Purchasing A DDoS Attack For Good - Tufts University


Purchasing a DDoS Attack for Good: Analyzing the Merits and Repercussions of Paying a Third Party to Take Down a Website

Ashley Smith
Professor: Ming Chow
COMP 116 Computer Security – Final Paper
December 13, 2017

1. Abstract

Distributed Denial of Service Attacks can take down websites for days or even months at a time, depending on the scale of the attack and the size of the organization under attack. These attacks are difficult to defend against and are becoming increasingly prominent in today’s world. People can now pay a third party to perform a Distributed Denial of Service Attack against a small organization for a relatively small fee. This paper contains research about companies selling this service, their costs, and their customer base. It then delves into the legal and moral issues that surround it, and concludes with possible uses for these services. DDoS attacks can serve a noble purpose by taking down harmful websites, but the moral dilemma and legal battles that result are instrumental to understanding their positive use in the future.

2. Introduction

Distributed Denial of Service Attacks are a big issue in the current security world. There is a lot of talk about how to defend against these attacks, but less talk about the morality of the people performing them. While many attacks have harmful intentions, there are also many cases that are much less morally clear. The motivation behind attacks like these can range from disagreeing with the content on the page to believing that the website is actually harming someone or some entity. Experts have not come to a conclusion about whether attacks like these should be looked down upon and treated the same as large attacks against reputable organizations. Can the people to whom these attacks are attributed be rightfully arrested? Where is the line between what is illegal and what is legal? What about attacks that may not have malicious intent?

DDoS attacks are performed by gaining control over a botnet, which consists of many hosts all attacking the target at the same time in order to overload the server. Experienced hackers can set up their own botnet, but most people do not know how to do this. Some organizations rent out their servers to clients for a fee, so that people with little hacking experience can pay to perform this attack. Some of these organizations are used for both blackhat (criminal) and whitehat (ethical) hacking. It is important to note, however, that although this type of hacking may be categorized as blackhat because its goal is to take down websites that the person does not own, that does not necessarily imply that the hacker has malicious intent. Thus, the hacker may not actually be doing the “wrong” thing in the eyes of the public. There are also services that will complete the DDoS attack entirely for their clients, so people can purchase attacks without any prior hacking knowledge. The question then also becomes “Who is responsible if this is an illegal act: the client or the service?”

This paper delves into the available services that sell DDoS attacks through research of these specific companies and news articles that report about them. The discussion of legal and moral issues is based on research from legal sites and the official computer science Codes of Ethics. DDoS attacks can serve a noble purpose by taking down harmful websites, but the moral dilemma and legal battles that result are instrumental to understanding their positive use in the future.

3. To the Community

I chose this topic because people often feel powerless in stopping the spread of incorrect or malicious information on the internet. Many people want to intervene in order to stop the spread of false information but feel unable to do so. A big topic in current events is the abundance of “fake news” present on the internet. Paying third parties to perform DDoS attacks on websites that have false information is one way to combat this “fake news” problem. Cyber bullying is also a big issue in today’s world. Sometimes when content that is mean or offensive to someone else is posted, it can take some time to get it taken down through proper authorities. Performing a DDoS attack on a website with offensive content can get it taken down much quicker. This type of DDoS attack gives another option for taking down false and offensive information, perhaps as a temporary measure while working on a more permanent solution. It is important for people to know the available options and the possible consequences of this type of intervention.

4. Organizations That Sell DDoS Attacks

DDoS-for-hire services are widely available on the web. On Fiverr, services sell DDoS attacks for as little as $5 (Cluley). This is an extremely low number compared to the average rate of buying a DDoS attack in 2015, which was $38 (“DDOS Report 2015”). The abundance of similar services has driven this price down dramatically in recent years.

Lizard Squad offers this service starting at $6 per month, for an attack that lasts for 100 seconds, ranging to $130, for an attack that lasts 30,000 seconds. Lizard Squad is a hacking organization that is generally considered to do blackhat hacking, but they also rent their booters out to anyone who would like to pay for them. This is called the “Lizard Stresser” and allows people to perform DDoS attacks anonymously through Lizard Squad. They currently accept payment in the form of Bitcoin, and will soon accept payments through PayPal (Mlot).

xDedic is a company that operates a little bit differently. It offers a platform for individuals to buy and sell stressers. “The owners of xdedic[.]biz claim not to be related to the sellers of hacked server access, but only to provide a secure trading platform for others” (“The XDedic Marketplace”). In March 2016, it offered access to 51,752 servers from 183 countries among the 425 sellers and in May 2016, it had 416 sellers with access to 70,624 servers in 173 affected countries. They use brute-force attacking techniques to gain access to the servers they control (“The XDedic Marketplace”). Kaspersky Lab refers to the users of xDedic as “cybercriminals,” insinuating that it has the reputation of blackhat hacking and its users generally use it for criminal activity. An article in Corero also demonizes them, referring to the users of xDedic as “cyber thug” and the site itself as “the dark underworld” which further supports the site’s reputation as being used for malicious activity (Weagle).

