Hacker attacks that try to take down websites with a flood of bogus traffic, technically known as Distributed Denial of Service (DDoS) attacks, have become a daily occurrence on the internet. The rise of DDoS has created a cottage industry of companies dedicated to mitigating the attacks, and, on the flip side, professional DDoS-for-hire services and gangs.
Now, a group of security researchers wants to name and shame not only the hackers responsible for such crippling attacks, but also the internet providers and traffic carriers that enable them by turning a blind eye to their actions, with a project called SpoofIT.
"We want to expose that the responsibility of ending DDoS is collective and something needs to be done before there is no return," one of the people behind the initiative, who goes by the alias Jack B., told Motherboard. "What kind of neutrality we have in the internet? If the cost of staying online keeps raising there is no space for real freedom of expression."
Jack B. argued that the blame should be shared among internet service providers who leave their networks badly configured to allow misuse, and international internet carriers who sign peering agreements with peers that are known for running cybercriminal operations, as well as anti-DDoS firms that also protect DDoS-for-hire websites. For example, SpoofIT argues that many hosting and upstream providers allow traffic with spoofed addresses, a common sign of malicious activity, and hardware manufacturers fail to enable filtering technologies in their routers.
"It's like renting your car every day to someone that sells rocket-propelled grenades on the black market," Jack B. said in an online chat. "You see the customer every day loading boxes into the car. And you keep repeating, 'I just rent my car.' Then the next day you rent a truck, as you see that your customer needs more space for the boxes."
Jack B. and the rest of the group quietly launched SpoofIT last week, and they already have published some investigations into the IoT botnet that hit Krebs' website; a Russian provider who allegedly sold infrastructure to a DDoS-for-hire service; and a sketchy anti-DDoS service that also allegedly provides "stress testing," a euphemism for DDoS-as-a-Service.
While this is a project with an admirable goal, Barrett Lyons, who founded the first DDoS mitigation service in 2003, is skeptical that it will have a significant impact, as the very nature of the internet allows DDoS attacks to exist. Lyons explained that there's no way to completely eradicate DDoS attacks as long as it's possible for someone on the internet to send a packet to someone else who's not expecting it, which is just how the internet works.
"There's a lot of attacks on a daily basis. Shutting this down is going to be basically impossible. You can't stop denial of service attacks. You can mitigate them, you can reduce your risk, you can design your network better, you can use protocols that are not as susceptible to attack," Lyons told Motherboard. "But, I don't think you can actually eliminate denial of service attacks, just because the internet wasn't designed in a way that makes that possible."
Still, Jack B. thinks more can be done to track down and stop the people behind these attacks, as well as their enablers. And the group is looking for volunteers to join its cause.
"We want to expose that not only the bad guys are making money. Everyone seems to make money: the guys that route the traffic, the hosting places, the data centers—it's an industry. And many actors say 'we don't know, we can't find the bad guys,'" Jack B. argued. "That is bullshit."