
FBI kicks some of the worst ‘DDoS for hire’ sites off the internet - tareqak
https://techcrunch.com/2018/12/20/fbi-ddos-booter-sites-offline/
======
Jedi72
I watched a documentary on Scientology ages ago about how they were suing the
crap out of people for DDoSing their site. The problem was these people were
basically just kids, most were ~14 years old, who saw something on 4chan and
followed instructions. I believe this was ~2001 [correction: 2008]. One of
their lawyers was going with the defence that DDoS was equivalent to a sit-in
protest, not unlike those used during the segregation protests in the US in
the 1960s, specifically of diners who refused black customers. Sending 200
people into a diner and refusing to move is basically IRL denial of service.
Unfortunately I can't remember the exact name of the documentary but this wiki
page covers the events
[https://en.m.wikipedia.org/wiki/Project_Chanology](https://en.m.wikipedia.org/wiki/Project_Chanology).
I always wondered how successful that defence was, I haven't been able to find
a follow-up.

~~~
marcoperaza
The major problem with that defense is that sit-ins aren’t legal. There is no
general right to occupy private property to make a political point.

You may think that’s what was going on in the 60s lunch counter sit-ins, but the
question there was the legality of racial discrimination in privately owned
restaurants. The court never ruled on the exact issue, made moot by the Civil
Rights Act. But there was never any suggestion that sitting-in somewhere
_where you had no right to be_ was legal.

~~~
blitmap
Speaking as someone who wasn't alive during the 60s:

I thought the objective of a sit-in was to gain service (not obstruct it)? My
understanding is that people of color were not served when they were very
willing to pay for and make use of it.

~~~
chrissam
The objective of sit-ins was to protest, not to buy lunch. If you wanted
lunch, you'd go to a place that would serve you and the status quo would be
maintained. It's immaterial whether people participating in sit-ins had money
or planned to eat.

You might say that the long term objective of sit-ins was to gain service, but
only inasmuch as "gaining service" fell under the umbrella of "equal rights".

Finally, as a possibly unwelcome aside, I find it somewhat irritating to see
civil rights protestors referred to as "people of color". The Civil Rights
Movement was about acknowledging shared humanity, not dividing people into
groups based on privilege. Also, Americans, dark-skinned and otherwise,
participated in these movements. Many sit-ins involved large groups of white
people sitting down with at least one black person, so _all of them_ would be
refused service. The Civil Rights Movement of the 60s sought allies regardless
of race, which is perhaps why it was so successful.

~~~
chimeracoder
> The Civil Rights Movement was about acknowledging shared humanity, not
> dividing people into groups based on privilege. The Civil Rights Movement of
> the 60s sought allies regardless of race, which is perhaps why it was so
> successful.

This is rather revisionist.

The term "privilege" in its contemporary usage hadn't been coined then, but if
you go back to the writings of early civil rights leaders, it's pretty clear
that the purpose was _not_ about "acknowledging shared humanity". It was
specifically about liberation of Black people, and the fight to secure equal
rights for Black people. It was _not_ uniformly welcoming to "allies" of other
races, and in fact, many of its most successful leaders were skeptical at best
of support from people who weren't black.

We've since whitewashed the legacy of its most famous leaders, such as Martin
Luther King Jr., but even he was a lot less interested in "shared humanity"
and non-black "allies". Yes, if you go by popular representation of him today,
that's the impression you'll get of him, but as often is the case, the primary
sources tell a very different story.

The statement "the Civil Rights Movement sought allies regardless of race,
which is perhaps why it was so successful" is only correct if you are
referring to the Civil Rights Movement as a retroactive construct: the way
that contemporary society has essentially retconned the history of the real
civil rights movement. Yes, _that_ depiction of it has been very successful,
because that depiction is more palatable and appealing to people who aren't
black (specifically: less threatening to white people), and that's why we
think of Martin Luther King, Jr. as a milquetoast nonviolent preacher who gave
speeches but didn't really step on anyone's toes, instead of the
revolutionary, armed radical man that he really was.

------
creaghpatr
Did the FBI add the santa hats? Because that's pretty savage if they did.

~~~
brian_herman__
No I think arstechnica did that...

~~~
zantana
Yes if you go to the sites via the links to the domains in the article they
don't have the santa hats. I had to check for myself.

~~~
atonse
Aww yeah ok this is more realistic :-)

------
hannob
I won't shed a tear for DDoS services, but I seriously doubt this will have
any relevant impact.

These DDoS services exist because we have an Internet full of devices that you
can trivially take over by logging into them with admin/admin or other default
credentials you can find in public lists. As long as these exist there will be
people abusing them.

If you want to do something about DDoS the thing that needs to happen is that
the number of trivially vulnerable devices needs to be reduced. That likely
means thinking about device security regulations and minimum security
requirements, probably also vendor liability.

------
thosakwe
All seriousness aside, the "domain seizure" actually made me laugh. I guess
there was deliberately a bit of humor in it. Random hex numbers scattered all
around, glassy blue, and a massive red "THIS DOMAIN HAS BEEN SEIZED," feel at
least a little tongue-in-cheek.

------
PhasmaFelis
Hadn't heard them called "stressers" before. Is that for sites that were
pretending they were for stress-testing your own site, not DDoSing someone
else's? Glad it didn't work out for them.

~~~
Cyph0n
Yep, especially on the more "public" forums like HF.

The same approach is used with malware crypters or RATs (remote administration
tools, heh).

~~~
Namrog84
I take it then that there are legitimate sites that do offer this service but
properly verify owners first?

~~~
ceejayoz
Yes. I used Blitz.io a couple of times; they'd require you to put either a DNS
entry in place or upload a file to a specific location in the domain's root.

~~~
yepguy
That doesn't really prevent anyone from attacking a hosting service like
GitHub Pages or Netlify, though.

~~~
lelandbatey
The idea is that the stress testing site dictates where the file must go, not
the user. So for them to run the test, they may need to see a specific file at
"subjectsite.com/secretguid"

The idea being that unless you have total domain control, you can't get that
file where they want you to put it.

~~~
yepguy
If you use a custom domain with those services you can still place a file
anywhere you want.

~~~
cwyers
Sure, but now GitHub can see what domain all the DDoS traffic went through,
see who paid for it, and now you've practically giftwrapped a confession.
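
The ownership check discussed in the replies above (a file at a path the testing service dictates, the shared-hosting caveat, and tying approval to a paying account), sketched as an added example that is not part of the thread or any real service's code. `OwnershipChallenge`, `verify`, `make_fetcher`, the file format and the suffix list are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed, non-exhaustive list of multi-tenant hosting suffixes.
SHARED_HOST_SUFFIXES = (".github.io", ".netlify.app")


class OwnershipChallenge:
    """Challenge a (hypothetical) load-testing service issues per account and domain."""

    def __init__(self, server_key: bytes, account_id: str, domain: str):
        self.account_id = account_id
        self.domain = domain.lower().rstrip(".")
        # The service, not the customer, picks the unguessable path in the web root.
        self.path = "/" + secrets.token_hex(16) + ".txt"
        msg = f"{account_id}|{self.domain}|{self.path}".encode()
        # Expected file body is bound to account, domain and path.
        self.expected = hmac.new(server_key, msg, hashlib.sha256).hexdigest().encode()


def verify(challenge, fetch):
    """fetch(url) -> (status, body_bytes), must not follow redirects. Returns (ok, reason)."""
    if challenge.domain.endswith(SHARED_HOST_SUFFIXES):
        # Anyone can publish files under a platform-owned name.
        return False, "shared hosting name: a file there does not prove domain control"
    status, body = fetch(f"https://{challenge.domain}{challenge.path}")
    if status != 200:
        return False, f"challenge file not served (HTTP {status})"
    if not hmac.compare_digest(body.strip(), challenge.expected):
        return False, "challenge file has wrong content"
    # A custom domain pointed at a shared host still passes; the approval is
    # tied to account_id so the resulting traffic stays attributable.
    return True, f"verified for account {challenge.account_id}"


def make_fetcher(site):
    """Constructed in-memory stand-in for HTTP, so the example runs offline."""
    return lambda url: (200, site[url]) if url in site else (404, b"")


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    ch = OwnershipChallenge(key, "acct-1", "example.com")
    print(verify(ch, make_fetcher({})))
    print(verify(ch, make_fetcher({f"https://example.com{ch.path}": ch.expected + b"\n"})))
```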

------
slang800
They just seized the marketing sites' domain names? How is this a victory? If
the people running these sites are still able to continue their operations
then they'll just get a new domain name and host a new signup page. The only
thing they might have lost is some brand recognition.

------
ourmandave
Wonder if they managed to get their hardware or a list of compromised machines
they use for their attacks.

Maybe let some people know their router is f'd.

------
bcaa7f3a8bbc
Sure, some particular DDoS campaigns can be seen as a sit-in protest and
personally I'm not personal objective or supportive to these campaigns, but
under the current architecture of the Internet and World Wide Web, DDoS cannot
be prevented, and as a vulnerability, it not only enables "sit-in protest",
but essentially enables a mechanism of censorship, especially after the rise
of these "DDoS as a service" vendors, they are effectively a "Censorship on
Demand" service. Any self-published speech on a personal webserver now can be
kicked out of the Internet by anyone. For example, during the Hong Kong Occupy
Central protest in 2014, some news websites experienced a government-sponsored
500 Gbps DDoS attack. The recent example was Krebs On Security blog, which has
been a target for blackhat groups and hit by a 1 Tbps attack.

The World Wide Web was supposed to be a (to some extent) permissionless
publishing platform, that means if you are already connected to the Internet
via a commercial ISP, as long as the content is legal and the law of your
jurisdiction protects the freedom of speech, you don't need anyone's
particular approval to run an HTTP server. But now under the threats of DDoS
attack, no independent webserver can survive, the only solution is utilizing a
centralized CDN / reverse-proxy, and accepting the EULA of their choice and
theoretically they can modify and censor your traffic arbitrarily. I think
decentralized systems such as ZeroNet or IPFS may be a solution, and I hope
they can be integrated into a web browser one day.

------
TheGrassyKnoll
‘DDoS for hire’ == Aaas == Assholes as a Service

~~~
mickael-kerjean
Not necessarily, a DDoS for hire is a great way to test things before
deployment

~~~
chipperyman573
This is exactly how they're marketed - they're not DDoS services, they're
"stress testing" services you can use to make sure your server can withstand a
real DDoS. Obviously nobody (including the FBI) believes that.

~~~
thecatspaw
Professional load testing tools usually require you to prove ownership of the
server

------
Medox
Any idea what percentage of all (at least the biggest ones) were taken down?
'15 high-profile [...] websites' could be most of the high-profile ones or
just 10%. Sadly, few articles put things into perspective.

~~~
hiccuphippo
I'd be more wary of the low-profile sites. Those will be more difficult to
take down.

------
wolco
FBI domain takeovers are abuse of power, pure and simple.

~~~
lern_too_spel
The government has long been able to seize property used in a crime.
[https://en.m.wikipedia.org/wiki/Civil_forfeiture_in_the_Unit...](https://en.m.wikipedia.org/wiki/Civil_forfeiture_in_the_United_States)

~~~
wolco
Why would you apply US law to global top level domain extensions?

~~~
ashelmire
Because the US created and still largely controls the internet, in practice if
not in ideology. Also we have the largest military and law enforcement reach
on the planet.

~~~
cf498
> Also we have the largest military and law enforcement reach on the planet.

I think the modern equivalent of gunboat diplomacy fits the term abuse of power
rather well, wouldn't you agree?

------
graphememes
Can't they just move them?

~~~
tyingq
They can, but whatever existing links or organic rankings they had are now
gone.

~~~
hiccuphippo
And now copycats will probably release their own site claiming they are the
same guys. This happens with torrent sites whenever they get taken down.

------
starbeast
This site is still up.

------
sandov
The US is such a weird country. They probably have the best free speech
protection in the world, for which I admire them, but then they do this kind
of stuff. They sometimes are an example in freedom and sometimes they're the
complete opposite.

~~~
symfoniq
Maybe we "do this kind of stuff" specifically _because_ we value free speech.
DDoS perpetrators restrict the online speech of their victims. There is
nothing inconsistent about America's First Amendment protections and the FBI's
actions here.

