How the FBI goes after DDoS cyberattackers
In 2016, hackers using a network of compromised internet-connected devices — vulnerable security cameras and routers — knocked some of the then biggest websites on the internet offline for several hours. Twitter, Reddit, GitHub and Spotify all went down intermittently that day, victims of what was at the time one of the largest distributed denial-of-service attacks in history.
DDoS is a form of cyberattack where bad actors flood websites with malicious traffic with the goal of taking them offline. DDoS attacks had existed for years before 2016, but the fact that this one incident took down so many major services drew the attention of people who didn’t know much about cybersecurity.
Since then, no DDoS attack has ever been so newsworthy, but the problem hasn’t gotten away. On December 15, 2022, right before Christmas — historically a popular time to launch DDoS attacks — the FBI announced that it had taken down dozens of websites that sell what are called booter or stressers, essentially DDoS-for-hire services. These are relatively cheap services that allow people with low or no hacking skills to carry out DDoS attacks.
On the same day, the feds also announced that they had arrested seven people who allegedly ran those services. Then, the FBI targeted those services and took down more booter sites in May.
All these recent operations — as well as the investigation into Mirai, the malware used in the infamous 2016 attacks — were led by the FBI office in Anchorage.
On Wednesday, Elliott Peterson, one of the FBI agents who led those investigations, spoke at the Black Hat cybersecurity conference in Las Vegas. Peterson, along with Cameron Schroeder, a prosecutor who specializes in cybercrimes, talked about the work behind the investigations that led to the Christmas and May takedowns.
Schroeder also revealed that it was Peterson himself who created the splash pages that replaced the seized websites.
Peterson, who has focused on DDoS attacks for a decade, sat down with TechCrunch on Thursday to talk about his work going after the people behind those DDoS services, and identifying which services to take down. He explained what goals law enforcement has with these investigations, how DDoS attacks have changed over the years, who are the people behind them,
The following transcript has been edited for brevity and clarity.
TechCrunch: How long have you been investigating DDoS attacks? And how have DDoS attacks changed over time?
So probably nine or 10 years. And it’s changed quite a bit. When I started looking at the problem, we were really thinking in terms of the top booter or stresser services, which is where a lot of the market and a lot of the customer base was. And then, in the middle of working investigations into booter and stressers, we got drawn into the botnet world. And so it’s really been kind of this yo-yo back and forth between what we think are the most threatening portions of the DDoS landscape, and then we’ll try to deal with that. And then the criminals react to what we do and change, and we have to relearn, and it’s just been this kind of constant process over about nine or 10 years.
What is the biggest change that you’ve seen in the last 10 years?
I think in a lot of ways just the expanding of the partners that we have. When we first started, we were trying to work with people that understood and focused on DDoS, and that was a really small subset of the security community. I feel like over the years, we’ve had a lot more partners within the private sector, within academia, and within law enforcement, we’ve had a lot of people really interested in the problem.
And maybe this is a little bit of a media bias, but I feel like sometimes there’s a feeling that DDoS is kind of a boring problem, or a problem that’s been solved?
Oh, no, no, you’re not wrong at all. We bump up against it all the time. And there’s ways in which it’s kind of true. And there’s ways in which it’s emphatically not true. But if you look at the transitory, temporary nature of some DDoS attacks, it’s a problem while it’s going on, and maybe it’s a problem when the attack stops.
“Generally, if you’re big enough to be in the news, you start to be on our radar.” Elliott Peterson, FBI
If somebody is intending only to temporarily disrupt a website or person, it’s a little bit of a problem or a lot of a problem during it, and then afterwards, they might forget or move on. Now, DDoS at a certain scale or volume is an entirely different problem. And so, a lot of the people that say DDoS isn’t a problem are crying for the hills when their websites are down continually, or there’s a threat that’s so large, that there’s not a mitigation pathway.
I think what’s kind of unique of what FBI Anchorage has been doing is we’ve been really focused on that crime-type throughout that period. And it’s allowed us to respond a lot more quickly when it does become a really sustained problem. But by volume, it is one of the largest cybercrime problems in terms of the frequency of attacks, for example.
How large is it in terms of financial losses?
