In an October public service announcement, the FBI explained “DDoS-for-hire” services and requested that victims of DDoS attacks file a complaint with the FBI’s Internet Crime Complaint Center (IC3). They explained that malicious actors sell DDoS-for-hire services (aka booters) on criminal marketplaces with effectively one goal: preventing access to a “U.S. company or government website.”
In an earlier press release, the FBI warned that hackers could hijack Internet of Things (IoT) devices and use them for launching attacks against third parties. The FBI used the Mirai botnet as an example of the damage caused by IoT takeovers. While the IoT announcement covered other botnet related activities, it focused mainly on DDoS attacks. And also to give a shout-out to the Mirai botnet for launching DDoS attacks from unsecured IoT devices (or just IoT devices in general – their security is truly abhorrent).
The FBI’s DDoS warning also listed the Mirai botnet as the source of one of the largest DDoS attacks in history. Namely the 1Tbps attack against DynDNS that rendered sites like Twitter, PayPal, and Spotify inaccessible to the public. One of the most capable operators of the Mirai botnet used the name BestBuy, among others. Some know him for hacking Deutsche Telekom. Germany and the UK are currently playing a game of “pass the suspect” with each other, charging BestBuy with various cyber crimes he had allegedly committed.
In addition to warning the public if DDoS attacks in general, the FBI also explained the threat behind booters or stressers. (The threat is effectively the same.) Thanks to the availability of these DDoS-for-hire services on the darknet, the FBI wrote, criminals find them far more convenient than creating their own botnet.
IC3’s press release contained a warning that creating a botnet or using their own infrastructure for the purpose of attacking a service or network “may result in criminal charges.” They added that the same stands for the use of booters or stressers established by someone else. Both are punishable under the Computer Fraud and Abuse Act and could result in prison time
“The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident.” The FBI also wanted as much information about the attack that a target or victim could offer. Including, but not limited to, IP addresses associated with the attack, traffic protocol used, and damages caused downtime.
Illegal darknet marketplace operators are unlikely to receive compensation for downtime caused by the DDoS attacks that brought down effectively every relevant market.