[190839] in North American Network Operators' Group
Re: EVERYTHING about Booters (and CloudFlare)
daemon@ATHENA.MIT.EDU (Phil Rosenthal)
Thu Jul 28 12:20:30 2016
X-Original-To: nanog@nanog.org
From: Phil Rosenthal <pr@isprime.com>
In-Reply-To: <9578293AE169674F9A048B2BC9A081B401E66668BE@MUNPRDMBXA1.medline.com>
Date: Thu, 28 Jul 2016 12:20:24 -0400
To: "Naslund, Steve" <SNaslund@medline.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Keep in mind also, the victims of these DDoS attacks do not know which "booter" service was paid to attack them. The packets do not have "Stress test provided by vBooter" in them. The attack packets do not come from the booter's or Cloudflare's IP addresses, they come from secondary victims -- compromised servers, PC's infected with malware, and abused DNS/NTP [and a few other protocols] reflectors.
It is impossible for a victim to submit a complaint to Cloudflare stating "I was attacked by someone paying vBooter", because they do not know which of the numerous "booter" services was responsible.
-Phil
> On Jul 28, 2016, at 12:12 PM, Naslund, Steve <SNaslund@medline.com> wrote:
>
> Miles is right. Their thinly veiled "stress tester" thing is not going to be much of a defense. They must not have very good legal counsel. Here is the issue. Stress testing is perfectly legal as long as I am:
>
> a) Stress testing my own stuff
> b) Stress testing your stuff WITH YOUR CONSENT
>
> Selling a product or service that is unsafe can lead to serious civil consequences. For example, I sell you roach killer and don't warn you that it will also kill every other living thing in your home, I am going to get sued and lose badly.
>
> Let's say I am running a demolition company that offers to knock down any house for a price. Don't you think I have a responsibility to verify that you own the house you just asked me to knock down? (by the way, this has happened in the real world -wrong address on paperwork- and the demolition company was held liable) Obviously I have that responsibility and obviously the same rules would apply to any service that can potentially damage someone's property.
>
> Steven Naslund
> Chicago IL
>
>> Let's see:
>>
>> Vbooter (on their home page) claims:
>> "#1 FREE WEBBASED SERVER STRESSER"
>> "Using vBooter you can take down home internet connections, websites and game servers such us Minecraft, XBOX Live, PSN and many more."
>> "You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user."
>
>> So they're advertising a free service that explicitly offers DDoS capabilities.
>
>> Now - with the caveat that I'm not a lawyer, and I'm talking from a US perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and who's had one of our boxes compromised and used to vector a DDoS against a gaming site....
>
>> 1. DDoS is clearly illegal under multiple statutes - most notably the Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf - for a Justice Dept. memo on "Prosecuting Computer Crimes." When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., extortion). And that's before one starts attacking Government-owned computer systems.
>>
>> 2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance."
>>
>> 3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a professional locksmith). I expect some of those laws might apply.
>>
>> 4. All of those certainly could be applied to vBooter.org. Whether Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use of vBooter's use for criminal purposes, or promoting its use therefore. Hosting would certainly fall into that category - and while, I have no direct knowledge that Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish complicity. Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses).
>>
>> As to whether "Nothing is going to happen" - I expect something WILL happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, and starts looking for some deep pockets to sue. Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off.
>>
>> It will make for very good theater - at least for anyone not directly in the cross-hairs.
>>
>> Miles Fidelman
>