That’s harder to determine. You have cases where there’s extortion or a victim might pay a certain amount of money. But DDoS has a lot of indirect costs. If I’m getting DDoS’ed continually, a lot of victims can pay their way outside of the power of the attacker, but that is incrementally increasing their bandwidth costs. That’s really hard for us to capture, I think. But if you look at just the size of some of the companies that specialize in DDoS mitigation, for example, you have very large companies that that’s their business model. So, I don’t want to put a price tag on it.
Yeah, Cloudflare is a giant company…
As is Akamai, as is Fastly. There’s a lot of that. And every ISP will have plans that certain customers get pushed to because it’s maybe the way to stay outside of certain DDoS services. We think that it’s one of the things where it increases the expense for everybody on the internet, but it’s hard to know exactly how much.
And so how do you choose who to go after? It’s a huge problem, how do you pick your battles?
One of the things that I think it’s the most exciting is that we have that ability to choose, we can look at it, and think about it. Generally, we’re prioritizing top services. So, who is conducting the most attacks? Who’s been around the longest? Who has the most customers? Who’s capable of conducting the largest attacks for booter stresser services?
When we make questions about how are we focusing on — for example — botnets? It’s a similar methodology. But generally, if you’re big enough to be in the news, you start to be on our radar. And then we might pause and focus on something like that.
Like Mirai from a few years ago.
Yeah, and that was an FBI Anchorage case. It’s a great example of everyone says, ‘DDoS doesn’t matter.’ And then you finally have a botnet like Mirai and for a while DDoS really matters. That was actually a case we worked from start to finish in Anchorage, and basically used everything we’d learned about booter stresser services and pivoted and dealt with Mirai, and then came back to work on booter stresser services.
Mirai was huge, I remember there was that day the internet kind of went down for a few or a couple of hours, which is crazy to think about now. What’s the goal? Obviously, catching criminals, but is it deterrence? Is it getting access to low level criminals so that you can then go after bigger services? What’s the thinking?
I think, big picture, our thinking is what can we learn in trying to reduce the threat of these services that we can apply to other crime types? What can we learn in combating these DDoS services, both to make the internet safer, but also maybe to apply to ransomware, remote access trojans or other types of internet tools? That’s by and large what Cameron [Schroeder] and I were trying to discuss. But we think it’s a problem that people only pay attention to a little bit of the time, and we think we’re having a lot of success by focusing on it all the time.
How effective has been the deterrence? At some point Schroeder said that after one big operation that there was a 20% decrease in DDoS activity. Can you talk more about that?
We’re ascribing value to numbers. But because we can measure DDoS and because we can accurately look at where DDoS is and follow trajectories, we have an estimate that probably our last operation saw a pretty sustained net 20% reduction on daily attack volume. Other operations we’ve seen less or more than that.
What’s neat this time is at least it looks like it’s sustained. Maybe some portion of the customer base maybe moved on. And that’s really our goal: a combination of educating people that this is criminal, holding people accountable and trying to not be in a position where young men and some young women grow up accustomed to having access to these tools. Because when you’ve had access to the kind of firepower that you can get for $20 a month — that, by the way, if you wanted that kind of bandwidth, at home you’d be paying $250-$350 a month or more — what we see is people become habituated having that, so they just continue to use these services. We’d really like to explain to people that it’s criminal, they shouldn’t do it, so we can focus on other crime problems.
You said that for the last there was a 20% decrease. That’s the March or the Christmas operation?
That was Christmas and March. There’s a whole sequence of operations that came out after Christmas. We saw about a 20% overall reduction in the attack volumes. But we’re hoping to have much better data soon, as some of these universities study that.
Is going after the booters also in part trying to dismantle the botnets behind them?
To me, they’re functionally very different things with the exception that we have had booter services that have tied themselves to botnets or added botnet capability. But if we consider botnets victim devices, and generally, those are conducting what are often called layer 7, or TCP-based attacks, and they can be very powerful because you can make the infected victim that comprises the botnet, essentially interact with the intended victim. Whereas most of the time with booters, they’re conducting these clever attacks where they’re magnifying their data. But at the end of the day, it’s all unrequested UDP. It’s just sheer bandwidth, it can be filtered, it can be dropped.
The botnets, generally, that’s a lot more challenging. We look at them as different threats. But we understand that they sort of exist within the same criminal economy. The difference is that botnets tend to be a lot more expensive. You have people that have larger criminal economic goals, they’re often using botnets, or you have other cases where the booting services tend to be a lot cheaper and have a different clientele.
