Operation PowerOFF: DDoS Sites Denied Service (by US, UK, Europol)

Around 50 so-called booter DDoS sites have been nuked by international law enforcement. And seven of their alleged administrators have been charged.

Also known as stressers, these denial-of-service services do DDoS for hire. They claim to be legit performance testing tools, but as you might imagine, they’re often used for evil.

And the FBI says the operators knew full well what they’re used for. In today’s SB Blogwatch, we service their denials.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: DJ Earworm’s annual thing.

FBI and Friends Pull the Plugs

What’s the craic? William Turton reports—“US Is Seizing 48 Websites in Sting of Cyberattack-for-Hire”:

Harassment, extortion and criminal mischief
In all, the US obtained a court order to seize 48 websites, and six people were criminally charged in relation to the takedowns, according to federal prosecutors. The FBI [is] in the process of seizing the websites [which] were used to launch … millions of so-called DDoS attacks around the world.

The services are often used for harassment, extortion and criminal mischief. … DDoS services have been used to extort news websites to remove unflattering articles, … to demand money from businesses to make the attacks stop [or] to knock competitors in a video game offline. … The Christmas holiday [is] a popular time for DDoS operators to launch attacks on gaming services.

It’s not just in the U.S., notes Jessica Lyons Hardcastle—“Sting op takes down 50 DDoS-for-hire domains, seven people collared”:

FBI posed as a customer
Europol put the number of takedowns that were part of this Operation Power Off at 50 [with] a total of seven suspected booter site administrators detained thus far … the European cops said. … The FBI, the UK’s National Crime Agency, and the Netherlands police have launched an advertising campaign across search engines, [aiming] to deter would-be cybercriminals searching for DDoS services.

While some of the sites claimed to offer “stresser” services, ostensibly to help organizations test whether their networks could withstand a DDoS flood, after reviewing “thousands of communications between … administrators and their customers [it’s] clear that both parties are aware that the customer is not attempting to attack their own computers,” according to an FBI affidavit. … For each one [of the] six defendants who each allegedly operated at least one booter website … the FBI posed as a customer and conducted test attacks to confirm that the DDoS-for-hire site functioned as advertised.

Which is it: Six or seven? The seventh suspect is in the UK—“DDoS-for-hire services taken out”:

DDoS attacks are illegal in the UK
Operation PowerOFF is the ongoing, coordinated response by international law enforcement targeting criminal DDoS-for-hire infrastructures worldwide. 48 of the world’s most popular ‘booter’ sites … were taken down yesterday by the FBI, following close collaboration with the National Crime Agency, Netherlands Police and Europol, under Operation PowerOFF.

DDoS attacks are illegal in the UK under the Computer Misuse Act 1990. … National Crime Agency officers arrested an 18-year-old man in Devon [England], who is suspected of being an administrator of one of the sites. … Admins and users based in the UK will be visited by the National Crime Agency or police in the coming months.

Some of these admins think they have an excuse, according to Brian Krebs—“Mass Takedown of DDoS-for-Hire Sites”:

Advertised through a variety of methods
Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks. … According to U.S. federal prosecutors, the use of [such] services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030).

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month … generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Did they really think they’d get away with that? ericpauley is amused:

It’s funny (kind of cute, honestly) that these site operators pretended that the … booting side of the service was the only legal risk, and that they could address this with click-through terms. Clearly, compromising third-party devices and services, or misusing services for amplification, is just as legally fraught as the attack itself.

[But] there is probably some zero-sum game here, with a fixed quantity of exploitable booter hosts available and all the providers vying for control of these. Shutting down a set of providers would then just make others more powerful.

And what about the demand side? Retired Chemist has this old prescription: [You’re fired—Ed.]

So, are they going to go after their customers? You can only provide a criminal service to criminals.

Do you hope so? CircleSpokes hopes so:

Hopefully they will. My whole apartment complex was under DDoS attacks for 6 months early during covid. Hundreds of people without a stable connection because someone had a grudge.

Wait. Pause. Six people in the U.S. and one in the UK? LazLong sounds confused:

What?!!??! No Russians involved? Or other Eastern Europeans? Gotta be fake news.

Will the guilty go to jail? Oh yes, says tptacek:

The sentence will scale with the money they made added to the amount of damage attributed to the victims. They’re in essentially the same boat as SBF with respect to sentencing, albeit with lower numbers.

If they made + caused more than six figures, they’ll be looking at multiple years. [If] over a million, something in the vicinity of 5-6 years. … The DDoS’ers will have some 18 USC 1030 accelerators (circumvention devices, domain names, maybe PII) [but] the accelerators are nothing compared to the loss table.

SBF will serve something close to life if convicted. … The DDoS’ers will serve something scaled to the amount of losses they actually caused. I think $1MM is a reasonable ballpark, which gets you into the high single digit years.

Meanwhile, lglethal imagines the sentencing chat:

Don’t worry son, we’re not sending you to the slammer, we’re just asking you to stress test the prison service.
For an extended period of time.
From the inside.
While wearing this prison uniform.
And sleeping in a cell.

And Finally:

Review of the year


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Kelly Sikkema (via Unsplash; leveled and cropped)
