DDoS and The Damage a Single Person can Do

Featured article by Debbie Fletcher, Independent Technology Author

If a person went on a vandalism spree that interfered with an organization’s ability to do business and ended up warranting restitution that totaled up to 8.6 million dollars, that person would be a well-known criminal indeed. He or she would be a topic at the water cooler, an ice breaker on awkward dates and a hashtag on social media. Yet for everyone other than the technologically tuned-in, Paras Jha has managed to fly entirely under the radar.

This is, of course, because Jha’s crime spree took place entirely online, with DDoS attacks being his main weapon of choice. His online attacks caused major real-life problems for his victims, however, and now he’s grappling with serious real-life consequences. He’s just one of the latest cybercriminals to prove just how much damage one person can do with DDoS attacks.

The downfall of the Mirai mastermind

If distributed denial of service or DDoS attacks have gone mainstream at all in the past few years, it’s because of the Mirai attacks that took place at the end of 2016, one of which was responsible for taking Reddit, PayPal, Spotify and the New York Times offline, amongst 45 or so other major online sites and services. As one of the authors of the Mirai botnet, Paras Jha should be known as one of the bad boy rockstars of the website-downing cyberattack genre. Yet even though his botnet baby basically brought the internet to a screeching halt with the attack on the Dyn DNS server and unleashed record-breaking attacks while ushering in the era of the massive IoT botnet, he received just five years of probation, 2,500 hours of community service, was ordered to pay $127,000 in restitution for his Mirai handiwork, and received just a moderate amount of attention after the court case wrapped.

Anyone hoping one of the malicious minds behind Mirai would get a bigger dose of justice had their wish come true at the end of October, 2018 when Jha was convicted and sentenced for a series of attacks on his alma mater, Rutgers University. This time he received six months of house arrest, another 2,500 hours of community service, and has been ordered to pay a staggering 8.6 million dollars in restitution to the university. While that restitution is part of Jha’s sentence and can be considered punitive, what it really is, is a direct repayment to Rutgers University for the losses they suffered as a result of the series of distributed denial of service attacks launched by Jha.

Jha’s reasons for launching those devastating attacks on Rutgers? In one case, he wanted to block enrollment to a course he himself wanted to take. In another, he wanted to delay his calculus exam. Other attacks were launched at the university because Jha found he enjoyed the attention and outcry his earlier attacks had garnered.

Prolific DDoS damage causers

Paras Jha is just one of the most recent names to get added to the list of DDoS attackers who have been caught and convicted of wreaking havoc all over the internet.

Some, like Adam Mudd and Jack Chappell who each ran DDoS for hire services, seemed to be in it for the money. Mudd earned over $500,000 USD with his Titanium stresser launching over 1.7 million attacks, while Chappell’s vDos stresser was once the most prolific DDoS-for-hire service in the world.

Other high-profile DDoS arrestees like the Lizard Squad’s Bradley van Rooy and PoodleCorp’s Zachary Buchta, similar to Jha with his attacks on Rutgers, are largely in it for the outcry and internet infamy. As members of two of the internet’s most notorious hacking groups that often took aim at online gaming platforms, van Rooy and Buchta thrived on the firestorms their attacks sparked on Twitter and reveled in the Reddit outrage.

Other famous attackers have even simpler motivations. For a teenage hacker known as Jelle S., who basically crippled the Dutch financial system for a week in early 2018 by taking down financial institutions, the tax authority and other government services, his string of high-profile DDoS attacks all occurred because he thought it was funny to begin with and even funnier when state-sponsored Russian hackers were blamed.

The power of one

While the attackers listed above stand out from the crowd of DDoS perpetrators because they were caught and convicted, their misdeeds provide a good example of exactly what is going on in the distributed denial of service landscape. Organizations are suffering millions of dollars in damages, millions of attacks are being launched from DDoS for hire services at targets of all types and sizes, government services and financial institutions are being brought down to the point that an entire nation’s financial system is crippled, and not a week goes by where gaming outages don’t make the headlines, all because of what a smattering of malicious individuals get up to with their botnets and attacks.

Whether attackers are motivated by money, attention, infamy or simple entertainment, the sad fact of the matter is that arrests and convictions are rare and these attackers are exceedingly hard to stop at the source. Instead, they need to be stopped at the target. Get professional cloud-based DDoS protection so you don’t have to care about what some 22-year-old in New Jersey or 16-year-old in London is doing for fun.