Law Enforcement Takedowns of DDoS Botnet Sites Fail to Make Significant Impact

Distributed Denial of Service (DDoS) attacks are a threat to any organization. Since they rely upon overwhelming a system’s ability to handle traffic, they don’t require a malware author to develop a means of sneaking past antivirus scanners and executing malicious code on the target machine. Any organization that does not have the appropriate DDoS mitigation protections deployed could have its Internet presence degraded or destroyed by a DDoS attacker.

The threat of DDoS attacks is growing rapidly as attackers have taken advantage of new technology, tools, and tactics to increase their ability to render systems non-operational. The impact of these attacks has reached the point where several law enforcement organizations have acted to take down cybercriminal organizations that are associated with or support DDoS botnets. Most recently, the Dutch police have taken down a provider that hosted dozens of DDoS botnets.

However, the impact of these law enforcement actions has historically been limited. While botnet operators are negatively impacted in the short term, other providers move in to fill the vacuum. As a result, organizations need to deploy appropriate protections in order to be secure against DDoS attacks.

The Evolving DDoS Threat Landscape

While DDoS attacks have been around for a while, the threat is constantly evolving. One of the biggest factors in the change in how DDoS attackers operate is the evolution of the Internet and the devices that are connected to it. In the past, the Internet was primarily composed of servers and personal computers, which were designed to be fairly secure and received cybersecurity protection and regular updates.

On the modern Internet, Internet of Things (IoT) devices are increasingly common. These devices have extremely poor security and do not receive the same level of protection and maintenance as traditional computers. As a result, botnets built from these easily compromised IoT devices, together with computing power for rent in the cloud, allow attackers to launch more numerous and more powerful DDoS attacks.

Innovation in DDoS is not limited to taking advantage of the changing Internet landscape. DDoS tactics are constantly changing, and DDoS attackers are continually working to discover and exploit DDoS amplifiers. A DDoS amplifier is a service whose protocol does not verify the source address of a request (so the address can be spoofed) and whose responses are significantly larger than the requests that trigger them. By sending requests with the victim’s address as the source, an attacker causes the amplifier to reply to the victim, which then receives and must process far more data than the attacker had to send out.
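The two properties that define an amplifier (spoofable source, reply much larger than request) are also what makes reflected traffic stand out in flow records. The following detector is an added example, not code from the original article: it works over constructed flow records with assumed field names and thresholds, computes the amplification factor per flow, and flags any source address that is receiving amplified replies from many distinct services at once, which is the signature of a spoofed victim rather than a real client.

```python
"""Flag likely reflection/amplification victims in flow records.

Added example with constructed sample data; field names and thresholds
are assumptions, not part of the article it accompanies.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str         # address the request claimed to come from (the reply goes here)
    dst: str         # UDP service that answered
    port: int
    req_bytes: int   # size of the request
    resp_bytes: int  # size of the reply


def amplification_factor(flow: Flow) -> float:
    """Reply size divided by request size; > 1 means the service amplifies."""
    return flow.resp_bytes / flow.req_bytes if flow.req_bytes else float("inf")


def find_reflection_victims(flows, min_factor=10.0, min_reflectors=3):
    """Return {victim: (reflector_count, total_reply_bytes)}.

    A legitimate client rarely triggers heavily amplified replies from many
    different services in one window, so a source that does is most likely
    spoofed and is the real target of the attack.
    """
    reflectors = defaultdict(set)
    reply_bytes = defaultdict(int)
    for f in flows:
        if amplification_factor(f) >= min_factor:
            reflectors[f.src].add((f.dst, f.port))
            reply_bytes[f.src] += f.resp_bytes
    return {src: (len(r), reply_bytes[src])
            for src, r in reflectors.items() if len(r) >= min_reflectors}


# Constructed sample: 198.51.100.7 "sends" tiny requests to four services and
# gets ~45-50x larger replies; 192.0.2.10 is an ordinary client.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.1", 53, 60, 3000),
    Flow("198.51.100.7", "203.0.113.2", 53, 60, 2900),
    Flow("198.51.100.7", "203.0.113.3", 123, 40, 1800),
    Flow("198.51.100.7", "203.0.113.4", 53, 60, 3100),
    Flow("192.0.2.10", "203.0.113.1", 53, 60, 120),
    Flow("192.0.2.10", "203.0.113.2", 53, 60, 90),
]

if __name__ == "__main__":
    for victim, (count, total) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: amplified replies from {count} services, {total} bytes")
```

On the sample data the only flagged address is 198.51.100.7, with four reflectors and 10,800 reply bytes; the ordinary client never exceeds a factor of 2 and is ignored.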

The evolving Internet landscape and the growth of DDoS botnets have made large-scale DDoS attacks cheaper and easier to perform. The low price of performing a DDoS attack allows botnet operators to offer their services for affordable prices on online marketplaces. As a result, any organization could potentially be the victim of a large-scale DDoS attack.

Law Enforcement Takes on DDoS Attackers

Dutch law enforcement is the most recent organization to take action against DDoS botnets. The police recently seized servers belonging to a “bulletproof” web hosting service that housed numerous DDoS botnets. Bulletproof providers ignore any complaints about illegal or unethical actions being performed using their services, allowing cybercriminals to operate with impunity.

KV Solutions BV, the bulletproof hosting provider in question, hosted a variety of different cybercrime services (phishing, cryptojacking, etc.) but specialized in IoT DDoS botnets. These botnets ran the gamut from ones operated by script kiddies using the Mirai source code to some of the most talented malware authors and botnet operators in the business. KV Solutions BV also hosted “booter for hire” websites where customers could hire the services of DDoS botnets to attack a target of their choice.

The bust by the Dutch police involved seizing servers and arresting two individuals suspected of being the company’s founders. Currently, the focus of the investigation is on hosting DDoS botnets; however, data extracted from the servers and the suspects may lead to other arrests. Regardless, the loss of these servers likely had a significant impact on malware operations due to the loss of command and control servers, DDoS botnets, and other cybercriminal infrastructure hosted by KV Solutions BV.

The Need for DDoS Protection

Taking down a DDoS hosting provider, as the Dutch police did, typically reduces the number and intensity of DDoS attacks for a while afterward. However, this impact typically does not last.

In December 2018, the FBI took down several of the biggest DDoS-for-hire sites in operation, which caused a dramatic decrease in the number and scale of DDoS attacks during the holiday season (usually a peak time for those attacks).

However, the DDoS attack market quickly recovered. In Q1 2019, the number of DDoS attacks increased 200% compared to Q1 2018. While the FBI takedown had a significant short-term impact, DDoS service providers simply relocated to other sites to perform their attacks. Unfortunately, many of the clients of KV Solutions BV will likely do the same.

While the efforts of law enforcement against DDoS attackers and other cybercriminals are important, they do not provide a long-term solution to the DDoS threat. In order to ensure that they are protected against attack and that their Internet presence remains unaffected, organizations need to deploy the appropriate cybersecurity protections themselves. A DDoS prevention solution capable of handling the attack volumes that modern DDoS botnets can achieve is a basic cybersecurity requirement for any modern organization.