[This was originally published on Infosec Island, now 404. Mirror available.]
Distributed Denial of Service, or DDoS, attacks are an extremely simple thing, in concept.
This article won’t get into the details of investigation, C&C tracking, dozens of jurisdiction battles, mitigation, or any of the technical aspects of such attacks.
Rather, this article is a simple request directed at those who launch, contract, or operate botnets that facilitate DDoS attacks.
On the most fundamental level, a DDoS attack is about PersonA doing wrong, and PersonB punishing them for it. It doesn’t matter what your perception of “wrong” is. PersonA did something wrong in the eyes of PersonB, and that is all that matters. PersonA could have fired PersonB from a job, posted derogatory comments about the wife, or said cats are better than dogs on a pet forum.
Rather than ignore the transgression, move on, or confront the person in a more rational manner, PersonB resorts to a DDoS attack. They may have the resources to launch it themselves, or may have to pay for the service.
Most in the security industry frown upon botnet-for-hire operators that sell their stolen bandwidth for illicit purposes. Just today, a person I spoke with called them “scum”. Perhaps they are. Personally, while I don’t like or agree with it, I understand it. They are no different than any other person selling questionable or illicit services or goods in our society.
Considering U.S. politicians essentially sell their vote for campaign backing and favors, a botnet herder is really no different than my senator as far as I am concerned. That comparison may be a jump to some, but I firmly believe it. I make that comparison because the botnet operator is selling a service; they are not emotionally vested in the resulting activity.
Back to causality. PersonA has grievously offended PersonB, and PersonB has decided to retaliate by denying the bandwidth of the offender. Revenge is typically a strong, in the moment, emotional response. It is not rational, so I understand lashing out in a wide variety of methods. It is easy to argue that hiring a botnet operator to launch an attack moves out of the realm of a purely emotional response, but emotions linger and I understand that too.
What I don’t understand is the disconnect between cause and effect. If a person insults you and you lash out by punching them in the nose, it is usually clear what the person did wrong. “I nailed your mom!” … punch. The person with the bleeding nose and mental fog will immediately know that insulting your mother is not a good thing and leads to pain and dizziness.
If the person posts a message and insults your mother, leading you to reply with “say goodbye to your phone service!” as you shut their phone off, they once again know that insulting your mother leads to the inability to make a phone call.
With some DDoS attacks, and apparently it is a growing number, they begin by denying connectivity service and accompany it with an email demanding payment for the attack to stop. This extortion is easy to understand on a fundamental level; pay $MONEY to $BADGUY and you get your connectivity back (I have to wonder how many times the DoS prevents the extortion demand email from arriving?).
Anyway, there is a serious disconnect in emotionally driven revenge-based DDoS attacks. A person does something wrong, but doesn’t know they have done wrong by any standards, and they get punished hours or days later. No email comes in demanding money, no posts are made on Twitter directed to the affected person, and no rumors circulate as to why it is happening. Has that person really learned a lesson?
Yes, they have. They have learned that some unknown person is a dick. But that is all they have learned. Without a message instructing them what they did wrong, and what they can avoid doing in the future, they are in the dark as to what you are mortally wounded by. Launching a DDoS attack can send a message, but it is often lost in the high amounts of traffic flowing at the victim.
Bottom line: if you are going to initiate a DDoS attack, fine. I get that you are insulted or wounded. I get that you feel wronged over something that was done or said. But really, how do you expect your target to know what not to do to avoid angering you again?
If you don’t give them a simple and easily understood explanation, they are just as confused as to what they did wrong as you are confused as to why they did $BADTHING in the first place.
Just as a DDoS attack is pretty safe to carry out without being caught, so is posting a brief message to Twitter or Pastebin to let your target know why. Oftentimes, the ‘why’ is much more important than ‘who’ launched the attack.
At least, that is the case for me.