Vengeance by DDoS: No one is immune

In what may catch many by surprise, distributed denial of service (DDoS) attacks are being used against companies, organizations, and individuals as an act of vengeance or revenge.

No one is immune; documented victims have included non-profit organizations, community colleges, courts and law enforcement entities, and even noted security journalist Brian Krebs.

The commonality is that the individual behind the attack wishes to inflict damage, swiftly and completely, on the entity being attacked. No prior experience is necessary; you can rent the DDoS service, by subscription no less, with a few clicks and an anonymous bitcoin payment.

DDoS for hire

According to the Department of Justice (DOJ), John Kelsey Gammell pleaded guilty in January 2018 to “conspiracy to commit intentional damage to a protected computer.” The DOJ continues, “Gammell directed DDoS attacks at a number of victim’s websites, including websites operated by companies he used to work for, companies that declined to hire him, competitors to his business and websites for law enforcement agencies and courts.”

Gammell, it would appear, wasn’t totally ignorant of the need to obfuscate his identity when hiring the DDoS services (vDOS, CStress, Inboot, and IPStresser), as he used IP anonymization services, cleaned his drives, and used encryption to conceal the records of his activities.

DDoS attack against a small business

Then we review the actions of David Chelsey Goodyear, who the DOJ tells us was convicted in February 2018 by a jury of “directing distributed denial of service cyber-attacks against two websites owned by Oklahoma telescope retailer, Astronomics.” Astronomics operates a free astronomy forum, “Cloudy Nights,” which has 65,000-plus participants. Goodyear was booted from the forum for violating the terms of service and would repeatedly return under a new userid/alias, only to get booted again for violating the terms of service. With each instance, Goodyear’s frustration increased, and he threatened a DDoS attack against Cloudy Nights and Astronomics.

What makes Goodyear’s act of vengeance so interesting is that it didn’t cost him a penny. Goodyear joined HackForum, and within hours of joining the forum posted a request for the forum’s users to “take down” the Astronomics website. For the next two weeks, the family-owned Astronomics was subjected to DDoS attacks. There was no shortage of individuals ready to do the dirty work on request. Astronomics pegged their losses at a minimum of $5,000, with sustained damage for over a year.

DDoS attack against a security writer

Then there was the DDoS attack against noted security journalist Brian Krebs, which occurred in September 2016. The attack, large for the time, was estimated by Krebs to be 620 Gbps in size. This attack leveraged Internet of Things devices, routers, IP cameras and digital video recorders.

In Krebs’ instance, he was attacked by two individuals associated with vDOS, a DDoS service for hire. Yes, the creators of the service used by Gammell to attack his victims. Krebs had written about the takedown of the vDOS service and the identity of two 18-year-old Israelis, Yarden “applej4ck” Bidani and Itay “p1st” Huri, as the admins. Shortly after Krebs’ article — and his site going dark as a result of the attack — the teens were arrested in Israel.

Industry steps up

For news organizations, journalists, election monitoring sites, human rights organizations, etc., Google offers a free service: Project Shield. It matters not how large your site is; if your application for Project Shield protection is approved, you will receive free protection.

For businesses, many IP hosting companies have partnered with a variety of DDoS defense companies, some bundling the service into their hosting agreements. Noted names include Cloudflare, Akamai, AWS Shield, and Microsoft Azure.

Bottom line: If you rely on your website for commerce, be it as a store front or service provider, you must factor the DDoS threat into your cybersecurity matrix, and put protection, mitigation and defense in place.

The threat is not going to dissipate, and, indeed, as witnessed in the recent February 28 attack against GitHub, a DDoS 1.3 Tbps in size, DDoS attacks are only going to increase in both frequency and velocity. In GitHub’s instance, they were prepared, and their service interruption was measured in minutes and not days.

Are you prepared for a DDoS against your site?