> and taking down all of Liberia’s Internet—to name a few examples.
This did not happen [1] as was documented here [2], here and here [3]. It spices up the story but in truth, one of the local telcos was affected but they accounted for less than a third of Liberia's Internet traffic. The weekend-like Internet traffic seen on that day was because of a national holiday.
Additional source: I lived in Liberia during that time managing the local IXP.
> The Department of Justice made the unusual decision not to ask for jail time. In its sentencing memo, the government noted “the divide between [the defendants’] online personas, where they were significant, well-known, and malicious actors in the DDoS criminal milieu and their comparatively mundane ‘real lives’ where they present as socially immature young men living with their parents in relative obscurity.” It recommended five years of probation and 2,500 hours of community service.
Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
I thought the more fascinating part was the mandate, as part of the community service, to help the FBI in tracking down additional abusers of Mirai and the resulting success. Seems like the best possible turnout for all parties involved.
If our society was teetering on the edge of chaos because we couldn’t figure out how to prevent shoplifting, maybe there would be a push to exploit the minds of people who can probe the dark mysteries of stealing Tide from CVS.
> Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
Rehabilitation is an excellent path, but removing consequences makes rehabilitation significantly less effective. It does not need to be either-or.
It also furthers an apparent divide in the justice system, irrespective of whether it does or does not exist.
> It might be surprising that DDoS providers could advertise openly on the Web. After all, DDoSing another website is illegal everywhere. To get around this, these “booter services” have long argued they perform a legitimate function: providing those who set up Web pages a means to stress test websites.
This reminded me of a Wired article[1] from a few weeks back that argued that many of the kids using these services to DDoS their friends/rivals don't realize they're illegal—so federal agencies are taking out keyword ads to warn potential users:
> In fact, he and other members of [cybercrime-busting group] Big Pipes argue that most booter customers seem to believe—or convince themselves—that merely paying to use one of the services to knock out an adversary’s internet connection isn’t against the law, or at least isn’t an enforceable crime. When the UK’s National Crime Agency (NCA) ran a six-month Google advertising campaign in 2018 to intercept people seeking booter services and warn them about their illegality, Clayton’s research group found that attack traffic in the UK remained flat for those six months, while it increased at its usual pace in other countries.
> In the years since, law enforcement agencies seem to have learned from that experiment: The FBI now also buys similar Google advertisements to warn potential booter customers that paying for the services is a crime. The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
During that time frame, I recall some top players being directly impacted by targeted DDOS attacks from other players. It wasn't too common only because people learned to protect their IP addresses, or change them periodically.
The Mirai botnet had a very negative impact on game play for several servers, and I would argue it was the key factor in the demise of at least one of the servers simply because it rendered certain games unplayable.
> To get around this, these “booter services” have long argued they perform a legitimate function: providing those who set up Web pages a means to stress test websites.
Don't these botnet services run on compromised computer systems?
For L7 request floods - they spin up a few dozen machines and use open & private proxies to funnel HTTP requests through. Sometimes those proxies are misconfigured Squid, sometimes it's private proxy services, sometimes it's compromised machines converted into proxies (which may be open or require auth / have been sold).
For L3/L4 amplification/reflection they're buying machines where they can spoof and using UDP amplification lists (other people's machines) to reflect off of (and obviously not getting permission to, etc.).
This is abstracted away from the customer and there is a wider and richer grayscale than at least I imagined before working at a data company and looking at IP providers for outbound. You have your TV sticks and VPN providers where a careful squinting at the ToS will tell you that users on the other end are signing off on the right to have their bandwidth leased. I don't see how else the supposedly legitimate providers of residential IPs could possibly offer the supply, geo-diversity, and pricing they do.
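A defender-side illustration of the reflected L3/L4 traffic described in the comment above, added here and not part of the thread: a heuristic run over constructed flow records that flags a destination when several distinct UDP sources, all sending from well-known amplifier service ports, converge on it with large average packet sizes. The record format, port list and thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors. The victim sees the reflected
# replies arrive *from* the service port, so that is the field we key on.
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp",
                   1900: "ssdp", 11211: "memcached"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse one constructed record per line: 'src:port dst:port proto pkts bytes'."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, pkts, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto, int(pkts), int(nbytes)))
    return flows


def reflection_candidates(flows, min_reflectors=3, min_avg_bytes=400):
    """Aggregate UDP flows from amplifier ports per destination and flag hosts that
    receive them from many distinct sources with large average packet sizes.
    Thresholds are assumed values; tune them to the network being monitored."""
    by_dst = defaultdict(lambda: {"reflectors": set(), "services": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in AMPLIFIER_PORTS:
            continue
        agg = by_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["services"].add(AMPLIFIER_PORTS[f.src_port])
        agg["pkts"] += f.packets
        agg["bytes"] += f.nbytes
    flagged = {}
    for dst, agg in by_dst.items():
        avg = agg["bytes"] / agg["pkts"]
        if len(agg["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            flagged[dst] = {"reflectors": len(agg["reflectors"]),
                            "services": sorted(agg["services"]), "avg_bytes": round(avg)}
    return flagged


# Constructed sample: four reflectors (NTP, SSDP, DNS) aimed at one host,
# plus a benign DNS answer and an ordinary TCP flow for contrast.
SAMPLE = """
203.0.113.10:123 198.51.100.5:4242 udp 400 180000
203.0.113.11:123 198.51.100.5:4242 udp 380 171000
203.0.113.12:1900 198.51.100.5:4242 udp 300 90000
203.0.113.13:53 198.51.100.5:4242 udp 500 600000
192.0.2.7:53 198.51.100.9:53412 udp 2 200
192.0.2.8:443 198.51.100.9:51000 tcp 40 12000
"""
```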
I find it extremely interesting that the FBI buys ads for illegal stuff, rather than Google just putting up a warning when you search for DDoS services.
I mean, it's not illegal to search for those keywords, so Google doesn't have much of an incentive to stop running ads on them (at least of their own free will). I'm sure "triple homicide" is a hot keyword for advertising the latest true crime podcast or whatever.
Granted, I'm also a little surprised that the FBI didn't just twist Google's arm about it, but who knows. Maybe Google did them a solid and doesn't actually charge for the ad space, or maybe the FBI is just trying to play nice since Google has plenty of federal contracts.
What I was trying to convey was that the FBI could have exerted some kind of pressure to get Google to run the anti-booter ads of their own volition instead of the FBI (presumably) buying the ads like anyone else would buy ads. I have no idea what that kind of pressure would entail cuz I don't work for the feds and couldn't say what their "do this or else" strategies are like, lol.
Right, I am assuming, because I'm not particularly familiar with the workings of the FBI lol.
Surely it's obvious that by "pressure" I'm referring to the threat of some sort of nebulous legal-y action if Google didn't comply with [xyz request]. Is that not how law enforcement functions? (I'd be shocked if they were asking very nicely and offering to take Google out to dinner.)
Of course they do, though not to a big company like Google for something trivial like this when they could pay a bit of money. Threats aren't cost free.
> The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
The FBI would be indicting them, not just warning them -- go to all that trouble of setting up a fake site, and then you just give up actually indicting them for their crime? What's even the point of that? That they didn't know it was a fake site is no defense, the FBI routinely, say, sells people fake bombs and then indicts them.
There's an extreme difference in severity between trying to buy a bomb and trying to pay for DDoSaaS. I'd rather people come out of this sort of thing unscathed but wiser, especially if they're simply ignorant of the law, which seems to be the objective of that tactic.
Besides, if something is illegal and there's a significant portion of offenders who are truly ignorant of its illegality, perhaps a new approach to education is needed, which this tactic also covers.
The NCA too, not just the FBI. But the Wired article goes on to say:
> Big Pipes’ Allison Nixon says she hopes that softer tactics like those can intercept would-be booter service operators early, before they start committing felonies: She’s found that most booter operators start as customers before launching their own service. But for people who aren’t dissuaded by those interventions, she says, Big Pipes and its partners at the FBI will still be watching them.
> “The hope is that this whole show of force will convince some of them to quit and get a real job,” Nixon says. “We want to send a message that there are people tracking you. There are people paying attention to you. We have our eyes on you, we might get you next. And it might not even be on Christmas.”
So the honeypots sound like a sort of catch-and-release strategy to scare kids before they start their own DDoS enterprises.
> Broadly speaking, § 1030(a)(5) prohibits a variety of acts that result in damage to a computer. Subsection 1030(a)(5) may be used to prosecute many of the activities that are commonly associated with hacking, such as the transmission of viruses or worms and unauthorized access by intruders who delete files or shut off computers. The provision may also be used to prosecute the perpetrators of Distributed Denial of Service (DDoS) attacks, which occur, for example, when an attacker overwhelms a server’s ability to process legitimate requests by overloading the server with a flood of illegitimate traffic.
Kicking your friend offline (via DDOS or other) would prevent it from processing legitimate requests and count as a breach of CFAA.
>would prevent it from processing legitimate requests
Your friend is not hosting a server and they are not incurring damages due to having trouble connecting to the internet.
The damages from not being able to process legitimate requests is like if you DDoS an ecommerce site, which means that they are unable to receive orders from legitimate customers, which causes them damage.
The example about servers is not the complete interpretation of the law. It is merely a simple, understandable example.
> The CFAA broadly defines “computer” as any “electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions,” including “any data storage facility or communications facility directly related to or operating in conjunction with such device . . . .” The CFAA excludes only automated typewriters, typesetters, portable hand held calculators, and similar devices from its definition of computer. These limited exceptions to the CFAA’s definition of “computer” “show just how general” the statute’s definition of computer is. As one court explained, the definition includes any device with an electronic data processor, of which there are numerous examples. Thus, under the CFAA, computers include not only laptops and desktops, but also a wide array of computerized devices ranging from cellphones to objects embedded with microchips, such as certain microwave ovens, watches, and televisions.
The definition is extremely broad, which means it also includes things like modems and routers.
> Your friend is not hosting a server and they are not incurring damages due to having trouble connecting to the internet.
But they are, right? Whoever is hosting the multiplayer match is running a server. And damages come in the form of being rendered unable to enjoy the video game they paid money for. "Damages" do not have to come in the form of lost customers.
I don't agree with that. If your DDoS prevents me from using services I paid for, I could rightfully sue you in small claims for the damages. They'd be small, a percentage of a monthly Internet bill. It's still damages.
It would depend on if being unable to access services you paid for would be considered damage to a "protected computer" which is specifically the kind of damage 1030(a)(5) protects against.
According to the FBI, 18 U.S.C. § 1030 proves you wrong, and I'm going to believe fbi.gov over anonymous HN commenters 99 times outta 100. Even if you think you're right because you think some part of the law is unconstitutional, or the way you worded the question was specifically chosen such that you think it doesn't fall under this law, or something I am not aware of idk, I don't believe that the FBI agrees with you, and they're the ones who would be charging me/my kids.
"The Rutgers IT department is a joke. This is the third time I have launched DDoS attacks against Rutgers, and every single time, the Rutgers infrastructure crumpled like a tin can under the heel of my boot."
The fact that people think this is impressive is mind boggling to me
It's interesting that a potentially very large amount of people have the necessary technical skills to set up large botnets. It's mostly teenagers that do it in the Western world since they're both stupidly brave and at the right level of technical knowledge to be able to do the hacking without understanding how much evidence they're leaving behind. Or perhaps they think themselves invincible anyway.
I've known a lot of people who did DDoS and it's honestly like speeding. Chances are that everyone is already doing it so you're not going to get caught, unless you decide to go 140 mph in a 55 mph zone or DDoS Chase bank.
DDoSing your own university and then disclosing it publicly is like going 140 mph in a 55 mph zone though.
I was a Rutgers student when this was happening. I recall some final assignments and exams getting canceled when they attacked the Rutgers network.
When the news broke about the perpetrators behind Mirai and specifically the Dyn attack, I was shocked that such a high-impact attack originated from one of my classmates in the CS department.
I was a student at the same time, and if memory serves correctly, the school's authentication server was down for multiple days at a time. This is a requirement to log into pretty much anything on campus. I remember being unable to access Canvas to download assignments and notes or read professor announcements.
> Paras had started his own DDoS-mitigation service, ProTraf Solutions, and wanted Rutgers to pick ProTraf over Incapsula. And he wasn’t going to stop attacking his school until it switched.
Isn't that just a protection racket? I.e. extortion?
I had thought, from the way the article was phrased, that the student was in an active dialogue with his school, and this makes me think they should've just kicked him out
The giant stories Brian Krebs wrote about these guys are fascinating; there are many more characters tangentially involved (like the Datawagon guy) that aren't covered in this.
"Telnet, an outdated system for logging in remotely."
This comment from the article bothered me. No evidence was given as to why it is outdated. I did a little digging to find that Telnet is vulnerable to several different attacks, but all of it can be mitigated by Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication. Of course many devices don't support TLS and SASL. If a device does support the newer standards I think it's wrong to consider it outdated.
"Outdated" is a reasonable moniker for devices that accept cleartext telnet over the open Internet. That you can retrofit security onto telnet by running it over a TLS tunnel is not especially relevant, nor does it make telnet less outdated; secure devices are better off just using SSH.
What makes a protocol outdated? I would argue that outdated protocols "bake in" outdated assumptions. The telnet protocol has a builtin assumption that the network is secure, while newer protocols for remote administration lack this assumption and assume an actively malicious network.
The telnet protocol does not have to be used only on the open internet, just as HTTP (insecure) does not have to be either. It can be used internally for whatever reason you want as well. I don't think that makes it outdated.
And what sort of network do you think the IOT devices from the article were designed to be used on? This kind of thought process (well security isn't important if you use it internally) is exactly the sort of attitude that led to the botnets in the article becoming as large and as devastating as they ended up being
"A bad workman blames his tools" - if you're implementing a solution and you choose the wrong tool for the job, the tool is not to blame. If you need a secure protocol, don't use an insecure protocol.
There are still ample use cases for the insecure protocol.
Telnet is not really used at all anymore. Most distributions come without it, or have it disabled by default. Historically it was the only way to connect remotely, as it imitated how connections used to work over phone lines. It's definitely outdated, as SSH is now the de facto standard.
That last part is interesting: it imitated how connections used to work over phone lines. Can you talk more about that or provide a link please? Thank you.
> but all of it can be mitigated by Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication
At this point anyone sane should question why he would add TLS and SASL to Telnet (and expect to find clients which would support those too) instead of slapping SSH.
It's like asking why anyone would consider a hand-operated drill outdated, since you can slap an electric motor on it.
Telnet is extremely, insanely outdated. It's like walking around in Elizabethan clothes. Just because you also strap on a fanny pack and can go to a modern pub in it doesn't make it up to date. Wearing six inch long pointy toes and a giant codpiece just makes you look ridiculous.
Possible reason: telnet lets you log in with username/password, which is much easier to obtain than an ssh key. Encoded traffic doesn't matter. Paras cs. wouldn't have been able to wiretap the affected servers.
It's not really related to teletypes (which I've never heard being called a teleprinter). They didn't operate over the internet, but used protocols such as RS-232 or acoustic modems.
Can you imagine how incompetent the FBI are that they can barely catch some teenagers? Jesus they're embarrassing.
The protocols and networks the internet runs on are ancient and inherently insecure and flaky, but nobody wants to invest in solutions. These attacks have gotten easier, not harder. So I hope these kind of attacks ramp up in intensity and severity to the point that the nation is crippled by some 15 year old anime nerd. Nothing else will get the government or private industry to take security seriously.
[1] https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-rea...
[2] https://thehackernews.com/2016/11/ddos-attack-mirai-liberia....
[3] https://twitter.com/DougMadory/status/794592487159529472