“Top – DDOS” is a service that entirely performs the attacks for its clients. It advertises itself as a way to “take down your competitors.” Below is a screenshot of its purpose. This service provides competitive prices, based on the length of time for which the client wants the target to be down. The pricing options this company offers are shown in the screenshot below.

There are also several websites that sell stressers to be used for both whitehat and blackhat hacking, and advertise themselves in a less malicious fashion. Most of these are subscription-based and allow users to purchase usage of the servers for a certain number of concurrent attacks for a certain amount of time. PowerStresser is one such example. Below are screenshots of its prices.

Str3ssed Booter is a service that handles its pricing and sale method similarly to that of PowerStresser. Its prices are similar, at 10 for a month with 300 second boot time, 20 for a month with 1200 second boot time, and 55 for a month with 3600 second boot time. Str3ssed Booter takes care to outline its usage policy on the home page to ensure absence of blame for its services being used for malicious attacks. It actually states that it must only be used to attack servers that the client owns. Below is a screenshot of the Terms of Service.

Cloudstress is a similar service which seems to place high priority on keeping its customer base happy. It provides 24/7 support and even has a live chat (shown in the bottom-right corner of the screenshot). Its prices and plans are also very similar to those of the previous two services, and are shown in the screenshot below.

5. Relevant Laws and Moral Dilemma

i. Laws Relating to Distributed Denial of Service Attacks

Laws vary from country to country; some nations prosecute the attacks more severely than other nations. Since the internet is accessible worldwide and attribution can be such a difficult problem, it is difficult to assign blame and bring criminal charges against an individual or organization, but several laws exist around this issue.

In America, the most relevant law is the Computer Fraud and Abuse Act, which states that it is illegal to intentionally gain access to a computer without authorization, compromise confidentiality, damage a computer or information, traffic in passwords, and even to threaten to damage a computer (“Computer Fraud and Abuse Act”). According to this law, in the US, it is illegal to perform a DDoS attack because it often requires gaining access without authorization and it is damaging the computer system. People could also be prosecuted for attempting to perform a DDoS attack if it is seen as a threat. It could also be illegal as a claim of “Tortious Interference with Business Relationship or Expectancy” if the DDoS attack is against a business and causes the business to lose substantial profit. This law states that it is illegal to interfere with a person or company’s contracts or relationships with the intention of causing economic harm (“Tortious Interference”).

In the UK, the applicable law is the Computer Misuse Act 1990, section 3, which states that the following is illegal:

(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer;
(c) to impair the operation of any such program or the reliability of any such data;
(d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done.
(“Computer Misuse Act 1990”)

This clearly states that it is illegal to perform a DDoS attack against anyone, which encompasses a, b, and c in most cases. Other countries have similar laws in place. As such, when it is proven that a person performed a DDoS attack, that person will face criminal charges, according to these laws.

ii. DDoS Attacks in Codes of Ethics

The IEEE (Institute of Electrical and Electronics Engineers) is a professional organization that has a code of ethics that it expects electronics/software engineers to abide by. The first statement says, “to hold paramount the safety, health, and welfare of the public, to strive to comply with ethical design and sustainable development practices, and to disclose promptly factors that might endanger the public or the environment” (“IEEE Code of Ethics”). According to this ethical commitment, it can be argued that it is just to perform a DDoS attack against a website that is hurting the welfare of the public. If a website is spreading false information, it may be hurting the welfare of the public, and then by civic duty, a person is abiding by this code of ethics to take down that information. The same can be argued for content that is bullying someone. It may be hurting someone’s safety and therefore should be removed by whatever means possible.

The ninth statement says, “to avoid injuring others, their property, reputation, or employment by false or malicious action” (“IEEE Code of Ethics”). This can be argued both ways. It may be injuring an individual’s property/reputation by taking down their website, but the content on an individual’s website may be injuring someone else or someone else’s reputation depending on the content present on the site.

The ACM (Association for Computing Machinery) has a separate code of ethics that computer scientists/software engineers should follow. Section 1.1 is similar to the aforementioned sections in the IEEE. It says, “Contribute to society and human well-being” (“ACM Code of Ethics”). This can follow the same argument as earlier. In addition, the ACM Code of Ethics and Professional Conduct says, in section 2.3, “ACM members must obey existing local, state, province, national, and international laws unless there is a compelling ethical basis not to do so. Violation of a law or regulation may be ethical when that law or rule has inadequate moral basis or when it conflicts with another law judged to be more important” (“ACM Code of Ethics”). This acknowledges the complexity of law versus moral judgement and that some laws are not meant to be abided by. It says that in the case that breaking the law is the moral thing to do, the person should do it and accept their consequences.

