUM unique visitors per second because of the /. effect, your web server and Internet connection better be up to handling those visitors in a graceful manner, preferably one more useful than "server busy, try again later."
Re: (Score:2)
Even a few hundred UNIQUE visitors per second is immensely huge. 200 * 60 * 180 (3hrs /. effect) = 2 160 000 uniques ... I doubt there's that many readers of /. by far ;)
Re: (Score:2)
The biggest problem would be the internet connection. It doesn't matter if your server is technically up - if the line is badly congested, it's effectively down.
Re: (Score:3, Interesting)
In a way I think "properly configured" includes "not running on a 512/128 kbps DSL line", "not running the latest whizbang blogging platform webapp on a 133 MHz Pentium with 64 megs of RAM" and "not trying to serve up funny cyborg pet videos on said 512/128 kbps DSL line".
There seem to be three common scenarios when sites get slashdotted:
Several recent examples (Score:5, Informative)
Maybe... (Score:1)
...DDoS goes unpunished because it usually originates through bot-nets and zombie computers. More so when trace-back leads to "masterminds" located in countries outside the country of targeted host.
If you get DDoS'ed by a teenager, maybe you deserve it. BTW, who the hell are you and your "research"?
You could always try (Score:2, Funny)
...using William Gibson's "black ice" from Neuromancer.
Illegal; but.... (Score:5, Insightful)
It doesn't help that a lot of the DDoS victims are either clueless and irrelevant (Yup, the feds don't really care about dialup users getting ping-flooded on IRC), widely considered to be a little shady themselves (*Call to the FBI* "Hi guys, I run this offshore gambling site in Antigua, and I've been having some problems with DDoS attacks that are really cutting into my ability to serve American customers during peak sporting-event times...." *click*), or are parties in some sort of nationalist pissing match, of the sort where many "patriotic excesses" have a tendency to be overlooked (Yeah, I'm sure the Russian authorities are working night and day to bring to justice anybody involved in attacks against Estonia...)
As a matter of law, DDoSing is hard to do legally, even in fairly shady areas (if nothing else, your botnet likely implies a fair number of computer-intrusion crimes in jurisdictions where that is an offense, and it is unlikely at best that you are properly reporting and paying taxes on the "protection" money that you are collecting). However, with the complexity of cross-jurisdiction investigation and prosecution, and without the massive public antipathy that something like kiddie porn has, the odds of actually getting brought to justice are fairly low, unless you are basically just a petty vandal hitting some high-profile target in the same country as you.
Re:Illegal; but.... (Score:4, Interesting)
A DDoS requires many hosts in different places... and that role is usually played by a botnet of unwitting users. If users cared more about their bandwidth consumption, or were responsible for the damage they caused by their insensitivity to the Internet community, then botnets would be a whole lot harder to assemble. I'm sick of the 3am calls from the girl who only calls when her computer won't work for her....
Re:Illegal; but.... (Score:5, Insightful)
I'd be delighted if there were something that caused people to wipe their flyblown zombie-boxes more often than they do now; but essentially criminalizing getting compromised seems cruel and ineffective when it is so easy to do and sometimes so hard to detect. You don't have to be "negligent", in any useful sense of the term, to get hit.
Re: (Score:3, Insightful)
Not applying security fixes, or not having a minimal level of antivirus/firewall software is a sure way to join a botnet lately. We need those $15/yr. subscribers to pay the white hat hackers who develop antivirus tech, this isn't like letting a magazine subscription lapse.
Re:Illegal; but.... (Score:5, Insightful)
Even having one isn't nearly as much protection as most of us would like to believe. A 2007 research study by Panda Labs [pandasecurity.com] found that about 23% of infected machines had active and up-to-date AV software.
My own tests of AV software were less than encouraging and made the 23% quite believable. The better software either had more than a few false positives (Avira), or can be a PITA for non-techie users, and even techie users, (Comodo).
Re: (Score:2)
My mother's computer was up to date with Windows and Flash patches, Spybot S&D, and AntiVir, and still got rooted somehow. I had to go back home, so I couldn't finish cleaning it up. She took it to a shop, which destroyed the machine, claiming it was unsalvageable, and then sold her a new one.
Re: (Score:2)
Frankly, if they charge per hour and she didn't have restoration disks, it probably was unsalvageable - at least, not without incurring more cost than the value of the computer.
Re: (Score:2)
>>Frankly, if they charge per hour and she didn't have restoration disks, it probably was unsalvageable - at least, not without incurring more cost than the value of the computer.
Given that all the data was available on the computer before they destroyed it, I'm of the school of thought that they just blew it up to sell her a new computer.
Re: (Score:2)
Unless they're selling hardware at silly prices, I wouldn't bet on that. Profit margins for most hardware are so low they'd probably make more money by charging for a few hours of cleanup.
Re:Illegal; but.... (Score:4, Insightful)
The public's acceptance of that crime is simply the same that applies to everything else:
Does it affect me?
No.
Can I get in trouble for it?
No.
Then why the heck should I care?
That's basically what it comes down to. People do not care about crime that (apparently, or at least directly) does not affect them. Even if they're being made accomplices. Why? Because it takes an effort to avoid it and there's no gain in it. Simple as that.
And no, you can't really make people directly liable for the damage they do that way. As much as I'd like it, even I could, unwittingly, become part of a botnet. A fair lot of malware passes through my machines here on a daily basis. That one of them manages to escape the sandboxes sooner or later is a given. So, for simple self-preservation, I wouldn't really want to see such a law become reality. Besides, it is near impossible for the average user to 100% avoid becoming subject to an infection. Yes, that includes you, dear reader. Not being a moron does help a lot to minimize the infection probability, but it does not remove it entirely. And with knowledge comes the (false) sense of security that you're too good to be infected. You're not. Well, you might be if you don't use Windows. But don't count on it. How often did you reinstall your Windows in the last 2 years? The average clueless idiot does so about every 6 months. And at least then his machine will be clean again. I have to admit, some of the machines here have been running Windows for over 5 years now. Are they still clean? I sure hope so. Am I sure? Not really.
But, and here is the point where I'd put the liability angle, I do what I can to keep them clean. I update their software. I keep them patched and sealed. I use a router to avoid external direct access. They are hidden behind a layer of firewalls. And of course they run on-access AV scanners, and are regularly swept with a different on-demand scanner. And aside from the firewall layers this is something that can easily be asked from Joe Randomuser: Get a router, get an AV scanner and get a software firewall. Where's the problem with that? You don't need to have a huge knowledge of computers to install those tools and turn on auto updates on the software you're using.
I wouldn't call it asking too much from any user to do that. If you got that and still get infected, pity. But you're off the hook. You did everything that could possibly be asked from you as a normal user. But if you install every kind of crap that's sent to you in a spam mail and poke around the net without any protection at all then yes, you're acting negligently. And then you should be liable for the damage you do.
Re: (Score:2)
Joe-User doesn't even know what a router is. To him it's a blinking box put in by them TV people. And a firewall? Might as well be talking about the latest monster truck event.
Fact is, most people are clueless and until they all replace their computers with smartphones and wired toasters we just have to accept that they're going to mess things up for the rest of us.
Re: (Score:2)
Ok, then go and get a course for computers 101. What? A course just to check my email? Yes. For every other kind of operation where you may put someone else in jeopardy you have to take a course, take some lessons or even pass a test. Why not computers and internet use?
Note that I don't say anything about an "internet license" or similar rubbish. Just that there should be a certain minimum standard expectation from you (i.e. having a router in front of you and having an AV tool installed) or your ass is on
Re: (Score:2)
Computing 101 or whatever isn't going to be enough to make a difference.
Re: (Score:2)
People do not care about crime that (apparently, or at least directly) does not affect them.
Then why has there been such support for the war on drugs, the criminalization of prostitution, crackdowns on illegal immigration, etc.?
Re: (Score:2)
It doesn't matter if it does or doesn't affect them. It only matters if they *think* it affects them.
It took a lot of marketing and fear-mongering to convince people they needed to make drugs illegal to pro-actively prevent addicts from raping and killing their daughters.
Re: (Score:2)
Obviously fining the members of botnets is impractical. A better idea would be to require the ISPs to disconnect them, although you'd have to be very specific about what they were allowed to monitor.
Re:Illegal; but.... (Score:4, Funny)
It woulda been nice, but it was Midnight her time when she called.
Re: (Score:2)
Or...
don’t answer?
Isn’t anybody considering the obvious?
If it’s not crucially important, let it go to voicemail and return the call at a decent hour...
Re: (Score:3, Interesting)
Re: (Score:2)
How conclusive is the evidence?
If it's all digital log files, how do you prove they haven't been manually created? If they pick the guy up and he denies it, then what? Even if they do successfully bust him, he's a minor and likely the first time he's been caught so not much is going to happen anyway... And if you take matters into your own hands, it's likely you that will get busted for harassing a minor.
But most of all the feds don't care because you aren't paying them enough to care... If you were a big c
Re: (Score:2)
The police can request his ISP logs to confirm, it's not that hard. They simply have more important things to do.
Re: (Score:2)
Most ISPs won't keep logs beyond when they connected and when they disconnected; they won't log the actual traffic to show that the user connected to the first in a series of systems leading to the botnet command&control server...
And even if they did get logged connecting to the command&control server, it would be hard to prove they were in control of it and not just another bot.
And it's all still just digitally created logfiles, trivial to forge such that a half decent lawyer would easily be able to
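The comments above turn on whether a digital log can be shown not to have been edited after the fact. One standard mitigation is to make the log tamper-evident: each entry carries a keyed hash (HMAC) that also covers the previous entry's tag, so a later edit, insertion or deletion breaks the chain. The following is an added example, not code from the thread or any poster; the key, the event lines and the tampering it demonstrates are all constructed for the example.

```python
# Added example, not code from the thread: a hash-chained, HMAC-keyed log whose
# entries can be checked for later edits, deletions or insertions. The key,
# the events and the tampering below are all constructed for the example.
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" of the first entry

def _payload(seq, prev, msg):
    # Canonical bytes covered by the tag: sequence number, previous tag, message.
    return json.dumps({"seq": seq, "prev": prev, "msg": msg}, sort_keys=True).encode()

def append_entry(chain, key, msg):
    """Append msg to chain (a list of dicts), tagging it with an HMAC that also
    covers the previous entry's tag, so every entry commits to all earlier ones."""
    seq = len(chain)
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, _payload(seq, prev, msg), hashlib.sha256).hexdigest()
    chain.append({"seq": seq, "prev": prev, "msg": msg, "tag": tag})
    return chain

def verify_chain(chain, key):
    """Return (True, None) if the chain is intact, else (False, index of the
    first entry whose sequence number, link or tag does not check out)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i
        tag = hmac.new(key, _payload(i, entry["prev"], entry["msg"]),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, entry["tag"]):
            return False, i
        expected_prev = entry["tag"]
    return True, None

# Constructed key and events. In a real deployment the key (or a signing key)
# would live on a separate log collector, not on the host producing the log.
KEY = b"constructed-demo-key-not-for-real-use"
EVENTS = [
    "2010-06-06T20:51:01Z accept 203.0.113.7:41822 -> 198.51.100.4:80",
    "2010-06-06T20:51:01Z accept 203.0.113.7:41823 -> 198.51.100.4:80",
    "2010-06-06T20:51:02Z drop 203.0.113.7 rate-limit",
]

def build_demo_chain():
    chain = []
    for event in EVENTS:
        append_entry(chain, KEY, event)
    return chain

def tamper_edit(chain, index, new_msg):
    """Copy of chain with one message rewritten (an after-the-fact edit)."""
    copy = [dict(e) for e in chain]
    copy[index]["msg"] = new_msg
    return copy

def tamper_delete(chain, index):
    """Copy of chain with one entry removed."""
    return [dict(e) for i, e in enumerate(chain) if i != index]

if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify_chain(chain, KEY))
    print("edited:", verify_chain(tamper_edit(chain, 1, "nothing happened"), KEY))
    print("deleted:", verify_chain(tamper_delete(chain, 1), KEY))
```

Two caveats matter for the evidentiary argument. The chain only shows that nobody without the key altered the log after it was written; it says nothing about whether the original event was genuine, and whoever holds the key can rewrite the whole chain, which is why the key belongs on a separate collector. Deleting entries from the tail is also invisible to this check unless the latest tag is published or stored elsewhere.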
Re: (Score:2)
It's just one person? Flood protection at a firewall level works fine when the attacker(s) floods from the same IP continually.
Re: (Score:2)
If he's got all that info, just file a civil suit for damages. Sure, it might not be easy to actually recover the money, but it might get the ball rolling at least.
Re: (Score:2)
the odds of actually getting brought to justice are fairly low, unless you are basically just a petty vandal, hitting some high-profile target in the same country as you.
So when can I start?
i got dossed ONCE (Score:2, Interesting)
Re: (Score:2)
Geez. Ever hear of punctuation?
I once penetrated a botnet (Score:2)
Years ago, a webserver that I was admin for was hacked. It was a multi-homed machine with perhaps 300 websites on it, and permissions were all over the map. I did numerous permissions scans and found a nasty dog's breakfast of 777 directories; this works, but I never got approval to do the work to clean it up because of potential customer upset.
So in this case, somebody used a flaw in a vulnerable formmail.cgi (remember that one?) uploaded a perl script in a hidden "dot" directory in a 777 images folder tha
Re: (Score:2)
Re: (Score:2, Insightful)
What makes you think they don't?
Dear China... (Score:5, Informative)
My company, and our hosting clients, are victims of DDoS attack at a surprisingly high frequency. Although this has cost us thousands, and if you believe our angry customers it's cost them millions, we've never even attempted to prosecute a DDoS perpetrator for the following reasons:
1) The fact that a DDoS is distributed means we'll be left with a list, in the best case scenario, of hundreds or thousands of IP addresses, without the slightest clue which one might lead to the real troublemaker. In fact, for most types of DDoS, none of them lead to the perp in any special way. Oftentimes DDoS attack machines are just zombied desktop computers, infected by a virus the genius user got from clicking on a porn ad.
2) In my experience, the vast majority of DDoS IPs are zoned to foreign countries. Mostly developing nations, or nations not particularly interested in Internet crimes against a US hosting company.
3) Even if the person or persons responsible for the attack were my next-door neighbors, we'd still need to track their actions through servers zoned in other countries. Try sending a subpoena to a (the?) Chinese ISP, asking for logs (if they even exist) from a server within their borders. Even if the log files showed activity from the perpetrator, it would still be somewhat circumstantial, and up for debate ("My computer has been hacked before / My wifi connection isn't secured / etc").
4) Even if you somehow managed, against all odds, to find the perpetrators, who were within a sane legal jurisdiction, and you won a contentious civil court case against them... Is a 17-year-old script kiddie really going to have any money?
It simply isn't worth the hundreds, if not thousands, of man-hours for us to jump down the rabbit hole for what's honestly not going to be much, if any, reward. I have never once in my life heard of a single successful DDoS prosecution that justified the cost in doing so.
Re: (Score:2)
And most attacks of this kind are using spoofed packets, so finding the actual nodes in the first place can be quite difficult.
Re: (Score:3, Interesting)
It depends - one of the most effective ways to kill a small site is to perform a "bandwidth rape" until they cross their monthly limit. A couple dozen people running simple wget loop requesting a large image/video continually can waste hundreds of gigabytes per day.
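The firewall-level flood protection mentioned a few comments up and the wget-loop bandwidth drain described here can be caught by the same mechanism: a sliding-window counter per client address over the web server's access log, flagging an address that exceeds either a request count or a byte volume. This is an added example and not code from the thread or any poster; the log lines, the addresses (documentation ranges) and the thresholds are constructed for the example.

```python
# Added example, not code from the thread: firewall-style flood detection over
# constructed web-server access log lines. Each client IP gets a sliding window
# of its recent requests; an address is flagged when it exceeds either a request
# count (simple flood from one IP) or a byte volume (looping fetches of a large
# file that burn through a site's monthly transfer allowance).
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 hammers the front page, 203.0.113.9 loops
# on a 700 MB image, 198.51.100.4 is an ordinary visitor. Last field is bytes.
SAMPLE_LOG = """\
198.51.100.4 - - [06/Jun/2010:20:51:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jun/2010:20:51:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jun/2010:20:51:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [06/Jun/2010:20:51:02 +0000] "GET /dvd.iso HTTP/1.1" 200 734003200
203.0.113.7 - - [06/Jun/2010:20:51:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jun/2010:20:51:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jun/2010:20:51:04 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [06/Jun/2010:20:51:05 +0000] "GET /dvd.iso HTTP/1.1" 200 734003200
203.0.113.7 - - [06/Jun/2010:20:51:05 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [06/Jun/2010:20:51:09 +0000] "GET /dvd.iso HTTP/1.1" 200 734003200
198.51.100.4 - - [06/Jun/2010:20:51:45 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.4 - - [06/Jun/2010:20:52:30 +0000] "GET /contact.html HTTP/1.1" 404 310
"""

class FloodDetector:
    """Sliding-window per-IP counters for request count and response bytes."""

    def __init__(self, max_requests, max_bytes, window_seconds):
        self.max_requests = max_requests
        self.max_bytes = max_bytes
        self.window = window_seconds
        self.recent = defaultdict(deque)   # ip -> deque of (ts, nbytes)
        self.volume = defaultdict(int)     # ip -> bytes currently inside the window
        self.blocked = {}                  # ip -> reason it was first flagged

    def observe(self, ip, ts, nbytes):
        q = self.recent[ip]
        q.append((ts, nbytes))
        self.volume[ip] += nbytes
        # Age out entries that fell outside the window.
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.volume[ip] -= old
        if len(q) > self.max_requests:
            self.blocked.setdefault(ip, "requests")
        elif self.volume[ip] > self.max_bytes:
            self.blocked.setdefault(ip, "bytes")
        return self.blocked.get(ip)

def parse_line(line):
    """Return (ip, epoch_seconds, bytes) for a CLF line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, size = m.groups()
    epoch = datetime.strptime(ts, TS_FMT).timestamp()
    return ip, epoch, 0 if size == "-" else int(size)

def scan(lines, max_requests=5, max_bytes=1_000_000_000, window_seconds=10):
    """Run the detector over log lines; returns {ip: reason} for flagged IPs."""
    det = FloodDetector(max_requests, max_bytes, window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            det.observe(*parsed)
    return dict(det.blocked)

if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {why} threshold exceeded")
```

The request-count rule catches the single-address flood; the byte-volume rule catches the "couple dozen people with a wget loop on a big file" pattern even when each of them stays under the request threshold. As the thread notes, this only helps while the attackers are few and unspoofed: a botnet spreading the same load over thousands of addresses stays below both thresholds per address, which is where the per-IP approach runs out.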
Re: (Score:2)
4) Even if you somehow managed, against all odds, to find the perpetrators, who were within a sane legal jurisdiction, and you won a contentious civil court case against them... Is a 17-year-old script kiddie really going to have any money?
Most likely there's someone far more "serious" behind huge DDoS operations than 17-year-old script kiddies; they might be hirelings but nothing more, and you can be sure there's money at the top. The trouble is that many career criminals rarely have any legal money, just black money. Mysteriously they always make rent and their car lease but they never have any assets for anyone to seize or wages to garnish. Or it's somehow whitewashed and put on relatives or some other way you can't reach it. So the conclusi
Re: (Score:2)
Downtime beyond their control... (Score:2)
My web host (MediaTemple) got hammered with a DDoS aimed at their DNS servers over the last few weeks. As a result, I've put my most critical domains on ZoneEdit's free-for-your-first-five DNS offer, with the web host playing backup. This plan successfully weathered a repeat attack.
To paraphrase Jim Cramer, redundancy must be the only free lunch in IT.
I'd love to provide you more insight into this (Score:1, Funny)
But the risk of being DDoS'ed due to what I might say is too great.
The 1st rule of defending yourself against DDoSers is not to talk about how to prosecute DDoSers, or DDoSers being brought to justice.
Ask slashdot (Score:5, Funny)
Does this mean DDoS is a fairly safe crime to conduct?
Oh I see "someone" is very interested in DDoS attacks for "research" right? Dude, listen, just give the link here and your problems will be solved.
Re: (Score:2)
Re:Ask slashdot (Score:5, Funny)
Fight back with eggs (Score:1)
It is? Really??? (Score:1)
I thought the left-coasters, er, I mean liberals, extended animal welfare laws to fetuses and embryos. Think of the poor pre-baby chickens!
Oh wait, you must mean non-fertile eggs, my bad.
Egging them on (Score:3, Informative)
IIRC, California passed an anti-animal-cruelty referendum, but it's got a couple of years to phase in.
Most eggs are non-fertile; the main people selling fertile eggs are selling them to random health-fooders, or else they're selling them because it's easier not to check whether your free-range hens have had access to a rooster.
Re: (Score:3, Informative)
I very, very seriously doubt that vandalism is legal in California.
You should take those urban legends you hear with a larger grain of salt next time.
It could be argued that toilet papering someone's house is legal, but eggs can and will easily cause actual damage that takes actual real money to fix. Eggs on a car can cause the whole car to need to be stripped and repainted.
Eggs are serious fucking business, not a harmless prank.
Re: (Score:2)
Eh, that sounds a lot less like "It's legal" and more like "anything we do will just be ignored", or "we're too busy to do all that paperwork"
It's vandalism clear as day. Hell, it could be a hate crime even.. but when you're dealing with a bunch of parents who are convinced their kid is a perfect little angel who would never do such a thing and who never lies to adults, any sort of punishment above a scolding gets pretty hard to actually accomplish.
So basically.. yeah, I don't doubt the cops have no inte
Types of attackers (Score:1)
The small-time crooks will go for smallish targets that have reasonable amounts of cash. They'll get noticed but aren't going to be a law enforcement priority. Even multi-million dollar companies don't have a lot of government influence - you need to be valued in the billions for that.
The teenagers will go for the big corporations or the government because they can and they want to get noticed. Well, surpr
It depends on the scale of your operation (Score:2, Insightful)
If you are a rich company that is well connected politically you can get away with practically anything, and this also goes for DDOS attacks.
Re: (Score:3, Insightful)
Re: (Score:2)
DDOS isn't solely a function of using all the bandwidth. You can keep a server so busy that it starts thrashing, while using less bandwidth than a T1. It is about keeping their server so busy it can't process legitimate requests using one or more of many methods. Hogging the bandwidth *is* one way, but a very ineffective way to do it.
Re: (Score:2)
Re: (Score:3, Interesting)
Well, not from what I know.
http://magbiz.net/news-en/unknown-person-extorts-shut-down-of-an-erotic-portal/?lang=en [magbiz.net]
D stands for distributed (Score:1)
And if you're a rich company that can pay for more bandwidth and processing than the other guy, you're virtually immune to DDoS problems.
I think you mean....
... if you're a rich company that can pay for more bandwidth than that used by a huge botnet or group of botnets attacking you, you're virtually immune to DDoS problems.
I expect (Score:2)
I expect that the people behind the DOS attacks commit other crimes where there is already a lot of case law supporting it.
AI DDOS Monitoring (Score:2)
Re: (Score:2)
"The internet has reached a stage where it is just as important a service as power and water ..."
No, it hasn't. It can't. If you need me to explain, you need to review 3rd grade biology. My daughter recently completed 3rd grade, but I'm pretty sure I don't trust any slashdotters around my daughter. So you'll need to find your own 3rd grader.
doc
Re: (Score:2)
The internet has reached a stage where it is just as important a service as power and water
Oh please. If the internet were removed it would be an inconvenience, nothing more. You can't say the same about power and water.
Tracking Down BotNet Masters (Score:4, Informative)
I found an interesting article on someone tracking down some botnet masters by contacting a few of the infected users, getting a copy of the trojan and running it in a sandbox.
http://www.bellua.com/bcs/asia07.materials/fredrik_soderblom.pdf [bellua.com] (PDF)
Happens on XBox live every day (Score:2)
People use bots to "host boot" people from their Halo 3 session and level up fast. There are even websites selling these bots for a couple of dollars each.
Re:Well done. (Score:4, Informative)
nope sorry im busy atm (Score:2, Funny)
Re:Well done. (Score:5, Funny)
No link to the article. Smart move.
Here's a link to the article: http://ask.slashdot.org/story/10/06/06/2051226/Prosecuting-DDoS-Attacks [slashdot.org]
Proof the article is optional (Score:2, Offtopic)
Dozens of comments despite the lack of article. I vote slashdot does away with links to the articles and just posts speculation from now on.
Re: (Score:2)
Great. Just great.
Do you realise what you’ve done? Now Slashdot will get slashdotted by thousands of blondes. Possibly millions.
Re: (Score:3, Funny)
Wouldn't want to trigger a DDoS attack on some innocent web server.
Banning Windows machines... Hmm.... (Score:1)
You can't just go banning Windows machines.
Hmm, maybe that should be part of every ISP's terms of service: "No windows machines." Yeah, that's the ticket....
Seriously though, ISPs should offer their consumer-grade customers a choice:
*Let us actively monitor your traffic for signs of known active virus- or botnet activity and when we spot it, block it, shutting down your service entirely if necessary, even though there will be false positives and even though this may have privacy implications for you, or
*provide us proof of liability insurance for
Re: (Score:2)
Rather than cracking down "with the full force of the law" you ask for a fine, no jail time, and possibly forfeiture of their computer hardware (but not the hard drive or other media).
No, I'd say the opposite. Take their computer, all the media and every computer in the house. Non returnable. The parents will then rip their little criminal teenie bopper a new one. Problem solved.
Re: (Score:2)
The problem with DDOS is the same as with crimes committed by multi-nationals: no one has the authority. Crime committed in country X, data center in country Y, business registered in country Z.
That's why the world court is such a good idea. A common set of rules for everyone and nowhere to hide.
Re: (Score:2)
Like the endless number of websites taken down by fark or /.
Re: (Score:2)
I don't want to be a party-pooper; but I don't think that is going to be enough.
I'm reasonably tech savvy, running Windows 7, fully updated, fully patched, running as a non-admin user, running FireFox. About two weeks ago, I found a website that was able to infect my computer with malware. All it took was my opening the website. The website was in the top 10 results returned by Google.
After cleaning it, I went back to the website to verify that it really did infect my PC and that it really required zero
Re: (Score:2)
And yes, I had anti-virus software running at the time.
Which AV product?