I guess it’s fair to say that maybe the botnets are not for kids that want to disrupt gaming?
They can be, but generally a botnet is something that you are using to disrupt an entire gaming service, let’s say, because the number of bots and then the peak available capacity of those bots isn’t always greater than what you would see with a booter but often it is. The use case becomes a little different. Where we often see botnets being successful is they might take down the entire gaming service and not just kick somebody out of a game.
Now that we are talking about it, I remember a few years ago when the whole PlayStation Network went down, it was Christmas day or the day after Christmas.
“Our hope is not to arrest everybody, our hope is to arrest the most problematic people and convince the rest of the people that this isn’t a good path.” Elliott Peterson, FBI
A really funny — and long story that we don’t have time for — is that part of Mirai’s development was driven by competition, because the group that did those Christmas attacks had an [Internet of Things] botnet that was very effective.
They both were aware of the same vulnerability. And whoever controlled that vulnerability, controlled hundreds of thousands devices. They were actually fighting with each other to see who would be able to control all of those devices. That is actually what drove a lot of the advancement that made Mirai so effective.
Sometimes you time your operations around times when DDoS attacks are more prevalent, like Christmas, for example in 2022. What’s the motivation behind doing this?
Exactly what you described. You’ve had this historical tendency where Christmas is the busiest DDoS period for a lot of reasons. We’ve started trying to time operations to coincide; where in the vacuum created by our takedowns through December, DDoS is a lot harder to do, because the operators that weren’t arrested are going back to have to reset up their stuff. Everyone’s generally a little alarmed at what the next shoe is going to drop. That’s why we’ve timed it. In some ways, we’re setting ourselves up where we’re competing with the most intense DDoS period. We could pick a different time and maybe see more of a reduction, but that’s why. Banks and other industries can get really nervous around Christmas time. This changed that landscape a little bit.
Does it also send a message to the criminals themselves?
Ideally, what we’re trying to do is send this broad message of deterrence. Our hope is not to arrest everybody, our hope is to arrest the most problematic people and convince the rest of the people that this isn’t a good path.
And speaking of the cyber criminals, you said yesterday that there are some wrong assumptions about them, both in terms of who uses these services and who runs them?
Yeah, DDoS to me has a very distinct cybercriminal profile. Generally, you’re going to have somebody based in North America or Western Europe. They generally will communicate in gaming, they’re usually young adult males, they can be engaged in other cybercrime types, but often DDoS may be one of the most popular types. They’re usually adjacent in some way to gaming, and they’re often making $30,000-$50,000 to $100,000 a year, depending on how big their services are. They often start maybe between 16 and 19 [years of age], and by the time they are top service — and we catch up to them — they are somewhere between 19 and 25 [years old], usually, in terms of a profile.
That’s not bad money for that kind of age.
And that’s the problem, right? That’s what we’ve been trying to figure out is where you have this economic driver for the crime type, it makes it harder to move people away from the service.
And how sophisticated are they? Because you showed that they make some pretty bad OPSEC mistakes.
I would say that because of the crime type, and because of who their customers are, I would say that they’re generally not as sophisticated as you might consider some of the more traditional cyber actors. But that’s not even entirely fair, because criminals who are offering services tend to be more sophisticated than the criminals that are consuming the services. If I look at somebody operating a DDoS service, they are usually much more technically sophisticated than their customers.
But they may not be far behind somebody doing a remote access trojan or somebody doing something else, because by and large, the tools they’re using have been placed online. So, a little bit of web development, [and] a lot of customer service experience is often required for them to be successful. There’s a lot of back and forth with customers that these guys have to be willing to do if they want to make money.
You mentioned yesterday that some people don’t even use VPNs. Can you talk a little bit more about that?
Tons of people don’t use VPNs. It’s really a misconception, I think, in the cybercrime space that all of these actors are using VPNs. And even when they’re using VPNs, a lot of actors still don’t fortunately understand the ways that we often have to push past VPNs.
In the booter space, it’s probably more uncommon than common for me to see VPN usage. But that’s not untrue for other crime types where people don’t think they can be caught. Because the actor is using this criminal service and he’s been told there’s no logs kept by the criminal actor, he doesn’t necessarily feel the same need to have a VPN engaged as he might try to cash out credentials from a bank or something.
