The alleged creators of the popular VDoS website were arrested by Israeli authorities at the behest of the FBI on Thursday (September 8th). The 4-year-old site provided attack-for-hire services that helped its customers orchestrate more than 150,000 so-called distributed denial-of-service attacks (DDoS attacks) designed to take websites offline, and earned approximately $300,000 per year.
It is simply frightening that a 14-year-old child can build, maintain and earn hundreds of thousands of dollars a year and amass an estimated $1M after four years of operating a DDoS service before being stopped at the age of 18.
This is clearly only going to serve as an inspiration to legions of children who have talent and are interested in having high rewards for their employed pursuits. It’s the next step in the hacking-for-hire culture that has emerged over the past decade. For some time now, we have watched talented child-hackers take down high profile targets and then receive lucrative job offers after they complete their incarceration. What these two young men have shown us is that it is potentially more lucrative to nurture an entrepreneurial venture as a hacker than the previous pattern of hackers seeking to “build their resume.”
This story sheds light on one of many DDoS as a service tools that rapidly gain popularity over the last few years. VDoS is not the only attack-for-hire service out there. Many of the world’s most notorious hackers have developed their own iteration of a for-hire attack website. Many have learned how to avoid prosecution with extensive Terms of Service agreements that absolve them of personal liability. And as we can see from the VDoS founders, DDoS-as-a-Service (DDoSaaS) is a profitable business! Radware’s ERT researcher, Daniel Smith, talks at length about the breadth and sophistication of for-hire attack services in his Rise of Booters and Stressers blog.
In addition, this raises a flag for organizations around the globe. Companies must rethink DDoS protection strategies in a world where such tools commoditize attacks, site owners can make so much money so quickly, and the model for calculating return on investments of security protection technologies is reset.
How to look at this?
- Like everything, security attacking tools have moved to the cloud and are much easier to use
- Financial incentives for people to jump into this business has been terrifyingly awesome
- Most security controls purchased over the past few years whose main DDoS mitigation technique relies on source or destination IP address is no longer useful. Examples of IP-based blocking are the following:
- Geo-IP Blocking
- Black & Whitelists
The time has come to find the vendors who can support real time detection with high quality (e.g. not requiring source or destination IP address) blocking. Also, this must be done while negotiating SSL and encoding algorithms.
Best of luck, and always know that Radware can help!