US Prosecutors Charge 6 With Offering DDoS for SaleFeds Seize 48 Booter Service Domains
U.S. federal prosecutors charged six individuals and seized four dozen web domains for their role in millions of mercenary distributed denial-of-service attacks.
The six men, ranging in age from 19 to 37 and charged in federal courts in California and Alaska, allegedly operated "booter" websites often marketed as services for stress testing infrastructure resiliency. Warnings attached to DDoS-for-sale services from sites such as Astrostress.com or SecurityTeam.io, saying not to use them to send overwhelming amounts of IP traffic to third-party sites, were "essentially a pretense," an FBI agent told a federal judge in an affidavit that led to the domain seizures.
Logs indicate that one seized service, Ipstresser.com, launched 30 million DDoS attacks over 13 years. More than 2 million individuals were on the site, and about half used it to launch a DDoS attack. The site's alleged owner - Honolulu, Hawaii, resident John Dobbs - is set to hear formal charges in an Anchorage federal courtroom in early January.
Federal investigators say the men charged between $25 and $100 for monthly access to their sites, where they promised to launch amplification attacks against specified targets. Amplification attacks exploit properties of IP routing, such as the network time protocol, to use a small amount of bandwidth to send a large-bandwidth response to the intended target. Attacks spoof the request so it appears to have originated from the IP address of the intended victim.
One indicator that the sites were malicious and not really meant for self-resiliency checks was their owners' offer of IP address resolution meant to identify the true server location of the victim. Attackers use that information to bypass anti-DDoS defenses, such as those offered by Cloudflare.
Ironically, many booter services are consumers of Cloudflare protections themselves, sometimes on the free plan and sometimes on a paid plan. The Department of Justice says a slew of companies, including Cloudflare and Akamai, assisted the investigation.
Two of the defendants have submitted guilty plea agreements.* One is Angel Manuel Colon Jr., aka "Anonghost720" and "Anonghost1337," 37, of Belleview, Florida, who operated SecurityTeam.io. The other is Cory Anthony Palmer, 22, of Lauderhill, Florida, who ran a booter service known as Booter.sx.
The other defendants are:
- Jeremiah Sam Evans Miller, aka "John the Dev," 23, of San Antonio, Texas, charged with conspiracy and violations of the Computer Fraud and Abuse Act. Miller allegedly handled a booter service named RoyalStresser.com, formerly known as Supremesecurityteam.com;
- Shamar Shattock, 19, of Margate, Florida, charged with conspiracy for allegedly running a booter service known as Astrostress.com;
- John M. Dobbs, 32, of Honolulu, Hawaii, charged with aiding and abetting violations of CFAA for operating Ipstresser.com, also known as IPS, between 2009 and November 2022;
- Joshua Laing, 32, of Liverpool, New York, charged with aiding and abetting violations of CFAA for operating TrueSecurityServices.io between 2014 and November 2022.
"These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone's ability to access the internet," said Martin Estrada, U.S. Attorney for the Central District of California.
Update Dec. 15, 20:29 UTC: Adds Palmer as additional defendant who submitted a guilty plea.