[LINK] ArsT: DDoS Openly for Hire

Roger Clarke Roger.Clarke at xamax.com.au
Mon May 20 12:59:39 AEST 2013


DDoS-for-hire service works with blessing of FBI, operator says
Dan Goodin
May 20 2013, 7:15am EST
Ars Technica
http://arstechnica.com/security/2013/05/ddos-for-hire-service-works-with-blessing-of-fbi-operator-says/

"My service is a legal testing service," Ragebooter.net boss insists.

A website that accepts payment in exchange for knocking other sites 
offline is perfectly legal, the proprietor of the DDoS-for-hire 
service says. Oh, it also contains a backdoor that's actively 
monitored by the FBI.

Ragebooter.net is one of several sites that openly accepts requests 
to flood sites with huge amounts of junk traffic, KrebsonSecurity 
reporter Brian Krebs said in a recent profile of the service. The 
site, which accepts payment by PayPal, uses so-called DNS reflection 
attacks to amplify the torrents of junk traffic. The technique 
requires the attacker to spoof the IP address of lookup requests and 
bounce them off open domain name system servers. This can generate 
data floods directed at a target that are 50 times bigger than the 
original request.

Krebs did some sleuthing and discovered the site was operated by 
Justin Poland of Memphis, Tennessee. The reporter eventually got an 
interview and found Poland was unapologetic.

"Since it is a public service on a public connection to other public 
servers this is not illegal," Poland was quoted as saying. He 
continued:
"Nor is spoofing the sender address [illegal]. If the root user of 
the server does not want that used they can simple disable recursive 
DNS. My service is a legal testing service. How individuals use it is 
at there [sic] own risk and responsibilitys [sic]. I do not advertise 
this service anywhere nor do I entice or encourage illegal usage of 
the product. How the user uses it is at their own risk. I provide 
logs to any legal law enforcement and keep logs for up to seven days."

Poland went on to say: "I also work for the FBI on Tuesdays at 1 PM 
in Memphis. They allow me to continue this business and have full 
access. The FBI also use the site so that they can moniter [sic] the 
activitys [sic] of online users.. They even added a nice IP logger 
that logs the users' IP when they login."

An FBI spokesman would neither confirm nor deny the claim, but Krebs 
said security researchers have found the site bizarrely includes the 
ragebooter.net user name in the flood of data directed at the target 
websites. Even more intriguing, someone hacked the site in March and 
leaked the users table, spilling the usernames and e-mail addresses of 
people who used the service. The list could contain a fair amount of 
data, since Ragebooter.net appears to average more than 400 attacks 
per day.
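The article describes the reflection technique from the attacker's side: a query with a spoofed source address is sent to an open recursive resolver, and the much larger answer lands on the spoofed host. Seen from that host, the flood is a stream of DNS answers to questions it never asked, from many distinct resolvers. The following is an added example, not from the article, Krebs's reporting, or any tool mentioned; it runs that victim-side check over constructed flow records (the IP addresses are documentation ranges chosen for the example) and computes the amplification ratio the article quotes.

```python
from collections import defaultdict, namedtuple

# One flow record: 5-tuple plus payload byte count.
Flow = namedtuple("Flow", "src sport dst dport proto nbytes")

# Constructed records, not from the article. 203.0.113.5 is the host whose
# address was spoofed; the 198.51.100.x hosts stand in for open resolvers.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 53123, "198.51.100.10", 53, "udp", 64),   # genuine query
    Flow("198.51.100.10", 53, "203.0.113.5", 53123, "udp", 512),  # its answer
    Flow("198.51.100.20", 53, "203.0.113.5", 4040, "udp", 3200),  # reflected
    Flow("198.51.100.21", 53, "203.0.113.5", 4041, "udp", 3200),  # reflected
    Flow("198.51.100.22", 53, "203.0.113.5", 4042, "udp", 3150),  # reflected
    Flow("203.0.113.9", 40001, "198.51.100.10", 53, "udp", 70),   # unrelated host
    Flow("198.51.100.10", 53, "203.0.113.9", 40001, "udp", 300),  # its answer
]


def amplification_factor(query_bytes, response_bytes):
    """Size ratio between a reflected answer and the spoofed query behind it."""
    return response_bytes / query_bytes


def unsolicited_dns_responses(flows, min_bytes=1000):
    """Group, by destination, large UDP/53 answers for which no matching outbound
    query (the same 5-tuple reversed) exists. A spoofed-source reflection flood
    looks exactly like this at the victim: answers to questions it never asked."""
    sent = {(f.src, f.sport, f.dst, f.dport)
            for f in flows if f.proto == "udp" and f.dport == 53}
    hits = defaultdict(list)
    for f in flows:
        if f.proto != "udp" or f.sport != 53 or f.nbytes < min_bytes:
            continue
        if (f.dst, f.dport, f.src, f.sport) not in sent:  # never requested
            hits[f.dst].append(f)
    return dict(hits)


def reflection_victims(flows, min_reflectors=3):
    """Destinations hit by unsolicited answers from >= min_reflectors distinct
    resolvers; many distinct sources per victim is the reflection signature."""
    out = {}
    for dst, fl in unsolicited_dns_responses(flows).items():
        reflectors = {f.src for f in fl}
        if len(reflectors) >= min_reflectors:
            out[dst] = {"reflectors": len(reflectors),
                        "bytes": sum(f.nbytes for f in fl)}
    return out
```

On real flow exports the query/answer matching needs a time window (the constructed set is small enough to match globally), and a resolver operator would run the mirror-image check: recursive queries arriving from addresses outside its own networks.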


PROMOTED COMMENTS
keltor wrote:
I could see them requiring extra warnings, but really, what else could 
there be that's wrong with it? Mind you, all the big penetration 
testing companies use these same techniques to test your websites 
when you hire them.

Response: Wrong, the penetration testing and load testing services 
from legitimate companies require you to prove ownership of the 
domain or server you are testing. You can't just use them to test 
external third-party servers which you do not have control over.

Hell, even Google requires you to prove ownership of a domain or 
website for some services. Doing this is extremely easy, like adding 
an extra record in the DNS server, confirming the email address in 
the whois, or adding a code to the domain to be read externally by 
the test server.

Any service which does not want users proving ownership of the 
servers they test is not legally compliant.

The excuse about not using recursive DNS is a lame excuse. How about 
"If you don't want me breaking your house doors down, do not use wood 
doors... it's your fault!!!"

There are tons of reasons why some need to have recursive DNS on; 
that is a stupid excuse. If the service is legally compliant, he 
should require users to check they are the admins of the systems they 
want to test.

Grieviant wrote:
Based on its name (RageBooter), it's probably safe to assume that 
this site was attempting to appeal to gamers who get pissed off when 
they start losing and want to boot their competitors offline. The 
rage boot goes almost as far back as the rage quit.

Let me explain. Unlike PC games, which usually use a dedicated server 
for multi-player, the vast majority of Xbox Live games typically pick 
one player in the game to act as the server. This person is referred 
to as the host and everyone else is a client. If you have a good 
connection and are centrally located, you might find that you 'pull 
host' quite often. Since all the game traffic goes through your Xbox, 
you can identify the IP addresses of your competitors and teammates 
without much difficulty. There is a program called 'Cain and Abel' 
which is quite popular for this purpose. Actually, because there is 
an initial negotiation phase where Xbox Live attempts to determine 
who should be host by testing latency and bandwidth between all 
players, you don't necessarily even need host to discover the IP 
addresses of everyone else in the game. While you might not know the 
specific IP address of every player, you could use a DDoS site like 
RageBooter to start hitting players until the desired target lags out 
of the game. Rather sadistically, the users of such services will 
sometimes let the DDoS continue for hours so as to hold the target 
offline.

If you've ever watched any Halo 3 on Twitch over the past couple of 
years, people getting booted offline is incredibly common. The 
booters will often even come into the Twitch chat of the person 
streaming to taunt them. You might think that a community whose 
matchmaking population is almost completely dead would be happy just 
to have people still playing the game, but you'd be wrong.

-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University
