For the last three years, law enforcement agencies all over the world have been playing an infuriating game of whack-a-mole with DDoS for hire services. After months or even years of cooperation between various high-tech and computer crime departments from any number of nations, and after jumping through legal hoop after legal hoop to figure out how outdated laws can be made to apply to sophisticated cybercrime, a DDoS for hire service will finally be brought down and the administrators arrested. As a result of all that effort, for one day, possibly two, the internet will be beleaguered by a slightly lower number of DDoS attacks…until another DDoS for hire service springs up to take its place in the market and law enforcement agencies start all over again.
However, a task force led by the United Kingdom’s National Crime Agency and the Dutch police’s high-tech crime unit recently whacked the biggest mole of all, leaving 136,000 users without their favorite means of exacting revenge, getting attention, making money from a DDoS ransom note, taking aim at a business competitor, messing with rival gamers, or having a bit of old-fashioned fun on the internet.
Will it be enough to make an appreciable dent in the DDoS landscape and make anti DDoS protection any less necessary?
Aptly named services
Up until April 25, 2018, the number one DDoS for hire service in the world was a service named WebStresser. While you would be forgiven for thinking it was named the way it was because the DDoS attacks it launched were so stressful to website and business owners, the reason for the name is because many of these services hide behind the pretext of being a legitimate service, one designed to stress-test servers to ensure they can perform under high-traffic conditions. These legitimate services are often called stressers, and so too are the bastardized versions that unleash DDoS mayhem every hour of every day.
On that fateful Wednesday in April in a collaborative effort named Operation Power Off, authorities across 12 countries seized WebStresser servers while four of the administrators were arrested, including a 19-year-old Serbian named Jovan Mirkovic who is alleged to be at the top of the WebStresser food chain. In addition to webstresser being brought to its knees, at least eight other services that were reselling WebStresser’s DDoS efforts also appear to be offline.
Thus, the reign of a service offering monthly attack subscriptions to anyone for $18.99 and an ax to grind has ended. A stresser, indeed.
Same old story
For true insight into the impact this takedown could have on the overall distributed denial of service situation, take a look back at September of 2016 when the then-biggest DDoS for hire service vDOS went down after it was hacked and its founders exposed (and later arrested). At the time this was hailed as a victory in the fight against DDoS attacks, and understandably so: in the four years vDOS was active it facilitated over two million DDoS attacks. Surely this would help slow the scourge of distributed denial of service attacks targeting everything from mom and pop shops to major enterprises.
Remember that whack a mole analogy though. With vDOS gone, another DDoS for hire service would have to take its place at the top. It was WebStresser, and in the three years it was active it was responsible for between four and six million attacks.
Looking to the future
There’s no denying that law enforcement agencies have made real progress in the war on DDoS services. However, there’s also no denying that this is a war that is in its infancy. Distributed denial of service attacks, whether perpetrated by the average unskilled jerk with a PayPal account or by professional attackers who are tailoring attacks to their specific targets, are still some of the most common cyberattacks out there and with damages ringing up to potentially six or seven figures, they’re also some of the most devastating. As law enforcement agencies and legislation alike begin to catch up to cybercriminals, we may see a future where DDoS protection is less of a necessity, but WebStresser or no WebStresser, that future is not now. The game of whack a mole continues.