6. Applications

There are many cases in which DDoS attacks can be used for morally just causes. These services allow non-hackers to perform them, too. One might use these services to take down false information. Many websites that intentionally spread false information are not properly maintained and would be fairly easy to attack. It would likely take a not very powerful attack to take down a blog, phishing site, prank website, or fake news site. Cases like these would also likely not pursue legal action because they are small, disreputable organizations.

Another application is if someone finds content online that is bullying someone. Content like this can often be taken down through proper reporting to authorities, but in some cases, this may be implausible, unwanted, or take too long. In those cases, it may be a good option to purchase a DDoS attack to take down this website so the content is gone from the internet immediately.

The moral dilemma should be fairly clear in the case that someone posted offensive or threatening content on a website. Often, this too can be taken down by reporting it to authorities, but sometimes it is unsuccessful, and in these cases, it could be a feasible option to purchase a DDoS attack to take down the website.

Another use of these DDoS-for-Hire services is for industrial sabotage, as is the public selling point of “Top – DDOS”. It can be used to take down the website of a competing organization in order to increase one’s own profit. This usage is less of a question of ethics than the others. It is clearly both illegal and immoral, as it breaks the IEEE code of ethics and the ACM code of ethics as well as violating the “Tortious Interference with Business Relationship or Expectancy” law.

7. Conclusion

The usage of services that sell DDoS attacks clearly presents a complex issue of law and morality when they are used to attack a website that the person does not own. There are a variety of services that exist, including services that market toward blackhat hackers, services that market toward whitehat hackers, and some that deny responsibility or affiliation with what their customers choose to use them for. The lesson is that while it is illegal to perform these attacks, the option exists and can be taken advantage of if it seems appropriate or necessary. According to the codes of ethics presented, there may be cases when it is the morally correct thing to do, even when illegal, and can be justified. Both hackers and non-hackers have the ability, and therefore the choice, to take down websites if they see it to be the right thing to do.

Works Cited

“ACM Code of Ethics and Professional Conduct.” Association for Computing Machinery, ACM, Inc., 2017, ssional-conduct.

“CloudStress - Booter.” CloudStress, CloudStress, 2017, cloudstress.com/.

Cluley, Graham. “Hire a DDoS Attack for as Little as Five Dollars.” The State of Security, Tripwire, Inc., 26 May 2016, -ddos-attack-for-as-littleas-5/.

“Computer Fraud and Abuse Act (CFAA).” Internet Law Treatise, Internet Law Treatise, 24 Apr. 2013, ilt.eff.org/index.php/Computer Fraud and Abuse Act (CFAA).

“Computer Misuse Act 1990.” Legislation.gov.uk, Statute Law Database, 29 June 1990, www.legislation.gov.uk/ukpga/1990/18/section/3.

Danchev, Dancho. “DDoS For Hire Services To 'Take Down Competitor Websites' On Rise Webroot.” Webroot Threat Blog, Webroot Inc., 6 June 2012, es-going-mainstream/.

“DDOS Report 2015.” Lp.incapsula.com, Imperva, 2015, lp.incapsula.com/ddos-report-2015.html.

“IEEE Code of Ethics.” IEEE, IEEE, 2017, www.ieee.org/about/corporate/governance/p7-8.html.

Mlot, Stephanie. “Lizard Squad Offers $6 DDoS Attack Tool.” PCMAG, Ziff Davis, LLC, 31 Dec. 2014, www.pcmag.com/article2/0,2817,2474386,00.asp.

“Power Stresser.” Power Stresser, powerstresser.com/.

Themedept. “Str3ssed Networks - Booter.” Str3ssed Booter, Str3ssed Networks, 2016, str3ssed.me/?r t10booters.

“Tortious Interference.” Findlaw, Thomson Reuters, 2017, ortious-interference.html.

Weagle, Stephanie. “Cyber Criminals Sell Compromised Servers to Carry Out DDoS Attacks.” Neptune Web, Inc., Corero Network Security, Inc., 20 June 2016, omised-servers-to-carry-out-ddos-attacks.html.

Winder, Davey. “DDoS It Matter What Motivates Lizard Squad?” SC Media UK, Haymarket Media, Inc., 23 June 2016, -lizardsquad/article/530470/.

“The XDedic Marketplace.” Kaspersky Lab, 15 June 2016, pp. 6–8., securelist.com/files/2016/06/xDedic marketplace ENG.pdf.
