European law enforcement are today celebrating the dismantling of a website that police claim sold Distributed Denial of Service (DDoS) attacks and helped launch up to 6 million of them for as many as 136,000 registered users. Alleged administrators of the webstresser.org service were arrested on Tuesday in the U.K., Canada, Croatia and Serbia, whilst the site was shut down and its infrastructure seized in Germany and the U.S., Europol announced Wednesday.
DDoS attacks typically flood web servers with traffic to take them down. So-called stressers sell those attacks as a service, offering to take down customers’ selected targets for a small fee or providing direct access to a simple DDoS tool. According to investigators working on Operation Power Off, webstresser.org appeared to be the biggest of all such services.
DDoS hits emanating from webstresser.org targeted banks, government institutions, police forces, schools and the gaming industry, investigators said. And Americans made up the majority of both targets and customers on webstresser.org, according to Europol’s lead case coordinator, who asked to remain anonymous in speaking with Forbes exclusively ahead of today’s announcement. “It’s become one of the most important [DDoS stressers] on the market,” he said.
“It is significant,” added Gert Ras, head of the Netherlands National High Tech Crime Unit, speaking of the takedown. “It is a really big one.”
A Google cache of the webstresser.org site reveals a boastful set of admins, but they appeared to be advertising their DDoS stresser as a testing service to see how well websites could stand up to attacks rather than anything illegal. They claimed to provide “the strongest and most reliable server stress testing” and promised “24/7 customer support spread on over three different continents.” They sold in packages, ranging from $18.99 per month for the “bronze” membership to $49.99 for the “platinum” service.
The team members all went by pseudonyms, including Admin the CEO, backend developer m1rk, head of support Mixerioza and “support agent” Tyrone. They ran a Facebook page too, where they encouraged customer engagement, recently asking for help with YouTube marketing. Whoever managed the Facebook page also reported some problems with the site on April 9. “Deutscher Commercial Internet Exchange is currently experiencing outages so we remain offline until their network is fixed,” one message read. Investigators said they didn’t believe that downtime was related to the law enforcement action, however.
How the investigation went down
Led by the Dutch National High Tech Crime Unit and the UK National Crime Agency (NCA), and assisted by Europol, the investigation into webstresser.org started in October last year, according to the lead case coordinator at Europol.
That month a tip from the NCA landed at the Dutch agency, informing them the web infrastructure for webstresser.org was hosted in the Netherlands. Forbes reviewed domain registration information for the site and found it was registered in October 2015 by someone with a Hotmail email address and who claimed to be based in the small Netherlands village of Gulpen. Forbes emailed the user but had not received a response at the time of publication.
In November, the Dutch police were able to take “snapshots” of the site’s server, from which they recreated their own version of webstresser.org, according to Ras. That allowed them to determine how it worked and eventually led them to the identities of the alleged administrators, though Ras couldn’t say just how as the investigation continues. Even an attempt by the site’s owners to move infrastructure to Germany didn’t stymie the cops, Ras added, as American authorities took down the site today.
Investigators were also able to gather some remarkable statistics from the site, which made apparent the unprecedented scale of the DDoS market. Europol said the total time of persistent DDoS attacks launched via webstresser.org reached 15.5 years. The longest single attack reached around 10 hours, with the average around 20 minutes per target. And the admins made hundreds of thousands of dollars in the process, Ras added, as they accepted payments over PayPal and Bitcoin. Paying via Bitcoin got users a 15% discount too.
“The service was professional, the most professional I’ve seen,” said Europol’s investigator. He noted the controllers of the service were using techniques to “amplify” their attacks. One involved the use of the Domain Name System (DNS), the telephone book of the internet that connects people looking up a web address like Google.com to the relevant server. The attack relies on the fact that the computers used to deal with such requests – open DNS servers – respond to a small question with a large response. With this so-called DNS amplification, it’s possible to make a large number of small requests to the DNS server and have the much larger responses delivered to a target website rather than back to the sender. Webstresser.org offered attacks up to 350Gbps, a sizeable hit.
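The traffic pattern described above has a recognisable signature on the receiving end: many distinct resolvers all sending unusually large UDP responses from port 53 to the same destination. The following is an added, illustrative example that is not part of the Forbes article and not code from any agency or tool it mentions. It assumes NetFlow-style records (source, destination, ports, protocol, packet and byte counts) such as a flow collector could export; the thresholds and the sample records are constructed for the demonstration.

```python
"""Flag the inbound signature of a DNS amplification attack in flow records.

Illustrative example added to the article, not from Forbes or any investigator.
Assumption: flow records carry src/dst IP, ports, protocol, packets and bytes,
as a NetFlow/IPFIX collector would export. Thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample data (not real traffic): four resolvers sending large
# UDP/53 responses to one victim, plus an ordinary lookup by a normal client.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 53, 4444, "udp", 1200, 3_900_000),
    Flow("198.51.100.11", "203.0.113.5", 53, 4444, "udp", 900, 3_000_000),
    Flow("198.51.100.12", "203.0.113.5", 53, 4444, "udp", 1500, 4_800_000),
    Flow("198.51.100.13", "203.0.113.5", 53, 4444, "udp", 800, 2_700_000),
    Flow("192.0.2.20", "198.51.100.10", 51000, 53, "udp", 3, 210),
    Flow("198.51.100.10", "192.0.2.20", 53, 51000, "udp", 3, 400),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes received per byte sent. Around 1 is a normal exchange; a value
    far above 1 is the 'small question, large response' property the attack abuses."""
    return response_bytes / query_bytes


def find_amplification_targets(flows, min_avg_bytes=512, min_reflectors=3):
    """Group UDP flows whose source port is 53 by destination and report any
    destination that receives large responses (average bytes per packet at or
    above min_avg_bytes) from at least min_reflectors distinct resolvers.

    Returns {destination_ip: {"reflectors": n, "avg_response_bytes": b, "total_bytes": t}}.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.sport != 53:
            continue  # only DNS responses are relevant here
        entry = per_dst[f.dst]
        entry["reflectors"].add(f.src)
        entry["packets"] += f.packets
        entry["bytes"] += f.bytes

    alerts = {}
    for dst, entry in per_dst.items():
        avg = entry["bytes"] / entry["packets"]
        if avg >= min_avg_bytes and len(entry["reflectors"]) >= min_reflectors:
            alerts[dst] = {
                "reflectors": len(entry["reflectors"]),
                "avg_response_bytes": round(avg),
                "total_bytes": entry["bytes"],
            }
    return alerts


if __name__ == "__main__":
    # A ~60-byte query answered with a ~3000-byte response: factor 50.
    print("amplification factor:", amplification_factor(60, 3000))
    for dst, info in find_amplification_targets(SAMPLE_FLOWS).items():
        print(f"ALERT {dst}: {info['reflectors']} reflectors, "
              f"avg response {info['avg_response_bytes']} B, {info['total_bytes']} B total")
```

The normal client exchange (one resolver, small packets) is not reported, while the victim is flagged on both criteria at once, which is what keeps a single busy resolver or a large legitimate DNSSEC response from tripping the check. On the resolver side, the usual mitigations are to disable open recursion, enable response rate limiting, and have upstream networks filter spoofed source addresses (BCP 38).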
Not only were alleged administrators arrested (their names have not yet been released and so Forbes has not been able to contact their legal representation) but police across the world have also paid visits to users of webstresser.org, either arresting them or warning about their continued use of such DDoS products. “The message here is that people who use these services will not stay anonymous,” Ras said. “We will bring them to court.”
Whilst webstresser.org was the biggest fish in the DDoS stresser pond to fall to date, others have been dismantled in recent months. In August, the vDOS service that launched more than two million DDoS attacks over four years was closed and the alleged owners arrested in Israel. Their lawyers said the vDOS operators were simply running a legitimate tool to help businesses test the cybersecurity of their website.
It would appear cops across the world aren’t buying such claims.