Europol Shuts Down World's Largest DDoS-for-Hire Service

In what is being seen as a major hit against cybercriminals, Europol, an international police operation, has taken down the world's biggest provider of potentially crippling Distributed Denial of Service attacks. From a report: Europol officials have shut down WebStresser, a website where users could register and launch DDoS attacks after paying for a monthly plan, with prices starting as low as $18.25. The website, considered the largest DDoS-for-hire service online, had over 136,000 users at the time it was shut down. Europol said it had been responsible for over 4 million DDoS attacks in recent years. Visitors to the web site will now see a notice stating that the site has been seized in conjunction with "Operation Power Off," which is the name of the multi-country operation that took down the site.

The users should be prosecuted too

[sjbe]

Europol officials have shut down WebStresser, a website where users could register and launch DDoS attacks after paying for a monthly plan, with prices starting as low as $18.25.

So someone who signs up for a service like this really is saying they intend to cause harm. While logistically difficult to prosecute everyone, it would seem logical that every user of this service should find themselves in some legal hot water. I cannot think of a single lawful reason why someone would need to use a service like this. And if there isn't a law against using a service like this there darn well should be. Obviously the providers of this "service" should be put in jail but I would argue the users of the service are really no less culpable.

Re:The users should be prosecuted too

[110010001000]

You might use a service like this to stress test your website. Maybe that is why they called it WebStresser.

Re:

[OverlordQ]

*eyeroll*

And those water pipes are for tobacco.

Re:

[DRJlaw]

I cannot think of a single lawful reason why someone would need to use a service like this

*eyeroll*

And those water pipes are for tobacco.

Set yourself up with a challenge like that and you'll get that sort of answer. It doesn't matter whether 99.9% use it for something else, you need only point to the lawful example.

Re:The users should be prosecuted too

[lbmouse]

There are legitimate reason for stress testing. The problem with this company is that they didn't confirm that the addresses tested belonged to their customers. They knew what they were doing and thought they could skirt the law.

Re:

[RandomFactor]

I can see no legitimate rationale for not performing validation on a destination to prove control/ownership.

For example with with various online services it is common to require a cryptographically signed DNS entry to prove domain ownership.

If stress testing an 'IP' you should be able to require a specific website response at http://ip/testingapproved.html [ip] or other similar method before starting.

Re:

[Riceballsan]

Well yes but I think the point is that they shouldn't blindly prosecute the users, for using a service that doesn't check how it is being used first. Just as if you buy alcohol from a store that doesn't check ID. That store should absolutely be in deep crap, but they won't go trying to chase down the customers. I suppose in the process of investigation, they could say go through the records of where the for hire DDOS's went. Compare that to reported hacking crimes, and where there is overlap, prosecute th

Re:

[Luckyo]

If you use the service to stress test your site against DDoS attacks, how is this in any way criminal?

Any sane court would laugh your arguments of guilt by association out. As they should.

Haha

[Anonymous Coward]

lol

My brother had an account there.

Hope he goes to prison so I can get his laptop :))))

Re:

[sjbe]

My brother had an account there.

Then your brother is an asshat.

Re:

[BronsCon]

Or his brother load-tested his own websites, or those of his clients, with permission. I know that's what I use similar services for, legitimately and legally, on a semi-regular basis.

Re:

[Dutch Gun]

Any legitimate web-stressing service should require that you prove ownership of the domain to be stressed by adding specific markers to root-access resources. Not performing this basic safety check is criminally negligent at best, and a criminal enterprise at worst. And anyone who subscribes to and thus promotes a malicious service like that should be prosecuted. Anything else is just excuses.

Re:

[BronsCon]

Sure they do, but who's to say I'm paying her to do anything more than talk, until I ask how much a handy j costs? And paying a girl to talk to you is perfectly legal, despite other services she may or may not be offering; some call it therapy.

Re:

[BronsCon]

Any legitimate web-stressing service should require that you prove ownership of the domain to be stressed by adding specific markers to root-access resources.

Well, since the site is offline now, we can't very well see for ourselves whether or not they did so. More to the point, that's a weak check anyway since, for many sites, it is trivial to host your domain with the same provider the target site uses and send enough traffic that way to take down not only your own domain, but also any domains hosted on the same server, the same subnet or, if you send enough of the right traffic, the entire provider. The only difference is, then, the target site won't have info

Re:

[nnet]

Free Hat!

Re:

[Highdude702]

I'm an electrician and computer nerd have been both for 15+ years and have been a computer nerd far longer. I make nowhere hear 6 figures, yet I understand electronics and computers a lot better than most of the users I see on slashdot.

Crime against humanity

[bigmacx]

For years, it seemed SPAM email blasting companies were the worst Internet villain imaginable, but then came the for-hire DDOS companies. Eventually they didn't even have to hide on the DarkWeb and appeared on public websites. Now anyone with even the most minor beef can take someone or something offline for a few hours for a few dollars. These things whack indie multiplayer games all the time. It's soo easy to phish someone's IP address and then target them after getting frag'd, tk'd, or blog-flamed.

I thin

Congradulations

[cwsumner]

Congradulations to Europol all of the people who worked to take this website down! The fight is not over, but at least we got in a "good hit".

Re:

[Alwin Barni]

Congratulations indeed, however is it only about the site or also about the owners and their infrastructure? How about the customers? It should be easy to check if they just tested their own services or were involved in some malicious activity.
One cannot have DDOS without proper infrastructure, either hacked or own, so there are much more details I would be interested to read about this issue.

Re:

[fazig]

Like in most of these cases if it goes to court, they'll be offered significantly reduced sentences in exchange for information that exposes others or even their entire infrastructure. And they usually cave in quickly.

Re:

[jiriw]

What I read on my 'local' tech website (page in Dutch) [tweakers.net] is they arrested several admins in various countries, and a former admin in the Netherlands. Also, it wasn't a Europol lead operation. Law enforcement agencies of eleven nations were involved from Europe, North America and Hong Kong (Asia), 'in corporation with Europol'.

The site is seized by the US DoD. In the coordinated effort the agencies hunted down various admins. The hunt for other personnel and users of the services is ongoing.

Dutch police is ans

Re:

[cwsumner]

Interesting!

illegal?

[fish_in_the_c]

which country where they in? Where were their servers? I assume this was illegal in their native country and they should have known better.
Of coarse, being a private military contractor isn't illegal, so I'm not sure why this should be. I would think the people who own the site should have known to put it in a country with a small king and include him in on the money.

Which countries?

[Alwin Henseler]

From the article: "the site's administrators, located in the United Kingdom, Croatia, Canada, and Serbia. (..) server infrastructure located in the Netherlands, the US and Germany".

I would think the people who own the site should have known to put it in a country with a small king and include him in on the money.

I'm from the NL, which is known for hosting things that are frowned upon elsewhere (eg. the NL is a popular choice for hosting porn sites). Why? Because my country has a long tradition of protecting free speech, protecting minorities, embracing diversity among groups of people etc. Besides well-connected internet inf

Same guys ?

[rojash]

Are these the same guys who facilitated bringing down SD every few weeks ??

Did they use a bot net?

[Required Snark]

There is a real lack of technical information in the reporting, at least so far.