I think that some of it is, they exist in a place where they think that they already have some protection.
And so once you identify who to go after, what’s the evidence that you’re looking for, and how do you collect it?
It depends on if we’re looking for customers or if we’re looking for operators. For operators, as we laid out in the presentation, what we’re trying to establish is does their service work because we want to focus our time on people who are actually really facilitating DDoS generally? And if their service works, then we’re going to ask questions about who set that service off, and once we start to establish that, we will often ask questions about their communication accounts. What are they using, and how are they communicating? And most of the time, that’ll take us over a period of months to know where we think somebody’s located, and then we go and ask a judge for permission to basically go and take evidence from them, and interview them. That starts this process where I would take all of that accumulated evidence, and we give that to a prosecutor, and then they make decisions about how we go forward.
So that’s on the people’s side. At what point do you decide to seize and shut down the services? And why do you decide to do it then?
What’s fun about this case is because we’re trying to do so much simultaneously, we will batch things. So like my investigation, I might be batching questions about a bunch of actors, but I obviously can’t usually visit everybody on the same day. We might spread all of our searches out over a period of a month or two months. But we’ll usually pick a date, not just with us but with our partners.
Sometimes you won’t hit that date. That’s what’s really complicated in this space. To have so many things happen simultaneously, like we’ve been able to do, we have to commit to a date often months out, and everyone will have different roles, and it adds a lot of pressure. The one thing we usually have done well in advance of that date is we’re ready, we know who we want to charge. But the mechanisms of taking the service stuff away is really complicated. And somebody might change hosting a week before we do it, or something else could change that we’re scrambling.
What’s the role of the private sector in fighting DDoS attacks?
In a lot of ways, they’re the front lines. They are the hosting companies, or the DDoS defense companies that are really focused on this. They do an incredible job of making sure we understand the science and technology we need to keep up with this.
If there’s a new attack technique, or a new service, they’re often where we hear about that first. They’re providing us the information we need to make better decisions, and that’s been most of the role that we’ve filled with them. They’re helping us shape our strategy by giving us feedback in terms of what they think will or won’t work. And that isn’t necessarily a question about which service to go after, or what we should say to these actors during interviews, but more like: Should we do this at Christmas? Which protocols should we prioritize for our testing of these services? How can we test these services without causing too much harm?
So it’s really like a team sport?
Very much, yes.
And what message would you send to victims of DDoS?
Let us know. We do a lot of consulting in Anchorage for victims of DDoS, especially large platforms that get hit.
There’s ways to report it. We’re not necessarily doing technical remediation, but we try to help victims understand is this a short term attack? Is this a long term attack? Do you understand the motivations of the attacker? Because if you know what the motivations are of the attacker, and you know how they’re attacking you, we can also help them understand how much the attacker is probably paying to do this. That can be important because an attacker who’s mad enough at a business that they have thousands of dollars to spend, that puts them in an entirely different risk category than an attacker that’s using a cheap plan on a booting service.
We’re encouraging victims to reach out to us. If they’re victims of DDoS attacks, if they’ve lost money. If it’s a lot of attacks, we’d love to know and talk to them.
You said yesterday that you’re still not making the hackers’ lives hard enough. What are doing or going to do differently going forward?
Our hope is to continue to learn how to conduct more effective operations, which might mean larger, more moving pieces, [and] more partners. Our next phase is taking a really hard look at some of these customers that probably don’t think that we have the data we do, and also shifting to including more of the customers and basically holding them accountable for their attacks.
Finally, can you tell me about your experience making the logos for the seizure notices?
We get feedback from some of our partners, especially international law enforcement, who have a lot of experience with these takedowns and these seizures. And so they’re the ones that say, ‘hey we are doing these really smooth blue seizure pages.’ And like, ‘no, it has to be red, you’ve got to communicate viscerally to them this idea of stop.’ It seems simple, but how do you get a background everybody agrees on, whose logo goes where, how large, and there’s all these funny things that you don’t expect to have to deal with, that we get asked to do? Because we don’t really have a graphic support department to help us with a lot of that.
Did you put the Christmas hats on the logos?
No, researchers did that. And honestly I had lost a battle. I tried to use that as our official logo next time, and I was told we couldn’t, because I thought that would just be really a funny gesture.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.