A 17-year-old high school boy may face state and federal charges for allegedly having paid a third party to launch a distributed denial of service (DDoS) attack that crippled the West Ada school district in Idaho, US, for a week and a half earlier this month. Because he’s a minor, he can’t be named. A DDoS is an attack wherein the servers of a targeted online service are slowed to a crawl with loads of pointless data like email or file uploads that clog up their processing ability. KTVB reports that West Ada students suffered assorted misery because of the attack, including losing their work on the Idaho Standard Achievement tests. Some students had to take the tests multiple times. Meanwhile, online classes and textbooks weren’t available for much of the week, and faculty and staff had problems accessing administrative and business systems, including payroll. The school district’s IT staff eventually traced an IP address back to the 17-year-old, who was suspended from Eagle High. School officials are recommending that he be expelled. The sheriff’s office told the TV station that the boy will likely be charged with a felony charge of computer crime, which is punishable by up to 180 days in a juvenile detention facility. In addition, his family will be responsible for financial restitution to cover costs incurred by the school district. Operations at more than 50 schools were disrupted because of the attack. As of Wednesday, investigators were also looking into whether a younger student – one attending Eagle Middle School – attempted a similar attack this week. School officials sent parents a letter on Friday that urged them to talk with their children about the consequences of committing cyber attacks such as this one. We can assure students and parents that the consequences associated with a DDoS attack are far from trivial. Examples include two online gaming programmers from Poland who were given 5-year jail sentences in December 2013 for DDoS and cyber-extortion of a UK online marketing company and a US internet software company. In that same month, a US man was fined $183,000 (£116,772) after joining, for merely 1 minute, an Anonymous DDoS of the enormous, multinational corporation Koch Industries. When it comes to DDoS, the law doesn’t spare you if you’re a kid. In fact, a 16-year-old London schoolboy was arrested under suspicion of involvement in the 2013 DDoS attack against Spamhaus: an attack of unprecedented ferocity. He pleaded guilty in 2014. Then too, a UK teenager was arrested in January for possibly having a hand in the PlayStation/Xbox Live DDoS that Grinched up gamers’ Christmas day playing. We often hear DDoS’ers trying to justify DDoSes under the premise that really, companies should be thanking the attackers for “raising awareness” of their vulnerability. That’s an old, tired spiel that we got from Lizard Squad members after they ruined Christmas with their XBox Live/PlayStation attack. Or, in the words of a man who claimed to speak for the attackers, they did it … …to raise awareness, to amuse ourselves… But as Naked Security’s Mark Stockley said at the time, a DDoS attack isn’t a skilful hack. You don’t need elite lock-picking skills to pull it off, because you’re not picking a lock. Rather, you’re blocking the door from the outside with as much garbage as you can pile up. Is DDoSing a company, or your school, or any online service, worth the lulz? For an answer, we can ask the LulzSec guys—If they’re out of prison, maybe they can let us know. Source: https://nakedsecurity.sophos.com/2015/05/22/high-schooler-allegedly-hired-third-party-to-ddos-his-school-district/?utm_source=Naked%2520Security%2520-%2520Feed&utm_medium=feed&utm_content=rss2&utm_campaign=Feed
Read the article:
High schooler allegedly hired third party to DDoS his school district
The admin of Therealdeal market ( http://trdealmgn4uvm42g.onion/ ) provided us with some insights about the recent DDo’s attacks that are hitting all the major DNM’s in the past week: In the past few days, it seems like almost every DN market is being hit by DDoS attacks. Our logs show huge amounts of basic http requests aiming for dynamic pages, probably in attempt to (ab)use as many resources as possible on the server side, for example by requesting for pages that execute many sql queries or generate captcha codes. As we are security oriented we manged to halt the attack on our servers the moment it showed up in the logs. Although this required fast thinking, due to the fact that dealing with this kind of attack over tor is not the same as dealing with such attack over clearnet. New addresses? Shifting Pages? Waiting? All these did not work for other markets… Here you can see the beginning and failure, as caught by Dnstats: As you can see, our market’s response time spiked to almost 70 seconds while our market’s usual response time is insanely fast, almost like most clearnet sites. But also, you can see that the response time was back to 2-3 seconds a little after. Here is an example of a darknet market that didn’t know how to combat this problem: The flat line at 0 seconds meaning there was no response from the server. The Problem As opposed to cleanet attacks, where mitigation steps could be taken by simply blocking the offending IP addresses,when it comes to tor, the requests are coming from the localhost (127.0.0.1) IP address as everything is tunneled through tor. Another problem is the fact that the attackers are using the same user-agent of tor browser – hence we cannot drop packets based on UA strings. The attackers are also aiming for critical pages of our site – for example the captcha generation page. Removing this page will not allow our users to login, or will open the site to bruteforce attempts. Renaming this page just made them aim for the new url (almost instantly, seems very much automated). One of the temporary solutions was to run a script that constantly renamed and re-wrote the login page after 1 successful request for a captcha… Attacks then turned into POST requests aiming for the login page. Solutions If you are a DNM owner or just the security admin, check your webserver logs. There is something unique in the HTTP requests, maybe a string asking you to pay to a specific address. (assuming these are the same offenders). Otherwise there might be something else … Hint: you might need to load tcpdump during an attack. Hopefully, you are not using some kind of VPS and have your own dedicated servers and proxy servers. Or if you are using some shit VPS, then hopefully you are using KVM or XEN. (first reason being the memory is leakable and accessible by any other user of the same service). The other reason is – control on the kernel level. You can drop packets containing specific strings by using iptables, or use regex too. This is one example of a commad that we executed (amongst others) to get rid of the offenders, we cannot specify all of them, so be creative! iptables -A INPUT -p tcp –dport 80 -m string –algo bm –string “(RANSOM_BITCOIN_ADDRESS)” -j DROP Where (RANSOM_BITCOIN_ADDRESS) is the unique part of the request… To Other Market Admins: There are additional things to be done, but if we expose them, this will only start a cat and mouse game with these attackers. If you are a DNM admin feel free to sign up as a buyer at TheRealDeal Market and send us a message (including your commonly used PGP), since at the end of the day even though you might see us a competitor in a way, there are some things (like people stuck without their pain medication from mexico) that are priceless… Source: http://www.deepdotweb.com/2015/05/11/this-is-the-ransom-ddos-that-is-hitting-the-dark-net-markets/