UK Authorities Raid DDoS Providers and Customers
Earlier this week, authorities in the UK raided several providers and customers of Distributed Denial of Service (DDoS) attack services. In this briefing we will take a look at what happened, the economics around DDoS attacks and likely future developments.
What happened?
In April of 2018, authorities from the US, UK and Netherlands took down an online service selling DDoS attacks called Webstresser. This service is suspected to have been used by thousands of customers to stage tens of thousands of attacks. DDoS attacks send a very large amount of traffic to a target server. The goal is to overwhelm the system and thus make it unusable.
While payments were made in cryptocurrencies and identities hidden behind online accounts, neither of these techniques provides the level of anonymity that unskilled customers of such services assume. Small mistakes or specific usage patterns can easily lead to customers and operators being identified. Thus, 10 months after the initial raid on the Webstresser marketplace, authorities have begun to take action against its customers.
The economics of DDoS attacks
DDoS attacks require a large number of computers - ideally spread evenly across the world. Computers infected with malware and then added to botnets are usually the ones abused by criminals in these cases. Since most criminally inclined people don’t have the technical skills and risk tolerance to establish their own botnets, and since many operators of botnets try to optimize their profits, marketplaces that matched botnet operators with those seeking to carry out a DDoS attack developed over time. Customers pay money to the botnet operators, who in turn perform the DDoS attack against a specified target.
Motivations to pay for such attacks can vary widely. Some may seek to hinder competing platforms, services or online stores. Others use DDoS attacks to extort ransoms from the targeted websites. But a surprisingly large number of attacks are carried out for personal reasons such as taking down sites associated with disliked individuals or preventing others from competing in online games.
The proliferation and ease of use of DDoS service marketplaces have led to a wide variety of customers - from hardcore criminals looking to extort money to hormonal teenagers seeking to settle an online-gaming feud.
What developments are likely in the future?
The wide variety of customers of DDoS services has led to some considerations among governments. While the effects of a grown criminal attempting to extort money and a teenager trying to win an online game are ultimately the same, there are many who balk at drawing a moral equivalency. Countries such as the Netherlands have thus begun to sentence younger, less impactful and more rehabilitable offenders to intern at IT companies as punishment. While we do expect other countries to follow suit in establishing such programs over the coming years, at this point in time it is too early to predict whether they will be successful in curbing cybercrime.