Users of a popular DDoS-for-hire website are being targeted by Europol and multiple law enforcement partners around the world, signalling a crackdown on a practice that makes it possible for anyone with internet access to launch an attack on their website of choice.
Distributed denial of service (DDoS) attacks involve flooding a website’s servers with traffic from vast networks of bots, known as botnets, which are often formed of hacked internet of things (IoT) devices used without their owners’ knowledge.
These attacks can be used to either take down or reduce the performance of websites and web apps, with those that require peak performance to work effectively, such as online games, being particularly susceptible.
While these types of attacks used to require a certain level of skill to enact, they have become accessible to anyone willing to pay for them, through the proliferation of DDoS-for-hire websites. These charge low prices – sometimes as little as $5 – to perform attacks, making them highly accessible for unscrupulous web users.
Europol targets users of popular DDoS-for-hire site
Last year one of the most popular DDoS-for-hire websites, webstresser.org, was taken down and seized by law enforcement.
Prior to its removal, it charged users as little as €15 a month, and was key to over 4 million attacks.
Now law enforcement agencies from across the world, including Europol as well as UK, US and European partners, are targeting the users of the site in Operation Power OFF.
Working with a list of the site’s 151,000 registered users, the operation is looking to identify and prosecute perpetrators of DDoS attacks using the site.
It has already had some success. In the UK alone, over 60 personal electronic devices have been seized as part of the operation, and more than 250 users of the site and other similar DDoS-for-hire services are now facing the prospect of prosecution.
Companies warned not to be complacent
For Europol, Operation Power OFF is key to clamping down on these types of attacks.
“The DDoS-for-hire trend is a pressing issue, mainly due to how easily accessible it has become. Stresser and booter services have effectively lowered the entry barrier into cybercrime: for a small nominal fee, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic,” said Europol in a release about the operation.
“The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions and police forces.”
However, cybersecurity professionals warn that the operation’s efforts so far are minimal compared to the sheer scale of individuals undertaking DDoS-for-hire attacks.
“It’s encouraging to see law enforcement agencies around the globe continuing to crack down on cybercriminals. However, the numbers speak for themselves in this case,” said Sean Newman, director of product management at Corero.
“With those prepared to launch DDoS attacks, on just this one service, well into six figures, and only 250 currently being pursued for their crimes, it’s indicative of how easy it is for the perpetrators to mask their true identities.
“The ease with which any individual can use an anonymised email account for communications and make payments in cryptocurrency ensures it is extremely hard-going trying to track down the individuals concerned.”
For companies, then, the message is not to be complacent about the risks posed by DDoS attacks.
“Although this is positive news on the whole, organisations shouldn’t become complacent about the need for real-time DDoS protection, as Corero continues to see attacks on the increase year on year.”