DDOS for Profit

Brian Krebs reports that the Israeli DDOS service vDOS has earned $600K in the past two years. The information was obtained from a hack and data dump of the company's information.

EDITED TO ADD (9/11): The owners have been arrested.

Posted on September 9, 2016 at 9:12 AM • 13 Comments

Comments

Gweihir • September 9, 2016 2:09 PM

They probably did a few million times that in damage. Why are we tolerating scum like that on this planet?

Nick P • September 9, 2016 6:33 PM

@ Sancho_P

"I’m afraid we have to face it."

Maybe. Remember these things only succeed because our architectures make it insanely easy to do so. They couldn't have pulled this shit on a Burroughs B5000 without return-oriented programming. Small mods can knock that out too. Resulting computer is still fast and cheap in mass market. Intel is even adding extensions for software security. So, a system immune to code injection by default is both possible & economical.

I did say Maybe, though. :( The maybe comes in the fact that insecure OS's and apps dominate everything to the point that the switching cost might be too high. Essentially, we'd have to convince Intel, AMD, and Microsoft to do it in a way that works for all versions of Windows. Including old and unlicensed. Otherwise, they'll still have millions of stragglers to target. It's not impossible to pull this off but pretty improbable.

I'm not even including the carrier side of the situation where we get Tier 1 to Tier 3 to block these or disconnect hosts that do poor security. That's asking way too much for companies that care way too little. Their brands don't even get hurt by the attacks.

Mick E. Spillane • September 9, 2016 7:22 PM

@Gweihir

"Why are we tolerating scum like that on this planet?"

Because some people are just as crazy for Moolah as other people are for Allah*. They've all got some "excuse" for dry-humping their "fellow" man.

Also, because people like me aren't allowed to.... well, you know, have a little fireside chat with them.

*Not just picking on one Invisible Sky Daddy here. Take your pick.

Shachar • September 10, 2016 12:54 PM

@Jacob,

What's strange to me is that the article you point to (explaining traffic amplification using 3rd party services and spoofed source packets to the victim's machine) takes it as read that conducting DDoS is a desirable thing. There is not a single apologetic or even half way evasive sentence in there. And yet, this paper is written with people's full names given as authors.

And yet, the publication in which this was published advertises itself as a security publication. Are people really so fuzzy about the difference between attack and defense?

Shachar

Sancho_P • September 10, 2016 6:10 PM

@Nick P

I assume @Gweihir was addressing the bigger picture (?).
In this domain there is no technics, so there can’t be a technical solution.
Our mantra is unlimited growth, this is incompatible with any restriction.
Security means limits, this was yesterday, we can’t go back in time.

Jacob • September 11, 2016 7:12 AM

Interesting development:

Israeli police claimed in court today that it has followed the vDOS operation for the last 9 months.
Since the 2 criminals turned 18 yo a couple of months ago, the defence wondered if the police has waited for them to turn 18 so they would be tried as adults.

If this is true, then we see again that the police (and the FBI who submitted the formal arrest request a few days ago) are more interested in nailing criminals hard than protecting the victims - just as was the case with the child porn site which had been run by the FBI for an extended period of time.

Carlito • September 11, 2016 9:18 AM

That's a nice protection racket you have going there... It'd really be a shame if your little leg breakers were jailed before you even got to capitalize on it.

CallMeLateForSupper • September 11, 2016 10:20 AM


Additional article by Krebs:
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/

I read it yesterday (10 Sep). When I returned just now to grab the link, the main page only partially loaded. Four subsequent attempts were totally unresponsive. Krebs says in the above article that a DDOS against his site began on Friday, was still under way as he was writing, and that Akamai was protecting his site. Either Krebs took down his site or Akamai has been overwhelmed.

EvilKiru • September 11, 2016 5:28 PM

That Krebs link loaded for me just now, with visible lag as the various elements loaded in over the course of a few seconds (about 2 to 3, I'd estimate).

vas pup • September 13, 2016 9:19 AM

http://www.bbc.com/news/technology-37348014
Fighting hacking back - good example to follow. Unfortunately, in US (as pretext as civilized way of interaction) your ability to actively fight back any violation of your personal privacy, invasion of your home/property, attack on you or your family member is substantially limited by Laws which basically protects rights of criminal more than rights of the victim. Bitter observation. Your home is not your fortress anymore (I guess except in Taxes - any input is appreciated). The old practice of making criminal/fugitive more vulnerable than victim by removing any protection and letting anybody to apply deadly force (criminal was assigned status of outside the Law protection) forced criminal to run as fast as possible to LEO station to get protection. Do you think any criminal could be reformed without actually suffering same or close level of pain he deliberately inflicted on the victim? I guess most of them not, because pain goes directly to the old brain for processing and pain is almost always go through rather than all other measures which required developed frontal lobes to accept, process and internalize to be reformed. In any case starting point to be really reformed is to go through same painful personal experience as victim did. Just politically incorrect opinion.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.