Paying a site to DDoS other sites is perfectly legal, the proprietor behind one such outfit told security journalist Brian Krebs.
Besides which, he says, his service, called RageBooter, even features a nifty backdoor that lets the FBI monitor customer activity.
The conversation took place recently between Krebs and Justin Poland, a Memphis, Tennessee man whom Krebs tracked down via a WHOIS lookup and Facebook.
According to Poland, DDoSing the beejezus out of sites is perfectly legal/justifiable/morally kosher because:
- It's "a public service on a public connection to other public servers";
- His service merely takes advantage of default settings of some DNS servers; and
- Spoofing a sender address is legal and OK because if a root user of the server doesn't like it they just have to disable recursive DNS.
Regarding item No. 3, recursion is what a DNS server does when it is asked for a name it can't answer from its own zone data or cache: it goes off and queries other DNS servers on the client's behalf. A server that will do this for anyone on the internet is an "open resolver", and that is what a reflected DNS attack relies on: the attacker sends such servers a stream of small queries with the victim's address forged as the source, and the servers dutifully send their (much larger) answers to the victim.
Microsoft, for its part, confirms that attackers can abuse recursion to mount denial-of-service attacks against the DNS Server service, and has a TechNet article on how to disable it. One caveat: switching recursion off outright only suits a server that exists to be authoritative for its own zones. A resolver that your own users depend on should instead be restricted so that only your own networks are allowed to recurse; leaving it open to the world is the "default setting" Poland's service lives on.
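To see what an open resolver looks like from the operator's side, here is an added example (not code from the article, Krebs, or RageBooter) that scans resolver query-log lines and flags clients outside the intended recursion ACL that are asking for recursion, singling out the EDNS `ANY` queries that reflection attacks favour because they produce the largest replies. The log lines are constructed for the example and are modelled on the BIND 9 query-log format; the ACL syntax is BIND's `allow-recursion` style, and the helper names are the example's own.

```python
"""Spot reflection abuse of an open recursive resolver from its query log.

Added example, not from the article or the booter service it describes.
Assumptions: log lines follow the BIND 9 query-log shape
  "client <ip>#<port>: query: <name> IN <type> <flags> (<server-ip>)",
where '+' in <flags> means the client set the RD (recursion desired) bit
and 'E' means it attached an EDNS OPT record (a large UDP buffer, so a big
answer). The networks that *should* be allowed to recurse come from a
BIND-style allow-recursion ACL; anyone else asking for recursion is a
reflection risk, and ANY+EDNS from such a client is the classic signature.
"""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<name>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample, not a real capture. 192.0.2.0/24 is the resolver's own
# LAN; 203.0.113.9 and 198.51.100.7 are outside addresses, i.e. the forged
# source addresses a booter would write into its packets.
SAMPLE_LOG = """\
client 192.0.2.10#40123: query: www.example.com IN A + (192.0.2.1)
client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)
client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)
client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)
client 198.51.100.7#1024: query: example.net IN MX + (192.0.2.1)
client 192.0.2.11#50000: query: example.org IN ANY +E (192.0.2.1)
client 203.0.113.9#53: query: ripe.net IN ANY +E (192.0.2.1)
"""


def parse_acl(acl):
    """Turn 'localhost; 192.0.2.0/24;' into a list of ip_network objects."""
    nets = []
    for tok in (t.strip() for t in acl.split(";") if t.strip()):
        if tok == "localhost":
            nets += [ipaddress.ip_network("127.0.0.0/8"),
                     ipaddress.ip_network("::1/128")]
        elif tok == "any":  # the weak setting: everyone may recurse
            nets += [ipaddress.ip_network("0.0.0.0/0"),
                     ipaddress.ip_network("::/0")]
        else:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def allowed_to_recurse(ip, nets):
    """True if ip falls inside any ACL network (version mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def scan(log_text, acl):
    """Return {client_ip: {'recursive': n, 'amplifiable': m}} for clients
    outside the ACL that asked for recursion; 'amplifiable' counts ANY+EDNS."""
    nets = parse_acl(acl)
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        wants_recursion = "+" in m["flags"]
        if not wants_recursion or allowed_to_recurse(m["ip"], nets):
            continue
        counts = per_client[m["ip"]]
        counts["recursive"] += 1
        if m["qtype"] == "ANY" and "E" in m["flags"]:
            counts["amplifiable"] += 1
    return {ip: dict(c) for ip, c in per_client.items()}


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG, "localhost; 192.0.2.0/24;").items():
        print(f"{ip}: {counts}")
```

Run it against the ACL you intend to deploy rather than the one you have: with `any;` it flags nothing, which is exactly the point, since an `allow-recursion { any; };` resolver considers every forged-source query legitimate. Once the list of outside "clients" is in hand, the fix on BIND is to restrict `allow-recursion` to your own networks, and on Windows DNS Server to disable recursion as the TechNet article describes if the server only needs to serve its own zones.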
In short, Poland told Krebs, RageBooter is just a "legal testing service":
How individuals use it is at there [sic] own risk and responsibilitys [sic]. I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product.
How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days.
About that ready accommodation of "any legal law enforcement": when Krebs asked Poland whether police or other authorities had ever asked for information about his customers, Poland told him that well, actually, he works for the FBI.
From Krebs' account of the Facebook chat he had with Poland:
I also work for the FBI on Tuesdays at 1pm in memphis, tn. They allow me to continue this business and have full access.
The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.
When Krebs called the number Poland gave him to check with the FBI, the man on the other end got peeved and referred him to the FBI's press office, which in turn wouldn't confirm or deny any of this.
Poland, for his part, stopped talking with Krebs, saying he'd been instructed to block him. His Facebook page disappeared within moments of Krebs receiving this message:
I have been asked to block you. Have a nice day.
Regarding the legality of hiring a DDoS service, Krebs checked with Mark Rasch, a security expert and former attorney for the US Department of Justice.
Rasch told Krebs that while companies regularly hire network stress-testing services, it's generally part of a broader penetration testing engagement in which those conducting the tests insist on first getting a "get out of jail free card", e.g., a notarized letter from the customer stating that the testing firm was hired to break into and probe the security and stability of a targeted site.
Krebs quotes Rasch:
This is also why locksmiths generally force you to show ID that proves your address before they’ll break into a house for you...
The standard in the security industry is not only to require proof that you own the sites that are going to be shut down or attacked, but also an indemnification provision.
I checked with Sophos' IT security manager, Ross McKerchar, who regularly fends off DDoS attacks, to see what he thought of DDoS legality. Unsurprisingly, he says DDoS should "clearly" be illegal, and the fact that it's not illegal everywhere is just evidence of the law lagging:
To use an analogy, even if I have a very poor lock and no alarm system it’s still illegal to break in to my property.
The argument regarding reflected DNS attacks is "even weaker", McKerchar says:
You are at risk to these attacks regardless of your own DNS servers: the problem is that any misconfigured DNS server can be used to attack someone else.
To say that it’s legit to attack company A, because unrelated companies B, C & D have poor security doesn’t really hold water.
None of this is meant to excuse poor security, of course.
To extend the lock analogy even further, McKerchar says:
If a bank had a rubbish lock and no alarm system, I think most people would agree that they bore some responsibility for a break-in. Larger companies should recognize and plan for the risk of DDoS attacks, given they are so easy to execute.
I think it would be fair to say that any company that doesn’t, and depends on their internet-facing systems for revenue is running a major risk, bordering on negligence.
Krebs' sleuthing on this issue is far more extensive than this write-up. His original article is well worth reading: it provides more on the booter market, the nature of the backdoor which the FBI may or may not have into RageBooter, and how booters' biggest threats are attacks from each other.
One interesting aspect of these services is how they use PayPal to fund their activities.
From PayPal's statement to Krebs:
We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools which have the sole purpose to attack customers and illegally take down web sites.
PayPal will work with law enforcement to take down something that the FBI might well have its hand in? Up to the elbow and beyond?
Sure. OK. Right.