DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney

Filed Under: Denial of Service, Featured, Law & order, Security threats

Paying a site to DDoS other sites is perfectly legal, the proprietor behind one such outfit told security journalist Brian Krebs.

Besides which, he says, his service, called RageBooter, even features a nifty backdoor that lets the FBI monitor customer activity.


The conversation took place recently between Krebs and Justin Poland, the US man from Memphis, Tennessee whom Krebs sniffed out via WHOIS lookup and Facebook.

According to Poland, DDoSing the beejezus out of sites is perfectly legal/justifiable/morally kosher because:

  1. It's "a public service on a public connection to other public servers";
  2. His service merely takes advantage of default settings of some DNS servers; and
  3. Spoofing a sender address is legal and OK because if a root user of the server doesn't like it they just have to disable recursive DNS.

Regarding item No. 3, recursion is a DNS server's act of querying other DNS servers on a client's behalf to resolve names it can't answer from its own records.

Microsoft, for its part, confirms that yes, attackers can use recursion to deny the DNS Server service and has this TechNet article on how to disable it.
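The "open recursion" condition the article and the TechNet advice turn on can be checked from the wire format alone: a server that sets the Recursion Available (RA) flag and answers a recursive query for a name it is not authoritative for will recurse for anyone, and its replies are larger than the queries that trigger them. The script below is an added example, not code from the article, from Krebs, or from RageBooter; it builds a query and two constructed replies (one from a resolver that recurses for outsiders, one from a server with recursion disabled that answers REFUSED) and evaluates them offline, so that an administrator can feed a real reply from their own server to `assess()` and see whether it would be usable as a reflector.

```python
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query; the RD flag (0x0100) asks the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def build_response(query, a_records=(), ra=True, rcode=0):
    """Constructed reply to `query` (test fixture, not captured traffic).
    ra=True sets the Recursion Available flag; rcode=5 is REFUSED."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    answers = b""
    for ip in a_records:  # one A record per address, name compressed to the question
        rdata = bytes(int(o) for o in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answers

def parse_header(pkt):
    """Decode the 12-byte DNS header fields this check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "ancount": an}

def assess(query, response):
    """Report whether the server recursed for an outside client and how much
    larger its reply was than the query (the amplification an abuser would get)."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch; not a reply to this query")
    open_recursion = h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
    return {"open_recursion": open_recursion, "rcode": h["rcode"],
            "amplification": round(len(response) / len(query), 2)}

if __name__ == "__main__":
    q = build_query("example.com")
    leaky = build_response(q, a_records=("192.0.2.1", "192.0.2.2", "192.0.2.3"))
    locked = build_response(q, a_records=(), ra=False, rcode=5)
    print("open resolver:", assess(q, leaky))
    print("recursion disabled:", assess(q, locked))
```

In practice the query would be sent to your own server from an address outside its network; a reply that scores `open_recursion: True` is the configuration the TechNet article tells you to turn off.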

In short, Poland told Krebs, RageBooter is just a "legal testing service":

How individuals use it is at there [sic] own risk and responsibilitys [sic]. I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product.

How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days.

About that ready accommodation of "any legal law enforcement": when Krebs asked Poland whether police or other authorities had ever asked for information about his customers, Poland told him that well, actually, he works for the FBI.

From Krebs' account of the Facebook chat he had with Poland:

I also work for the FBI on Tuesdays at 1pm in memphis, tn. They allow me to continue this business and have full access.

The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.

When Krebs called the number Poland gave him to check with the FBI, the man on the other end got peeved and referred him to the FBI's press office, which in turn wouldn't confirm or deny any of this.

Poland, for his part, stopped talking with Krebs, saying he'd been instructed to block him. His Facebook page disappeared within moments of Krebs receiving this message:

I have been asked to block you. Have a nice day.

Regarding the legality of hiring a DDoS service, Krebs checked with Mark Rasch, a security expert and former attorney for the US Department of Justice.

Rasch told Krebs that while companies regularly hire network stress-testing services, it's generally part of a more inclusive penetration testing engagement in which those conducting the tests insist on first getting a "get out of jail free card", e.g. a notarized letter from the customer stating that the testing firm was hired to break into and probe the security and stability of a targeted site.

Krebs quotes Rasch:

This is also why locksmiths generally force you to show ID that proves your address before they’ll break into a house for you...

The standard in the security industry is not only to require proof that you own the sites that are going to be shut down or attacked, but also an indemnification provision.

I checked with Sophos' IT security manager, Ross McKerchar, who regularly fends off DDoS attacks, to see what he thought of DDoS legality. Unsurprisingly, he says DDoS should "clearly" be illegal, and the fact that it's not illegal everywhere is just evidence of the law lagging:

To use an analogy, even if I have a very poor lock and no alarm system it’s still illegal to break in to my property.

The argument regarding reflected DNS attacks is "even weaker", McKerchar says:

You are at risk to these attacks regardless of your own DNS servers: the problem is that any misconfigured DNS server can be used to attack someone else.

To say that it’s legit to attack company A, because unrelated companies B, C & D have poor security doesn’t really hold water.

None of this is meant to excuse poor security, of course.

To extend the lock analogy even further, McKerchar says:

If a bank had a rubbish lock and no alarm system, I think most people would agree that they bore some responsibility for a break-in. Larger companies should recognize and plan for the risk of DDoS attacks, given they are so easy to execute.

I think it would be fair to say that any company that doesn’t, and depends on their internet-facing systems for revenue is running a major risk, bordering on negligence.

Krebs' sleuthing on this issue is far more extensive than this write-up. It's definitely worth a read to check his original article, which provides more on the booter market, the nature of the backdoor which the FBI may or may not have into RageBooter, and how booters' biggest threats are attacks from each other.

One interesting aspect of these services is how they use PayPal to fund their activities.

When Krebs checked with PayPal about this, the company told him that the use of its service for DDoS-for-hire sites would violate its terms of use agreement.

From its statement to Krebs:

While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly.

We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.

PayPal will work with law enforcement to take down something that the FBI might well have its hand in? Up to the elbow and beyond?

Sure. OK. Right.

Eyebrow arched.


8 Responses to DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney

  1. Someone · 828 days ago

    Has it occurred to you that maybe this Poland guy isn't actually w/ the FBI and referred you to the press office, knowing their response would be that they can't deny or confirm anything that they are or aren't doing.

    Perhaps an elaborate fishing scheme to take down Sophos, and they tucked tail and disappeared when it became clear you were actually checking their claims.

  2. Machin Shin · 828 days ago

    "Unsurprisingly, he says DDoS should "clearly" be illegal"

    "To use an analogy, even if I have a very poor lock and no alarm system it’s still illegal to break in to my property."

    This is totally incorrect thinking. DDoS does not necessarily "break in to" anything. Yes, it should be illegal to use other people's computers without their consent to launch a DDoS.

    This does not mean DDoS should be flat out illegal. If I organize a large group of people who all agree to do a DDoS on a website then we are not "breaking in" and so the analogy does not fit at all. Instead the analogy would be more along the lines of me and a bunch of friends all agreeing to go fill a store to capacity and then stand around in protest. You are simply taking the full capacity of a public facing server. In a way it is the modern version of a sit-in.

    • CDB · 828 days ago

      I would like to point out that executing a DDoS attack disrupts computer systems and denies services to users. That, at least in the United States of America, is illegal. There are various Federal and State provisions.

      For instance, check Florida statutes, Title XLVI, Chapter 815 (Computer-Related Crimes), Section 815.06. Disrupting services is a third-degree felony, and if that disruption causes more than $5,000.00 in damages, it is kicked up to a second-degree felony.

      What if you have a small business which you use to make transactions, and you rely upon it for most of your income...and then somebody uses a service like this to interrupt your service? They are robbing you of your bread-and-butter, and potentially driving your customers somewhere else, never to return (due to annoyance that your site is down, though through no fault of your own). That's not only disruption, that's tantamount to robbery, because it directly attacks your very means of making a living.

      Finally, as has been stated already, you can have tight security on your own servers, but still be victimized if others do not have tight security, because DDoS attacks rely on a veritable zerg-rush of requests.

    • Doodle · 828 days ago

      It's not the same as a "Sit-In" or "Protest". Even if a group has a permit to hold a "Sit-In" or "Protest", they cannot physically prevent a prospective customer from entering that facility. If I want to cross a picket/protest line, I can. If the protesters try to physically stop me, they can and should be arrested. In my opinion, same goes for the DDoS attacker (never heard it called a DDoS protester, so I use attacker).

    • Adam · 827 days ago

      Actually, sitting in the store against the owner's wishes would still be illegal, because it's private property. You can stand outside of his property if you wish, but you may have problems convincing the police that you have the right to prevent his customers from doing business with him by blocking access to his store.

    • Anonymous · 591 days ago

      I'd say you're close to reason, but if one person DDoSes a site because they are doing bad stuff then I see no harm, and if enough people go to a protest outside a store, I'm talking about thousands, then I'm pretty sure that would stop them or, if not, slow them down a lot.

  3. Henry · 828 days ago

    The part about this site owner working with the FBI is a bit fishy. While it is completely legal to tell people you work for the FBI, why would you do so? If they're trying to catch criminals who are abusing these services, why would they announce that their service is being monitored? Surely almost any criminal can figure out that it's not the best idea to use a service monitored by the FBI when you plan to use it for malicious activity, and it's not like RageBooter is the only website that offers such a service. It also strikes me as fishy that he provided a phone number to the office. If he really works for the FBI, did he honestly believe that someone would pick up the phone and generously hand out employee information to someone they've never spoken to before? Doesn't really add up.

  4. Very ropey. The services listed sound closer to a DoS attack than a DDoS attack. Isn't spoofing illegal? Also the privacy policy mysteriously ends in a 404 error...


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.