Cops use fake DDoS services to take aim at wannabe cybercriminals

The UK’s National Crime Agency (NCA) has recently announced work that it’s been doing as an ongoing part of a multinational project dubbed Operation PowerOFF.

The idea seems to be to use fake cybercrime-as-a-service sites to attract the attention of impressionable youngsters who are hanging around on the fringes of cybercrime and looking for an underground community to join and start learning the ropes…

…after which those who attempt to register are “contacted by the National Crime Agency or police and warned about engaging in cybercrime”.

The fake crimeware-as-a-service offerings that the NCA pretends to operate are so-called booters, also known as stressers, also known as DDoSsers, where DDoS is short for distributed denial of service.

DoS versus DDoS

A plain denial of service, or DoS, typically involves sending specially-crafted network traffic to one particular site or service in order to crash it.

Usually, that means finding some sort of vulnerability or configuration problem such that a booby-trapped network packet will trip up the server and cause it to fail.

Attacks of that sort, however, can often be sidestepped once you know how they work.

For example, you could patch against the bug that the crooks are poking their sharpened knitting needles into; you could tighten up the server configuration; or you could use an inbound firewall to detect and block the booby-trapped packets they’re using to trigger the crash.

In contrast, DDoS attacks are usually much less sophisticated, making them easier for technically inexperienced crooks to take part in, but much more natural-looking, making them harder even for technically experienced defenders to stop.

Most DDoS attacks rely on using apparently unexceptionable traffic, such as plain old web GET requests asking for the main page of your site, from an unassuming variety of internet addresses, such as apparently innocent consumer ISP connections…

…but at a volume that’s hundreds, thousands or perhaps even millions of times higher than your best day of genuine web traffic ever.

Floooded with normal

For example, a booter service run by crooks who already control malware that they’ve implanted on 100,000 home users’ laptops or routers could command them all to start accessing your website at the same time.

This sort of setup is known in the jargon as a botnet or zombie network, because it’s a collection of computers that can be secretly and remotely kicked into life by their so-called bot-herders to do bad things.

Imagine that you’re used to a million site hits a month, and you’ve made emergency provision in the hope of a gloriously high-traffic period where you might pull in a million hits in a single day.

Now imagine that you suddenly have 100,000 “users” all knocking on your door in a single 10-second period, and then coming back over and over, asking you to send back real web pages that they have no intention of viewing at all.

You can’t patch against this sort of traffic overload, because attracting traffic to your website is almost certainly your goal, not something you want to prevent.

You can’t easily write a firewall rule to block the waste-of-time web requests coming from the DDoSsers, because their packets are probably indistinguishable from the network traffic that a regular browser would create.

(The attackers can simply visit your website with a popular browser, record the data generated by the request, and replay it exactly for verisimilitude.)

And you can’t easily build up a blocklist of known bad senders, because the individual devices co-opted into the botnet that’s been turned against you are often indistinguishable from the devices or routers of legitimate users trying to access your website for genuine purposes.
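As an added illustration that is not part of the article, here is defender-side detection logic that bears out the three points above: only the aggregate request rate over a short window gives the flood away, while a per-IP limit sees nothing, because each co-opted device stays quiet on its own. The log format, thresholds and sample traffic are all constructed assumptions, not NCA data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Matches an Apache/nginx "combined"-style access log line (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path) for one access log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(4)

def detect_surges(lines, window_s=10, baseline_rps=0.5, surge_factor=20, per_ip_limit=5):
    """Bucket requests into fixed windows and flag any window whose total volume
    exceeds surge_factor x the site's normal rate; also report whether any single
    IP crossed per_ip_limit, which a botnet of many low-rate senders never does."""
    windows = defaultdict(lambda: defaultdict(int))  # window_start -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts, _path = rec
        bucket = int(ts.timestamp()) // window_s * window_s
        windows[bucket][ip] += 1
    alerts = []
    for bucket, per_ip in sorted(windows.items()):
        total = sum(per_ip.values())
        if total > surge_factor * baseline_rps * window_s:
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "requests": total,
                "distinct_ips": len(per_ip),
                "per_ip_limit_hit": max(per_ip.values()) > per_ip_limit,
            })
    return alerts

def make_sample_log():
    """Constructed sample: one quiet 10 s window, then 150 bot addresses (TEST-NET-1,
    192.0.2.0/24) each fetching '/' just twice in the next 10 s. No single bot is noisy."""
    fmt = '{ip} - - [21/Mar/2023:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.5", sec=1, path="/"),
             fmt.format(ip="198.51.100.7", sec=4, path="/about"),
             fmt.format(ip="203.0.113.5", sec=9, path="/contact")]
    for i in range(150):
        for _ in range(2):
            lines.append(fmt.format(ip=f"192.0.2.{i + 1}", sec=10 + i % 10, path="/"))
    return lines
```

Running `detect_surges(make_sample_log())` reports a single alert for the 10:00:10 window with 300 requests from 150 addresses and `per_ip_limit_hit` False, which is exactly the case where a per-sender blocklist has nothing to grab hold of.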

No experience necessary

Unfortunately, getting into the DDoS or booter scene doesn’t require technical skills, or the knowledge needed to write and disseminate malware, or the ability to operate a botnet of your own.

You can start off simply by hanging out with more experienced cybercriminals and begging, borrowing or buying (more precisely, perhaps, renting) time and bandwidth from their existing booter service.

Perhaps it doesn’t feel like much of a crime?

If all you’re doing is asking your school’s servers to process thousands of otherwise well-formed requests in order to disrupt a test you haven’t revised for, or to get back at a teacher you don’t like, or simply for bragging rights with your mates, where’s the criminality in that?

You might manage to convince yourself you aren’t doing anything wrong as long as you aren’t flinging malware at the network, aren’t aiming to break in, and aren’t intending to steal any data.

Heck, “enjoying” more traffic is something most sites would love to brag about, surely?

Not an innocent pastime

But DDoSsing is nowhere near as innocent as you might hope to claim in your defence if ever you find yourself hauled in front of a criminal court.

According to the NCA:

Distributed Denial of Service (DDoS) attacks, which are designed to overwhelm websites and force them offline, are illegal in the UK under the Computer Misuse Act 1990.

As the cops continue:

DDoS-for-hire or booter services allow users to set up accounts and order DDoS attacks in a matter of minutes. Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services.

[. . .]

The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyberoffences with ease.

Traditional site takedowns and arrests are key components of law enforcement’s response to this threat. However, we have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.

The NCA’s position is clear from this notice, as posted on a former decoy server now converted into a warning page:

Image: “Here be Dragons!” notice. Message shown after an NCA decoy site has served its purpose.

What to do?

Don’t do it!

If you’re looking to get into programming, network security, website design, or even just to hang out with other computer-savvy people in the hope of learning from them and having fun at the same time…

…hook up with one of the many thousands of open source projects out there that aim to produce something useful for everyone.

DDoSsing may feel like just a bit of countercultural amusement, but neither the owner of the site you attack, nor the police, nor the magistrates, will see the funny side.
